Newly Discovered TETRA Encryption Flaws Put Critical Communications at Risk

A new wave of security vulnerabilities has been uncovered in the Terrestrial Trunked Radio (TETRA) communication standard — widely used by law enforcement, military, critical infrastructure, and transportation sectors — exposing sensitive communications to potential interception and manipulation.

The findings, presented at the Black Hat USA 2025 conference by cybersecurity researchers Carlo Meijer, Wouter Bokslag, and Jos Wetzels from Midnight Blue, detail flaws collectively named 2TETRA:2BURST. The issues affect both TETRA's proprietary end-to-end encryption (E2EE) layer and the underlying air-interface protocol, and make it possible for attackers to launch replay attacks, brute-force a weakened encryption variant, and inject malicious voice or data traffic into networks that are configured to use encryption.


Background on TETRA

Developed by the European Telecommunications Standards Institute (ETSI), TETRA is the backbone of secure mobile radio communication in many countries. Its air-interface encryption relies on four main algorithms: TEA1 and TEA4 for commercial use, TEA2 for European public-safety networks, and TEA3 for public-safety networks outside Europe. End-to-end encryption is an optional, vendor-supplied layer applied on top of that air-interface protection.

This new disclosure comes just over two years after Midnight Blue revealed the original TETRA:BURST vulnerabilities, which included what the researchers described as an "intentional backdoor": the TEA1 algorithm's effective key length is reduced to 32 bits, which leaves commercial TEA1 traffic open to practical brute-force decryption.


Key Newly Reported Vulnerabilities

The 2TETRA:2BURST flaws involve weaknesses in packet handling, encryption key management, and message authentication. The most notable issues include:

  • CVE-2025-52940 – E2EE voice streams carry no replay protection, so captured audio can be played back to recipients and, in some configurations, arbitrary audio can be injected in a way that is indistinguishable from legitimate communications.
  • CVE-2025-52941 – A deliberately weakened variant of the E2EE AES-128 cipher reduces effective key entropy from 128 to 56 bits, putting the key within reach of brute-force search.
  • CVE-2025-52942 – Encrypted SDS (Short Data Service) messages lack replay protection, so an attacker can re-deliver a captured message to users or to automated systems that act on it.
  • CVE-2025-52943 – Networks that support several air-interface algorithms use the same network key for all of them, so a key recovered through the weakened TEA1 algorithm can be used to decrypt TEA2 or TEA3 traffic on the same network.
  • CVE-2025-52944 – The TETRA protocol provides no message authentication on the air interface, so anyone who can transmit can inject arbitrary voice or data messages that receivers accept as genuine.

Additionally, the previously released fix for CVE-2022-24401 was found to be insufficient against keystream recovery attacks. No CVE has been assigned to this finding; Midnight Blue tracks it under its own placeholder identifier, MBPH-2025-001.
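The replay and injection issues in the list above (CVE-2025-52940, CVE-2025-52942 and CVE-2025-52944) share one root cause: the traffic is encrypted but neither authenticated nor bound to a receiver-checked counter. The following Python block is an added illustration, not code from the researchers or from any TETRA implementation. It models a toy radio channel in the weak shape (counter plus keystream-XOR, no tag, receiver trusts the counter in the frame) beside a hardened shape (HMAC tag over counter and ciphertext, strictly increasing counter enforced by the receiver) and runs the same replay and bit-flipping injection against both. The keystream generator, keys and messages are constructed for the demo; the real TETRA ciphers and framing are not reproduced here.

```python
import hashlib
import hmac
import struct


def keystream(key: bytes, counter: int, length: int) -> bytes:
    """Toy PRF keystream (HMAC-SHA256 of counter || block), standing in for the real cipher."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">QI", counter, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class UnauthenticatedChannel:
    """Weak design: frame = counter || (plaintext XOR keystream). No tag, and the receiver
    re-derives the keystream from whatever counter the frame carries, so it never sees a replay."""

    def __init__(self, key: bytes):
        self.key, self.tx_counter = key, 0

    def send(self, plaintext: bytes) -> bytes:
        header = struct.pack(">Q", self.tx_counter)
        ciphertext = xor_bytes(plaintext, keystream(self.key, self.tx_counter, len(plaintext)))
        self.tx_counter += 1
        return header + ciphertext

    def receive(self, frame: bytes) -> bytes:
        counter, body = struct.unpack(">Q", frame[:8])[0], frame[8:]
        return xor_bytes(body, keystream(self.key, counter, len(body)))


class AuthenticatedChannel:
    """Hardened design: frame = counter || ciphertext || HMAC tag over both; the receiver
    verifies the tag first and then accepts only counters above the last one it accepted."""

    TAG_LEN = 16

    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.tx_counter, self.highest_accepted = 0, -1

    def _tag(self, data: bytes) -> bytes:
        return hmac.new(self.mac_key, data, hashlib.sha256).digest()[: self.TAG_LEN]

    def send(self, plaintext: bytes) -> bytes:
        header = struct.pack(">Q", self.tx_counter)
        ciphertext = xor_bytes(plaintext, keystream(self.enc_key, self.tx_counter, len(plaintext)))
        self.tx_counter += 1
        return header + ciphertext + self._tag(header + ciphertext)

    def receive(self, frame: bytes) -> bytes:
        body, tag = frame[: -self.TAG_LEN], frame[-self.TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(body)):
            raise ValueError("authentication failed")      # injected or modified frame
        counter = struct.unpack(">Q", body[:8])[0]
        if counter <= self.highest_accepted:
            raise ValueError("replay detected")            # old or duplicated frame
        self.highest_accepted = counter
        return xor_bytes(body[8:], keystream(self.enc_key, counter, len(body) - 8))


def demonstrate() -> dict:
    """Replays a captured frame and flips known plaintext in it against both designs."""
    key, mac_key = b"K" * 16, b"M" * 16                     # constructed demo keys
    original, forged = b"STATUS: HOLD", b"STATUS: MOVE"     # constructed, equal-length messages
    results = {}

    weak_tx, weak_rx = UnauthenticatedChannel(key), UnauthenticatedChannel(key)
    frame = weak_tx.send(original)
    weak_rx.receive(frame)
    results["weak_replay_accepted"] = weak_rx.receive(frame) == original
    # Injection without the key: XOR the ciphertext with (known plaintext XOR target plaintext).
    delta = xor_bytes(original, forged)
    results["weak_injection_result"] = weak_rx.receive(frame[:8] + xor_bytes(frame[8:], delta))

    strong_tx, strong_rx = AuthenticatedChannel(key, mac_key), AuthenticatedChannel(key, mac_key)
    frame = strong_tx.send(original)
    strong_rx.receive(frame)
    tag_len = AuthenticatedChannel.TAG_LEN
    tampered = frame[:8] + xor_bytes(frame[8:-tag_len], delta) + frame[-tag_len:]
    for name, attempt in (("strong_replay_accepted", frame), ("strong_injection_accepted", tampered)):
        try:
            strong_rx.receive(attempt)
            results[name] = True
        except ValueError:
            results[name] = False
    return results
```

Run `demonstrate()` and the weak channel accepts the replayed frame and decrypts the edited one to "STATUS: MOVE" even though the attacker never held the key, while the hardened channel rejects both. A real deployment would also need a window for out-of-order delivery and a way to resynchronise counters after a reset, but the ordering of checks (tag before counter, counter state kept by the receiver) is the part that closes the three weaknesses described above.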


Potential Impact

The risks vary depending on each network's configuration and usage. Networks that carry data over TETRA are especially exposed to packet injection, which lets an adversary intercept traffic or insert malicious data destined for the systems behind the radio link.

Replay or voice injection attacks could cause operational confusion during critical situations, while the weakened encryption variant opens the door to brute-force decryption. Because the air interface carries no message authentication, even networks configured to use encryption will still accept and process injected plaintext traffic in the downlink direction, which widens the attack surface beyond the encrypted channel itself.


Mitigation Recommendations

Since no comprehensive patches are currently available (aside from an upcoming fix for MBPH-2025-001), Midnight Blue advises:

  • Migrating to E2EE implementations that have been thoroughly and independently reviewed.
  • Avoiding the weakened encryption variants.
  • Disabling TEA1 support and rotating all network keys, so that a key recovered through TEA1 no longer protects TEA2 or TEA3 traffic.
  • Adding a TLS or VPN layer when using TETRA for data transmission, so that confidentiality and integrity do not depend on the air-interface encryption alone.


Additional Device-Level Threats

The researchers also disclosed three vulnerabilities affecting Sepura SC20 series mobile TETRA radios:

  • CVE-2025-52945 – Insufficient file-management restrictions, which allow arbitrary code execution on the radio.
  • CVE-2025-8458 – Low entropy in the keys used to encrypt the SD card.
  • MBPH-2025-003 – An inherent design flaw that allows exfiltration of all TETRA and E2EE key material stored on the device (except the device-specific key); no CVE has been assigned.

Exploitation of these flaws requires physical access to the radio, but an attacker who has it could execute unauthorized code, extract the encryption keys, or implant a persistent backdoor on the device.


Strategic Security Takeaway

These discoveries reinforce the urgent need for continuous security audits, especially for systems supporting critical and emergency communications. Relying solely on proprietary encryption is insufficient — layered defenses, strong key management policies, and modern encryption practices must be implemented to maintain confidentiality, integrity, and availability in mission-critical networks.

Source: https://thehackernews.com/2025/08/new-tetra-radio-encryption-flaws-expose.html