ETSI & TCCA Provide Statement on TETRA Security Algorithms Research Findings Publication
The research uncovered some general areas for improvement in the TETRA protocol, as well as weaknesses in the TEA1 algorithm, which is classified for general use.
The European Telecommunications Standards Institute (ETSI) and The Critical Communications Association (TCCA) are the proud authorities and custodians of the ETSI TETRA (Terrestrial Trunked Radio) technology standard, one of the world’s most secure and reliable radio communications standards.
With more than 120 countries using dedicated TETRA networks for mission- and business-critical communications, we continually evaluate our standards and procedures – with input from members of industry – to ensure the TETRA standard remains robust in the face of evolving threats.
ETSI has an ongoing programme of maintenance to ensure standards remain fit for purpose in an evolving security landscape. Work on enhancing the TETRA standard was in progress before the researchers discussed their findings with ETSI. Revised standards were released in October 2022. As with all technology standards, work continues to support the standards' implementation in the market.
The TETRA security standards have been specified together with national security agencies and are designed for and subject to export control regulations which determine the strength of the encryption. These regulations apply to all available encryption technologies. As the designer of the TETRA security algorithms, ETSI does not consider that this constitutes a “backdoor”.
ETSI welcomes research efforts that help strengthen standards. We are pleased that this research affirmed the overall strength of the TETRA standard, finding no weaknesses in the TEA2 and TEA3 algorithms following extensive analysis. The research uncovered some general areas for improvement in the TETRA protocol, as well as weaknesses in the TEA1 algorithm, which is classified for general use. These have been addressed or are in the process of being addressed as follows:
- Software patches from TETRA providers and migration to the new algorithm set (which includes TEA5, TEA6 and TEA7), released in October 2022, mitigate the potential to discover the identities of mobile radio terminals by intercepting control messages from base stations and the potential to compromise encrypted keystreams by posing as base stations.
- Use of end-to-end encryption mitigates a weakness in the TEA1 algorithm.
ETSI and TCCA are not at this time aware of any exploitations on operational networks. Together with the TETRA industry community, we continue to invest in and develop the ETSI TETRA standard so that it remains safe and resilient for the public safety, critical infrastructure and enterprise organisations that rely on it every day.