TE-TE-TE-TRABurst! – Security through obscurity never pays off!

Now that I am done solving Germany's IT skill gap single-handedly, I am going to focus on another recent series of events that caught my eye. A group of Dutch security researchers found five CVEs in TETRA. TETRA is infamous for its security-by-obscurity stance: very little security literature about it has been published, there have been cases where security researchers were apprehended just for looking at it, and the relevant cryptographic documentation is disseminated only to a limited number of well-known parties under strict NDAs. These are not theoretical CVEs; they allow interception and manipulation of traffic using consumer hardware. Feel free to refer to the relevant website for more details, keeping in mind that this is a protocol used by law enforcement agencies and the military, such as our friends, the Greek Police.

The vulnerabilities themselves are not beyond the reach of an average security code review or an examination of decompiled binaries. By limiting access to your cryptographic scheme, you ensure two things:

  • You will not get as many eyeballs as possible on your system.
  • You make the life of the bad guys a lot, lot easier.

You see, bad guys do not play by the rules. If the stakes, and thus the incentives, are high enough, they will devise a gazillion ways to get their hands into the cookie jar. "Security through obscurity never works" is a common aphorism in the security community, so it is amazing that this cryptosystem was protected not only by NDAs but also by the fear of prosecution. Quoting from the TetraBurst website, detecting these attacks in the wild ranges from difficult to impossible, so who knows for how long adversaries have had this system compromised? I hope its successor will be an open system, with published information and a welcoming stance towards the security community, so that the system can be tested and tested and tested again. Our safety as EU citizens is on the line.
