New TETRA Radio Vulnerabilities Risk Law Enforcement Communications


New Security Vulnerabilities in TETRA Protocol Exposed

Overview of the TETRA Protocol

A recent announcement from cybersecurity researchers has raised concerns over significant security flaws in the Terrestrial Trunked Radio (TETRA) communications protocol. This protocol is extensively utilized across various sectors, including law enforcement, military, transportation, and utilities, chiefly due to its robust encryption features. Developed by the European Telecommunications Standards Institute (ETSI), TETRA incorporates four distinct encryption algorithms: TEA1, TEA2, TEA3, and TEA4. However, the newly discovered vulnerabilities suggest that the system may not be as secure as previously believed.

Discovery of Vulnerabilities: 2TETRA:2BURST

The vulnerabilities, identified as 2TETRA:2BURST, were unveiled by researchers from Midnight Blue—Carlo Meijer, Wouter Bokslag, and Jos Wetzels—at the Black Hat USA conference. These flaws primarily affect TETRA’s proprietary end-to-end encryption (E2EE), leaving the system susceptible to replay and brute-force attacks. Such weaknesses could potentially allow unauthorized individuals to decrypt sensitive communications, posing a significant threat to users of the protocol.

Significant Vulnerabilities in Detail

The 2TETRA:2BURST vulnerabilities comprise several critical issues:

  1. CVE-2025-52940: This vulnerability enables attackers to exploit end-to-end encrypted voice streams through replay attacks. Malicious actors can inject arbitrary voice streams that mimic legitimate traffic, leading to confusion for legitimate users.

  2. CVE-2025-52941: The encryption algorithm known as ID 135 employs a deliberately weakened AES-128 implementation, reducing the effective traffic key entropy from 128 bits to a mere 56 bits. This significant reduction increases the risk of brute-force attacks.

  3. CVE-2025-52942: TETRA’s secured Short Data Service (SDS) messages lack replay protection, allowing attackers to arbitrarily replay messages directed toward both individuals and automated systems.

  4. CVE-2025-52943: Multiple Air Interface Encryption algorithms in TETRA networks face potential key recovery attacks. Notably, the network key is identical across all encryption algorithms, amplifying security risks.

  5. CVE-2025-52944: The TETRA protocol currently lacks message authentication, permitting the injection of unauthorized messages, including voice and data transmissions.

  6. Additionally, the fix ETSI proposed for a prior vulnerability, CVE-2022-24401, has proved ineffective against keystream recovery attacks.

Implications of the Vulnerabilities

The implications of the 2TETRA:2BURST vulnerabilities vary significantly depending on the configuration of each individual TETRA network. Notably, those that utilize TETRA for data transmission are increasingly prone to packet injection attacks. As a result, these networks may witness attackers intercepting radio communications or injecting harmful data traffic.

According to Midnight Blue, scenarios involving voice replay can create confusion among legitimate users, which could exacerbate the situation, potentially facilitating larger-scale attacks. They also emphasized that TETRA E2EE users should verify whether they might be utilizing the weakened AES variant.

Suggested Mitigations and Next Steps

As of now, there have been no documented instances of these vulnerabilities being exploited in real-world scenarios. Nevertheless, users are encouraged to take the following actions:

  • For CVE-2025-52940 and CVE-2025-52942, transitioning to a secure E2EE solution is advised.
  • For those affected by CVE-2025-52941, migrating to a stronger E2EE variant is essential.
  • To counter CVE-2025-52943, it is recommended to disable TEA1 support and rotate associated Air Interface Encryption keys.
  • For CVE-2025-52944, a TLS/VPN layer should be implemented when operating TETRA in data-carrying capacities.
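
The two properties the list above says are missing, message authentication (CVE-2025-52944) and replay protection (CVE-2025-52942), are what an added TLS/VPN or secure E2EE layer supplies. The sketch below is an added example, not code from Midnight Blue, ETSI or any TETRA product: the envelope layout, the `seal` and `Receiver` names, the pre-shared key and the sample payload are all assumptions made for illustration and do not represent the SDS format.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16  # truncated HMAC-SHA256 tag length in bytes (assumption for this sketch)

def seal(key: bytes, sender_id: int, counter: int, payload: bytes) -> bytes:
    """Build header || payload || tag; header is a 4-byte sender id and 8-byte counter."""
    header = struct.pack(">IQ", sender_id, counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag

class Receiver:
    """Accepts a message only if its tag verifies and its counter is fresh."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seen = {}  # sender id -> highest counter accepted so far

    def open(self, message: bytes) -> bytes:
        if len(message) < 12 + TAG_LEN:
            raise ValueError("truncated message")
        header, payload, tag = message[:12], message[12:-TAG_LEN], message[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed")
        sender_id, counter = struct.unpack(">IQ", header)
        # Freshness is checked only after authentication, so a forged
        # counter can never advance the receiver's state.
        if counter <= self.last_seen.get(sender_id, -1):
            raise ValueError("replayed or stale message")
        self.last_seen[sender_id] = counter
        return payload

def demo() -> list:
    key = bytes(range(32))  # constructed sample key; real keys come from key management
    rx = Receiver(key)
    msg = seal(key, sender_id=7, counter=1, payload=b"VALVE 12 OPEN")  # constructed sample
    results = [rx.open(msg).decode()]
    for label, candidate in (("replay", msg),
                             ("tamper", msg[:12] + b"VALVE 12 SHUT" + msg[-TAG_LEN:])):
        try:
            rx.open(candidate)
            results.append(label + " accepted")
        except ValueError as err:
            results.append(f"{label}: {err}")
    return results

if __name__ == "__main__":
    print(demo())
```

Without the counter check the replayed message would verify and be accepted a second time; without the tag the altered payload would be accepted as genuine.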

Manufacturer Responses and Future Considerations

ETSI has stated that the E2EE mechanisms used in TETRA radios are not part of its standard but were developed by The Critical Communications Association’s security group. Users are therefore advised that they can opt for alternative E2EE solutions.

Moreover, the vulnerability disclosure coincides with the revelation of additional flaws in the Sepura SC20 series of mobile TETRA radios, which could allow unauthorized code execution via physical access to the device. Notably, these include:

  • CVE-2025-52945: Issues with file management restrictions.
  • CVE-2025-8458: Insufficient key entropy for SD card encryption.
  • An identified risk of exfiltration concerning TETRA and E2EE key materials.

Patches for the above issues are anticipated in the third quarter of 2025. Nonetheless, a lack of solutions for some vulnerabilities emphasizes the need for improved key management policies among users.

In conclusion, full awareness of these vulnerabilities is crucial for organizations utilizing TETRA networks to ensure robust security measures are implemented to safeguard sensitive communications.
