Broken by Design: Critical Flaws Found in TETRA Radio Encryption
Radio communications used by intelligence agencies, law enforcement, and military forces across dozens of countries have been found vulnerable to interception — and the flaw lies not only in outdated algorithms, but also in encryption schemes once touted as robust and secure. Security experts from Midnight Blue, who previously uncovered a deliberate backdoor in the TETRA standard, have now identified a serious weakness in its end-to-end encryption system, which was intended to guard against exactly such threats.
The problem originated with the TEA1 algorithm, embedded in TETRA — a European radio communication standard deployed since the 1990s and used in radios from Motorola, Sepura, Damm, and other manufacturers. Designed for export outside Europe, TEA1 deliberately incorporated a key-weakening mechanism: though nominally 80 bits in length, its effective strength is only 32 bits, allowing it to be cracked in mere seconds.
To mitigate this flaw, the European Telecommunications Standards Institute (ETSI) in 2023 recommended the adoption of an additional protective layer — an end-to-end encryption system developed by the SFPG working group within The Critical Communications Association (TCCA). Yet, this safeguard also harbors a fundamental weakness: in at least one implementation studied, the algorithm begins with a full 128-bit key but truncates it to just 56 bits in actual use, rendering it far easier to break.
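A key reduction of the kind described above can be looked for during acceptance testing by flipping each key bit and checking whether the output changes. The following is an added example, not code from Midnight Blue, TCCA or any vendor: `reduced_keystream` and `full_keystream` are constructed stand-ins built on SHAKE-128, not the TETRA or TCCA algorithms, and all function names are hypothetical.

```python
import hashlib
import os


def reduced_keystream(key: bytes, iv: bytes, n: int = 16,
                      effective_bits: int = 56) -> bytes:
    """Constructed stand-in: accepts a 128-bit key but keeps only its top 56 bits."""
    keep = int.from_bytes(key, "big") >> (len(key) * 8 - effective_bits)
    seed = keep.to_bytes((effective_bits + 7) // 8, "big") + iv
    return hashlib.shake_128(seed).digest(n)


def full_keystream(key: bytes, iv: bytes, n: int = 16) -> bytes:
    """Constructed stand-in that uses every bit of the key."""
    return hashlib.shake_128(key + iv).digest(n)


def influential_key_bits(keystream_fn, key_len: int = 16, trials: int = 4) -> int:
    """Count key bits whose flip changes the output for some random key/IV.

    The count is an upper bound on effective key strength: bits that never
    influence the output are certainly discarded. A reduction that mixes
    every key bit into a smaller internal value would still pass this test.
    """
    influential = 0
    for bit in range(key_len * 8):
        for _ in range(trials):
            key, iv = os.urandom(key_len), os.urandom(8)
            flipped = bytearray(key)
            flipped[bit // 8] ^= 0x80 >> (bit % 8)  # bit 0 = MSB of byte 0
            if keystream_fn(key, iv) != keystream_fn(bytes(flipped), iv):
                influential += 1
                break
    return influential


if __name__ == "__main__":
    for name, fn in (("reduced", reduced_keystream), ("full", full_keystream)):
        print(f"{name}: {influential_key_bits(fn)} of 128 key bits affect the output")
```
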
The concern is heightened by the fact that these systems secure the communications of elite units, intelligence services, and defense agencies. Radios equipped with this technology are used by police in Belgium, across Scandinavia, in Eastern Europe — including Bulgaria and Serbia — and in parts of the Middle East such as Iran, Lebanon, and Syria. However, it remains impossible to determine precisely where the end-to-end encryption is enabled, and where it relies on weakened keys.
Midnight Blue researchers state they were able to uncover the flaw only after extracting and analyzing the end-to-end algorithm from a Sepura radio. Their findings indicate that the vulnerability stems not from any single vendor’s implementation, but from the TCCA protocol itself — meaning the risk of forging voice messages or replaying legitimate commands extends to all users, regardless of manufacturer.
Both TCCA and ETSI have deflected responsibility, noting that encryption parameters are negotiated between vendor and client, and that the ETSI standard itself does not incorporate end-to-end encryption. Nonetheless, the two bodies work closely together, and the authors of TEA2 and the end-to-end algorithm appear to be one and the same.
The situation is further clouded by the secrecy surrounding TCCA specifications: technical documents are accessible only to manufacturers under strict non-disclosure agreements. Yet, identifiers in radio firmware can reveal the key length in use, indirectly confirming that TCCA offers variants with 56-, 64-, and 128-bit keys.
Sepura has declined to comment on the issue. However, experts remain skeptical that government clients in the Middle East or Eastern Europe — who spend millions on such equipment — are aware that their devices may be running encryption weak enough to be broken on an ordinary laptop.
Particularly troubling is the potential to broadcast falsified messages. In a crisis, forged orders or repeated commands could sow chaos within security operations. While the standard’s developers may assume that relevant authorities are informed, evidence suggests otherwise: no public disclosure has been made regarding the extent of the encryption downgrades, and manufacturers’ marketing materials make no mention of it.
Thus, a safeguard designed as a “second layer” of security for government communications has, in some deployments, proven just as fragile as the base layer it was meant to reinforce — at far greater cost to the states that implement it. Researchers are set to present their full findings at the upcoming Black Hat conference in Las Vegas, and the TCCA end-to-end algorithm now risks following TEA1’s path: becoming a cautionary emblem of encryption meant to protect, but ultimately failing to do so.