Encryption Vulnerability Uncovered in Police and Military Radios

Two years ago, a team of researchers in the Netherlands uncovered a deliberate backdoor in an encryption algorithm used in radios that critical infrastructure, police, and military forces worldwide rely on. The backdoor exposed all communications secured by the algorithm to potential eavesdropping.
In 2023, the issue was publicly disclosed, prompting the European Telecommunications Standards Institute (ETSI) to advise the use of enhanced end-to-end encryption to protect sensitive communications. However, further investigation revealed vulnerabilities in this recommended encryption as well, making it equally susceptible to breaches. The compromised algorithm compresses a 128-bit key to 56 bits, which makes it easier to crack. Questions remain about how widely this insecure implementation is used and whether its users are aware of it.
The end-to-end encryption in question is costly to deploy and is used prominently by law enforcement and military personnel who need an additional layer of security. Although ETSI originally advised using this system to compensate for weaknesses in the existing encryption, how broadly it has been applied is not confirmed.
Security firm Midnight Blue discovered the vulnerabilities in the TETRA (Terrestrial Trunked Radio) algorithms, which have been integral to European radio standards since the 1990s and are used broadly in radio systems made by Motorola, Damm, and Sepura, among others. The research was disclosed at the Black Hat security conference.
ETSI clarifies that the end-to-end encryption for TETRA-based radios was developed not by ETSI but by the security group of The Critical Communications Association (TCCA). Brian Murgatroyd, an ETSI spokesperson, explained that these systems were intended for government groups, on the assumption that they have distinct security requirements.
TETRA-based radios serve a majority of global police forces, though ETSI says that alternative ways of securing end-to-end communication are encouraged. Each encryption algorithm, from TEA1 to TEA4, is tailored to different security needs and market constraints.
Of grave concern is TEA1's key reduction from 80 bits to 32 bits, which can be cracked in under a minute. Parallel vulnerabilities in the E2EE scheme showed that reduced key lengths create the potential for fraudulent interception of communications.
Murgatroyd noted that radio firms and customers must navigate export controls that affect which encryption options are available, indicating that the choice of encryption algorithm depends on how a system is customized. Results from the study are restricted by non-disclosure agreements, leaving many users unaware of possible risks.
Heavy reliance on TETRA radios by military and security services calls for stringent encryption, yet questions remain about how widely the weaknesses are known. As Murgatroyd suggests, national security agencies might not grasp the full capabilities of the encryption. Wetzels is skeptical that non-Western governments investing heavily in security infrastructure would deliberately choose less extensive encryption.