Although no exploits have ever been divulged, some of the vulnerabilities could well have been behind major unexplainable communications leaks.

Earlier this week, major eavesdropping vulnerabilities that had existed undisclosed for over 20 years in TETRA radio code encryption services were finally brought to light.

The Terrestrial Trunked Radio encryption code in question is sold for commercial use, in particular to critical infrastructure. In this case, a secret encryption cipher (a backdoor) was baked into the radio systems used by pipelines, railways, the electric grid, mass transit and trains.

Also found was a separate flaw in radio systems sold exclusively to the police, prison personnel, military, intelligence agencies and emergency services. In total, five problematic critical flaws were disclosed: CVE-2022-24400, CVE-2022-24401, CVE-2022-24402, CVE-2022-24403 and CVE-2022-24404.

Thanks to a small group of researchers in the Netherlands, these backdoors and flaws are now known, and the latter are sending shockwaves through generations of people who had used the affected secure equipment none the wiser.

A backdoor to any system represents an opportunity for a cybercriminal to compromise the operational-technology environments of customers who are themselves often providers of critical infrastructure to communities. While some systems might benefit from multiple management interfaces as a form of redundancy, if those management interfaces aren’t known to customers and aren’t designed with a risk-based approach to cybersecurity, then the user of the device or system is assuming an unknown and unmanaged level of risk.

– Tim Mackey, Principal Security Strategist, Cybersecurity Research Centre

Mackey said that any developer who creates a backdoor, or any vendor that ships software with known backdoors, is placing the perceived operational requirements of their system above the risks and threats their customers face.

A cryptographer and professor at Johns Hopkins University, Matthew Green, has called the weakened key a “disaster” that is “very, very bad.”

TETRA’s creators — the European Telecommunications Standards Institute (ETSI) — have played down the severity and intentions behind the flaws. For now, the key is for manufacturers and organizations to apply updates where possible and take other urgent security measures.