Article Details

Scrape Timestamp (UTC): 2025-08-11 16:35:56.421

Source: https://thehackernews.com/2025/08/new-tetra-radio-encryption-flaws-expose.html

Original Article Text

New TETRA Radio Encryption Flaws Expose Law Enforcement Communications

Cybersecurity researchers have discovered a fresh set of security issues in the Terrestrial Trunked Radio (TETRA) communications protocol, including in its proprietary end-to-end encryption (E2EE) mechanism, that expose the system to replay and brute-force attacks and could even allow encrypted traffic to be decrypted.

Details of the vulnerabilities, dubbed 2TETRA:2BURST, were presented at the Black Hat USA security conference last week by Midnight Blue researchers Carlo Meijer, Wouter Bokslag, and Jos Wetzels.

TETRA is a European mobile radio standard that's widely used by law enforcement, military, transportation, utilities, and critical infrastructure operators. It was developed by the European Telecommunications Standards Institute (ETSI) and encompasses four encryption algorithms: TEA1, TEA2, TEA3, and TEA4.

The disclosure comes a little over two years after the Netherlands-based cybersecurity company discovered a set of security vulnerabilities in the TETRA standard, called TETRA:BURST, including what was described as an "intentional backdoor" that could be exploited to leak sensitive information.

The newly discovered issues relate to a case of packet injection in TETRA, as well as an insufficient fix for CVE-2022-24401, one of the five TETRA:BURST issues, to prevent keystream recovery attacks. The identified issues are listed below -

Midnight Blue said the impact of 2TETRA:2BURST depends on the use cases and configuration of each particular TETRA network, and that networks that use TETRA in a data-carrying capacity are particularly susceptible to packet injection attacks, potentially allowing attackers to intercept radio communications and inject malicious data traffic.

"Voice replay or injection scenarios (CVE-2025-52940) can cause confusion among legitimate users, which can be used as an amplifying factor in a larger-scale attack," the company said. "TETRA E2EE users (also those not using Sepura Embedded E2EE) should in any case validate whether they may be using the weakened 56-bit variant (CVE-2025-52941)."

"Downlink traffic injection is typically feasible using plaintext traffic, as we found radios will accept and process unencrypted downlink traffic even on encrypted networks. For uplink traffic injection, the keystream needs to be recovered."

There is no evidence of these vulnerabilities being exploited in the wild. That said, there are no patches that address the shortcomings, with the exception of MBPH-2025-001, for which a fix is expected to be released. Mitigations for the other flaws are listed below -

"If you operate or use a TETRA network, you are certainly affected by CVE-2025-52944, in which we demonstrate it's possible to inject malicious traffic into a TETRA network, even with authentication and/or encryption enabled," Midnight Blue said. "Also, CVE-2022-24401 likely affects you, as it allows adversaries to collect keystream for either breach of confidentiality or integrity. If you operate a multi-cipher network, CVE-2025-52943 poses a critical security risk."

In a statement shared with WIRED, ETSI said the E2EE mechanism used in TETRA-based radios is not part of the ETSI standard, adding that it was produced by the Critical Communications Association's (TCCA) Security and Fraud Prevention Group (SFPG). ETSI also noted that purchasers of TETRA-based radios are free to deploy other solutions for E2EE on their radios.

The findings also coincide with the discovery of three flaws in the Sepura SC20 series of mobile TETRA radios that allow attackers with physical access to the device to achieve unauthorized code execution -

Patches for CVE-2025-52945 and CVE-2025-8458 are expected to be made available in the third quarter of 2025; until then, users are advised to implement enhanced TETRA key management policies. MBPH-2025-003, on the other hand, cannot be remediated due to architectural limitations.

"The vulnerabilities enable an attacker to gain code execution on a Sepura Gen 3 device," the company said. "Attack scenarios featuring CVE-2025-8458 involve persistent code execution through access to a device's SD card. Abuse of CVE-2025-52945 is even more straightforward as it requires only brief access to the device's PEI connector."

"From the premise of code execution, multiple attack scenarios are viable, such as exfiltration of TETRA key materials (MBPH-2025-003) or the implantation of a persistent backdoor into the radio firmware. This leads to the loss of confidentiality and integrity of TETRA communications."

Daily Brief Summary

VULNERABILITIES // New TETRA Encryption Flaws Threaten Law Enforcement Communications Security

Cybersecurity researchers identified vulnerabilities in the TETRA radio protocol, including in its end-to-end encryption, that make it susceptible to replay and brute-force attacks.

The vulnerabilities, named 2TETRA:2BURST, were disclosed at the Black Hat USA conference, impacting law enforcement, military, and critical infrastructure users.

The flaws allow for packet injection attacks, enabling potential interception and manipulation of radio communications, particularly in data-carrying networks.

Specific vulnerabilities, such as CVE-2025-52940 and CVE-2025-52941, could lead to confusion among users and compromise communication integrity.

While no active exploitation has been reported, patches are limited, with some fixes expected by the third quarter of 2025.

ETSI clarified that the E2EE mechanism in TETRA radios is not part of its standard, noting that purchasers are free to deploy other E2EE solutions on their radios.

The discovery also includes flaws in Sepura SC20 radios, allowing unauthorized code execution, necessitating enhanced key management practices.

Organizations using TETRA networks should assess their configurations and implement mitigations to safeguard against these vulnerabilities.