Europe mulls open sourcing TETRA emergency services' encryption algorithms
Turns out secrecy doesn't breed security
The European Telecommunications Standards Institute (ETSI) may open source the proprietary encryption algorithms used to secure emergency radio communications after a public backlash over security flaws found this summer.
"The ETSI Technical Committee in charge of TETRA algorithms is discussing whether to make them public," Claire Boyer, a spokesperson for the European standards body, told The Register.
The committee will discuss the issue at its next meeting on October 26, she said, adding: "If the consensus is not reached, it will go to a vote."
TETRA is the Terrestrial Trunked Radio protocol, which is used in Europe, the UK, and other countries to secure radio communications used by government agencies, law enforcement, military and emergency services organizations.
In July, a Netherlands security biz uncovered five vulnerabilities in TETRA, two deemed critical, that could allow criminals to decrypt communications, including in real-time, to inject messages, deanonymize users, or set the session key to zero for uplink interception.
The Midnight Blue researchers dubbed the bugs, which affected all TETRA networks, TETRA:BURST. The team waited one and a half years, as opposed to the usual six-month disclosure period, to make the flaws public because of the sensitive nature of emergency comms, and the complexity of fixing the issues.
At the time ETSI downplayed the flaws, which it said had been fixed last October, and noted that "it's not aware of any active exploitation of operational networks."
It did, however, face criticism from the security community over its response to the vulnerabilities — and over the proprietary nature of the encryption algorithms, which makes proper pentesting of the emergency network system more difficult.
Security author Kim Zetter broke the story that ETSI was discussing making the TETRA algorithms public. She also quoted Matthew Green, a Johns Hopkins University cryptographer and professor, who said keeping algorithms secret is a dated idea that makes problems worse.
"This whole idea of secret encryption algorithms is crazy, old-fashioned stuff. It's very 1960s and 1970s and quaint," he said. "If you're not publishing [intentionally] weak algorithms, I don't know why you would keep the algorithms secret."
Zetter indicated that ETSI's recent security failures may have changed some members' minds about removing the cloak of secrecy around the technology. ETSI disclosed that intruders had exploited a vulnerability to breach its members-only portal and steal a database containing personal information.
It didn't provide any additional information about the flaw used to break into the portal, but noted "ETSI has fixed the vulnerability."
The disclosure also included a statement from ETSI Director-General Luis Jorge Romero, who said: "Transparency is at the root of ETSI, in our governance and technical work."
It looks like the real test of this will come later this month when the TETRA algorithms go to a vote. ®