Interception of TETRA radio
SUMMARY
In this write-up we cover the interception and demodulation of unencrypted TETRA radio signals in the 380 - 430 MHz band, using HackRF One hardware and SDR# software. OpenEar SDR is also mentioned, although it has not been investigated in depth because it does not support HackRF One (it only supports RTL-SDR hardware).
Regarding encrypted TETRA, we will have a look at TETRA:BURST, a collection of five vulnerabilities disclosed in 2023, including a theoretical backdoor affecting the TEA1 cryptographic algorithm.
KEYWORDS
TETRA, ETSI, HackRF One, SDR#, OpenEar, TETRA:BURST.
REFERENCES
https://www.rfwireless-world.com/Terminology/TETRA-vs-TETRA2.html
https://www.cryptomuseum.com/crypto/algo/tea/index.htm
https://www.cryptomuseum.com/crypto/algo/taa/index.htm
https://www.rtl-sdr.com/sdrsharp-plugins/
https://archive.org/details/SDRSharp_Collection
https://www.itu.int/rec/T-REC-E.212/en
https://www.etsi.org/deliver/etsi_en/300300_300399/30039202/03.08.01_60/en_30039202v030801p.pdf
https://www.etsi.org/deliver/etsi_en/300300_300399/30039207/03.05.01_60/en_30039207v030501p.pdf
https://www.youtube.com/watch?v=1dVJCExTqQ0
https://drive.google.com/file/d/1IJsPDXn678yKm8GZs7u0MMTtX95zrPtx/edit
https://cs.ru.nl/~cmeijer/publications/All_cops_are_broadcasting_TETRA_under_scrutiny.pdf
https://www.midnightblue.nl/research/tetraburst
https://github.com/MidnightBlueLabs/TETRA_crypto
INTRODUCTION
What is TETRA
TErrestrial Trunked Radio (TETRA) is a digital radio standard defined by ETSI (the European Telecommunications Standards Institute) in the mid-1990s. It is used in more than 100 countries, mainly in Europe, for voice and data communications by civil services such as police, fire fighting, emergency services and transportation, as well as for industrial machine-to-machine communications.
The main TETRA features to highlight are:
It works at relatively low frequencies and therefore relies on a network infrastructure separate from public mobile telephone networks. Low frequencies also give wider geographic coverage with fewer base stations.
It can work in network mode or in direct terminal-to-terminal mode.
It works in duplex or semi-duplex modes.
It supports a wide variety of terminals, such as handheld devices (similar to smartphones), walkie-talkies and devices for vehicles or base stations.
How TETRA works
TETRA uses the 380 - 430 MHz band, with four duplex channels and a carrier spacing of 25 kHz. Channel access is managed by a TDMA (Time-Division Multiple Access) scheme: the bandwidth is dynamically allocated (trunked) into discrete time slots assigned to each channel. This way users share the carrier sequentially without interfering with each other, which increases spectrum efficiency.
At a network level, TETRA provides four interfaces:
Air interface. For authentication in the network.
TEI (Terminal Equipment Interface). Between equipment and terminals.
ISI (Inter-System Interface). Interconnects TETRA networks.
DMO (Direct Mode Operation). For direct terminal-to-terminal operation.
Regarding data transmission speeds, the maximum transfer rate is 7.2 kbps for voice+data and 36 kbps for data only. In 2020, a new version, TETRA2, was released, capable of reaching up to 691.2 kbps thanks to 64-QAM modulation and new channel bandwidths (50 kHz, 100 kHz and 150 kHz).
Security
TETRA uses two main cryptographic suites: the TEA (TETRA Encryption Algorithm) suite and the TAA1 (TETRA Authentication Algorithm) suite.
TEA (TETRA Encryption Algorithm). This suite is responsible for Air Interface Encryption (AIE), securing and encrypting the data transmitted over the air. The TEA suite consists of several 80-bit stream ciphers, each designed for different use cases and security levels. TEA1 and TEA4 are intended for commercial use and restricted-export scenarios; TEA2 is reserved for civil and emergency services in Europe, and TEA3 is similar to TEA2 but for non-European countries. In 2022, additional algorithms (TEA5, TEA6 and TEA7) were introduced for future protection against quantum attacks.
TAA1 (TETRA Authentication Algorithm). This suite is responsible for authentication and key distribution, ensuring that only authorized devices can access the network and that secure keys are distributed for encryption. During the authentication process, the 80-bit private keys are negotiated.
In addition, End-to-End Encryption (E2EE) solutions can be deployed on top of AIE, encrypting the data at the source and decrypting it at the destination.
SIGNAL TRACKING
Antenna calculation
For the signal interception we will use an ANT-500 antenna and a HackRF One connected to a laptop USB port in HackRF mode.
To calculate the antenna length we use the built-in Mayhem application. It turns out that the optimum length for an ANT-500 working in the 390 MHz band is one element.
SDR# with TETRA plugin
TETRA demodulation is supported in SDR# by means of a dedicated x86 plugin. To use it we need the x86 version of SDR#, so that the application and the plugin are compatible. In this case we will use version 1784 x86.
To install the plugin, extract both plugin files, SDRSharp.Tetra.dll and tetraVoiceDec.dll, into the SDR# root folder. Then open the file Plugins.xml and add the magic line that registers the plugin.
This is the Plugins.xml file after modification (version 1784 x86).
Open SDR# and verify that the plugin is successfully installed.
Once everything is ready, we can start capturing signals.
To hear the audio, choose the output audio device and, in the radio settings, select WFM (wide FM). Then tune to a frequency in the 390 MHz band and select a 32 kHz bandwidth.
If there is a TETRA signal nearby you will see spikes in the audio spectrum. When a call is intercepted, the demodulator indicates which of the four channels is active. Tick the demodulator checkbox to activate it and click on the desired channel to hear the audio.
The demodulator plugin supplies the following information about the signal:
MCC (Mobile Country Code). A three-digit code that identifies the country of the mobile subscriber as per ITU-T E.212.
MNC (Mobile Network Code). A two or three-digit code that identifies the specific mobile network within that country.
LA (Location Area). Used in TETRA networks to manage the location of mobile devices.
Color Code. A code to ensure that transmissions on a given channel are only received by the intended endpoints and prevent cross calls.
Shortly after, we receive a reply to this call on channel 3.
By navigating to Network Info → Current Cell we find additional information about the cell, decoded from the digital TETRA messages.
I found explanations for most of these fields in the TETRA Air Interface protocol specification and in the TETRA Security specification.
System Code. Indicates if the system is a Voice + Data system or is in Direct Mode transmission.
Main Carrier. Carrier frequency as per channel allocation table.
Cipher Key. Identification for the key in use.
Air Interface Encryption. Indicates if encryption is available in the cell.
Authentication Required On Cell. Self-explanatory. Cells broadcast this information so the mobile stations know whether they can select the cell or not. For example, a mobile station that does not support authentication should not select a cell that broadcasts this parameter as 0.
Security Class Supported. These flags indicate whether the cell supports security class 1, or security class 2 or 3 (the two flags are mutually exclusive). The security specification describes what each security class consists of.
In the tab Network Info → Neighbour Cell, we find similar info about neighboring cells.
In any case, by listening to the demodulated audio we should be able to determine whether the call is encrypted or not: encrypted calls sound garbled and unintelligible.
OpenEar
Another SDR tool that should provide a quick win in demodulating TETRA signals is OpenEar, which in version 1.70 provides native support for TETRA signals. It has not been tested here, though, since it is designed for RTL-SDR and does not support HackRF One.
TETRA:BURST
Midnight Blue is a group of researchers who, since 2021, have managed to reverse-engineer the TAA1 and TEA algorithms. The results of their investigation were published in a white paper, and the vulnerabilities found were disclosed as a set of five CVEs called TETRA:BURST. The researchers have also published the reverse-engineered C source code on GitHub.
CVE-2022-24400. The Derived Cipher Key (DCK) parameter used in authentication can be set to 0. This may lead to loss of authenticity and partial loss of confidentiality. It can be remediated by upgrading to TEA2.
CVE-2022-24401. The Initialization Vector (IV) used in Air Interface Encryption is based on network time, which is publicly broadcast in an unauthenticated manner. This allows for oracle attacks. The vulnerability is remediated by installing a firmware upgrade.
CVE-2022-24402. The TEA1 algorithm reduces the original 80-bit key to a 32-bit key, a size that is trivially brute-forceable on consumer hardware in minutes. ETSI responded to this CVE indicating that it is not really a vulnerability but a design choice needed to comply with export-control regulations. This is remediated by adding E2EE on top of TEA1.
CVE-2022-24403. A vulnerability in the identity encryption function allows adversaries to encrypt or decrypt arbitrary identities. This vulnerability is remediated by adding E2EE on top of TEA1.
CVE-2022-24404. Lack of ciphertext authentication in AIE allows for malleability attacks. This can be remediated by installing a firmware upgrade.
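To make the malleability issue behind CVE-2022-24404 concrete, here is an added example (not code from the write-up nor from Midnight Blue's repository) that models AIE as a plain stream cipher with the IV taken from network time, and then the same construction with an integrity tag. The keystream generator is a toy stand-in built on HMAC-SHA256, not TEA; the key, MAC key, network-time value and messages are all constructed for the demonstration.

```python
import hmac
import hashlib

TAG_LEN = 8  # bytes of authentication tag appended in the hardened variant

# Toy keystream generator standing in for a TETRA TEA cipher (not the real algorithm):
# HMAC-SHA256 in counter mode under an 80-bit (10-byte) key and a 32-bit IV.
def keystream(key: bytes, iv: int, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv.to_bytes(4, "big") + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def flip(data: bytes, offset: int, mask: int) -> bytes:  # one byte altered in transit
    return data[:offset] + bytes([data[offset] ^ mask]) + data[offset + 1:]

# Unauthenticated AIE as the write-up describes it: data XOR keystream, IV from network time, no tag.
def aie_crypt(key: bytes, network_time: int, data: bytes) -> bytes:
    return xor(data, keystream(key, network_time, len(data)))  # XOR is its own inverse

# Hardened form: encrypt-then-MAC over (IV, ciphertext); frames with a bad tag are dropped.
def tag_for(mac_key: bytes, network_time: int, ct: bytes) -> bytes:
    return hmac.new(mac_key, network_time.to_bytes(4, "big") + ct, hashlib.sha256).digest()[:TAG_LEN]

def aie_encrypt_auth(key: bytes, mac_key: bytes, network_time: int, pt: bytes) -> bytes:
    ct = aie_crypt(key, network_time, pt)
    return ct + tag_for(mac_key, network_time, ct)

def aie_decrypt_auth(key: bytes, mac_key: bytes, network_time: int, frame: bytes):
    ct, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    if not hmac.compare_digest(tag, tag_for(mac_key, network_time, ct)):
        return None  # integrity failure: frame rejected before decryption
    return aie_crypt(key, network_time, ct)

def demo():
    key = bytes.fromhex("00112233445566778899")  # constructed 80-bit key
    mac_key = b"constructed-mac-key"
    t = 0x0001E240                                # constructed network-time value used as IV
    pt = b"UNIT 7 PROCEED TO SITE"
    ct = aie_crypt(key, t, pt)
    # Without ciphertext authentication a flipped ciphertext byte decrypts to a plaintext with
    # the same byte flipped, and the receiver has no way to notice.
    malleable = aie_crypt(key, t, flip(ct, 5, 0x0E))  # b"UNIT 9 PROCEED TO SITE"
    # With the tag, the same flip is detected and the frame is dropped.
    rejected = aie_decrypt_auth(key, mac_key, t, flip(aie_encrypt_auth(key, mac_key, t, pt), 5, 0x0E))
    return malleable, rejected
```

The first return value shows why a firmware fix that authenticates ciphertext matters: the unauthenticated receiver accepts a silently altered message, while the authenticated one returns None and never hands it to the voice or data layer.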
WRAPPING UP
We have been able to install and configure a platform based on our HackRF One to intercept TETRA radio signals, and to demodulate and listen to unencrypted calls. Regarding encrypted signals, we have investigated the TETRA:BURST set of vulnerabilities; it has been demonstrated that by exploiting them TEA1 keys can be cracked.