Standards Body Considers Uncloaking Secret Encryption Algorithms
The European standards body that created secret encryption algorithms for use in TETRA radio communications is weighing whether to make new algorithms public, following backlash over its secrecy.
A European standards body that found itself in hot water this summer over flaws in encryption algorithms it created to secure radio communications of police, military and critical infrastructure, is now discussing whether to make its new algorithms public as a result of the backlash, I’ve learned.
The European Telecommunications Standards Institute (ETSI) has put the question to members and is seeking consensus this month on whether new proprietary algorithms it has created for the TETRA radio protocol should be made public so that independent researchers and government agencies that rely on the algorithms to protect their communications can examine them for security flaws. If members can’t come to a consensus informally, the group is expected to put the matter to a vote on October 26.
ETSI spokeswoman Claire Boyer confirmed that the group is weighing whether to make the new algorithms public.
“The question as to whether TETRA algorithms will be made public is still open at this time,” she wrote in an email. “Resolution is expected from ETSI TCCE technical committee in charge of TETRA by the end of the year.”
Matthew Green, a Johns Hopkins University cryptographer and professor, welcomed the news, saying that ETSI’s previous decision to keep its algorithms secret was out of touch. He likened it to serving formally dressed dinner guests a Jello salad.
“This whole idea of secret encryption algorithms is crazy, old-fashioned stuff. It’s very 1960s and 1970s and quaint,” he says. “If you’re not publishing [intentionally] weak algorithms, I don’t know why you would keep the algorithms secret.”
ETSI, which is based in France, was hit with intense criticism in July after Dutch researchers — Carlo Meijer, Wouter Bokslag, and Jos Wetzels of the Dutch cybersecurity consultancy Midnight Blue — found major flaws in four algorithms the standards body had created in the 90s to secure radios used by police, military and critical infrastructure around the world.
It’s a “welcome development and a serious change in attitude from ETSI that would go a long way in making amends for the damage done by secret algorithms in multiple standards through the years.”
— Jos Wetzels of Midnight Blue
ETSI had kept the cryptographic algorithms secret for more than twenty-five years, carefully controlling who got to examine them and requiring a signed NDA from anyone ETSI did let view them. This prevented independent security experts from examining the algorithms for vulnerabilities.
The Dutch researchers bypassed this restriction by extracting the four algorithms from a Motorola radio they purchased online and reverse-engineering them. They found numerous critical flaws in the algorithms that would allow adversaries to intercept radio communications, decrypt them and even alter and spoof them. The flaws included what the researchers describe as an intentional backdoor — a purposely weakened algorithm — designed, presumably, to make it easier for parties who know about the flaw to intercept and decrypt radio communications. You can read details about the flaws in this story I wrote for WIRED in July
In an interview I conducted at the time with Brian Murgatroyd, chair of the technical body at ETSI responsible for developing the TETRA standard and algorithms, he revealed that the group had intentionally weakened that algorithm as a condition of export.
“[W]e would have preferred to have as strong a key as possible in all respects. But that just wasn’t possible because of the need for exportability,” Murgatroyd said. He revealed that prior to developing the algorithms, ETSI consulted with the UK government, who made “strong recommendations” that ETSI keep the algorithms secret.
This meant, however, that customers who purchased radio equipment from Airbus, Motorola, Damm, Hytera and others that use the algorithms weren’t aware of the flaws.
The algorithm with the backdoor is used primarily by critical infrastructure to secure data and commands in pipelines, railways, and the electric grid, including at least two dozen critical infrastructures in the US. Among them are electric utilities, a state border control agency, an oil refinery, chemical plants, an East Coast mass transit system, and three international airports, and a US Army training base.
The algorithm is also used by some police agencies and military around the world. Publicly, the algorithm with the backdoor is advertised as using a key with 80 bits of entropy, but the researchers found that it contained a secret feature that reduces it to just 32 bits of entropy. The researchers were able to crack the key in less than a minute using a standard laptop.
Malicious actors who crack the key would be able to snoop on police communications or intercept critical infrastructure communications to study how these systems work. And they could also potentially inject commands to the radios to trigger blackouts, halt gas pipeline flows, or re-route trains.
