Encryption Backdoor in Military/Police Radios

I wrote about this in 2023. Here’s the story:

Three Dutch security analysts discovered the vulnerabilities­—five in total—­in a European radio standard called TETRA (Terrestrial Trunked Radio), which is used in radios made by Motorola, Damm, Hytera, and others. The standard has been used in radios since the ’90s, but the flaws remained unknown because encryption algorithms used in TETRA were kept secret until now.

There’s new news:

In 2023, Carlo Meijer, Wouter Bokslag, and Jos Wetzels of security firm Midnight Blue, based in the Netherlands, discovered vulnerabilities in encryption algorithms that are part of a European radio standard created by ETSI called TETRA (Terrestrial Trunked Radio), which has been baked into radio systems made by Motorola, Damm, Sepura, and others since the ’90s. The flaws remained unknown publicly until their disclosure, because ETSI refused for decades to let anyone examine the proprietary algorithms.

[…]

But now the same researchers have found that at least one implementation of the end-to-end encryption solution endorsed by ETSI has a similar issue that makes it equally vulnerable to eavesdropping. The encryption algorithm used for the device they examined starts with a 128-bit key, but this gets compressed to 56 bits before it encrypts traffic, making it easier to crack. It’s not clear who is using this implementation of the end-to-end encryption algorithm, nor if anyone using devices with the end-to-end encryption is aware of the security vulnerability in them.

[…]

The end-to-end encryption the researchers examined recently is designed to run on top of TETRA encryption algorithms.

The researchers found the issue with the end-to-end encryption (E2EE) only after extracting and reverse-engineering the E2EE algorithm used in a radio made by Sepura.

These seem to be deliberately implemented backdoors.

Tags: , , , ,

Posted on August 26, 2025 at 7:06 AM14 Comments

Comments

TimH August 26, 2025 10:46 AM

Sadly, the gov reaction is likely to making reverse-engineering proprietary encryption algos illegal, under trade secret or copyright excuse.

Peter A. August 26, 2025 10:51 AM

There are several “levels” of standardized encryption algorithms in TETRA, and the higher levels are just not sold to some “inferior” nations or agencies. This is deliberate insecurity engineering.

Joseph Kanowitz August 26, 2025 12:12 PM

ב”ה, does the INTC-USG merger create opportunity for an “iPhone Xi” product to Apple Wallet smart passports and associated runtime-modified software?

Joseph Kanowitz August 26, 2025 3:00 PM

ב”ה, no obvious legal barrier to National Guard handing out DoD cash directly in an evidence-based crime prevention technique. It is a shame persons of Jewish heritage are left out as usual, if true.

This may have bearing on Lisa Cook’s inertia.

Joseph Kanowitz August 26, 2025 3:05 PM

ב”ה, from this perspective, DC and Chicago martial law become tax refunds for those too busy or marginalized to have filed or recognized their entire income including immediate contributions on their behalf to tourism.

Joseph Kanowitz August 26, 2025 3:07 PM

ב”ה, does DoD have enough forensic accountants on staff for this workload or will it be a real world test of “AI”?

Anonymous August 26, 2025 3:50 PM

@lurker

Nice link to more Midnight Blue research.

In their FAQ for Sepura device vulnerabilities, they say two CVEs are scheduled to be patched, but an unassigned vuln is “deemed by Sepura to be a design decision and as such, shall not be fixed.”

They say this key exfiltration vuln cannot be patched due to architectural limitations. How do you deal with that?

(These three vulns are specifically related to Sepura’s particular Embedded E2EE solution, right?)

lurker August 26, 2025 5:06 PM

@Anonymous, ALL

“deemed by Sepura to be a design decision and as such, shall not be fixed.”
“… cannot be patched due to architectural limitations.”

I read this as a proper fix will require a new, better handset, and Sepura have made a management decision to not impose that on their customers. I long ago made a management decision to stay away from people like that.

Note that exploitation requires, even briefly, physical access, so some people may describe that device as lost or stolen and block its access to their network (if possible). But those device owners seem to have a more basic security failure.

Clive Robinson August 26, 2025 7:06 PM

@ Bruce,

The original driver behind weak crypto in ETSI was the French Government Agencies as I’ve mentioned before.

The idea of “compressing keys” comes from William Friedman and later the NSA in military “field ciphers” and got taken to extraordinary lengths in the design of Clipper / Capstone.

Originally the idea was to have relatively few “strong keys” and mostly “weak keys”. The keys used by allied troops were centrally issued by the NSA through administration levels to the various command levels.

Behind this was the realisation that,

Weak keys in field ciphers were back then not an issue. Because by the time they were broken the information was not just “stale” but probably known to the adversary by physical circumstances.

Further if as was very likely if a mechanical field cipher was captured by a “less sophisticated adversary”it would be used by them directly or copied with little or no change. Further the tricks in the design that made strong keys was deliberately not obvious and any changes would end up weakening all keys.

The actual realisation behind the weak key idea being that an inexperienced adversary who copies the then mechanical system would end up up by random selection using the weak keys 80% or more of the time. Thus the decrypt people would break the adversaries messages quickly.

However in addition the British had developed two separate techniques to significantly amplify these breaks to make attacking even strong keys very much easier.

