In brief: Dutch researchers have uncovered a decades-old, deliberately placed backdoor in an encrypted radio communications system called TETRA (Terrestrial Trunked Radio). The intentional but covert security breach has remained a secret since the 1990s because the platform is utilized in various critical infrastructure applications, including pipelines, railways, the electric grid, mass transit, and freight trains.
Research group Midnight Blue noted that a similar backdoor exists in radio technology used by several government entities, including police forces, prison personnel, military, intelligence agencies, and emergency services. The white hats found five backdoors in total throughout variants of the TETRA system.
The vulnerabilities could allow bad actors to snoop on voice and data communications and learn how an infrastructure operates, then send commands to do anything from causing power grid blackouts to rerouting trains. Malicious individuals or groups could also use the broken encryption to send bogus information and orders to law enforcement or military personnel.
While these security holes primarily affect European systems, such as the C2000 used in the Netherlands by first responders and the Ministry of Defense, Wired notes that at least two dozen critical infrastructures and organizations use TETRA radios in the United States, including a US Army training base. Other areas that use the radio standard are a mass transit system on the East Coast, border control, an oil refinery, more than one chemical plant, and several utility companies. Three international airports in the US are confirmed to use TETRA radios for ground personnel and security.
Vendors of TETRA radios, some of which are sold exclusively to law enforcement, have known about these backdoors for years but kept the algorithms highly guarded for security reasons. A few OEMs listed were Motorola, Damm, and Hytera.
The irony of it all is almost comical on a couple of levels. The first is the mentality of protecting a system to keep it secure, knowing it is inherently insecure. The second is that it is widely used by police and other law enforcement agencies, which are well known for requesting companies to place backdoors into consumer devices so they can break into them more easily when "needed."
The FBI has repeatedly asked companies, including Apple, to backdoor their devices. The Bureau even sued Apple after it refused but dropped the case after cracking the iPhone in question through a third party. Maybe now government agencies will realize why it's such a big deal, but don't hold your breath.
The researchers withheld full details of the group of vulnerabilities, which they dubbed "TETRA:Burst," until radio manufacturers can get them mitigated. This task is easier said than done. The research group initially discovered the holes in 2021, but some systems are not easily patched. It is unknown which vendors have fixed their systems. It is also unclear if anyone has used the backdoors. Midnight Blue promised to release more technical details on August 9.