TETRA:BURST and 2TETRA:2BURST — Why Critical Radio Systems Remain Vulnerable

In 2023, researchers dropped a bombshell on the world of secure communications. They revealed TETRA:BURST, a set of vulnerabilities in the Terrestrial Trunked Radio (TETRA) standard — the digital radio system used by law enforcement, the military, and operators of critical infrastructure in more than 100 countries.
The flaws meant that supposedly secure police radios, power grid controls, and even airport communications could be intercepted or manipulated. At the time, the European Telecommunications Standards Institute (ETSI), which oversees TETRA, recommended that users bolt on end-to-end encryption (E2EE) to compensate.
Now, just two years later, those very protections have been torn apart. At Black Hat USA 2025, the Dutch security firm Midnight Blue disclosed five new vulnerabilities in what they call 2TETRA:2BURST — and the findings raise fresh concerns about how secure the world’s most trusted radio systems really are.
A Standard Under Fire
TETRA was introduced in 1995 and quickly became the backbone of secure communications for governments and utilities. Police forces in Europe rely on it daily. In the U.S., it underpins at least 20 critical infrastructure systems, from electric power grids and pipelines to airports and even an Army training base.
But TETRA was designed in an era when encryption was subject to strict export controls. Key lengths were intentionally weakened — a compromise between security and politics that is now coming back to haunt users.
When Midnight Blue first exposed TETRA:BURST in 2023, one of the headline flaws (CVE-2022-24402) boiled down to the deliberate downgrading of key strength, leaving traffic open to brute-force attacks. Even then, researchers warned that “not all of the discovered problems could be fixed with patches.”
2TETRA:2BURST — Five New Cracks in the Armor
Fast forward to 2025. After reverse-engineering Sepura radios bought on the open market, Midnight Blue showed that the E2EE layer ETSI recommended is itself riddled with holes.
Here’s what they found:
- CVE-2025-52940: E2EE voice has no replay protection. Attackers can replay or inject live voice traffic without ever knowing the key. Midnight Blue demonstrated this live — their injected voice was broadcast as if it came from a trusted officer.
- CVE-2025-52941: AES-128 keys are compressed to 56 bits, slashing effective security and allowing brute-force decryption in hours on commodity hardware.
- CVE-2025-52942: Encrypted SDS (short text/data) messages have no replay protection, leaving both human and machine-to-machine messages open to spoofing.
- CVE-2025-52943: Multi-cipher networks reuse the same key across algorithms. Crack the weak TEA1 key and you can decrypt TEA2 or TEA3 traffic.
- CVE-2025-52944: No message authentication at the TETRA protocol level. This makes it possible to inject arbitrary packets — voice or data — into supposedly secure networks.
On top of that, researchers noted that ETSI’s earlier patch for a keystream recovery flaw (CVE-2022-24401) was ineffective; the bug remains exploitable and is now tracked under the temporary identifier MBPH-2025-001.
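To make concrete what three of the listed gaps (no replay protection for voice in CVE-2025-52940 and for SDS in CVE-2025-52942, no message authentication in CVE-2025-52944) look like when they are closed, here is an added illustrative sketch; it is not the TETRA E2EE frame format and not Midnight Blue's, Sepura's or ETSI's code. It assumes a constructed frame layout (64-bit sequence counter, truncated HMAC-SHA256 tag, 64-frame replay window) and shows a receiver that rejects tampered, injected, replayed and stale frames.

```python
import hmac
import hashlib
import struct

# Constructed illustration for this article: a voice/SDS frame carrying a
# sequence number and an authentication tag, plus a receiver that enforces
# both. Frame layout, tag length and window size are assumptions, not TETRA's.
SEQ_LEN = 8      # big-endian 64-bit sequence counter (assumed)
TAG_LEN = 16     # truncated HMAC-SHA256 tag (assumed)


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: bind the payload to a monotonically increasing counter."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class Receiver:
    """Receiver side: reject forged, modified, replayed and stale frames."""

    def __init__(self, key: bytes, window: int = 64):
        self.key = key
        self.window = window   # how far out of order a frame may still arrive
        self.highest = -1      # highest sequence number accepted so far
        self.seen = set()      # accepted sequence numbers inside the window

    def accept(self, frame: bytes):
        if len(frame) < SEQ_LEN + TAG_LEN:
            return None        # malformed: too short to carry counter and tag
        header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None        # wrong key or altered bytes: fails authentication
        seq = struct.unpack(">Q", header)[0]
        if seq in self.seen or seq + self.window <= self.highest:
            return None        # exact replay, or older than the replay window
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        # Forget counters that have fallen out of the window.
        self.seen = {s for s in self.seen if s + self.window > self.highest}
        return payload
```

Without the counter and tag, a receiver has no basis to distinguish a recorded frame from a fresh one, which is exactly what the on-stage voice injection exploited.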
Why This Keeps Happening
The recurring theme is clear: security by obscurity. For decades, TETRA algorithms were kept secret under NDAs and trade-secret protections, never opened to academic review. Midnight Blue’s work only became possible because they bought radios on eBay, extracted the firmware, and spent months reverse-engineering the algorithms.
As the researchers put it, “Kerckhoffs’ principle” — the idea that cryptographic security should rest on keys, not secret algorithms — was ignored. Add in political pressure from export controls that capped key sizes at 56 or 80 bits, and you get a system that looks strong on paper but collapses under scrutiny.
Who’s at Risk
The impact is global and serious. Vulnerable radios are in use by:
- Law enforcement and intelligence agencies.
- Critical infrastructure operators — electricity, gas, pipelines, and rail.
- Airports and public transit systems.
- Military units in Europe, the U.S., and allied nations.
End-to-end encryption was supposed to be the safety net for high-risk users like covert teams and special forces. Instead, it may have given them a false sense of security.
What Can Be Done
There are no simple fixes. Midnight Blue notes that firmware patches are planned for some physical access flaws in Sepura radios later in 2025, but the five new CVEs remain unpatched. For now, experts recommend:
- Disable TEA1 in any multi-cipher network.
- Rotate all air-interface keys (SCK/CCK) regularly.
- Layer TLS or VPN tunnels on top of TETRA for data traffic.
- Audit E2EE deployments — verify that radios aren’t using the weakened 56-bit mode.
- Consider migration strategies for the long term, especially for operators of critical infrastructure.
As Midnight Blue starkly demonstrated in Las Vegas:
“We showed live voice injection on stage; users heard an attacker’s words come out of their own radios and had no way to tell they were fake.”
The Bigger Picture
The TETRA saga is more than a story about broken encryption. It’s about how secrecy, politics, and legacy technology can collide to put essential services at risk. From police radios to power grids, these networks are assumed to be secure. The reality is more troubling: many are vulnerable by design.
And while ETSI has now opened TETRA algorithms to academic research, the damage is done. What was once thought to be an unassailable standard is now a case study in why cryptography cannot be left to closed committees.
For agencies and operators worldwide, the message is simple: assume compromise is possible — and start building security on top of it.