So it doesn’t impact Law Enforcement, Military or Critical Infrastructure… But they were gagged for a year and a half from even mentioning the flaws and either can’t release a Proof of Concept, or refuse to due to the “Potential for Abuse.” All because these flaws really don’t affect anyone, and aren’t a big deal… Your logic seems sound.
@RECESSIM I work with a guy who administers the Tetra system here in Germany. He checked if the system is affected and it isn't. As I said, it uses a second layer of protection, and so do many more countries. Did the radio you used have a SIM card for protection?
@RECESSIM TEA1 is the "export version" which was made dumb enough to be exported to any country regardless of export restrictions. You can buy a TEA1 network from any vendor right now, granted that you have your local radio operator qualification if required by law. TEA2, on the other hand, has some extra tricks up its sleeve. The WIRED article and a few Twitter threads I read all pointed out that the 32-bit TEA1 was popped, and let's be real, that's the one you are sending to countries you don't exactly like in a political sense. It's not a secret that the TEA1 system is so massively dumbed down that there have been tools to listen in on it for 20-something years. When it comes to TEA2, the additional layers of physical security and location-based administration with a chain of trust make it more resilient. You'd also need to get all the keys for the active base station, even the ones not being transmitted, to actually fully monitor the whole group of handsets. But I'm sure someone will eventually come up with a way to spoof themselves as an authorized network node, just like Active Directory has had a way to add a rogue node for the last 15 years.
@drcyb3r The SIM card is not for protection 😂😂, it is for convenience... so that you can transfer your network privileges using the SIM card to another radio if yours fails. TETRA is for deliveries and truckers to upgrade from terrible analog trunking. But GSM killed TETRA's plans (industry doesn't buy stupid performance-lacking stuff), so the only customers are governments (they use our money and are out of control, so no problem 😂). Military personnel using TETRA is as ridiculous as them using GSM (they do).
@jplacido9999 The SIM card is definitely used for protection. It stores keys used for an extra layer of protection. Without it, BOS Tetra devices (here in Germany) are unable to connect to the network at all. Also, the ID of the card is used to define which groups that Tetra device is allowed to use and which privileges it has. If you lock the card, you also can't connect to the network anymore. I kind of work in that industry, so I know a bit about it.
We never learn, do we. Obfuscation is NEVER the way to protect encryption. Open code and peer review is the only way, and as the narrator pointed out, it's not just check and forget, it needs continuous scrutiny. Good video, thank you. 🙂
re: "We never learn, do we." Wasted bandwidth comment; TETRA, an early system, was not capable of greater encryption b/c of the limited microprocessors available. Everyone has amnesia, or anachronistic fallacy, and assumes what we can do TODAY we could do 25 years ago (in 1998). So there is that.
As far as I am concerned, ANYTHING used in the public domain (radios, cameras, SPEED CAMERAS), if they are used against the public, then ANY/ALL code and schematics MUST be in the public domain.
This pretty much means that everyone and their uncle (who haven't yet hacked Tetra) will now be doing it. Most hobbyists and researchers probably can't but this has now shown all the ways in which TETRA is broken and where determined entities should go looking. There are many well funded and determined entities in this world.
All this to bother some coppers, meanwhile Hunter Biden's laptop, which is totally unencrypted, is shrouded in mystery. What is the point of destroying the law enforcement system while those at the top remain untouchable? You will never achieve anything with this other than helping some criminals and hackers screw up an investigation.
A TETRA-based local Rakel system is used by police in Sweden. When they launched it, it was expensive and complicated and had problems at the roll-out, like the signal would suddenly just get lost, and a lot of policemen didn't like it to begin with, but the benefit was going to be that at least it was digital encryption. Even customs and the military (for certain things, obviously they have higher standards) use Rakel, which is derived from TETRA. It's gonna be costly and a hassle to change... I mean in the military there are already other systems, but for the rest, not cheap; but on the other hand, until back then you could just listen in on police radio if you got your hands on a police radio, and it wasn't the whole world, and also the TETRA-based system was supposed to be phased out in 2027-2028, so they already have some idea what to replace it with, they'll just do it faster than initially planned.
Actually this group did an enormous amount of research over 2 years, and their responsible disclosure plan and ethical disclosure plan should serve as a more or less very good template for others to follow. 20 years this has been in use, and it controls vital infrastructure including train switching, so the fact that this group in Amsterdam has finally found these very awful implementation glitches in at least two of the levels of encryption on Tetra has probably saved lives. In addition, there was something off about the most extreme level of encryption, but they weren't mathematics experts; without question something seemed really wrong, and so they put it out there for the encryption experts and the mathematicians to have a look at...
If you don't tip-toe through life, take risks, you may miss some of the other people's discoveries which may appear after you die ... prematurely (or even timely) ... and that's a major downer for curious people. I guess the way to win in life is to rise above all wants, including curiosity - a want for information.
I would say it's just common sense for researchers. For one, you're dealing with algorithms implemented in microcode and often dependent on hardware. This is not like your CI/CD: deploy the fix and you're on prod in the next few minutes. Secondly, you have all the governments adding their pressure.
@BobbyBike Read "This Is How They Tell Me the World Ends" and you may become as cynical as I am. Now that it's out there, lots of people are probably reproducing their work anyway. Security through obscurity doesn't work.
Can anyone show me a working Spectre or Meltdown that can extract data from a process running by different user? In other words, a real example and not a prepared environment
I guess this means somebody could make a police scanner that works again since the switch away from analog. Just a matter of getting the right software to go with an SDR receiver.
Check out the OP25 project, the BoatBod version I used with a Raspberry Pi and an RTL-SDR a while back to listen to unencrypted trunked radio in North Texas.
lol. Here is a conspiracy theory for you: radio manufacturers leaked this vulnerability in order for everyone to discard old radios and buy new generation radios from them.
If that was true Motorola would have responded to Wired’s request for comment with the replacement part numbers everyone should purchase 😂 instead of not responding at all.
Working in radio electronics and closely following the industry and its users, I can say that the idea of implementing TETRA for critical uses is both misleading and dangerous. First, users who believe they are completely safe often neglect good practices in radio communication, such as avoiding the use of names, locations, etc., which exposes data even more. Second, TETRA is already outdated; it was innovative 25-30 years ago when it was first designed, but compared to 4G, 5G, and other modern technologies, it is inferior in most respects. Third, it is extremely expensive and vulnerable. In the event of an attack, TETRA repeaters are easy to locate, and there are far fewer of them compared to mobile networks. TETRA repeaters also lack the extensive territorial coverage of today's mobile networks. The radio terminals are costly (10+ times more than analog, and at least twice as expensive as DMR), they generally cannot switch to analog networks, and without repeaters, they are essentially useless. I genuinely fear that in a real critical situation, TETRA would be the first network to fail, leaving the old analog network and satellite communications to maintain the backbone of communication.
When I think of TETRA I think of municipal-grade crypto like the one in MotoTRBO or something like that. P25 is the one selected for DoD and federal level of protection in North America. I don't even think you are allowed to buy TETRA if you're a federal agency, because it's European. People have been trying to break AES256 for a long time; I don't think it's quantum resistant though.
The 100+ countries using it for police/military would tend to disagree with you, along with all the manufacturers selling it to them. Seems you might be right though!
"Selected"? Sure, with Moto holding the feds' hands 😄. Despite being a TETRA and P25 manufacturer, Moto always fought against the introduction of TETRA in the US to ensure the market supremacy of P25. TETRA deployment is quite limited in the US, with perhaps the largest in NJ Transit, but I wonder whether they use TEA1 or TEA3 (the export version of the more secure algorithm). I am guessing TEA1 is used.
@LD-vl7cu TETRA radios are cheap, a completely different product line with no guarantees of any type of actual security standard. I think you'll find that there are no TETRA subscriber units with any kind of FIPS rating to begin with, and draw the rest of your conclusions from there.
@mk12pickle "I think you'll find that there are no TETRA subscriber units with any kind of FIPS rating to begin with, and draw the rest of your conclusions from there." That's because TETRA is a European standard and the US government wants all their agencies to use their own standard, P25, instead. They're not going to be certifying competing technologies when they don't want agencies using them.
If I could ever tell you list all the things that I've had to go through and the things that have happened to my life they're both beautiful and tragic
It hasn't been hacked. It's now theoretically closer. There's still a part of it that no one can figure out yet, meaning that it still has close to 32-bit encryption left.
The potential for abuse is actually a valid point, since TETRA is used for emergency services and it really could cause harm to civilians if people start doing DDoS/spam attacks against it.
What fixes that is upgrading a vulnerable system. What drives the upgrade is the NEED to upgrade because of issues. No PoC, no upgrade… Just vulnerable systems waiting around for serious attacks.
@RECESSIM I think it's more worrying that the Google algorithm plucked this video out of millions and thought it might be interesting to me. We're talking about a decade ago at this point.
Will see ya in heaven, rest in peace, we will miss ya 😢 Some friends can never be forgotten; he was one of our rare club of elites, had a hard life... that stood up in the many. Will miss ya forever, hope you smile and find peace now.
I've just got into 'listening' to video cables via SDR radio software called Tempest. It's crazy! My antenna is in no way tuned (I am building one as I speak) I can only pick my own video signals at the moment but it's madness you can allegedly (according to a comment on here (I know!!! 😆) pick up signals from up to 200ft with a properly tuned Yagi antenna 🤞🏼🤞🏼
Video cables? HDMI? Or are you talking about coax? If so, yeah, they all transmit on certain frequencies and we can tune in. With a Yagi you increase your receive range. Any time cable TV develops a leak it's been known to cause all kinds of problems because it's usually on or near a frequency used by other services. I can take you to an area in remote East Texas where a strong signal is on a 2 meter ham frequency. It's not a problem because no hams live near there, otherwise it would have been fixed years ago if a complaint was filed. But I was told a local cable TV company is the culprit.
@BeatboxNorwich Years ago, I assumed all video and USB cables were shielded. Wrong I was! Not many are! I found this out making some cables for my ham radio. All radio cables are shielded. So that explained why many times electronics act crazy around transmitters. Every wire is resonant at a specific frequency depending on its length. Any metal actually. As much RF as I have floating around my ham shack, I'm very lucky I don't have more problems! =]
I do agree, a TETRA PoC would be abused; imagine everyone simulating base stations with a few-hundred-dollar HackRF, spamming police with TETRA text messages.
You're like listening to a lawyer, only I'm not facing any trouble! Thank you, I needed that! BTW I don't know a thing about hacking, but.... I guess it's for some people!
@RECESSIM It will not, if it took 30+ years to discover and patch them; and this is not the only case: OpenSSH, then the Intel and AMD Spectre bugs, all of them discovered too late if there was a zero-day bug or virus. And then there are not a lot of open-source developers that will do this for free; you're repeating a myth that is not true. Hackers work for companies that post bounties to check for these bugs in their systems. Nothing is free.
I think this is such a big legacy system that you shouldn't leak the implementation. Just letting people know it's possible will tip off motivated criminals. I think a delay makes sense tbh.
Regarding Tetra, once people know the roughest of details, it will be repeated by someone who isn't getting paid under an NDA. Only a matter of time before a public proof of concept will be out.
They don't need to release it to the wild, they just need to release it to the manufacturers. What is this fucked-up fallacy you're implying if they don't release their proof of concept? The manufacturer can purchase it if it's for sale, or get it for free if they're doing it to help everyone.
I don’t care if manufacturers have it and/or fix it. I care that the vulnerable systems in the wild are fixed, something they generally won’t do unless it’s widely known it’s easy to hack and code exists to do it freely.
Love the channel!
The dude at google is TAVIS, not Travis.
en.wikipedia.org/wiki/Tavis_Ormandy
Yeah, it’s a common error. I think people confuse his name with Travis Goodspeed.
Thanks for the correction, I should have caught it when I saw the Twitter handle was Tavis 🤦🏽
Password doesn't matter if you mistyped the username.
Clever.
Great info, but get rid of the music.
Our police and emergency services are still using unencrypted tetra. When the dude who found this 'feature' a few years ago told them the data can be easily sniffed and extracted, they arrested him.
How dare you tell us there's a flaw in our system!
@poisonouspotato1 freedom of speech, baby.
@NeverGiveUpYo Arrest this man and subpoena his medical records and search history!!!
As an engineer with SDR industry experience I think it's 100% plausible that software would be licensed and incorporated without anyone reading any of the source code. That seems to be standard practice for anything classified or under an NDA, but in the case of open software, it's a safe bet that there just isn't enough time for programmers to be doing "fun side projects" like learning about the code they're incorporating. The backlog is too big and the whole software team is already on mandatory OT.
Or you'll be in a board room and hear something like, "It's a P25 bug, not our firmware. [competitor's] handheld has the same problem. Nobody knows how to fix it. The customer doesn't care, they just want GPS to work. " There's no spirit of excellence when it comes to licensing third-party software. Costs too much.
I'm kinda curious if any of the flaws are shared with P25. I realize it is a different standard, but if the manufacturers were lazy enough to throw TETRA out in that state, there may have been some copy-pasta going on when engineering P25.
@D3M3NT3Dstrang3r I wish I'd gotten a look at the source, maybe I could have told you! :D
"I think it's 100% plausible that software would be licensed and incorporated without anyone reading any of the source code"
As a consumer of video games in 2023 YOU THINK SO?!?!?
Look at Diablo 4... Copy pasting code from a 20+ year old game. This is a Triple A studio btw.. not some indie devs... A triple A studio being bought by Microsoft no less...
Love that summary, "no spirit of excellence". Truly applicable in many corners of the tech sphere today.
I don't think the dudes here know that AES256 is available for the P25 product nowadays. That used to be the function of an add-on module that was TMS320 based in the EF Johnson radios for instance ... and that was back in the 2006 time frame.
I was one of the people applauding at the beginning of the video. Bravo!
It's been +10 years since I've used a tetra/sine radio. Not surprised it's been unsafe since implementation.. Government loves spending money claiming 'uncompromiseable'.
If anything they bought some time - used to be completely open on analog.
The belief that the new radios were safe increases the likelihood it'll be used for more critical communication. I wonder what has been given away..
This implementation of TETRA is not used in the UK by the gov. The system used in the UK uses the more secure TEA2 encryption and is Airwave encoded. It's also already on the way out the door.
They used to have analog radio scrambling
@noname-wo9yy I broke that while in HS in the 1970s using a Knight Kit sig gen and a Hallicrafters SW SSB-capable radio ... 'speech inversion' was the technical name; inverted audio, selecting the opposite sideband was the effect. That was then sent via FM to the other radios.
@uploadJ Yeah, not saying it was amazing. You could make out some words over the air. MASC was a pretty good one they used in the 80s and 90s. It's literally mandated that stores have to send any second-hand radios with it to police.
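The speech-inversion scrambling described in the comment above (mixing the audio with a carrier so the spectrum comes out upside down, then recovering it by picking the opposite sideband) modelled in code, as an added example that was not posted by any commenter here. It shows the one property that makes the scheme trivially breakable: the scrambler is its own inverse and involves no key, so whoever has the mixer has the descrambler. The 8 kHz sample rate, the (-1)^n mixer (a discrete-time stand-in for the analog inversion carrier, here equivalent to a 4 kHz carrier), the test tones and the Goertzel-based spectrum check are all constructed assumptions, not the commenter's hardware setup.

```python
import math

FS_HZ = 8000     # assumed sample rate for the toy model (telephone-band audio)
N_SAMPLES = 800  # 100 ms of audio; gives 10 Hz bin spacing for the analysis below


def invert_spectrum(samples):
    """Frequency-inversion scrambler.

    Multiplying sample n by (-1)^n is the same as mixing with a carrier at
    FS_HZ/2 (4 kHz here): a component at f Hz lands at FS_HZ/2 - f Hz, so the
    300-3400 Hz voice band comes out as 600-3700 Hz, upside down.
    Applying it twice multiplies by (-1)^(2n) = 1, so the function is its own
    inverse: the descrambler is the scrambler, and there is no key.
    """
    return [-s if n & 1 else s for n, s in enumerate(samples)]


def make_tone(freq_hz, fs_hz=FS_HZ, n_samples=N_SAMPLES):
    """Constructed test input: a pure tone standing in for a voice formant."""
    return [math.sin(2.0 * math.pi * freq_hz * n / fs_hz) for n in range(n_samples)]


def goertzel_power(samples, freq_hz, fs_hz=FS_HZ):
    """Power in a single DFT bin (Goertzel algorithm), so no numpy is needed."""
    n = len(samples)
    k = int(round(n * freq_hz / fs_hz))   # nearest bin index
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev, s_prev2 = 0.0, 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2


def dominant_frequency(samples, fs_hz=FS_HZ, step_hz=100):
    """Coarse spectrum scan: the frequency (on a step_hz grid) with the most power."""
    best_f, best_p = 0, -1.0
    for f in range(0, fs_hz // 2 + 1, step_hz):
        p = goertzel_power(samples, f, fs_hz)
        if p > best_p:
            best_f, best_p = f, p
    return best_f


def scramble_roundtrip(freq_hz):
    """Return (clear, scrambled, descrambled) dominant frequencies for a test tone."""
    clear = make_tone(freq_hz)
    scrambled = invert_spectrum(clear)
    descrambled = invert_spectrum(scrambled)   # same operation again, nothing secret needed
    assert descrambled == clear                 # exact: (-1)^n applied twice is the identity
    return (dominant_frequency(clear),
            dominant_frequency(scrambled),
            dominant_frequency(descrambled))


if __name__ == "__main__":
    for f in (1000, 3000):
        print(f"{f} Hz tone -> clear/scrambled/descrambled:", scramble_roundtrip(f))
```

A 1000 Hz tone comes out of the scrambler at 3000 Hz and a 3000 Hz tone at 1000 Hz; running the scrambled audio through the same multiply restores the original samples bit-for-bit. That is the whole attack: a receiver that performs the same inversion (in analog terms, tuning the opposite sideband) hears the clear audio, which is why this kind of scrambling counts as obfuscation rather than encryption.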
Three issues regarding TETRA:BURST... First, the researchers live in Europe, and there may be significant legal entanglements that they would face if they released PoC code prematurely. Second, this is a structural flaw with the TEA1 Cipher. The other TEA2, 3, and 4 ciphers are licensed differently. This is a design flaw, not a patch. They need an entirely new encryption system. That brings me to my third point: phasing in that new encryption scheme means updating all the radios, the base-stations, and all other infrastructure. It's like upgrading from 4G to 5G. Essentially, the TETRA users need to replace their entire systems.
I wish this were as simple as patching the microcode in a processor on your desk. But that's NOT what's going on here.
Thanks for taking the time to comment
TETRA is heavily regulated here.
I'm a (voluntary, not full-time) firefighter here in Germany, and as such have had training on TETRA handsets as part of my radio certification.
Anything that's not openly accessible is a state secret (that includes TETRA encryption), and as such can come with harsh fines.
TETRA stations, if disturbed, alarm the Gebirgsjäger (basically, they're the military police), and they are (as far as I know) authorized to use lethal force without prior warning.
Safe to say TETRA is one hell of a hornet's nest to kick.
@vincentguttmann2231 That's why you release the PoC anonymously.
@paulie-g Do you think anonymity is that good? They know there are researchers looking into this, and they will subpoena their ass.
Remember, here in Germany the infrastructure is protected by military police, and they're allowed to use lethal force without warning. Do you really think that they wouldn't be able to unmask the "anonymous" publishers?
I'm involved with the fire service in Germany as well, and so the first thing I checked was whether we use the vulnerable encryption. Thankfully it's TEA2. So we can spend our money on something other than replacing radios yet again...
Thanks for bringing up Kevin. Following him through 2600 during the heyday was amazing. Another great video, Hash.
Yea, he was a really creative hacker. Glad you enjoyed the video!
The question is not whether communications can be decrypted, it is whether it can be done within a reasonable time. When Tetra was designed the algorithms needed to be simple enough for legitimate users to be able to communicate in real time while preventing casual eavesdropping by unauthorised third parties. The components needed to be cheap and capable of mass production while allowing for a “decent” level of security to prevent casual third party interception. Any radio communication is broadcast to everyone within reception range of the transmitter, so is inherently insecure.
The original TETRA project implementation in the UK (Airwaves) was carried out by O2 (BT Cellnet), under BT control (British Telecom). And in case you weren't aware BT has been doing UK government communications "projects" for a very long time. Which means that the UK government likely had full access to all the source code from day 1. In fact it was probably a mandatory requirement that they did for it to be rolled out. It was probably also a requirement that the encryption algos remained available to the 5 eyes network so they could snoop on everyone else's emergency services whenever they needed to
Loving this weekly RE news. Keep going Hash :)
RIP Kevin. The guy was a legend in every sense of the word.
Working in two way radio for many years I was shown a very simple device many years ago that could take down an entire Tetra network. Sadly people that specialise in computer and cryptography technology rarely understand the RF part. (I have seen this happen before with data over radio).
Breaking crypto is an intellectual challenge, however it may not the best way to intercept communications. If for instance your "target" is using a secure link just break it and force them onto another medium. Rather than intercepting my cell phone traffic just jam it and force me into using a conventional landline.
100% people get all bent out of shape over the wrong things. And they don’t get exactly what you said. The RF side, perhaps other data that is sent in the clear they can’t see, exploiting the system to fall back to no crypto, or just force the person onto a different tech that CAN be snooped.
This is why I think it’s important to drop the PoC’s so people can SEE the systems can be exploited EVEN IF they have XYZ unbreakable encryption blah blah blah.
This comment reminded me of the days when the POTUS aircraft were using a 'high security' algorithm to scramble phone calls, not realising that anyone with a communications receiver plus Human Ears and Brain, Mark 1.0, could decipher every word of it.
Hash, this format has made this the best channel on RUclips! I eagerly await each week for a new drop to hear what you have found and review it! Your woman sure dresses you nice!
Thanks a lot!
As far as PoC for TETRA goes: TETRA is a highly sensitive system, and at least here in Germany, all data that isn't publicly accessible is classified as a state secret when it comes to TETRA data.
Now, the researchers weren't from Germany, so legalities might differ, but I feel like legal issues are the major issue at play here.
Danke! I’m sure legal and vendor pressure was quite strong.
Germany uses TAE-2 encryption in their TETRA system for authorities and organizations with security tasks (BOS).
The Wikipedia page linked under the video states that the exploit was known since 2006 and TETRA was considered unsafe.
The code was not released for the TETRA vulnerability probably to give places that will upgrade time to do so. From a radio perspective, TETRA is the primary method of emergency communications used for a lot of places such as the entirety of the UK. There's probably serious and credible national security concerns about releasing that proof-of-concept code. Honestly my best guess is that we will NEVER see the original proof-of-concept for the TETRA vuln released publicly due to how critical that system is to the national defense of several major countries!!
"There's probably serious and credible national security concerns about releasing that proof-of-concept code" - more like being caught with pants down
There's a great presentation along these lines titled: "All cops are broadcasting: Obtaining the secret TETRA primitives after decades in the shadows" Weird it was recommended to me about 2 hrs before seeing this video.
Those security flaws don't have any impact on the kind of Tetra that is used by law enforcement or critical infrastructure. They use a different encryption (not TEA1) and they also have a second layer on top of that encryption which requires physical connection to a security chip (looks like a sim card). So it doesn't really have any impact on anything important. Also TEA1 is only one of four encryption variants used in Tetra and it is one of the two that are used by the public.
So it doesn’t impact Law Enforcement, Military or Critical Infrastructure… But they were gagged for a year and a half from even mentioning the flaws and either can’t release a Proof of Concept, or refuse to due to the “Potential for Abuse.”
All because these flaws really don’t affect anyone, and aren’t a big deal… Your logic seems sound.
@@RECESSIM I work with a guy who administrates the Tetra system here in Germany. He checked if the system is affected and it isn't. As I said it uses a second layer of protection and so do many more countries. Did the radio you used have a sim card for protection?
@@RECESSIM TEA1 is the "export version" which was made dumb enough to be exported to any country regardless of export restrictions. You can buy a TEA1 network from any vendor right now, granted that you have your local radio operator qualification if required by law. TEA2 on the other hand, has some extra tricks up its sleeves. The WIRED article and a few Twitter threads I read all pointed out that the 32-bit TEA1 was popped, and let's be real, that's the one you are sending to countries you don't exactly like in a political sense. It's not a secret that the TEA1 system is so massively dumbed down that there have been tools to listen into it for 20-something years.
When it comes to TEA2, the additional layers of physical security and location-based administration with a chain of trust make it more resilient. You'd also need to get all the keys for the active base station, even the ones not being transmitted, to actually fully monitor the whole group of handsets. But, I'm sure someone will eventually come up with a way to spoof themselves as an authorized network node, just like Active Directory has had a way to add a rogue node for the last 15 years.
@@drcyb3r The sim card is not for protection 😂😂 it's for convenience... so that you can transfer your network privileges using the sim card on another radio if yours fails.
TETRA is for deliveries and truckers to upgrade from terrible analog trunking.
But GSM killed TETRA plans (industry doesn't buy stupid performance-lacking stuff), so the only customers are governments (they use our money and are out of control, so no problem 😂).
Military personnel using TETRA is as ridiculous as them using GSM (they do).
@@jplacido9999 The sim card is definitely used for protection. It stores keys used for an extra layer of protection. Without it BOS Tetra devices (here in Germany) are unable to connect to the network at all. Also the ID of the card is used to define which groups that Tetra device is allowed to use and which privileges it has. If you lock the card, you also can't connect to the network anymore. I kind of work in that industry, so I know a bit about it.
A lot of companies and TLAs think that obfuscation is a valid replacement for encryption.
We never learn, do we.
Obfuscation is NEVER the way to protect encryption.
Open code and peer review is the only way, and as the narrator pointed out, it's not just check and forget, it needs continuous scrutiny.
Good video, thank you. 🙂
re: " We never learn, do we."
Wasted bandwidth comment; TETRA, an early system, was not capable of greater encryption b/c of the limited microprocessors available. Everyone has amnesia, or an anachronistic fallacy, and assumes what we can do TODAY we could do 25 years ago (in 1998). So there is that.
As far as I am concerned, ANYTHING used in the public domain (radios, cameras, SPEED CAMERAS), if they are used against the public, then ANY/ALL code and schematics MUST be in the public domain.
That's been kind of a problem across several of the new processor and microprocessor designs.
This pretty much means that everyone and their uncle (who haven't yet hacked Tetra) will now be doing it. Most hobbyists and researchers probably can't but this has now shown all the ways in which TETRA is broken and where determined entities should go looking. There are many well funded and determined entities in this world.
All this to bother some coppers, meanwhile Hunter Biden's laptop, which is totally unencrypted, is shrouded in mystery. What is the point of destroying the law enforcement system while those at the top remain untouchable? You will never achieve anything with this other than helping some criminals and hackers screw up an investigation.
A TETRA-based local Rakel system is used by police in Sweden. When they launched it, it was expensive and complicated and had problems at the roll-out, like the signal would suddenly just get lost, and a lot of policemen didn't like it to begin with, but the benefit was going to be that at least it was digital encryption. Even customs and the military (for certain things, obviously they have higher standards) use Rakel, which is derived from TETRA. It's gonna be costly and a hassle to change... I mean in the military there are already other systems, but for the rest, not cheap. But on the other hand, until back then you could just listen in on police radio if you got your hands on a police radio, and it wasn't the whole world, and also the TETRA-based system was supposed to be phased out in 2027-2028, so they already have some idea what to replace it with; they'll just do it faster than initially planned.
I can't go without my weekly news! Hope you have an awesome week ahead.
🙏 Hope you do too!
Dude, this show is AWESOME! you are an amazing presenter, and you actually know what you are talking about.
Thanks man! That’s a great compliment, glad you enjoy it!
I just assume that all hardware has multiple back doors. If you want security, design your own from the hardware down.
True, and even that is hard as Bunnie Huang has found.
It's not twitter anymore, it's "The Dumpster Fire Formerly Known As Twitter" now
😂
Actually this group did an enormous amount of research over 2 years, and their responsible disclosure plan and ethical disclosure plan should serve as a more or less very good template for others to follow. For 20 years this has been in use, and it controls vital infrastructure including train switching, so the fact that this group in Amsterdam has finally found these very awful implementation glitches in at least two of the levels of encryption on Tetra has probably saved lives. In addition, there was something off about the most extreme level of encryption, but they weren't mathematic experts; without question something seemed really wrong, and so they put it out there for the encryption experts and the mathematicians to have a look at...
Tetra has been primed for a popping since its inception. Glad someone finally showed what it is worth!
If you don't tip-toe through life, take risks, you may miss some of the other people's discoveries which may appear after you die ... prematurely (or even timely) ... and that's a major downer for curious people. I guess the way to win in life is to rise above all wants, including curiosity - a want for information.
Wonder if someone paid to get the POC delayed. I've heard it happens.
I didn’t want to call it out, but I’m sure there came some lucrative “pentesting” work for not sharing it.
I would say it's just a common sense of researchers.
For one, you're dealing with algorithms implemented in microcode and often dependent on hardware. This is not like your CI/CD, where you deploy the fix and you're on prod in the next few minutes.
Secondly you have all the governments adding their pressure.
@@BobbyBike Read "This Is How They Tell Me the World Ends" and you may become as cynical as I am. Now that it's out there, lots of people are probably reproducing their work anyway. Security through obscurity doesn't work.
Content good. Tie? Also, good. Is that suit wool? It must be.
Those cufflinks are fire! That tie clip is too.
Aww, I didn't hear that till now. Rest in Peace Kevin! Loved all of your books.
That's exactly the opposite of how I approach life
Can anyone show me a working Spectre or Meltdown that can extract data from a process running by different user? In other words, a real example and not a prepared environment
What!!!!!!!! Kevin Mitnick is dead and I’m just finding Out 👀👀👀WTF damnnn R.I.P🙏
I guess this means somebody could make a police scanner that works again since the switch away from analog. Just a matter of getting the right software to go with an SDR receiver.
Check out the OP25 project, the BoatBod version I used with a RaspberryPi and a RTL-SDR a while back to listen to unencrypted trunked radio in North Texas.
So you're saying you can listen to police? Trying to understand all this, help me out.
I'm sure you are sitting there in your suit top with no pants on... is all I could think through the video 😂
Security through obscurity 😆
@@RECESSIM Very well put, Sir!
You expect a radio to use a 4096 bit RSA key? That would take forever to transmit over the air.
lol. Here is a conspiracy theory for you: radio manufacturers leaked this vulnerability in order for everyone to discard old radios and buy new generation radios from them.
If that was true Motorola would have responded to Wired’s request for comment with the replacement part numbers everyone should purchase 😂 instead of not responding at all.
@@RECESSIM Well, of course, if they would respond, the conspiracy would no longer become a conspiracy. It would become too obvious then 😁
Keep up, the panic started in 2012 when schoolkids doing research noticed the flaws in Tetra and Dejan Ornig got prison time for blowing the whistle.
A new radio system has been slated for the UK since about 2012, but, delays have drawn out the cutover date to a few more years hence.
Working in radio electronics and closely following the industry and its users, I can say that the idea of implementing TETRA for critical uses is both misleading and dangerous. First, users who believe they are completely safe often neglect good practices in radio communication, such as avoiding the use of names, locations, etc., which exposes data even more. Second, TETRA is already outdated; it was innovative 25-30 years ago when it was first designed, but compared to 4G, 5G, and other modern technologies, it is inferior in most respects. Third, it is extremely expensive and vulnerable. In the event of an attack, TETRA repeaters are easy to locate, and there are far fewer of them compared to mobile networks. TETRA repeaters also lack the extensive territorial coverage of today's mobile networks. The radio terminals are costly (10+ times more than analog, and at least twice as expensive as DMR), they generally cannot switch to analog networks, and without repeaters, they are essentially useless. I genuinely fear that in a real critical situation, TETRA would be the first network to fail, leaving the old analog network and satellite communications to maintain the backbone of communication.
Agent Smith (from The Matrix) must be TETR-ified.
The sharpest-looking RUclipsr
👊🏽
You forgot to mention Intels latest leak. High number of server processors are subject to data leak through the processor itself!
When I think of TETRA I think of municipal-grade crypto like the one in MotoTRBO or something like that. P25 is the one selected for DoD and federal level of protection in North America. I don't even think you are allowed to buy TETRA if you're a federal agency, because it's European. People have been trying to break AES256 for a long time; I don't think it's quantum resistant though.
The 100+ countries using it for police/military would tend to disagree with you, along with all the manufacturers selling it to them. Seems you might be right though!
"Selected"? Sure, with Moto holding the feds' hands 😄. Despite being a TETRA and P25 manufacturer, Moto always fought against the introduction of TETRA in the US to ensure the market supremacy of P25. TETRA deployment is quite limited in the US, with perhaps the largest in NJ Transit, but I wonder whether they use TEA1 or TEA3 (the export version of the more secure algorithm). I am guessing TEA1 is used.
@LD-vl7cu TETRA radios are cheap, a completely different product line with no guarantees of any type of actual security standard. I think you'll find that there are no TETRA subscriber units with any kind of FIPS rating to begin with, and draw the rest of your conclusions from there.
@@mk12pickle "I think you'll find that there are no TETRA subscriber units with any kind of FIPS rating to begin with, and draw the rest of your conclusions from there." That's because TETRA is a European standard and the US government wants all their agencies to use their own standard, P25, instead. They're not going to be certifying competing technologies when they don't want agencies using them.
@@radiosification Yes precisely!
If I could ever tell you, list all the things that I've had to go through and the things that have happened in my life, they're both beautiful and tragic.
On the AMD FX series, H.265 encoding on ffmpeg performs better than on Intel gen 12. It's a very strange situation.
No way? What??
What I want to know is when are we getting software to decrypt TETRA? If it's not in the wild, nothing will change.
👆🏽 This guy gets it
Great presentation on very interesting subjects.
Thanks for including references for further reading.
Subscribed.
It hasn't been hacked. It's now theoretically closer. There's still a part of it that no one can figure out yet, meaning that it still has close to 32-bit encryption left.
The potential for abuse is actually a valid point since tetra is used for emergency services and it really could cause harm for civilians if people start doing ddos/spam attacks towards it
What fixes that is upgrading a vulnerable system. What drives the upgrade is the NEED to upgrade because of issues. No PoC, no upgrade… Just vulnerable systems waiting around for serious attacks.
This is like hearing a wall talk to you
Where you live? I wanna move to a place with sexy walls
Interesting. I signed a NDA so no further comment. Pretty sure it was on behalf of my old company that no longer exists, but sticking with no comment.
You’ve already said too much
@@RECESSIM I think it's more worrying that the Google algorithm plucked this video out of millions and thought it might be interesting to me. We're talking about a decade ago at this point.
Will see ya in heaven, rest in peace, we will miss ya 😢 Some friends can never be forgotten. He was one of our rare club of elites, had a hard life... that stood up in the many. Will miss ya forever, hope you smile and find peace now.
I've just got into 'listening' to video cables via SDR radio software called Tempest. It's crazy! My antenna is in no way tuned (I am building one as I speak). I can only pick up my own video signals at the moment, but it's madness: you can allegedly (according to a comment on here (I know!!! 😆)) pick up signals from up to 200ft with a properly tuned Yagi antenna 🤞🏼🤞🏼
Video cables? HDMI?
Or you talking about coax? If so yeah they all transmit on certain frequencies and we can tune in. With a yagi you increase your receive range.
Any time cable TV develops a leak it's been known to cause all kinds of problems, because it's usually on or near a frequency used by other services.
I can take you to an area in remote East Texas where a strong signal is on a 2 Meter Ham frequency. It's not a problem because no Hams live near there, otherwise it would have been fixed years ago if a complaint was filed. But I was told a local Cable TV company is the culprit.
I've picked up wifi networks over 6 miles from sea. Yagi antennas are great. Put a rifle scope on it and a bipod for better aiming. ;)
@@WW5RM It works on HDMI, VGA and also laptop screens, obvs the longer the cable the better. It's mad! Still haven't made my yagi but I'll get there!
@@BeatboxNorwich Years ago, I assumed all video and USB cables were shielded. Wrong I was! Not many are!
I found this out making some cables for my Ham radio. All radio cables are shielded. So that explained why many times electronics act crazy around transmitters.
Every wire is resonant at a specific frequency depending on its length. Any metal actually.
As much RF I have floating around my Ham Shack I'm very lucky I don't have more problems! =]
this video only autoplayed to let me know Kevin Mitnick is free from this world. RIP legend!
Thanking you from England
We have the exact same board and probably the exact same processor I would bet.
I do agree, a TETRA PoC would be abused. Imagine everyone simulating base stations with a few-hundred-dollar HackRF, spamming police with TETRA text messages.
Using closed source hardware and software for communication, that's basically malpractice if you're anything more important than a hot dog stand.
I used to smoke you a lot.
P.S. I had to sub because this channel is QI.
This is one of those videos that causes me to insta-sub a channel within 30 seconds.
Appreciate that!
Quote for the day: security by obscurity is stupidity!
Nice comment about Kevin. Thanks.
You're like listening to a lawyer, only I'm not facing any trouble! Thank you, I needed that! BTW I don't know a thing about hacking, but.... I guess it's for some people!
It’s like climbing a digital mountain… Exciting, hard, fraught with peril, and BADASS when you get to the top 😁
This is why it is irrelevant whether source code is open or closed if someone is proactively looking to hack the system.
No, if it’s open these issues are found immediately, or very quickly at the very least. Not 20+ years later
@@RECESSIM It will not, if it took 30+ years to discover and patch them; and this is not the only case: OpenSSH, then the Intel and AMD Spectre bugs, all of them discovered too late if there was a zero-day bug or virus. And then there are not a lot of open-source developers that will do this for free. You're repeating a myth that is not true; hackers work for companies that post bounties to check for these bugs in their systems. Nothing is free.
@@RECESSIM Heartbleed vulnerability in OpenSSL took 2 years to discover
RIP Kevin.
Thanks for the video 👍
I love TETRA!!!! It's so useful for me!!! I use it for authenticating my marine equipment when they arrive at destination to open the door!!! At bay!!!!
BTW what ever happened to anonymous? we could sure use a little of that in these times of woe and want?
Love this new series
I guess a lot of countries will switch sooner than thought to 5G for critical services.
Not sure... The walkie-talkie companies have a LOT of money and friends in high places...
5G is even worse than TETRA...😂😂😂😂
Flaw or feature? :)
one out of 4 used standards is grilled!
I think this is such a big legacy system that you shouldn't leak the implementation. Just letting people know it's possible will tip off motivated criminals. I think a delay makes sense tbh.
Already scanning with my sdr... ;)
7950x?
First Dan Kaminsky, then Mitnick... not good times.
There is only one system in the US that I know of that uses TETRA. It's mostly in Europe.
RF is mostly security by obscurity
HARRIS is top worst in my opinion, used to work for them back in the '80s in Florida.... am surprised they are still in operation.
Wow, I didn't expect that comment on HARRIS...can you elaborate without putting your life at risk ?
In the UK only the police use a TETRA network.
Regarding Tetra, once people know the roughest of details, it will be repeated by someone who isn't getting paid under an NDA. Only a matter of time before a public proof of concept will be out.
Look forward to helping them test it 😀
I’m all for watching companies who try to avoid upgrading their systems squirm
Discord invite is invalid
Anyone else confirm that? Works fine for me
@@RECESSIM Link in the description is working fine
This video would be so much better without the music. Its ever-repeating 10 seconds annoy the heck out of me and are really distracting.
Very Nice I enjoyed that, Thanks $@)
Kevin was not a hacker, rather a sociosth. BTW cracking is bad, hacking is good, in the end.
Kenwood radios are not secure. Sure.
Never trust anyone that wears a suit or tie.
👆🏽 Generally speaking, this is solid advice 😁
Too bad here in the former colonies we don't see TETRA that much.
Awesome stuff. Thank you for this.
They don't need to release it to the wild, they just need to release it to the manufacturers. What is this fak up fallacy you're implying if they don't release their proof of concept?
The manufacturer can purchase it if it's for sale, or get it for free if they're doing it to help everyone.
I don’t care if manufacturers have it and/or fix it. I care that the vulnerable systems in the wild are fixed, something they generally won’t do unless it’s widely known it’s easy to hack and code exists to do it freely.
Never trust a guy in a suit ;-)
👆🏽 This is not bad advice 😈
@@RECESSIM I knew you would agree 🙂
TetrA UP's
Revenge engineering
nice cheers
This is a misleading title.
It was hacked and according to Wikipedia it’s used in over 100 countries. Don’t know what else I could have called it.
Export laws - this is a design feature.
Naff title
Blimey!
@@RECESSIM That's one way to get on the do not recommend list!
Tetra HA HA HA
Russian spies dislike this