HMF Smart Solutions GmbH, as a German provider and manufacturer of mission-critical communication solutions, hereby gives notice of the findings of a Dutch security consultancy published on 24 July 2023. They describe possible vulnerabilities in the encryption algorithms of the TETRA air interface and the authentication process.

As these findings concern the TETRA standard encryption algorithms (and not the vendor software), which are part of the ETSI standard used by the entire TETRA industry, ETSI has assumed the publication and recommended countermeasures for the vulnerabilities. For more information, please visit the European Telecommunications Standards Institute (ETSI) website.

The investigation result “CVE-2022-24400”  describes a potential vulnerability in the authentication procedure. It is important to note that the vulnerabilities were investigated in a laboratory environment and that it is unlikely that they could occur in a real environment outside of very specific conditions. We share the BSI’s assessment here that CVE-2022-24400 poses a low threat from a practical perspective. The remedy for this problem must be made in the radios. HMF will provide a patch for the TETRA infrastructure ACCESSNET®-T IP for PV 11.5x as additional security. Regarding the provision of patches for TETRA radios supplied by HMF Smart Solutions, please contact HMF Service.

“CVE-2022-24401” describes an attack scenario in which a TETRA radio is attacked by a so-called man-in-the-middle attack in order to introduce forged messages into the communication. To do this, a TETRA base station is to be simulated, the communication from the real TETRA base station is to be intercepted, modified and retransmitted to the TETRA radio under attack. Successfully carried out attacks of this kind outside the laboratory have not been reported. This attack scenario can only be prevented in the TETRA radio. Regarding the provision of patches for TETRA radios supplied by HMF Smart Solutions, please contact HMF Service.

“CVE-2022-24402” describes a reduction of the cryptographic key length within the TEA1 algorithm. Incorrectly, this is referred to in some media as the “backdoor of ETSI”. What is correct is that the algorithm, at the time it was specified, was subject to the restrictions of the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies. This was signed by 33 countries in Vienna on 12 May 1996. In general, alternative encryption algorithms are available, e.g. TEA3 as well as the recently published TEA SET B algorithms. For possible migrations to alternative algorithms, please contact the HMF service department.

The last finding mentioned, “CVE-2022-24403”, describes a vulnerability that allows obfuscated subscriber identities registered to a base station to be decrypted by listening to that TETRA base station’s control channel. From this, it would be possible to deduce which radio subscribers are registered in a base station, i. e. which are expected to be geographically in the coverage area where the base station emits the strongest signal (best server). The new TEA Set B algorithms provide a remedy here. HMF Smart Solutions is working at full speed to make these available for ACCESSNET®-T IP in a timely manner.

The investigation confirmed the general strength of the TETRA standard and found no weaknesses in the TEA2 and TEA3 algorithms. There is also no known case where the cryptographic key length (reduced compared to TEA2 and TEA3) of TEA1 has already been exploited. IMPORTANT: The results presented in the report do not lead to the disclosure of encryption or authentication keys. 

A blanket, generally valid assessment of the vulnerabilities cannot be made. Instead, these must always be considered in the context of the threat analysis and an individual risk analysis and assessment must be carried out. We will be happy to support you in this classification and advise you individually. Naturally, this advice is free of charge. Please do not hesitate to get in touch with the HMF Service department or your sales contact.