Firstly they built a card index database with as much information as possible to build up “probable plaintext” as “cribs”. But this was not just based on broken messages, it was based on Traffic Analysis and similar techniques including semi/public information like “officer / promotion” lists and transfers…

Traffic analysis often gave near immediate “actionable intelligence” without having to know the plain text of the encrypted message.

At one point for the British they found other tricks became possible. For instance some “messages” like ‘weather and warning’ messages ‘to all ships’ were identical in several different cipher systems. One of the weakest of which was the “Dockyard Cipher”. Thus breaking this gave a “probable plaintext” for all the other cipher systems thus assisting in key recovery thus breaking of other much higher value ciphers.

Thus the idea of “weak keys” in the “key space” became a standard technique for SigInt agencies to inflict on others.

Involved with this was a German Company Siemens and a Dutch company Philips. Likewise two UK companies ITT and Plessey PLC and ITT Ltd as was. All involved with making fully electronic cipher systems and the chips that went inside them.

It’s known that the CIA significantly influanced Siemens and the NSA Phillips, with GCHQ influencing the British based companies. The usual trick was to “ease export licencing”…

So I would personally assume anything that comes via this sort of organisation without full and cerifiable open documentation is at best questionable.

Anything with a “French Vote” or “technical input” will from French law be hamstrung in some way as a matter of policy.

So anything from European entities such as ETSI, Cen-CenElec, GSMA, 3GPP and the new “private standards groups” for ICT are almost certainly going to have “weak key” or similar built in “for export” and that weakness can be turned on remotely almost certainly.

The big problem of course is non of the managment side will use Post-Quantum encryption and these products will have upto a half century product life at least.

But then I’ve said all of this for quite a period of time now, especially to do with “smart grids”.

But note whilst “End to End Encryption”(E2EE) can be secure…

There are certain requirements you must do first. The big one I’ve mentioned repeatedly is ensuring you get your “end points” correct.

If your “communications end point” is beyond your “encryption/privacy/security end points” then an adversary can simply do an “end run attack” around the E2EE or disable it.

Further if an adversary can run software etc on the user side beyond the endpoints then they can do user/client side scanning” of all plaintext.

To mittigate these potential vulnerabilities you need strong “segregation”.

You don’t get “strong segregation” in consumer or commercial communications equipment “by design” perhaps it’s well past time people started asking awkward questions about this…

Clive Robinson August 26, 2025 7:37 PM

@ Bruce, ALL,

Something else you might want to have a sniff around.

I’ve mentioned when talking about the UK “Online Safety Act”(OSA) that it’s doomed to fail because of gaps in the verification chain.

The two major ones veing,

1, Between biologic and sensor.
2, Between Sensor and processing.

Whilst there is little or nothing currently that can realistically be done about the first.

The second is starting to appear in theory to stop “CSAM” being produced.

Most are aware of the yellow dots from printers that embed a serial number and other information using a variation of last centuries “Digital Rights Management”(DRM) techniques based on “Low Probability of Intercept”(LPI) techniques.

Well… It appears there is a push to get the existing gap closed in that it will be actually built into the sensor chip. Look on it like “rifling marks on bullets” for photos and other images.

It’s been said that the push will come under “AI-Safety” systems that will be pushed on alleged idea it will protect people etc from “Deep-Fakes”…

Expect Deep-Fake-AI to be used like “think of the children” as a way to stop arguments against heavy handed universal surveillance.

In the UK we’ve already seen a UK “no-nothing Minister” accuse people who are against OSA of being alined / on the side of pushers of the worst of p0rn and CSAM producers/products.

The man (Peter Kyle MP) is clearly not fit to hold the post he does and should be dismissed. The fact he has not tells a story about who is actually behind the idea of Universal Surveillance.

https://www.bbc.co.uk/news/articles/cgery3eeqzxo

“Minister Peter Kyle claims that by opposing online safety laws the Reform UK leader is siding with sex offenders.”

Based on the behaviour of past moralistic tub thumping politicians, one has to ask,

“When is Peter Kyle MP or his cronies going to get caught with their pants down?”

Ismar August 27, 2025 1:51 AM

So it would only be fair for the device manufacturers to pay Midnight Blue researcher costs incurred during the reverse engineering and analysis of the vulnerabilities and maybe even have them pen test their products from now on?

ResearcherZero August 28, 2025 3:36 AM

Sni5Gect framework for targeted pre-authentication 5G communication interception.

‘https://asset-group.github.io/Sni5Gect-5GNR-sniffing-and-exploitation/#/

Message sniffing (up/down) and injection in real-time via a novel downgrade attack, due to lack of encryption during messaging between user equipment and base station. The targeted device can also be fingerprinted, or the modem of the device can be crashed.
https://isc.sans.edu/diary/32202

Vik S August 30, 2025 9:37 PM

@Clive Robinson,ALL • re your:August 26, 2025 7:06 PM

…”if an adversary can run software etc on the user side beyond the endpoints then they can do user/client side scanning of all plaintext.”…

and

…”perhaps it’s well past time people started asking awkward questions about this”…

No doubt man. You are discribing nearly every divice on the planet lately.

Try convincing your friends to run their encryption inside an seif cage, beyond the endpoint, before uploading them to their phone for transmission. Easy maybe…

But ya, I stopped believing in Santa too.
We are pawns without rights.

Leave a comment

Blog moderation policy

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.