Tagged: TETRA

Encryption on the TETRA Protocol has been broken

TETRA (Terrestrial Trunked Radio) is a digital voice and text radio communications protocol often used by authorities and industry in Europe and many other countries outside the USA. A major advantage of a digital communications protocol like TETRA is its ability to be secured via encryption.

Recently the security researchers at Midnight Blue in the Netherlands discovered a collection of five vulnerabilities collectively called "TETRA:BURST", and most of the five apply to almost every TETRA network in the world. The two most critical vulnerabilities allow TETRA traffic to be easily decrypted or attacked with consumer hardware.

The first critical vulnerability, designated CVE-2022-24401, is described as a decryption oracle attack.

The Air Interface Encryption (AIE) keystream generator relies on the network time, which is publicly broadcast in an unauthenticated manner. This allows for decryption oracle attacks.

The second vulnerability, CVE-2022-24402, notes that a backdoor has been built into TEA1 encrypted TETRA, which allows for very easy brute force decryption.

The TEA1 algorithm has a backdoor that reduces the original 80-bit key to a key size which is trivially brute-forceable on consumer hardware in minutes.

Midnight Blue are due to release more technical details about the vulnerabilities on August 9 during the BlackHat security conference. Due to the sensitivity of the findings, the team has also held them back for over 1.5 years, notifying as many affected parties as possible and releasing recommended mitigations. It's unclear at the moment how many TETRA providers have implemented mitigations already.

For more detail about the possible implications the team write:

The issues of most immediate concern, especially to law enforcement and military users, are the decryption oracle and malleability attacks (CVE-2022-24401 and CVE-2022-24404) which allow for interception and malicious message injection against all non-E2EE protected traffic regardless of which TEA cipher is used. This could allow high-end adversaries to intercept or manipulate law enforcement and military radio communications.

The second issue of immediate concern, especially for critical infrastructure operators who do not use national emergency services TETRA networks, is the TEA1 backdoor (CVE-2022-24402) which constitutes a full break of the cipher, allowing for interception or manipulation of radio traffic. By exploiting this issue, attackers can not only intercept radio communications of private security services at harbors, airports, and railways but can also inject data traffic used for monitoring and control of industrial equipment. As an example, electrical substations can wrap telecontrol protocols in encrypted TETRA to have SCADA systems communicate with Remote Terminal Units (RTUs) over a Wide-area Network (WAN). Decrypting this traffic and injecting malicious traffic allows an attacker to potentially perform dangerous actions such as opening circuit breakers in electrical substations or manipulating railway signalling messages.

The deanonymization issue (CVE-2022-24403) is primarily relevant in a counter-intelligence context, where it enables low-cost monitoring of TETRA users and their movements in order to allow a state or criminal adversary to avoid covert observation or serve as an early warning of impending intervention by special forces.

Finally, the DCK pinning attack (CVE-2022-24400) does not allow for a full MitM attack but does allow for uplink interception as well as access to post-authentication protocol functionality.

Below is a demonstration of the TEA1 CVE-2022-24402 attack on TETRA, and if you are interested the Midnight Blue YouTube channel also contains a video demonstration for the CVE-2022-24401 decryption oracle attack.

Demo: TETRA TEA1 backdoor vulnerability (CVE-2022-24402)

Currently, it is possible to decode unencrypted TETRA using an RTL-SDR with software like TETRA-Kit, the SDR# TETRA Plugin, WinTelive, and Telive. In the video the research team appear to use Telive as part of their work.

We also note that in the past we've run several stories about Dejan Ornig, a Slovenian researcher who was almost jailed because of his research into TETRA. Dejan's research was much simpler: he discovered that many Police radios in his country had authentication turned off when it should have been on.

TETRA Decoding (with telive on Linux)

Slovenian whistleblower who was convicted for reporting a flaw in Police TETRA with an RTL-SDR requests donations

Back in May 2016 we posted about Dejan Ornig, a then 26-year-old student at the University of Maribor's Faculty of Criminal Justice, Slovenia, who was almost imprisoned for using an RTL-SDR and finding a security flaw in Police TETRA communications. Dejan's story was one of the first of several stories we presented over the years involving a person getting into legal or political trouble from the use of SDRs like the RTL-SDR in more authoritarian countries.

TETRA is an RF digital voice and text communications protocol often used by authorities in European and other countries due to its ability to be secured via encryption. By using an RTL-SDR and an open source TETRA decoder, Dejan discovered that despite official documents specifying that all Police TETRA terminals must be authenticated (we assume this refers to encryption), none actually were.

Dejan went ahead and ethically reported his findings to the Slovenian authorities, working together with Police officers to disclose all his findings. However, in the end no action was taken, and Dejan took his findings to the press. It was then that Dejan was prosecuted by Slovenian Police, his house raided, and he discovered that Police had been collecting evidence against him for more than a year.

To complicate matters further it appears that Dejan also worked as an intelligence informant for the Police and was illegally instructed and helped by two Police detectives to hack into e-mails, Facebook profiles and other online communications of people deemed suspicious.

After seven years of court hearings, his case on the TETRA hack ended in 2022 with Dejan given a seven month suspended prison sentence. Although the suspension means that Dejan will not physically reside in jail, he still has a criminal record.

The criminal trial and conviction has led to Dejan having problems securing a job and moving forward with his life. He is currently asking for donations online in order to help get his life back on track. Dejan's full story can be read at the funding site. Alternatively you can donate via PayPal.

NOTE: As donation requests can often be scams, we have independently verified that it is indeed Dejan Ornig who submitted this story to us, and that the donation site and PayPal link are legitimate.

NOTE 2: In the past we have had issues moderating comments on stories involving transgender and female contributors. Dejan's story contains info about his sexual orientation, and we will not accept derogatory comments on this site regarding this. If desired, please discuss the technical and legal nature of Dejan's situation; any other comments will be removed.

TETRA Decoding (with telive on Linux)
An Example TETRA decoding setup

Tech Minds: Testing the OpenEar DMR TETRA ADSB POCSAG Decoder for RTL-SDR

Back in March we posted about the release of OpenEar, a standalone TETRA decoder for the RTL-SDR. Since then OpenEar has undergone massive development, not only improving the TETRA decoder but adding DMR, ADS-B and POCSAG decoders as well as a waterfall display.

Recently Tech Minds reviewed this software on his YouTube channel. In the video he shows how to download the software, install the rtlsdr.dll file, and run and use the software. He then demonstrates reception of an amateur radio DMR repeater, reception of POCSAG pager messages and finally reception of ADS-B aircraft messages.

OpenEar Digital Decoder - DMR TETRA P25 ADSB POCSAG RTL-SDR

TETRA-Kit: A New Open Source TETRA Decoder

Thank you to Larry for submitting information about his latest project called TETRA-Kit. TETRA-Kit is an extensible open source TETRA downlink decoder for Linux that makes use of GNU Radio as the first stage, so it should be compatible with any SDR supported by GNU Radio, including the RTL-SDR. Larry writes:

[TETRA-Kit] is inspired by a lot of existing stuff (see 'Previous work' on the project page) but started from scratch with the following ideas:

  • Stays as close as possible to the TETRA specification layers defined in ETSI EN 300 392-2 v3.4.1 (2010-08)
  • Transmits downlink information (including speech frames) in Json plain text format to be recorded or analyzed by an external program
  • Reassociates speech frames with a simple method based on the associated caller id and usage marker (saves messages transmitted simultaneously in separate files)
  • KISS

The decoder implements a soft synchronizer allowing missing frames (50 bursts) before losing synchronization.

It consists of 3 parts:

  • A physical layer transforming the PI/4 DQPSK rf signal to bits (RF frontend is NESDR at 2MBPS)
  • A decoder, which is the actual TETRA stack reading bits and transforming them to Json text
  • A recorder, which reads the Json stack output and reorders speech frames into separate files

The ETSI codec is also provided so unencrypted speech can be played.

The software is written in C++, licensed under GPLv3, and uses a few external pieces of software with compatible licensing.

TETRA is a type of digital voice and trunked radio communications system that stands for “Terrestrial Trunked Radio”. It is used in many parts of the world, but not in the USA.
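To illustrate the recorder stage Larry describes (reassociating speech frames by caller id and usage marker, and tolerating a limited number of missing bursts before treating the stream as a new call), here is an added example that is not part of TETRA-Kit. The JSON field names ("service", "caller_id", "usage_marker", "burst", "frame") and the sample lines are constructed for this example and are not TETRA-Kit's actual output schema.

```python
import json
from collections import defaultdict

# Constructed decoder output: one JSON object per line, two calls interleaved
# on different timeslots, plus a control message and a corrupted line.
# Field names are assumptions for this example, not TETRA-Kit's schema.
SAMPLE_LINES = [
    '{"service":"speech","caller_id":1001,"usage_marker":3,"burst":10,"frame":"aa01"}',
    '{"service":"speech","caller_id":2002,"usage_marker":5,"burst":11,"frame":"bb01"}',
    '{"service":"control","caller_id":1001,"usage_marker":3,"burst":12,"msg":"SDS"}',
    '{"service":"speech","caller_id":1001,"usage_marker":3,"burst":12,"frame":"aa02"}',
    'not json at all',
    '{"service":"speech","caller_id":2002,"usage_marker":5,"burst":13,"frame":"bb02"}',
    '{"service":"speech","caller_id":1001,"usage_marker":3,"burst":100,"frame":"aa03"}',
]

def demux_speech(lines, max_gap=50):
    """Group speech frames by (caller_id, usage_marker).

    Returns {key: [call1_frames, call2_frames, ...]}. A gap of more than
    max_gap bursts between consecutive frames of the same key closes the
    current call and opens a new one, mirroring the decoder's tolerance of
    50 missing bursts before it drops synchronization.
    """
    calls = defaultdict(list)
    last_burst = {}
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip corrupted lines instead of aborting the recording
        if rec.get("service") != "speech" or "frame" not in rec:
            continue  # only speech frames are reassembled here
        key = (rec["caller_id"], rec["usage_marker"])
        burst = rec["burst"]
        if key not in last_burst or burst - last_burst[key] > max_gap:
            calls[key].append([])  # start a new per-call buffer
        calls[key][-1].append(rec["frame"])
        last_burst[key] = burst
    return dict(calls)

def call_filename(key, index):
    """Name for the separate file each call would be written to."""
    caller_id, usage_marker = key
    return f"speech_{caller_id}_um{usage_marker}_{index}.bin"

def assemble(frames):
    """Concatenate hex-encoded frames into the raw bytes of one call."""
    return bytes.fromhex("".join(frames))

if __name__ == "__main__":
    for key, call_list in demux_speech(SAMPLE_LINES).items():
        for i, frames in enumerate(call_list):
            print(call_filename(key, i), assemble(frames).hex())
```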

TETRA-Kit Screenshot

OpenEar Updated to Version 1.6

The RTL-SDR compatible multi-mode digital decoder OpenEar has recently been updated to version 1.6. The latest version currently supports the decoding of FM/AM, TETRA, DMR, Pocsag and ADS-B. New features include a zoomable waterfall and other GUI and functionality improvements. The changelog reads:

6/4/2020
version 1.6.0
- saving last settings
- waterfall
- zoom on spectrum and waterfall with mouse wheel
- better list placement (pocsag & ads-b)
- wav(I/Q) loading (only 1024000 Sample/sec)
- voice volume & mute button
- spectrum range and offset
- rtl gain and correction (ppm)
- top menu
- frequency list
- some DMR improvement on SYNC detection
- solved center frequency issue (DC problem)
- and a few other UI improvements

OpenEar Version 1.6

OpenEar Now Supports TETRA, DMR, POCSAG, ADS-B

Back in March we posted about "OpenEar", a newly released Windows TETRA decoder for RTL-SDR dongles. Back then the author "moneriomaa" noted that he planned to add several new modes. In the release that is currently available, OpenEar supports TETRA, DMR, Pocsag and ADS-B as well as standard AM and NFM modes. We tested the software, and all modes appear to decode as advertised. In the future the author plans to add more modes such as MPT-1327 and AERO.

In the previous post we added an update noting that OpenEar appeared to be violating the GPL licence of OsmocomTETRA, and the author noted that he would remove the TETRA functionality until licencing was resolved. As TETRA decoding is back in the recent releases we assume these legal issues have been solved.

In the current release you also need to provide your own rtlsdr.dll file, which can be obtained from your SDR# folder, or directly from the Osmocom windows release (rename librtlsdr.dll to rtlsdr.dll).

Latest OpenEar Version

OpenEar: An Easy to Use Windows TETRA Voice Decoder

A new TETRA voice decoder called "OpenEar" has just been released. The program is a standalone Windows app that directly connects to an RTL-SDR. Decoding a TETRA voice signal is as simple as opening the program, tuning to the TETRA frequency and clicking on the signal. With good signal strength voice comes through very clearly. CPU usage on our PC is also minimal.

The program source is currently not available, as the author notes that he only intends to release it as open source in the future once the project is completed; right now this is only the first early release. Right now the program is just an .exe with a few .dlls. You'll need to first install the Microsoft Visual C++ Redistributable Package linked in the Git readme. Just in case, we virus scanned the exe and tested the program in Sandboxie. It appears to be clean, and it works as intended.

In the future the author hopes to support many more protocols such as DMR, MPT1327, ACARS, AIR, GSM and more. In order to support his work he is asking for Bitcoin donations, and the donations link can be found on the Git readme.

UPDATE 1: If you're getting missing DLL errors and you already installed the Visual C++ Redistributable, try downloading the missing DLLs from dll-files.com. There should only be about 5 missing.

UPDATE 2: As pointed out in the comments by Steve M. from Osmocom, this software may be in violation of several GPL licences as no source code has been released and it appears to rely on GPL code and libraries. Please take this into account.

UPDATE 3: As per update 2, the author has decided to temporarily disable the TETRA functionality pending a rewrite of the code, which he expects to complete within one to two months. Instead he has added DMR decoding.

OpenEar TETRA Voice Decoder Screenshot

SDR# TETRA Plugin Now Available At RTL-SDR.RU

Vasilli has recently released the SDR# TETRA plugin on his website RTL-SDR.RU (note that the site is in Russian, but can be translated with the Google Translate option in the top right of the page). Previously it was only available via ever-changing forum links, so it's good to see that the latest version now has a permanent home. This plugin allows you to listen to TETRA digital voice via SDR#, without needing to set up the complicated GNU Radio based receivers that were necessary in the past.

The features include (note: translated from Russian):

  • Receiving a signal from the BS in a 25kHz band with Pi/4-DQPSK modulation;
  • Automatic adjustment of the reception frequency;
  • Displays information about the BS;
  • Displays ISSI and GSSI of subscribers in the channels (for open channels only);
  • Displays the service exchange of the network (for open channels only);
  • Allows you to listen to the channels with manual or automatic mode selection (open channels only);
  • Allows filtering and assigning listening priority to specified groups (GSSI);
  • Displays messages with location (short message format only)

The features not yet implemented are:

  • Listening to and correctly displaying any encoded information in a network;
  • Display of SDS type 4 (short messages);
  • Recording audio from the channels (menu added, but does not work yet);

We also note that as discussed in a previous post there is a companion program for this plugin called TETRA Trunk Tracker.

SDR# TETRA Decoder Plugin