Exposed Secrets: Backdoor Vulnerabilities in Worldwide Radio Systems

 


For more than 25 years, a technology used around the globe for critical voice and data radio communication has been kept secret, so nobody outside the industry could examine its security properties closely for vulnerabilities. A small group of researchers in the Netherlands has now completed a study of it, and thanks to their efforts the results are being made public. The technology's internals turned out to contain serious flaws, including a deliberate backdoor.

The vendors who build the radios have known for years about the encryption algorithm baked into them, because they buy it from the vendors of the technology; their customers have not necessarily known about the backdoor. Pipelines, railways, electric grids, mass transit systems and freight operators send encrypted data and commands over this technology. Anyone who can read those communications could learn how the systems work, and could then send commands of their own to the radios, triggering a blackout, halting the flow of a gas pipeline, or rerouting trains.

A further vulnerability was found in a different part of the same radio technology, used in more specialised systems sold exclusively to police forces, prisons, the military, intelligence agencies, and emergency services.

In the Netherlands, the police, fire brigades, ambulance services, and the Ministry of Defence rely on the C2000 communication system for mission-critical voice and data communication. An attacker who exploited the flaw could decrypt that voice and data traffic and send fraudulent messages, for example to spread misinformation or to redirect personnel and units during a national crisis.

The Dutch security firm Midnight Blue has discovered five vulnerabilities in Terrestrial Trunked Radio (TETRA), a radio standard used by governments, law enforcement agencies, emergency services organisations and others in many countries across Europe, in the United Kingdom, and in other parts of the world.

Because TETRA is an open standard with competition between vendors, its development has produced several innovations. TETRA solutions from Airbus, for example, achieve outstanding coverage because they use the same frequency band and output power as today's cellular systems.

All TETRA radio networks appear to be affected by the set of flaws, collectively named TETRA:BURST. Depending on the network, an attacker could use them to decrypt communications in real time or after the fact, inject messages, deanonymise users, or set the session key to zero so that uplink traffic can be intercepted.

Two of the flaws are classified as critical, meaning they require immediate attention. The first (CVE-2022-24401) can be used to decrypt text, voice, or data communications and reveal their contents: the Air Interface Encryption (AIE) keystream generator, which encrypts sensitive data as it is transmitted, derives its keystream from the network time, which is broadcast publicly and unencrypted.

The second vulnerability (CVE-2022-24402) is, the researchers say, not a technical mistake but a design choice: the TEA1 encryption algorithm, they claim, "has a backdoor that can be exploited to reduce the original 80-bit key size to a size that can be easily brute-forced on consumer hardware in minutes." The Midnight Blue team agrees that the backdoor, as they call it, was deliberately designed in.

The usual explanation is export control: under various rules and regulations, encryption technology has often had to be weakened before it could be shipped abroad.

In a demonstration video of CVE-2022-24401, an encrypted message sent from one radio is intercepted and read by an attacker targeting the receiving radio. Exploiting this vulnerability never yields the key itself, explains Midnight Blue founder Wouter Bokslag. He says, “The only thing you will receive is the keystream, which is the key stream you need to decrypt arbitrary frames, or arbitrary messages that pass through the network.”
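The toy model below, added here as an illustration and not code from Midnight Blue or the real TETRA keystream generator (which is not public), keys a stream cipher on a shared key plus the network time, as the text describes for AIE, and shows why a time value that can be repeated or supplied unauthenticated is dangerous: the same time gives the same keystream, so the XOR of two ciphertexts equals the XOR of their plaintexts with no key needed. It also includes a defender-side audit that flags repeated time values in a captured frame log; HMAC-SHA256 as the PRF, the frame layout and the sample frames are assumptions constructed for this example.

```python
import hashlib
import hmac
import os
from collections import defaultdict


def keystream(key: bytes, network_time: int, length: int) -> bytes:
    """Toy AIE-style keystream: a PRF of the shared key and the network time.
    HMAC-SHA256 is a stand-in (assumption); the real generator is not public."""
    out = b""
    block = 0
    while len(out) < length:
        msg = network_time.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_frame(key: bytes, network_time: int, plaintext: bytes) -> bytes:
    # Stream cipher: ciphertext = plaintext XOR keystream(key, time)
    return xor(plaintext, keystream(key, network_time, len(plaintext)))


def find_time_reuse(frames):
    """Defender-side audit over captured (network_time, ciphertext) frames:
    return {time: [frame indices]} for every time value used more than once.
    Any hit means two frames were encrypted under an identical keystream."""
    seen = defaultdict(list)
    for i, (t, _ciphertext) in enumerate(frames):
        seen[t].append(i)
    return {t: idx for t, idx in seen.items() if len(idx) > 1}


def demo():
    key = os.urandom(10)           # 80-bit key, the length the text gives for TEA1
    p1 = b"VALVE 17 CLOSE  "       # constructed sample telemetry commands
    p2 = b"VALVE 17 OPEN   "
    # Constructed capture: frames 0 and 2 were encrypted under the same time
    # value, which is what happens if the time input can be replayed or forced.
    frames = [
        (1000, encrypt_frame(key, 1000, p1)),
        (1001, encrypt_frame(key, 1001, p2)),
        (1000, encrypt_frame(key, 1000, p2)),
    ]
    reuse = find_time_reuse(frames)
    # Same time => same keystream, so the key cancels out of the XOR of the two
    # ciphertexts and only plaintext-vs-plaintext differences remain.
    leak = xor(frames[0][1], frames[2][1]) == xor(p1, p2)
    return reuse, leak
```

The mitigation this points at is to authenticate the time (or any other public input) that feeds the keystream generator, so that an unauthenticated party cannot force a value to repeat.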

A second video demonstrates CVE-2022-24402, the backdoor in the TEA1 algorithm, which compromises both the confidentiality and the integrity of networks that rely on TEA1. Although TEA1 nominally uses an 80-bit key, the backdoor lets an attacker brute-force it and listen in on communications undetected.

Bokslag admits that his use of the word backdoor may seem strong, but he thinks the term is justified here: TEA1 takes an 80-bit key as input, then passes it through a reduction step that leaves only 32 bits of key material for the actual encryption and decryption.

How Suitable Is TETRA for Telemetry?


TETRA offers very high reliability, an invaluable advantage for critical applications. Most telemetry transactions consist of only a few bytes collected from various sources, so the messages are relatively small.

TETRA provides several powerful Short Data Services (SDS). SDS messages can be carried on several channels: on the control channel, during a speech call, or on dedicated data channels. TETRA systems from Airbus can also address a single message to multiple devices at once, which saves significant capacity and time.

For larger data volumes, the IP Packet Data service is recommended. Where spectrum is limited, it can make sense to combine State Messaging (16 bytes), SDS messages (140 bytes without concatenation), and IP Packet Data.

Because of this weakening of the cipher, Bokslag says, an attacker can search the entire 32-bit key space exhaustively and then decrypt all traffic with very cheap hardware, needing only a $10 USB dongle to receive the signals. That access lasts until the key changes, and in many deployments the key never changes, so the attacker can read the communications whenever they want.

Can TV and Radio Broadcasts Be Hacked?


In today's interconnected world, where technology permeates every field, the security of communication channels is paramount. People rely heavily on TV and radio broadcasts for information and entertainment. So, can TV and radio broadcasts be hacked? The answer is yes.

How Can Digital Broadcasting Be Hacked?

With the transition to digital broadcasting, new attack vectors emerged, making broadcasts more vulnerable to hackers. Encryption algorithms and protocols play a critical role in securing broadcasts. However, a weak encryption algorithm or protocol can make broadcasts vulnerable to unauthorized access and manipulation.

For example, old or outdated encryption methods are easier to attack successfully and can let criminals crack passwords. Flaws or bugs in some protocols may also allow attackers to spoof or modify broadcasts. These vulnerabilities allow intruders to insert unauthorised content, disrupt broadcasts, or transmit misleading information.

Insufficient Security Measures During Transition

Another major factor in hacking TV and radio broadcasts is inadequate authentication measures. Authentication is an important step in protecting broadcast equipment from unauthorized access. However, some equipment has insufficient authentication mechanisms or does not use authentication at all.

Attackers, for instance, can gain control of broadcast equipment by physically accessing it or infiltrating systems over the network by bypassing weak authentication measures. In this case, attackers can disrupt broadcasts, post misleading content, or even stop real broadcasts.

How Can Radio Be Hacked?

The open nature of radio waves and the easy accessibility of key infrastructure cause security vulnerabilities in broadcast systems. Because radio waves are inherently open and accessible, it becomes easier for attackers to gain unauthorized access or intrude on radio broadcasts.

Broadcast Frequencies Are Unregulated

Interception of broadcast signals is a rapidly growing threat: hackers take advantage of the loosely regulated nature of broadcast frequencies, and insufficient regulation and control of those frequencies leaves broadcasters and media organisations without effective protection.

Hacking is becoming more common, especially in regions where analog broadcast systems are still used. These attacks can disrupt broadcast signals, causing the spread of illicit content or the manipulation of original content.

TV and radio broadcasts can be hacked due to various vulnerabilities in digital broadcasting systems and insufficient security measures during the transition from analog to digital broadcasting. It's important for broadcasters and media organizations to take proactive steps to ensure the integrity and reliability of their broadcasts in the face of potential hacking threats.


Radio Pakistan Website hacked


The website of the state broadcaster Radio Pakistan was hacked for a brief period on Sunday and was successfully restored. The hackers displayed the following message on the website:

“Hello Admin, you are very secured. Appreciated your security. We got an eye on you. Expect us. Pakistan zindabad.”

According to reports, a group of hackers calling themselves ‘Crash Rulers’ has claimed responsibility for the attack. The claim was posted on Twitter from the handle @TheCrashRulers.

The identity of the user behind the Twitter handle is not yet known. Over the last three months, tweets from the same handle have claimed attacks on various government agency and business websites, including those of the Public Procurement Regulatory Authority Pakistan, the Pakistan Cricket Board, Bahauddin Zakariya University and Zoom Petroleum Pakistan, among others.

These claims have not yet been verified.