ETSI and TCCA: no TETRA ‘backdoor’

ETSI and TCCA have responded to research findings suggesting that inherent ‘security flaws’ exist within the TETRA standard.

The research was carried out by Dutch security consultancy Midnight Blue, who recently published a document under the name of TETRA:Burst. In it, the agency claimed to have found “five vulnerabilities, two of which are deemed critical.”

According to Midnight Blue, the alleged vulnerabilities were discovered via a process of reverse engineering and analysis of the TETRA Authentication (TAA1) and TETRA Encryption (TEA) algorithms.

Responding to the claims in a statement, ETSI and TCCA said: “With more than 120 countries using dedicated TETRA networks for mission- and business-critical communications, we continually evaluate our standards and procedures – with input from members of industry – to ensure the TETRA standard remains robust in the face of evolving threats.

“ETSI has an ongoing programme of maintenance to ensure standards remain fit for purpose in an evolving security landscape. Work on enhancing the TETRA standard was in progress before the researchers discussed their findings with ETSI.

“Revised standards were released in October 2022. As with all technology standards, work continues to support the standards implementation in the market.”

The statement continued that the TETRA security standards have been specified in conjunction with national security agencies, having also been “designed for and subject to export control regulations which determine the strength of the encryption.”

These regulations, the organisations said, apply to “all available encryption technologies. As the designer of the TETRA security algorithms, ETSI does not consider that this constitutes a ‘backdoor’.”

While refuting aspects of the report, ETSI said that it welcomed research efforts to strengthen standards. “We are pleased that this research affirmed the overall strength of the TETRA standard,” it said, “finding no weaknesses in the TEA2 and TEA3 algorithms following extensive analysis.”

The organisation did admit however that the research uncovered “some general areas for improvement in the TETRA protocol, as well as weaknesses in the TEA1 algorithm, which is classified for general use.”

These, the statement continued, have been addressed or are in the process of being addressed, for instance in the form of software patches from TETRA providers and migration to a new algorithm set.

The ETSI and TCCA statement can be read in full here.