New security flaws have been identified in the TETRA radio standard, putting law enforcement, military and government communications at risk of interception, even when encrypted.

Midnight Blue's 2TETRA:2BURST research disclosed six vulnerabilities, four rated critical, allowing attackers to break encryption, replay calls, and inject voice messages and data into the system.

Despite TETRA’s closed-off backend, researchers said the “often sensitive nature of communications, and TETRA’s dubious track record, highlight the necessity of a thorough independent assessment.”

2TETRA:2BURST vulnerabilities

CVE-2025-52940 - TETRA end-to-end encrypted voice streams are vulnerable to replay attacks. Furthermore, an attacker with no knowledge of the key may inject arbitrary voice streams that are played back indistinguishably from authentic traffic by legitimate call recipients.

CVE-2025-52941 - TETRA end-to-end encryption algorithm ID 135 refers to an intentionally weakened AES-128 implementation which has its effective traffic key entropy reduced from 128 to 56 bits, rendering it vulnerable to brute force attacks.

CVE-2025-52942 - End-to-end encrypted TETRA SDS messages feature no replay protection, allowing for arbitrary replay of messages towards either humans or machines.

CVE-2025-52943 - TETRA networks that support multiple Air Interface Encryption algorithms are vulnerable to key recovery attacks since the SCK/CCK network key is identical for all supported algorithms. When TEA1 is supported, an easily recovered TEA1 key (CVE-2022-24402) can thus be used to decrypt or inject TEA2 or TEA3 traffic on the network.

CVE-2025-52944 - The TETRA protocol lacks message authentication and therefore allows for the injection of arbitrary messages such as voice and data. Message injection is possible regardless of whether client authentication is enforced by the network.

MBPH-2025-001 (not yet granted a CVE) - ETSI's fix for CVE-2022-24401 (which found its way into firmware updates) is ineffective in the prevention of keystream recovery attacks.

To skirt NDAs protecting the proprietary technology, the cybersecurity company reverse engineered the Sepura Embedded end-to-end encryption (E2EE) solution for TETRA to find the bugs, in research it first published at the 2025 Black Hat conference.

Given TETRA's use in law enforcement operations, Midnight Blue warned voice replay and injection attacks could be "used as an amplifying factor in a larger-scale attack."

A global problem?

Short for Terrestrial Trunked Radio, TETRA is a mobile radio standard designed for sensitive organisations by the European Telecommunications Standards Institute (ETSI) in 1995 and now used in more than 250 networks.

It includes seven encryption algorithms, TEA1-7, and can be bolstered by an additional E2EE mechanism, not governed by ETSI but defined by The Critical Communications Alliance (TCCA) and implemented by private vendors such as Sepura, Airbus and Motorola.

Midnight Blue said it can’t verify whether the vulnerabilities it identified affect all TETRA E2EE versions, but considers “it likely they are affected by these or similar issues” given its assumption Sepura's tech closely adheres to TCCA’s implementation advice.

The critical flaws found include an “intentionally weakened” version of the AES-128 algorithm that reduces its effective traffic key entropy from 128 to 56 bits, and a vulnerability to key recovery attacks because the SCK/CCK network key is identical across all supported algorithms.

The report also said the TETRA protocol lacks message authentication, opening the door for arbitrary messages to be injected into the system even if client authentication is enforced by the network.

A second round of vulnerabilities

The set of issues, dubbed 2TETRA:2BURST, follows Midnight Blue’s TETRA:BURST research in July 2023, which covered a separate set of five TETRA vulnerabilities that ETSI had claimed were often covered by E2EE.

Researchers were particularly concerned by the discovery that an ETSI fix for an initial TETRA:BURST vulnerability (CVE-2022-24401) was “ineffective in the prevention of keystream recovery attacks.”

Despite the security disclosures, TETRA has remained widely popular across the globe, with Spain’s cybersecurity organisation describing it as “the best option” for communications in critical organisations.

Its use could soon be on a downward trend though, with the UK looking to move off its TETRA-based Airwave emergency services system as it embraces next-generation 4G and 5G technologies.