Seems that there is a deliberate backdoor in the twenty-year-old TErrestrial Trunked RAdio (TETRA) standard used by police forces around the world.
The European Telecommunications Standards Institute (ETSI), an organization that standardizes technologies across the industry, first created TETRA in 1995. Since then, TETRA has been used in products, including radios, sold by Motorola, Airbus, and more. Crucially, TETRA is not open-source. Instead, it relies on what the researchers describe in their presentation slides as “secret, proprietary cryptography,” meaning it is typically difficult for outside experts to verify how secure the standard really is.
The researchers said they worked around this limitation by purchasing a TETRA-powered radio from eBay. In order to then access the cryptographic component of the radio itself, Wetzels said the team found a vulnerability in an interface of the radio.
[…]
Most interestingly is the researchers’ findings of what they describe as the backdoor in TEA1. Ordinarily, radios using TEA1 used a key of 80-bits. But Wetzels said the team found a “secret reduction step” which dramatically lowers the amount of entropy the initial key offered. An attacker who followed this step would then be able to decrypt intercepted traffic with consumer-level hardware and a cheap software defined radio dongle.
Looks like the encryption algorithm was intentionally weakened by intelligence agencies to facilitate easy eavesdropping.
Specifically on the researchers’ claims of a backdoor in TEA1, Boyer added “At this time, we would like to point out that the research findings do not relate to any backdoors. The TETRA security standards have been specified together with national security agencies and are designed for and subject to export control regulations which determine the strength of the encryption.”
And I would like to point out that that’s the very definition of a backdoor.
Why aren’t we done with secret, proprietary cryptography? It’s just not a good idea.
Details of the security analysis. Another news article.
More Stories
Threat Actors Shift to JavaScript-Based Phishing Attacks
Cybercriminals are increasingly prioritizing script-based phishing techniques over one based on traditional malicious documents Read More
Cybersecurity Incident Affects Arkansas City Water Treatment Facility
Arkansas City’s water treatment facility faced a cyber incident on Sunday and has since switched to manual operations Read More
Warnings after new Valencia ransomware group strikes businesses and leaks data
A new ransomware operation has started to leak information it claims has been stolen from organisations it has compromised around...
New Octo2 Malware Variant Threatens Mobile Banking Security
Cybercriminals have been observed disguising Octo2 as legitimate apps like Google Chrome and NordVPN Read More
The AI Fix #17: Why AI is an AWFUL writer and LinkedIn’s outrageous land grab
In episode 17 of The AI Fix, our hosts meet the worst newsreaders in the world, Graham learns about Big...
14 Million Patients Impacted by US Healthcare Data Breaches in 2024
SonicWall found that data breaches caused by malware attacks on US healthcare organizations have affected 14 million people so far...