Sophos News

Hacking police radios: 30-year-old crypto flaws in the spotlight

If you’d been quietly chasing down cryptographic bugs in a proprietary police radio system since 2021, but you’d had to wait until the second half of 2023 to go public with your research, how would you deal with the reveal?

You’d probably do what researchers at boutique Dutch cybersecurity consultancy Midnight Blue did: line up a world tour of conference appearances in the US, Germany and Denmark (Black Hat, Usenix, DEF CON, CCC and ISC), and turn your findings into a BWAIN.

The word BWAIN, if you haven’t seen it before, is our very own jocular acronym that’s short for Bug With An Impressive Name, typically with its own logo, PR-friendly website and custom domain name.

(One notorious BWAIN, named after a legendary musical instrument, Orpheus’s Lyre, even had a theme tune, albeit played on a ukulele.)

Introducing TETRA:BURST

This research is dubbed TETRA:BURST, with the letter “A” stylised to look like a shattered radio transmission mast.

TETRA, if you’ve never heard of it before, is short for Terrestrial Trunked Radio, originally Trans-European Trunked Radio, and is widely used (outside North America, at least) by law enforcement, emergency services and some commercial organisations.

TETRA has featured on Naked Security before, when a Slovenian student received a criminal conviction for hacking the TETRA network in his own country after deciding that his vulnerability reports hadn’t been taken seriously enough:

Trunked radio needs fewer base stations and has a longer range than mobile phone networks, which helps in remote areas, and it supports both point-to-point and broadcast communications, desirable when co-ordinating law enforcement or rescue efforts.

The TETRA system, indeed, was standardised back in 1995, when the cryptographic world was very different.

Back then, cryptographic tools including the DES and RC4 ciphers, and the MD5 message digest algorithm, were still in widespread use, though all of them are now considered dangerously unsafe.

DES was superseded at the start of the 2000s because it uses encryption keys just 56 bits long.

Modern computers are sufficiently fast and cheap that determined cryptocrackers can fairly easily try out all possible 256 different keys (what’s known as a brute-force attack, for obvious reasons) against intercepted messages.

RC4, which is supposed to turn input data with recognisable patterns (even a text string of the same character repeated over and over) into random digital shredded cabbage, was found to have signficant imperfections.

These could be used to used to winkle out plaintext input by performing statistical analysis of ciphertext output.

MD5, which is supposed to produce a pseudorandom 16-byte message digest from any input file, thus generating unforgeable fingerprints for files of any size, turned out to be flawed, too.

Attackers can easily trick the algorithm into churning out the same fingerprint for two different files, annihilating its value as a tamper-detection tool.

End-to-end encryption for individual online transactions, which we now take for granted on the web thanks to secure HTTP (HTTPS, based on TLS, short for transport layer security), was both new and unusual back in 1995.

Transaction-based protection relied on the brand-new-at-the-time network-level protocol known as SSL (secure sockets layer), now considered sufficiently insecure that you’ll struggle to find it in use anywhere online.

Party like it’s 1995

Unlike DES, RC4, MD5, SSL and friends, TETRA’s 1995-era encryption remains in widespread use to this day, but hasn’t received much research attention, apparently for two main reasons.

Firstly, even though it’s used around the world, it’s not an everyday service that pops up in all our lives in the way that mobile telephones and web commerce do.

Secondly, the underlying encryption algorithms are proprietary, guarded as trade secrets under strict non-disclosure agreements (NDAs), so it simply hasn’t had the levels of public mathematical scrutiny as unpatented, open-source encryption algorithms.

In contrast, cryptosystems such as AES (which replaced DES), SHA-256 (which replaced MD5), ChaCha20 (which replaced RC4), and various iterations of TLS (which replaced SSL) have all been analysed, dissected, discussed, hacked, attacked and critiqued in public for years, following what’s known in the trade as Kerckhoff’s Principle.

Auguste Kerckhoff was a Dutch-born linguist who ended up as a professor of the German language in Paris.

He published a pair of seminal papers in the 1880s under the title Military Cryptography, in which he proposed that no cryptographic system should ever rely on what we now refer to as security through obscurity.

Simply put, if you need to keep the algorithm secret, as well as the decryption key for each message, you’re in deep trouble..

Your enemies will ultimately, and inevitably, get hold of that algorithm…

…and, unlike decryption keys, which can be changed at will, you’re stuck with the algorithm that uses those keys.

Use NDAs for commerce, not for crypto

Commercial NDAs are peculiarly purposeless for keeping cryptographic secrets, especially for successful products that end up with ever more partners signed up under NDA.

There are four obvious problems here, namely:

The Dutch researchers in this story took the last approach, legally acquiring a bunch of compliant TETRA devices and figuring out how they worked without using any information covered by NDA.

Apparently, they discovered five vulnerabilities that ended up with CVE numbers, dating back to 2022 because of the time involved in liaising with TETRA vendors on how to fix the issues: CVE-2022-24400 to CVE-2022-24404 inclusive.

Obviously, they’re now holding out on full details for maximum PR effect, with their first public paper scheduled for 2023-08-09 at the Black Hat 2023 conference in Las Vegas, USA.

What to do?

Advance information provided by the researchers is enough to remind us of three cryptographic must-follow rules right away:

Fortunately, it looks as though CVE-2022-24401 has already been quashed with firmware updates (assuming users have applied them).

As for the rest of the vulnerabilities…

…we’ll have to wait until the TETRA:BURST tour kicks off for full details and mitigations.