ETSI dismisses claims of ‘backdoor’ vulnerabilities in TETRA standard

ETSI is pushing back against claims of major vulnerabilities in its Terrestrial Trunked Radio (TETRA) standard and said work had already begun working on enhancing the standard before researchers revealed a series of vulnerabilities.

In a statement, the European Telecommunications Standards Institute (ETSI) also said there is an ongoing maintenance program to ensure standards remain sound in an evolving security landscape.

This led to revised standards for TETRA being released in October 2022. “To adapt to technology innovations and potential cybersecurity attacks, including from quantum computers, the ETSI technical committee TCCE has completed work on new algorithms designed to secure TETRA networks,” the standards body said in a statement. Two new specifications, ETSI TS 100 392-7 and ETSI TS 100 396-6, were developed by TCCE with experts from ETSI’s quantum safe cryptography group.

Researchers from Midnight Blue this week disclosed a series of backdoor vulnerabilities in TETRA that allow communications to be intercepted and monitored by reducing 80-bit keys to a more breakable 32 bits. They will discuss their findings in greater detail in a talk at Black Hat USA next month.

Where Is the Backdoor?

Midnight Blue founding partner Wouter Bokslag says the term backdoor in CVE-2022-24402 was justified and believes there are lots of different parties affected by this backdoor.

For its part, ETSI dismissed this claim and said it doesn’t constitute a backdoor. Bokslag countered with Wikipedia’s definition: a covert method of bypassing normal authentication or encryption. Intentional weakening without informing the public seems like the definition of a backdoor, he adds.

To read the complete article, visit Dark Reading.