If you’ve been quietly chasing cryptographic bugs in a proprietary police radio system since 2021 and have to wait until the second half of 2023 to make your research public, how do you deal with disclosure?
Perhaps you will, as researchers at a boutique Dutch cyber security consultancy do Midnight Blue Done: Assemble a world tour of conference presentations in the US, Germany, Denmark (Black Hat, Usenix, DEF CON, CCC, ISC) and turn your findings into a BWAIN.
The word BWAIN, if you haven’t seen it before, is an acronym for our own joke A bug with a catchy nameUsually with its own logo, PR-friendly website and custom domain name.
(An infamous BWAIN, named after the legendary musical instrument Orpheus’ lyre, even had a theme tune, albeit played on a ukulele.)
Introducing TETRA:BURST
The research is named TETRA:BURST, with the letter “A” looking like a broken radio transmission mast.
Tetra, if you haven’t heard of it before, is short for it Terrestrial trunked radioActually Trans-European Trunked RadioWidely used (outside North America, at least) by law enforcement, emergency services, and some commercial organizations.
Tetra Naked Security has previously featured when a Slovenian student received a criminal conviction for hacking the Tetra network in his home country after it was decided that his vulnerability reports were not taken seriously enough:
Trunked radio requires fewer base stations and has a longer range than mobile phone networks, helping in remote areas, and it supports point-to-point and broadcast communications, desirable when coordinating law enforcement or rescue operations.
The Tetra system was standardized in 1995, when the cryptographic world was very different.
At the time, cryptographic tools including DES, RC4 ciphers, and the MD5 message digest algorithm were still in widespread use, although all are now considered dangerously insecure.
DES was deprecated in the early 2000s because it uses encryption keys that are only 56 bits long.
Modern computers are fast enough and cheap enough that determined cryptocrackers can try everything possible 256 Different keys (known as A Brutal assaultfor obvious reasons) against intercepted messages.
RC4, which was supposed to turn input data with recognizable patterns (even a text string of the same character repeating itself over and over) into random digital shredded cabbage, was found to have significant anomalies.
These can be used to winkle out the plaintext input by performing a statistical analysis of the ciphertext output.
MD5 to generate a pseudorandom 16-byte Message digest From any input file, thus generating unforgettable fingerprints for files of any size, it also turned out to be a bug.
Attackers can easily trick the algorithm into changing the same fingerprint for two different files, which negates its value as a tamper-detection tool.
End-to-end encryption for personal online transactions is something we now take for granted on the web, thanks to secure HTTP (based on HTTPS and TLS, for short). Transport layer security), was new and unusual in 1995.
Transaction-based protection relies on a newer network-level protocol known as Secure Sockets Layer (SSL).Secure sockets layer), is now considered insecure enough that you’ll struggle to find it in use anywhere online.
Like the 1995 party
Unlike DES, RC4, MD5, SSL, and friends, TETRA’s 1995 encryption remains in widespread use today, but has received little research attention for two main reasons.
First, although it is used around the world, it is not an everyday service that pops up into all of our lives the way that mobile telephones and web commerce do.
Second, the underlying encryption algorithms are proprietary, protected as trade secrets under strict non-disclosure agreements (NDAs), and are therefore patent-free and lack the same level of public mathematical scrutiny as open-source encryption algorithms.
In contrast, cryptosystems such as AES (which replaced DES), SHA-256 (which replaced MD5), ChaCha20 (which replaced RC4), and various iterations of TLS (which replaced SSL) have all been analyzed, dissected, debated, hacked, and attacked over the years. Kerckoff’s principle.
Auguste Kerkhof was a Dutch-born linguist who ended up as a professor of German in Paris.
He published a pair of seminal papers in the 1880s under the name Military cryptographyHe suggested that no cryptographic system should ever rely on what we are just referring to Security through obscurity.
Simply put, if you want to keep the algorithm secret, the decryption key for each message, you’re in big trouble.
Your enemies will eventually, inevitably, catch on to that algorithm…
…and unlike decryption keys that can be changed at will, you’re stuck with the algorithm that uses those keys.
Use NDAs for commerce, not crypto
Commercial NDAs are not specifically intended to protect cryptographic secrets, especially for successful products that end up with more partners signed up under the NDA.
There are four obvious problems here, namely:
- More and more people are officially getting a chance to find exploitable bugs, They will never disclose if they stick to the spirit of their NDA.
- As more and more vendors get the chance to leak algorithms, If either of them violates their NDA by accident or design. As Benjamin Franklin, one of America’s best-known and best-known scientists, said, “If two of them die, three can keep the secret.”.
- Sooner or later, someone will see the algorithm legally without binding an NDA. That person is free to disclose the NDA without breaking its letter and trampling on its spirit if it happens to agree with Kerkhof’s principle.
- Someone not covered by the NDA will eventually discover the algorithm through surveillance. Interestingly, if that’s the right word, cryptographic reverse engineers can confirm that their analysis is correct by comparing the nature of their alleged implementation to the real thing. Even small inconsistencies can result in very different cryptographic outputs if the algorithm mixes, minces, shreds, diffuses, and scrambles its input in a sufficiently artificial manner.
The Dutch researchers in this story took the latter approach, legally acquiring a set of Tetra devices and figuring out how they worked without using any NDA-protected information.
Apparently, they found five vulnerabilities that will end up with CVE numbers starting in 2022 because of the time Tetra is involved in contacting vendors on how to fix the issues: CVE-2022-24400 until CVE-2022-24404 including
Obviously, they are now guarding the full details for maximum PR effect and their first public paper is scheduled for 2023-08-09 at the Black Hat 2023 conference in Las Vegas, USA.
what to do
The prior information provided by the researchers is sufficient to remind them that three cryptographic rules must be followed immediately:
- Do not violate Kerckhoff’s principle. Use NDAs or other legal tools to protect your intellectual property or try to maximize your licensing fees. But never use a “trade secret” in hopes of improving cryptographic security. Stick to algorithms that are more reliable than those that have survived serious public scrutiny.
- Don’t rely on data you can’t verify. CVE-2022-24401 relates to how Tetra base stations and handsets agree to encrypt each transmission. This means you can’t predict the keys to unscramble old data even if you’ve already intercepted it, or the keys to snooping on it in real time in the future. Tetra sets up its key based on timestamps transmitted by the base station, so a properly programmed base station should never repeat previous encryption keys. But there is no data authentication process to prevent a rogue base station from sending fake timestamps, thereby tricking the targeted handset into re-using keystream data from yesterday, or pre-leaking the keystream it will use tomorrow.
- Don’t build in back doors or other deliberate weaknesses. CVE-2022-24402 contains a deliberate security degradation trick that can be enabled on TETRA devices using commercial-grade encryption code (not applicable to devices officially purchased for law enforcement or first response use). This exploit replaces 80-bit encryption, where snoopers need to try 280 Different decryption keys in a brute-force attack, to 32-bit encryption. Since DES was deprecated 20 years before 56-bit encryption was used, you can bet that 32-bit keys will be much smaller in 2023.
Fortunately, CVE-2022-24401 appears to have already been canceled with firmware updates (assuming users applied them).
As for the rest of the damage…
… Full details and mitigations will have to wait until the TETRA:BURST tour begins.