Matt Johansen (@mattjay)
Jul 27 · 17 tweets
🚨 Woah. An intentional backdoor discovered in encrypted radio comms used globally for over 25 years.

Buckle up!
The technology in question is a European radio standard called TETRA (Terrestrial Trunked Radio).

It's used in radios made by Motorola, Damm, Hytera, and others and is embedded in critical infrastructure like pipelines, railways, and the electric grid.
TETRA is also used in specialized systems sold exclusively to police forces, prison personnel, military, intelligence agencies, and emergency services.

This includes the C2000 system used by Dutch police, fire, ambulance, and the Ministry of Defense. 🚓🚑
The encryption algorithms used in TETRA were kept secret until a group of Dutch researchers extracted them from a radio and found severe flaws, including a deliberate backdoor.

This backdoor lets someone who can capture the radio traffic decrypt it, and potentially inject harmful commands into the network.
The researchers also found a second vulnerability that could let someone decrypt encrypted voice and data communications and send fraudulent messages.

This could be used to spread misinformation or redirect personnel and forces during critical times. 📡
These vulnerabilities are not just theoretical.

TETRA radios are used in 2+ dozen critical infrastructure systems in the US.

- Electric Utilities
- A State border control agency
- An oil refinery
- Chemical plants
- A major mass transit system on the East Coast.
The researchers discovered these vulnerabilities in 2021 but agreed not to disclose them publicly until radio manufacturers could create patches and mitigations.

BUT

Not all of these issues can be fixed with a patch, and it's not clear which manufacturers have actually shipped the fixes that are possible.
The researchers plan to present their findings at the Black Hat security conference.

There they plan to release a detailed technical analysis and the secret TETRA encryption algorithms themselves, which have been unavailable to the public until now.
TETRA was developed in the ’90s by the European Telecommunications Standards Institute (ETSI)

The standard includes four encryption algorithms—TEA1, TEA2, TEA3, and TEA4
The first vulnerability the researchers found was the backdoor in TEA1.

All four TETRA encryption algorithms take 80-bit keys, but TEA1 contains a key-reduction step that leaves only 32 bits of effective key before the keystream is generated.

A 2^32 search is nothing: the researchers recovered the key in less than a minute using a standard laptop.
The second major vulnerability isn't in one of the secret algorithms... it affects all of them.

The issue lies in the standard itself: the keystream used to encrypt each message depends on the network time, which the base station broadcasts in the clear and which radios accept without authentication.

An attacker who can feed a radio a time of their choosing can make it produce keystream that was already used, which lets them decrypt intercepted communication and forge messages.
As for fixes...

ETSI fixed the keystream/timestamp issue in a revised TETRA standard published last October, and created three additional algorithms for vendors to use, including one intended to replace TEA1.

However, the TEA1 problem cannot be fixed with an update: the key reduction is part of the algorithm itself, so the only real fix is to stop using TEA1.
A worrying detail:

We don't know if the vulnerabilities they found are being actively exploited.

But the researchers found evidence in the Edward Snowden leaks that the NSA and the UK's GCHQ intelligence agency targeted TETRA for eavesdropping.
Thanks, @KimZetter, for this incredible story.

Read the whole article here: wired.com/story/tetra-ra…
If you like news like this, you'll love my free newsletter:

Join over a thousand security pros here:

mattjay.com/newsletter

