Tetra network security
Hello my fellow freaks, phreakers and hackers. It's nice to see you all here.
The question/discussion I'd like to address here is Tetra network security. Tetra is currently used, at least, in Holland, Finland, Hong Kong and Greece by police and public safety officials. The air interface is usually encrypted (TEA1, TEA2, TEA3 or TEA4) and it is possible to use end-to-end encryption (IDEA or the admin's choice). The encryption keys are stored in message centers, pretty much the way it is done in GSM networks.
Unlike GSM, Tetra encryption algorithms appear to be solid and, as far as is currently known, cannot be cracked by any means other than brute force. Which isn't that hard really, since the effective key length for most of the ciphers is 80 bits. Well, it is beyond a casual hacker, but not beyond the NSA or FAPSI. End-to-end encryption algorithms are even harder to crack if proper ones are used. However, since end-to-end keys are generated by the network, it is clear that the network itself seems to be the weakest link in the chain.
But there are others too.
For example, most TETRA devices are used with handsfree systems, usually wireless, usually Bluetooth. Anyone with any knowledge of Bluetooth knows that its security is very poor. Usually you can crack it open by simply guessing the default PIN of 1234 or 0000, but even if you don't have that there are ways to crack it open and listen to the handsfree system. Well, yes, you say, this isn't really a hack on the TETRA network but more like "going around the problem".
As I said earlier, the TETRA network's message centers are a gold mine for anyone trying to compromise TETRA security. If these centers are not protected with enough physical and EM protection, the entire network is insecure. Many times the physical protection is OK, but the EM protection isn't. For most hackers out there even the slightest EM protection (read: no open WLAN with open computers that have the encryption keys in plain text) is enough, but not for anyone seriously on the job. Even simple things like emissions to ground can be detected in many CCs.
There are also ways to get around the TETRA network by simply listening to the communications that go from one CC to another CC. Usually they go via microwave links, totally unencrypted. Yippee. Well, to listen to police radio this way you have to put up a mast or use a helium balloon to get to the link, but anyway it can be done.
Of course you can always just play really nasty and jam the whole thing. If they have proper antennas, then it's not very efficient, but if they are stuck with low-cost all-around-radiating antennas, the system can pretty easily be jammed off the air. This forces them to move back to analog radio systems, which can be eavesdropped on more easily.
Well, I don't want to tell you all the little secrets on how to listen to it; I'm kind of hoping for some more info about the subject myself too. For example:
- Are there any known problems with terminals that can be exploited? You know, sending in viruses to take them over etc.
- Are there any known exploits in the PRNGs that are usually used in the terminals and in the CCs? Any luck getting that effective key length from the 80-bit down to the 60-bit range?
- I haven't read a single paper describing any efficient attack against the TEA1 to TEA4 ciphers. Have you?
- Anything else viable?
A couple of short answers:
- Well, if the OS the terminal uses is, for example, Symbian version X, then of course it's vulnerable to the security holes in Symbian version X. I have no idea what OS the different "smart" terminals use, however; I guess it varies from vendor to vendor.
- Since the PRNGs used are not well documented (I guess trade secrets), it's almost impossible to say anything about them. But let's just say that getting "very" random numbers from any kind of computer, not to mention a small one, is extremely difficult.
My computer security & privacy related homepage: www.markusjansson.net
Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy.
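The post's two PRNG points (the question about getting the effective key length down from 80 bits, and the answer that good randomness is hard to get from a small computer) boil down to one idea: if the key generator is seeded with less entropy than the key is long, an attacker brute-forces the seed, not the key. The script below is an added example written for this page; it is not the post author's code and not TETRA's real key derivation or the TEA ciphers. The 32-bit LCG, the 16-bit seed, the SHA-256-based toy stream cipher and the "TETRA-HDR:" known plaintext are all constructed stand-ins, chosen so the search finishes in seconds.

```python
"""Added example (not from the original post): a weakly seeded PRNG behind
key generation shrinks the effective key length to the seed's entropy.

All components are constructed stand-ins for illustration, NOT TETRA's real
key generator or air-interface ciphers.
"""
import hashlib

SEED_BITS = 16   # assumed entropy actually fed into the generator
KEY_BYTES = 10   # 80-bit key, the length the post talks about


def weak_prng_key(seed: int, nbytes: int = KEY_BYTES) -> bytes:
    """Hypothetical weak generator: a 32-bit LCG seeded with little entropy.
    However many bytes it emits, only 2**SEED_BITS distinct keys can exist."""
    state = seed & 0xFFFFFFFF
    out = bytearray()
    for _ in range(nbytes):
        state = (1103515245 * state + 12345) & 0xFFFFFFFF
        out.append((state >> 16) & 0xFF)  # one output byte per step
    return bytes(out)


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in cipher: XOR with a SHA-256(key || counter) keystream."""
    stream = b""
    counter = 0
    while len(stream) < len(plaintext):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(p ^ s for p, s in zip(plaintext, stream))


def recover_seed(known_plaintext: bytes, ciphertext: bytes):
    """Attacker side: enumerate the seed space instead of the 80-bit key.
    Needs only one known plaintext/ciphertext pair, e.g. a fixed header."""
    for seed in range(1 << SEED_BITS):
        if toy_encrypt(weak_prng_key(seed), known_plaintext) == ciphertext:
            return seed
    return None


def keyspace_reduction() -> tuple:
    """(nominal key bits, effective key bits) for this generator."""
    return (KEY_BYTES * 8, SEED_BITS)


if __name__ == "__main__":
    # Constructed sample: the network derives a key from a poorly seeded PRNG.
    true_seed = 0xBEEF
    key = weak_prng_key(true_seed)
    header = b"TETRA-HDR:"  # constructed known plaintext
    ct = toy_encrypt(key, header)

    found = recover_seed(header, ct)
    print("nominal/effective key bits:", keyspace_reduction())
    print("recovered seed: %#x, key matches: %s"
          % (found, weak_prng_key(found) == key))
```

The cipher here is deliberately "unbreakable" on its own (nobody is attacking SHA-256); the whole 80-bit key falls because the generator behind it only ever had 16 bits of state to choose from. That is the sense in which an undocumented PRNG, not the cipher, can be the thing that moves the effective key length.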