Critical Zero-Day Vulnerabilities Expose Industrial Communications to Threats

August 8, 2023

The TETRA communications protocol, which powers industrial control systems worldwide, has been found to contain multiple zero-day vulnerabilities. These vulnerabilities were discovered in a Motorola base station and in a system-on-chip, both of which are essential for running and decrypting the TETRA communications algorithm, and they could potentially lead to the exposure of sensitive information. TETRA, or Terrestrial Trunked Radio, is a global standard for encrypted two-way communications. It was developed by public safety experts under the guidance of the European Telecommunications Standards Institute (ETSI). TETRA systems are widely used in public safety and industrial-commercial sectors, including utility companies, rail and metro lines, power stations, oil refineries, and chemical plants.

Wouter Bokslag, a founding partner of Midnight Blue, revealed these vulnerabilities at the Black Hat USA conference. He explained that the Motorola base station has a trusted execution environment (TEE) designed to protect cryptographic primitives and keys from exfiltration. However, by performing a side channel attack on the TEE, his team was able to decrypt the module and acquire an AES key. This key could be used to further decrypt communications passing through the equipment. Bokslag stated, "That allows us to extract a Motorola key from the radio that can then be used to decrypt the module that implements all that traffic security features." He clarified that the researchers did not break the TETRA algorithm at any point, but were able to extract the decryption key.

The research led to the discovery of four zero-day bugs, two of which are critical or high severity and are specific to a Motorola MTM5400. Bokslag suggested that these vulnerabilities could be exploited by attackers with physical access to a Motorola radio to extract sensitive key material, allowing them to listen to the TETRA network undetected until the next key change. He added, "This kind of attack would work regardless of the TEA (TETRA Encryption Algorithm) cipher used and is possibly less involved to pull off than the decryption oracle attack on the protocol (CVE-2022-24401), although it does require brief physical access."

Three other zero-days, all rated as critical, were found in the OMAP-L138 system-on-chip used in the Motorola radio. This chip is popular among TETRA basebands from multiple vendors and is also used in other products. As part of developing a proof of concept (PoC) exploit, Midnight Blue converted a TETRA base station into an attack platform, leading to the discovery of five additional zero-days in the Motorola MBTS TETRA base station, three of which are rated as high severity. Bokslag pointed out that these vulnerabilities could be exploited by an attacker with temporary physical access to a base station to extract key material or even leave persistent implants in the radio infrastructure, allowing for persistent interception capabilities across key rollovers.

Bokslag warned that the security issues found in the TETRA infrastructure are not exclusive to Motorola, but are indicative of an industry-wide problem. He stressed, "It's a classical embedded systems environment, and while it's dealing with security-critical stuff, the engineering is not as if security is a top priority."
