3. Introduction - ITDS Consulting
● Tomáš Suchan, Marek Sebera
● Based in Prague
● https://www.itds-consulting.cz
● TETRA, GSM, TETRAPOL, DMR
● TETRA Toolkit - Monitoring and forensic tool
● GSM Toolkit - Mobile networks security tool
4. What is TETRA
● TErrestrial Trunked RAdio
● Designed by ETSI since 1990
● Mission-Critical Digital Radio System
● Private / Professional Mobile Radio (PMR)
● DAMM, Sepura, Rohde & Schwarz, EADS, Motorola, …
● Transport, Airports, Police/Fire/Ambulance, Army, …
● SCADA systems (nuclear plants, power stations, …)
9. Slovak Republic
● TETRAPOL
● Project: SITNO - Ministerstvo Vnútra SK
● Built in years 1999 - 2008
● Working since 2008
● Firefighters, Police, Customs, 112 Emergency
10. Disclaimer
● Properly secured TETRA network is hard to crack
● We’re talking about unsecured or badly secured networks
11. TETRA Network Security
● Transport
○ Air-Interface encryption
● SwMI (Infrastructure)
○ Restrict MS by TEI + ISSI combo
● Application
○ End-to-End transport encryption
13. Missing Air-Interface Encryption
We can:
● Read text / binary data (SDS)
● Decode voice transports (even Group Calls)
● Map network structure
● Identify users, clients, applications
● Intercept (MITM) communication
● Fake both directions of data transport
14. No Air-Interface Encryption, TEI + ISSI registration restricted
We can still do everything, it’s just a bit harder :-)
15. Missing Air-Interface Encryption, added E2E encryption
● Correlate communication groups
● Map infrastructure
● Scan / Penetrate application endpoints
● Communication fuzzing and DoS attacks
19. Tetra Toolkit ® ITDS Consulting
● Requirements
○ 4-core 2.5GHz computer, 8GB DDR3
○ RTL-SDR USB dongle
○ Linux OS
● Attack time < few minutes
● Decode voice, text and data communication
● Map infrastructure,