TETRA Networks Security
Tomáš Suchan, Marek Sebera
ITDS Consulting
Schedule
● Introduction
● What is TETRA
● Who uses TETRA
● Security options
● Dangerous decisions
● Demo
● Q & A
Introduction - ITDS Consulting
● Tomáš Suchan, Marek Sebera
● Based in Prague
● https://www.itds-consulting.cz
● TETRA, GSM, TETRAPOL, DMR
● TETRA Toolkit - Monitoring and forensic tool
● GSM Toolkit - Mobile networks security tool
What is TETRA
● TErrestrial Trunked RAdio
● Developed by ETSI since 1990
● Mission-Critical Digital Radio System
● Private / Professional Mobile Radio (PMR)
● DAMM, Sepura, Rohde & Schwarz, EADS, Motorola, …
● Transport, Airports, Police/Fire/Ambulance, Army, …
● SCADA systems (nuclear plants, power stations, …)
World TETRA Usage
TETRA - Czech Republic
Praha, Brno, Liberec, České Budějovice, Chemopetrol Litvínov, Hyundai Nošovice, Pardubice, Přerov, ...
Radio Band: 410 MHz - 430 MHz
Slovak Republic
● TETRAPOL
● Project: SITNO - Ministerstvo Vnútra SK (Slovak Ministry of the Interior)
● Built 1999 - 2008
● In operation since 2008
● Firefighters, Police, Customs, 112 Emergency
Disclaimer
● A properly secured TETRA network is hard to crack
● We’re talking about unsecured or badly secured networks
TETRA Network Security
● Transport: Air-Interface encryption
● SwMI (Infrastructure): Restrict MS by TEI + ISSI combo
● Application: End-to-End transport encryption
Attacks on TETRA
Missing Air-Interface Encryption
We can:
● Read text / binary data (SDS)
● Decode voice transports (even Group Calls)
● Map network structure
● Identify users, clients, applications
● Intercept (MITM) communication
● Fake both directions of data transport
No Air-Interface Encryption, TEI + ISSI registration restricted
We can still do everything, it’s just a bit harder :-)
Missing Air-Interface Encryption, added E2E encryption
● Correlate communication groups
● Map infrastructure
● Scan / Penetrate application endpoints
● Communication fuzzing and DoS attacks
Only Air-Interface encrypted
● Obtain auth key for network
● ???
● PROFIT
Only Air-Interface encrypted (ver 2)
● Build 80-bit TEA (symmetric stream cipher) cracker
● Obtain auth key for network
● ???
● PROFIT
Recommendation
● Encrypt Air-Interface
● Use End-to-End encryption
● Don’t skimp on security
Tetra Toolkit ® ITDS Consulting
● Requirements
  ○ 4-core 2.5 GHz computer, 8 GB DDR3
  ○ RTL-SDR USB dongle
  ○ Linux OS
● Attack time < a few minutes
● Decode voice, text and data communication
● Map infrastructure,
Attack Demo
Thanks to our Partners
Questions & Answers
Thank you!