Researchers discover vulnerabilities in TETRA

Security researchers have found five vulnerabilities in TETRA, radio technology used in critical infrastructure. Hackers and cybercriminals could exploit the vulnerabilities to commit sabotage, shut down energy networks or cause other damage. Researchers say the findings could have serious consequences.

This is what security experts tell RTL News.

Vulnerabilities are serious for government and industry

TETRA is a form of radio communication used in vital or critical infrastructure. The port of Rotterdam uses it, as do various companies that are active in public transport. The communication system of the emergency services and parts of the Ministry of Defense are also based on this technology. Finally, TETRA is used worldwide to control important parts of critical infrastructure, such as high-voltage distribution boxes, oil and gas pipelines and railway protection.

TETRA thus plays an incredibly important role in our daily lives. That makes the study’s results very serious, Bart Jacobs, professor of computer security at Radboud University, told RTL Nieuws. “It is serious for the government and the business community. It concerns vital infrastructure, the functioning of which can be affected by serious attacks.”

‘A realistic scenario’

Hackers and cybercriminals with malicious intent can break into the TETRA network with simple hardware. They crack the signal, send malicious commands to industrial systems, and thus paralyze parts of society. Jos Wetzels of cyber security company Midnight Blue calls it ‘a realistic scenario’. He also thinks that the risks for the Netherlands are limited. TETRA is a system mainly used to communicate over long distances, while our country is relatively small. Wetzels does emphasize that malicious parties can eavesdrop on security services unnoticed.

Another risk we run is that hackers exploit the vulnerabilities to crack C2000 communications from the emergency services. Those with malicious intent can then, at any time, listen back to conversations that take place via a confidential communication system or intercept, manipulate or disrupt the communication that takes place via walkie-talkies and mobile phones.

Organizations do not always respond to researchers’ warnings

Researchers reported the vulnerabilities to the National Cyber Security Center (NCSC) in December 2021. They have informed organizations working with TETRA about this and advised them on the steps to secure their communication. The Ministry of Justice and Security tells RTL Nieuws that updates are available but that the police, Royal Netherlands Marechaussee, fire brigade and ambulance, among others, have yet to install them.

Three Dutch people – Jos Wetzels, Carlo Meijer and Wouter Bokslag – discovered the vulnerabilities. Their investigation, called TETRA:BURST, took a year to complete. Informing organizations of their findings is difficult: the organizations do not respond to the researchers’ e-mails. As a result, those organizations run the risk of having their systems compromised.

According to the security specialists, their research shows that the technology behind encryption should always be made public. “If one party keeps it a secret, researchers can’t see it, and vulnerabilities, like TETRA, quietly persist for decades,” they say.