tetra networks security
TETRA Networks Security
Tomáš Suchan, Marek Sebera
ITDS Consulting
Schedule
● Introduction
● What is TETRA
● Who does use TETRA
● Security options
● Dangerous decisions
● Demo
● Q & A
Introduction - ITDS Consulting
● Tomáš Suchan, Marek Sebera
● Based in Prague
● https://www.itds-consulting.cz
● TETRA, GSM, TETRAPOL, DMR
● TETRA Toolkit - Monitoring and forensic tool
● GSM Toolkit - Mobile networks security tool
What is TETRA
● TErrestrial Trunked RAdio
● Designed by ETSI since 1990
● Mission-Critical Digital Radio System
● Private / Professional Mobile Radio (PMR)
● DAMM, Sepura, Rohde & Schwarz, EADS, Motorola, …
● Transport, Airports, Police/Fire/Ambulance, Army, …
● SCADA systems (nuclear plants, power stations, …)
World TETRA Usage
TETRA - Czech Republic
Praha, Brno, Liberec, České Budějovice, Chemopetrol Litvínov, Hyundai Nošovice, Pardubice, Přerov, ...
Radio Band: 410 MHz - 430 MHz
Slovak Republic
● TETRAPOL
● Project: SITNO - Ministerstvo Vnútra SK
● Built in years 1999 - 2008
● Working since 2008
● Firefighters, Police, Customs, 112 Emergency
Disclaimer
● A properly secured TETRA network is hard to crack
● We’re talking about unsecured or badly secured networks
TETRA Network Security
● Transport: Air-Interface encryption
● SwMI (Infrastructure): Restrict MS by TEI + ISSI combo
● Application: End-to-End transport encryption
Attacks on TETRA
Missing Air-Interface Encryption
We can:
● Read text / binary data (SDS)
● Decode voice transports (even Group Calls)
● Map network structure
● Identify users, clients, applications
● Intercept (MITM) communication
● Fake both directions of data transport
No Air-Interface Encryption, TEI + ISSI registration restricted
We can still do everything, it’s just a bit harder :-)
Missing Air-Interface Encryption, added E2E encryption
● Correlate communication groups
● Map infrastructure
● Scan / Penetrate application endpoints
● Communication fuzzing and DoS attacks
Only Air-Interface encrypted
● Obtain auth key for network
● ???
● PROFIT
Only Air-Interface encrypted (ver 2)
● Build 80-bit TEA (symmetric stream cipher) cracker
● Obtain auth key for network
● ???
● PROFIT
Recommendation
● Encrypt Air-Interface
● Use End-to-End encryption
● Don’t skimp on security
Tetra Toolkit ® ITDS Consulting
● Requirements
  ○ 4-core 2.5GHz computer, 8GB DDR3
  ○ RTL-SDR USB dongle
  ○ Linux OS
● Attack time < few minutes
● Decode voice, text and data communication
● Map infrastructure,
Attack Demo
Thanks to our Partners
Questions & Answers
TETRA Networks Security
Thank you!