If you’d been quietly chasing down cryptographic bugs in a proprietary police radio system since 2021, but you’d had to wait until the second half of 2023 to go public with your research, how would you deal with the reveal?
You’d probably do what researchers at boutique Dutch cybersecurity consultancy Midnight Blue did: line up a world tour of conference appearances in the US, Germany and Denmark (Black Hat, Usenix, DEF CON, CCC and ISC), and turn your findings into a BWAIN.
The word BWAIN, if you haven’t seen it before, is our very own jocular acronym that’s short for Bug With An Impressive Name, typically with its own logo, PR-friendly website and custom domain name.
(One notorious BWAIN, named after a legendary musical instrument, Orpheus’s Lyre, even had a theme tune, albeit played on a ukulele.)
Introducing TETRA:BURST
This research is dubbed TETRA:BURST, with the letter A stylised to look like a shattered radio transmission mast.
TETRA, if you’ve never heard of it before, is short for Terrestrial Trunked Radio, originally Trans-European Trunked Radio, and is widely used (outside North America, at least) by law enforcement, emergency services and some commercial organisations.
It’s featured on Naked Security before, when a Slovenian student received a criminal conviction for hacking the TETRA network in his own country after deciding that his vulnerability reports hadn’t been taken seriously enough.
Trunked radio needs fewer base stations and has a longer range than mobile phone networks, which helps in remote areas, and it supports both point-to-point and broadcast communications, desirable when co-ordinating law enforcement or rescue efforts.
The TETRA system, indeed, was standardised back in 1995, when the cryptographic world was very different.
Back then, cryptographic tools including the DES and RC4 ciphers, and the MD5 message digest algorithm, were still in widespread use, though all of them are now considered dangerously unsafe.
DES was superseded at the start of the 2000s because it uses encryption keys just 56 bits long, and modern computers are sufficiently fast and cheap that determined cryptocrackers can fairly easily try out all possible 2^56 different keys (what’s known as a brute force attack, for obvious reasons) against intercepted messages.
RC4, which is supposed to turn predictable input data with recognisable patterns (even a text string of the same character repeated over and over) into random-looking garbage, was found to have significant imperfections that could be used to winkle out plaintext input by performing statistical analysis of ciphertext output.
MD5, which is supposed to produce a pseudorandom 16-byte “message digest” from any input file, thus generating an unforgeable fingerprint for files of any size, turned out to be easy to trick into churning out the same fingerprint for two very different files, annihilating its value as a tamper-detection tool.
End-to-end encryption for individual online transactions, which we now take for granted on the web thanks to secure HTTP (HTTPS, based on TLS, short for transport layer security), was both new and unusual, and relied on the brand-new-at-the-time network-level protection protocol known as SSL (secure sockets layer), now considered sufficiently insecure that you’ll struggle to find it in use anywhere online.
Party like it’s 1995
TETRA’s 1995-era encryption remains in use to this day, and hasn’t received much attention, apparently for two main reasons.
Firstly, even though it’s widely used around the world, it’s not an everyday service that pops up in all our lives, unlike mobile telephones and web commerce.
Secondly, the underlying encryption algorithms are proprietary, guarded as trade secrets under strict non-disclosure agreements (NDAs), so it simply hasn’t had the levels of global, objective mathematical scrutiny that unpatented, open source encryption systems have.
In contrast, cryptosystems such as AES (which replaced DES), SHA-256 (which replaced MD5), ChaCha20 (which replaced RC4), and various iterations of TLS (which replaced SSL) have all been analysed, dissected, discussed, hacked, attacked and critiqued in public for years, following what’s known in the trade as Kerckhoffs’s Principle.
Auguste Kerckhoffs was a Dutch-born linguist who ended up as a professor of the German language in Paris, and who published a pair of seminal papers in the 1880s under the title Military Cryptography, in which he proposed that no cryptographic system should rely on what we now refer to as security through obscurity.
Simply put, if you need to keep the algorithm secret, as well as the decryption key for each message, you’re in deep trouble, because your enemies will ultimately, and inevitably, get hold of that algorithm…
…and, unlike decryption keys, which can (and should) be changed at will, the algorithm only needs to be revealed once.
And, as Benjamin Franklin, one of America’s best-known and wackily well-remembered scientists, is supposed to have said, “Three people may keep a secret, if two of them are dead.”
Use NDAs for commerce, not for crypto
Commercial NDAs are peculiarly purposeless for keeping cryptographic secrets, especially for successful products that end up with more and more commercial partners signed up under NDA.
There are four obvious problems here, namely:
- More and more programmers and analysts get the time and opportunity to figure out exploitable bugs, which they will never disclose if they stick to the spirit of their NDA.
- More and more vendors get the chance to leak the algorithms anyway, if any one of them decides not to stick to the letter of their NDA.
- Sooner or later, someone is likely to receive the algorithm legally without a binding NDA in place. That institution or person is then free to disclose it without breaking the letter of the NDA, and without trampling on its spirit if they happen to agree with Kerckhoffs’s Principle.
- Sooner or later, someone not under NDA is likely to figure out the algorithm by observation. Amusingly, if that is the right word, cryptographic reverse engineers can be pretty sure they have their analysis right by comparing the behaviour of their alleged implementation against the real thing, because even small inconsistencies are likely to result in wildly different cryptographic outputs.
The Dutch researchers in this story took the last approach, legally acquiring a bunch of compliant TETRA devices and figuring out how they worked internally.
Apparently, they discovered five vulnerabilities that ended up with CVE numbers, dating back to 2022 because of the time involved in liaising with TETRA vendors on how to fix the issues: CVE-2022-24400 to CVE-2022-24404 inclusive.
Obviously, they’re now holding out on full details for maximum PR effect, with their first public paper scheduled for 2023-08-09 at the Black Hat 2023 conference in Las Vegas, USA.
What to do?
Advance information that the researchers have revealed is enough to remind us of three cryptographic must-follow rules right away:
- Don’t violate Kerckhoffs’s Principle. Use NDAs or other legal instruments if you want to protect your intellectual property or to try to maximise your licensing fees. But never use “trade secrecy” in the hope of improving cryptographic security. Stick to trusted algorithms that have already survived serious public scrutiny.
- Don’t rely on data you can’t verify. CVE-2022-24401 relates to how TETRA base stations and handsets agree on how to encrypt each transmission so that each burst of data gets encrypted uniquely. This means you can’t work out the keys to unscramble old data, even if you’ve already intercepted it, or predict the keys for future data so you can snoop on it in real time. TETRA apparently does its key setup based on timestamps transmitted by the base station, so a properly programmed base station should never repeat previous encryption keys. But there’s no data authentication process to prevent a rogue base station from tricking a targeted handset into either reusing keystream data from yesterday, or leaking in advance the keystream it will use tomorrow.
- Don’t build in backdoors or other deliberate weaknesses. CVE-2022-24402 covers a deliberate security downgrade trick that can be triggered in TETRA devices using the commercial-level encryption code (this apparently doesn’t apply to devices bought officially for law enforcement or first responder use). This exploit allegedly turns 80-bit encryption, where snoopers need to try 2^80 different decryption keys in a brute-force attack, into 32-bit encryption. Given that DES was banished more than 20 years ago for using 56-bit encryption, you can be sure that 32 bits of key is far too small for 2023.
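As an added illustration of the second rule (not code from the article or the researchers, and not TETRA’s proprietary algorithm): a hypothetical handset keys each burst from a broadcast time value, using a SHA-256 counter-mode keystream as a stand-in. Without authentication, a repeated time repeats the keystream; the hardened mode, a generic mitigation assumed here, checks an HMAC over the time and rejects values that do not advance.

```python
import hashlib
import hmac

def keystream(key, net_time, n):
    """Stand-in keystream (SHA-256 in counter mode), NOT TETRA's cipher."""
    out, block = b"", 0
    while len(out) < n:
        seed = key + net_time.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hashlib.sha256(seed).digest()
        block += 1
    return out[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def time_tag(mac_key, net_time):
    return hmac.new(mac_key, net_time.to_bytes(8, "big"), hashlib.sha256).digest()

class Handset:
    """Hypothetical handset keying each burst from the broadcast network time."""
    def __init__(self, key, mac_key=None):
        self.key, self.mac_key, self.last_time = key, mac_key, -1

    def encrypt(self, net_time, plaintext, tag=b""):
        if self.mac_key is not None:  # hardened mode (assumed mitigation)
            if not hmac.compare_digest(tag, time_tag(self.mac_key, net_time)):
                raise ValueError("network time not authenticated")
            if net_time <= self.last_time:
                raise ValueError("network time repeated or went backwards")
            self.last_time = net_time
        return xor(plaintext, keystream(self.key, net_time, len(plaintext)))

def reuse_leaks_plaintext():
    """Unauthenticated time: repeated time -> repeated keystream -> c1^c2 == p1^p2."""
    h = Handset(b"constructed-key")
    p1, p2 = b"UNIT 12 HOLD POSITION", b"UNIT 07 MOVE TO GATE "  # constructed samples
    c1, c2 = h.encrypt(1000, p1), h.encrypt(1000, p2)
    return xor(xor(c1, c2), p1)  # equals p2, recovered without the key

def hardened_rejects_replay():
    mac_key = b"constructed-mac-key"
    h = Handset(b"constructed-key", mac_key)
    tag = time_tag(mac_key, 1000)
    h.encrypt(1000, b"first burst", tag)
    try:
        h.encrypt(1000, b"second burst", tag)  # same time replayed with a valid tag
    except ValueError:
        return True
    return False
```
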
Fortunately, it looks as though CVE-2022-24401 has already been quashed with firmware updates (assuming users have applied them).
As for the rest of the vulnerabilities…
…we’ll have to wait until the TETRA:BURST tour kicks off for full details and mitigations.
from Naked Security https://ift.tt/MAg4idu