The researchers found another flaw in the standard itself that would allow similar decryption capabilities in TETRA-based radio systems sold only to police, prisons, military, intelligence agencies, and emergency services. Exploiting the flaw would let someone not only decrypt communications but also potentially send fraudulent messages to police, fire brigades, military troops and others to spread misinformation or direct the movement of personnel.
By the time the researchers discovered the flaws, ETSI was already three years into a project to replace the 1990s algorithms with new ones. After the researchers reported the flaws in the old algorithms to ETSI, the standards group incorporated changes into the new algorithms to address them.
“There were three mitigations that were necessary as a result of the researchers’ work, and we’re very grateful for that, because they showed us three vulnerabilities that we weren’t really aware of,” Murgatroyd told me.
He acknowledged the value in having independent experts outside of ETSI examine the algorithms for flaws, but insisted in July that the new algorithms would be kept secret like the old ones, despite the fact that this secrecy had prevented ETSI from learning about and fixing flaws in the old algorithms.
Here’s Murgatroyd’s comments at the time.
KZ: Who’s requiring that the algorithms be kept secret? Who’s making that decision?
BM: I wouldn’t say requiring; it’s a strong recommendation — from governments.
KZ: ETSI is keeping the algorithms secret because the government requested it?
BM: Because some of the algorithms involve critical national security, in terms of public safety.
KZ: But, as the researchers point out, an algorithm should be secure whether or not it’s public. It shouldn’t base its security on being kept secret.
BM: Yeah. I don’t know quite what the answer is. The fact is that these were private, and the fact is the new ones are also private. So that’s the state-of-play at the moment. Whether that changes in the future I don’t know.
KZ: If you’re saying that the only reason they’re secret is because the government has advised it, can ETSI decide on its own to make them public?
BM: I’d have to say yes.
KZ: So why don’t you?
BM: I don’t know.
KZ: Have there been any discussions in ETSI about making them public? Creating an algorithm a quarter of a century ago and keeping it secret might have been the right thing to do in 1995, but is it the right thing to do in 2023?
BM: Well I think that might be the basis of a discussion within ETSI. I’m not sure that anything is going to change that quickly. When we went to the ETSI board to form the new special committee to develop these [new] algorithms, it was explained then that [these algorithms] would be secret on the grounds of national security. And the board accepted that.
KZ: There was no pushback.
BM: Not that I’m aware of.
KZ: Is there any discussion going forward about at least bringing in independent researchers to do full analysis, with the understanding that the findings they uncover can be made public? You could fix the problems they encounter, and after they’ve reviewed your fixes, they can make their findings public, while the algorithms remain secret.
BM: That would have been a great idea with the researchers this time. But they decided to release the algorithms as well [in addition to their findings]. But yeah scrutiny is very important.… I can’t see anything wrong with what you just said, apart from the fact that we’d rather if someone came in to do an independent review of the algorithms … that they wouldn’t then go and just give the information out.
That exchange brought heavy criticism from the security community, customers, and even some of its own members. Members who previously opposed making the old algorithms public have begun to reconsider that stance for the new algorithms.
Notably, ETSI announced recently that it had been hacked. The intruders used an unpatched vulnerability in its members-only web portal to access a database containing information about members. ETSI said it had engaged the French National Cybersecurity Agency to investigate the breach, but no further details were provided.
Boyer told me the attack did not damage the IT system and ETSI had fixed the vulnerability and “undertaken additional security actions and significantly strengthened its IT security procedures.”
She said ETSI does not know who was behind the breach.
Wetzels, who was among those criticizing ETSI after his team discovered the vulnerabilities in the 90’s algorithms, says that making the new algorithms public would be a “welcome development and a serious change in attitude from ETSI that would go a long way in making amends for the damage done by secret algorithms in multiple standards through the years.”
ETSI has about 900 members around the world, which include governmental bodies, telecoms, tech companies and hardware manufacturers, network operators, research bodies, academics and others, according to its web site. Only a very small subset of these belong to the TETRA group and will have the ability to decide whether the new TETRA algorithms will remain secret or be made public.
See also: