TETRA Encryption Vulnerabilities are Unlikely to be Attempted to be Exploited with Malicious Intent, according to DSB
Users of the Nødnett TETRA network in Norway, who use end-to-end encryption, have additional protection against the vulnerabilities that have been mapped.
In a statement on their website The Norwegian Directorate for Civil Protection (DSB) said that they are aware that vulnerabilities linked to algorithms in the TETRA technology have been uncovered. The Norwegian Public Safety Communications network, Nødnett, is built on TETRA and some of the mapped vulnerabilities are relevant to Nødnett.
TETRA has been developed to meet the needs for critical communication and is in use in many countries around the world, both by emergency services and in businesses with particularly high requirements for communication.
It is emphasized that no attacks on TETRA technology have been detected in operational networks. The vulnerabilities have been uncovered by consultants who have challenged the TETRA technology under controlled conditions in the laboratory.
DSB takes the findings seriously and has informed Nødnett users' operating organizations and other affected actors. Measures have been taken that will reduce or remove the vulnerabilities. The vulnerabilities can be largely removed by implementing new software for Nødnett radio terminals. DSB is aware that several of the manufacturers of radio terminals have developed or are in the process of developing new software. Users can contact their operating organization for further information on upgrade options.
Nødnett users who use end-to-end encryption have additional protection against the vulnerabilities that have been mapped.
DSB considers it unlikely that the vulnerabilities will be attempted to be exploited with malicious intent. In order to exploit the vulnerabilities, fake base stations must be put into operation and very good technical insight into the necessary systems is required.
If the vulnerabilities were nevertheless to be exploited, a consequence could be that users with radio terminals near a fake base station connect to it, and that they thus experience that they cannot communicate over Nødnett. It will not be possible for unauthorized persons to eavesdrop on conversations in Nødnett.
DSB said it believes Nødnett is safe for operational use. Efforts are made continuously to maintain good security in Nødnett. Updating equipment and software, both in the network and in connected equipment, is part of the daily work.