If you’ve been quietly uncovering cryptographic bugs in a private police radio system for the past two years, you might be wondering how to handle the disclosure of your research. The researchers at Midnight Blue, a boutique Dutch cybersecurity consultancy, have a unique approach. They have planned a world tour of conference appearances in the US, Germany, and Denmark, including events like Black Hat, USENIX, DEF CON, CCC, and ISC. They have also turned their findings into a BWAIN (Bug With An Impressive Name), complete with its own logo, PR-friendly website, and custom domain name.
Their research, called TETRA:BURST, focuses on the vulnerabilities in TETRA (Terrestrial Trunked Radio), a widely used communication system for law enforcement, emergency services, and some commercial organizations. TETRA offers advantages like fewer base stations and longer range, making it useful in remote areas. However, its encryption algorithms, developed in 1995, have not received much research attention compared to newer systems like AES, SHA-256, and TLS.
The researchers discovered five vulnerabilities in TETRA, which have been assigned CVE numbers dating back to 2022. They have been working with TETRA vendors to address these issues and plan to present their findings at the Black Hat 2023 conference. While they have provided some advance information, they are withholding full details for maximum impact.
The researchers highlight three important cryptographic principles based on their findings. First, they emphasize the importance of not relying on trade secrecy for cryptographic security. Instead, trusted algorithms that have undergone public scrutiny should be used. Second, they recommend not relying on unverified data and ensuring that proper data authentication processes are in place. Finally, they caution against building in backdoors or deliberate weaknesses that could compromise security.
Overall, the researchers at Midnight Blue have taken a unique approach to disclosing their findings, combining conference appearances with a BWAIN to generate awareness and interest in their research. By tying their findings to established cryptographic principles, they aim to raise awareness about the vulnerabilities in TETRA and encourage improvements in its security.