Three Dutch researchers have discovered vulnerabilities in TETRA – a radio technology used worldwide to control vital infrastructure like energy networks, gas pipelines, and railway safety systems. Malicious hackers could relatively easily use the vulnerabilities to cause massive damage, researchers Job Wetzels, Carlo Meijer, and Wouter Bokslag explained to RTL Nieuws.
In the Netherlands, the port of Rotterdam, the public transport companies GVB, RET, and HTM, and various airports use TETRA. The C2000, the communication system for the emergency services and parts of the Ministry of Defense, is also based on TETRA.
Other places in the world use TETRA to control critical infrastructure like high-voltage distribution boxers, railway safety devices, and oil- and gas pipelines. “Attackers could relatively easily send malicious commands to high-voltage substations, causing the power to be cut off to large parts of a country,” researcher Wetzels of the cybersecurity company Midnight Blue told the broadcaster.
The same applies to oil and gas lines or train safety systems. If attackers start tampering with TETRA, the consequences could be enormous. According to the researchers, over 120 countries use TETRA. “TETRA is currently a risk just about everywhere in the world,” Wetzels said.
In the Netherlands, the risk to critical infrastructure is more limited than in the rest of the world, Wetzels said. “TETRA is a system that is mainly used to work over large distances, while the Netherlands is a small country,” he explained.
The risk in the Netherlands lies in criminals eavesdropping on or disrupting police or emergency services communications. The C2000 communications network uses a different kind of TETRA technology that would take more effort to hack, but it is by no means impossible. Such a hack would allow malicious hackers or governments to listen in on communications from the police and the Ministry of Defense, among others. “It works with both text and voice communication,” Wetzels said.
The researchers reported the vulnerabilities to the National Cyber Security Center (NCSC) in December 2021. The organization informed the national government and vital organizations about the vulnerabilities and what steps to take to secure the radio technology.
The Ministry of Justice and Security confirmed this to RTL Nieuws, saying that updates are available that should protect the C2000 network against vulnerabilities found. According to the Ministry, the updates have yet to be installed by the police, the Koninklijke Marechaussee, the fire brigade, and the ambulance service.
The researchers also informed affected organizations of the vulnerabilities, but many have not responded to their emails, they told RTL Nieuws.
The European Telecommunications and Standardization Institute (ETSI) told RTL that it is currently not aware of any abuse of the vulnerabilities discovered by the Dutch researchers.