> Two of the vulnerabilities are deemed critical. One of them appears to be an intentional backdoor [...] Reading the contents of a firmware upgrade is not trivial though, as it is heavily encrypted and relies on a Trusted Execution Environment (TEE), embedded in the core processor of the radio.
I don't know whether the backdoor allegation is correct, but unfortunately we should treat opaque ostensible security with skepticism.
By their nature, such things often can be used for our protection at the same time they are secretly used against us.
Isn't the time for the generous qualifiers long past? Such, often, can, our protection, unfortunately, skepticism... There is a good track record by now. Something like:
"under the guise of protecting trade secrets and swear words in the code, the code encryption actually protects crappy code stuffed with vulnerabilities (i.e. future entry points available to the right friends and foes) and backdoors (some forgotten and some very much not)". And in this case "future" was a while ago.
Do you remember when cryptography export was controlled? It was implemented by limiting key size to a certain number of (effective) bits (of security). This suite is just a victim of that law, as it is a 1990s design.
Sounds like they took the "roll your own and don't tell anyone how it works" approach. Security by obscurity is never security. History has shown that the open encryption standards are the most secure.
It's more of intentionally reducing the keyspace when generating keys. You can use weakly generated keys with industry-standard encryption algorithms. When your 4096-bit key is only 32 bits, it doesn't matter how well-trusted the algorithm is.
The interview that is linked[0] in the footnotes of the article with the person from ETSI is absolutely wild... Some excerpts:
> KZ (interviewer): How did it go about meeting those requirements, because that's the one they're saying has a backdoor in it. Was that the condition for export?
> BM (ETSI): Backdoor can mean a couple of things I think. Something like you'd stop the random number generator being random, for instance. [But] what I think was revealed [by the researchers] was that TEA1 has reduced key-entropy. So is that a backdoor? I don't know. I'm not sure it's what I would describe as a backdoor, nor would the TETRA community I think.
...
> KZ: People ... believe they're getting an 80-bit key and they're not.
> BM: Well it is an 80-bit long key. [But] if it had 80 bits of entropy, it wouldn't be exportable.
...
> KZ: You're saying 25 years ago 32 bit would have been secure?
> BM: I think so. I can only assume. Because the people who designed this algorithm didn't confer with what was then EP-TETRA [ETSI Project-TETRA is the name of the working group that oversaw the development of the TETRA standard]. We were just given those algorithms. And the algorithms were designed with some assistance from some government authorities, let me put it that way.
...
> BM: That's what we now know yeah - that it did have a reduced key length.
> KZ: What do you mean we now know? SAGE created this algorithm but the Project-TETRA people did not know it had a reduced key?
> BM: That's correct. Not before it was delivered. Once the software had been delivered to them under the confidential understanding, that's the time at which they [would have known].
...
You've really got to wonder who at ETSI gave the thumbs up on doing this interview.
The researchers added a footnote explicitly refuting the claim that 32 bit keys were secure 25 years ago, too.
> The Midnight Blue researchers have since demonstrated real-life exploitations of some of the vulnerabilities, for example at the 2023 Blackhat Conference in Las Vegas (USA). They have shown that TETRA communications secured with the TEA1 encryption algorithm can be broken in one minute on a regular commercial laptop and in 12 hours on a classic laptop from 1998 [III].
What exactly were TETRA radios used for? I assume they were government/infra related, but then I don't understand why they'd need to backdoor the keying.
They are used for many things, like fire, ambulance, railways, harbour operations, police, military, coast guard, and so on.
The weaker cipher mode, TEA1, is used when selling the radios to anyone who may not necessarily be an ally or highly trusted. This is the legacy of strong crypto being export-controlled.
It was public that these ciphers were weaker, but they were actually much weaker than advertised. This is the backdoor.
They don't so much backdoor the keying as that they have 4 different cipher profiles, and the one approved for global rather than European use (TEA1) compresses the key from 80 to 32 bits.
It's essentially a surreptitious version of what the US did in the 1990s with "export ciphers".
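The point made above about keyspace reduction (a key that is nominally 80 bits, or even 4096 bits, but has only 32 bits of entropy) is easy to show with a constructed toy. This is an added example, not code from the thread, from ETSI, or from the Midnight Blue research, and the seed-expansion scheme is an analogy, not TEA1's actual key schedule; it also reuses the thread's "one minute on a laptop" figure to compare the 32-bit and 80-bit search costs.

```python
"""Nominal key length vs. effective entropy (constructed illustration).

A key-loading scheme that hands the cipher an 80-bit key which is fully
determined by a much shorter seed: the key *looks* full length, but only
2**seed_bits distinct keys can ever exist. Not the real TEA1 schedule.
"""
import hashlib
import math

NOMINAL_KEY_BITS = 80  # what the user is told they get


def expand_seed(seed: int, seed_bits: int) -> bytes:
    """Stretch a `seed_bits`-bit seed into an 80-bit (10-byte) key.
    Deterministic: every seed maps to exactly one key, so the keyspace is
    bounded by the seed space, not by the key length."""
    if not 0 <= seed < 1 << seed_bits:
        raise ValueError("seed outside the declared seed space")
    digest = hashlib.sha256(seed.to_bytes(8, "big")).digest()
    return digest[: NOMINAL_KEY_BITS // 8]


def effective_keyspace(seed_bits: int) -> int:
    """Count the distinct keys the scheme can produce by enumerating every
    seed. Only feasible for small seed_bits; used to verify the claim."""
    return len({expand_seed(s, seed_bits) for s in range(1 << seed_bits)})


def effective_bits(seed_bits: int) -> float:
    """log2 of the number of keys actually reachable."""
    return math.log2(effective_keyspace(seed_bits))


def search_rate_keys_per_second(bits: int, seconds: float) -> float:
    """Trial rate implied by exhausting a `bits`-bit keyspace in `seconds`."""
    return (2 ** bits) / seconds


def exhaustive_search_years(bits: int, keys_per_second: float) -> float:
    """Years needed to try every key of a `bits`-bit keyspace at that rate."""
    return (2 ** bits) / keys_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Thread's figure: the 32-bit effective key falls in about one minute.
    rate = search_rate_keys_per_second(32, 60)
    print(f"rate implied by a one-minute 32-bit search: {rate:.2e} keys/s")
    # The same rate against the 80 bits the key nominally has.
    print(f"80-bit key at that rate: {exhaustive_search_years(80, rate):.2e} years")
    # A 12-bit seed space is small enough to enumerate in full.
    print("distinct 80-bit keys from a 12-bit seed:", effective_keyspace(12))
```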
I think the most relevant use in the context of deliberate backdoor is its use by police and military forces. Apparently some energy providers also use it for remote controlling tasks (no voice).
In 2023 you're telling me that some emergency vehicles are happily rocking encryption protocols with 80-bit, wait actually, 32-bit keys? These are all cases of systemic procrastination. We're talking about emergency vehicles here though, so: neglect.
Nobody is surprised these protocols have been broken, it should not be a surprise, and having some kind of panic reaction should be considered either a charade or a case of abysmal management.
The fact many armies use this (including my own country's) is mind boggling. Didn't they request the technical details of the encryption and the source code and have it vetted properly before awarding the tender for these devices? /sarcasm
> The vulnerabilities were discovered during the course of 2020, and were reported to the NCSC in the Netherlands in December of that year. It was decided to hold off public disclosure until July 2023, to give emergency services and equipment suppliers the ability to patch the equipment.
Interesting discussion about responsible disclosure. It seems a strange belief that you can tell all the radio operators about the vulnerability without also telling exploiters. Aren't they often one and the same? What's a reasonable approach here?
TL;DR: The only newsworthy vulnerability is the breaking of TEA1 - which is anyways the least secure of them all and only intended for commercial use (that is, no emergency services).
> TL;DR: The only newsworthy vulnerability is the breaking of TEA1
This is IMHO a very unfair TL;DR. The news is that the researchers claim that there is a deliberate backdoor, which ETSI denies. If it is true, there cannot be any further trust in other proprietary parts as well.
londons_explore|2 years ago
Obviously you can debate whether having it 'appear' secure for longer before someone publishes details of the flaw is more important or not...
0 - https://www.zetter-zeroday.com/p/interview-with-the-etsi-sta...
timthorn|2 years ago
https://www.rcrwireless.com/19980309/archived-articles/dolph...
YinSpray|2 years ago
https://web.archive.org/web/20230213001335/https://github.co...
gwbas1c|2 years ago
I suspect that there was an update (or replacement) to the radios that was generally described as an ordinary update / maintenance.
denysvitali|2 years ago
https://www.tetraburst.com/
pixl97|2 years ago
It's kind of like saying...
Vendor: "We support up to 1 zillion bit encryption!"
User: "What's the default out of the box?"
Vendor: "10 bit"
opless|2 years ago
Which alone implies that the Tetra crypto security theatre is well known in that industry, and isn't a surprise to vendors in the slightest.
riversflow|2 years ago
Everybody plays the espionage game, Europe really is no exception, they just like to use the US to keep their hands (mostly) clean.