Europe Mulls Open Sourcing TETRA Emergency Services' Encryption Algorithms (theregister.com)
Jessica Lyons Hardcastle reports via The Register: The European Telecommunications Standards Institute (ETSI) may open source the proprietary encryption algorithms used to secure emergency radio communications after a public backlash over security flaws found this summer. "The ETSI Technical Committee in charge of TETRA algorithms is discussing whether to make them public," Claire Boyer, a spokesperson for the European standards body, told The Register. The committee will discuss the issue at its next meeting on October 26, she said, adding: "If the consensus is not reached, it will go to a vote."
TETRA is the Terrestrial Trunked Radio protocol, which is used in Europe, the UK, and other countries to secure radio communications used by government agencies, law enforcement, military and emergency services organizations. In July, a Netherlands security biz uncovered five vulnerabilities in TETRA, two deemed critical, that could allow criminals to decrypt communications, including in real-time, to inject messages, deanonymize users, or set the session key to zero for uplink interception. At the time ETSI downplayed the flaws, which it said had been fixed last October, and noted that "it's not aware of any active exploitation of operational networks."
At the time ETSI downplayed the flaws, which it said had been fixed last October, and noted that "it's not aware of any active exploitation of operational networks." It did, however, face criticism from the security community over its response to the vulnerabilities -- and the proprietary nature of the encryption algorithms, which makes it more difficult for proper pentesting of the emergency network system. "This whole idea of secret encryption algorithms is crazy, old-fashioned stuff," said security author Kim Zetter who first reported the story. "It's very 1960s and 1970s and quaint. If you're not publishing [intentionally] weak algorithms, I don't know why you would keep the algorithms secret."
Duplicate text (Score:4, Funny)
At the time ETSI downplayed the flaws, which it said had been fixed last October, and noted that "it's not aware of any active exploitation of operational networks.
Appears twice in the slashdot and only once in The Register version.
Hopefully slashdot can afford to hire editors that have "copy and paste" not "copy and paste and paste" skills.
Europeans (Score:2)
It's very 1960s and 1970s and quaint. If you're not publishing [intentionally] weak algorithms, I don't know why you would keep the algorithms secret.
They're Europeans, duh. More than likely, using AES offends French pride, so there's no way they'd consider it.
Re: (Score:2)
Why, because it's Belgian?
Re: Europeans (Score:2)
Well the guy is Flemish, not Walloon. Maybe that's why :).
WRT EU's Cyber Resilience Act? (Score:5, Interesting)
Isn't this the same Europe that is proposing the Cyber Resilience Act [wikipedia.org] that indirectly has the potential for great effect on open source, where they propose to send this algorithm? There could be some interesting effects here.
Re: (Score:2)
There interesting effects here. The legislation makes open source vendors responsible for security. Closed source providers are already responsible for security. Before open source ETSI was responsible for bugs. After open source ETSI is responsible for bugs.
There's lots to be said about the Cyber Resilience Act, but it has no bearing on this specific case of potential open sourcing at all.
Re: WRT EU's Cyber Resilience Act? (Score:2)
It's not because your product is open source that you should be unaccountable.
Given that OS is superior this is a non-issue.
Tautology (Score:2)
> Europe, the UK
The UK is in Europe.
Re: (Score:1)
UK has always been treated independently. Brexit cemented this.
Re: (Score:2)
The UK is in Europe.
You'd be surprised how many people in the UK don't know this.
Re: (Score:3)
> Europe, the UK
The UK is in Europe.
One pedant deserves another...
When an article states, for example, "Europe mulls <doing something>..." it's pretty clear that 'Europe' is being used as a shorthand for 'The European Union', or more accurately yet 'The legislative branch* of the European Union', as 'Europe' itself is a continent, and has no will nor ability to do anything (well, except float serenely on a sea of lava at a pace of about 3cm / year).
Once one arrives at this realisation the apparent tautology (if indeed it is such, rather
Re: (Score:2)
Both sides like to pretend otherwise.
Telegram says "Hi" (Score:1)
This whole idea of secret encryption algorithms is crazy, old-fashioned stuff
The "we pinky-swear-promise it's super-awesome secure and magical" thing has never been true. Ever.
OWS/Signal is there for all to see, berate, prod and abuse.... to the betterment of all. This is not by accident.
Re: (Score:2)
Re: (Score:1)
Signal invades privacy
Provably false but the assertion is adorable.
Re: Telegram says "Hi" (Score:2)
The provable is the best part.
Re: (Score:2)
The secrecy was all about controlling who got the good encryption, who got the crap encryption and who got no encryption at all.
Same as happened with various cellular standards like GSM where the encryption algorithms were kept secret to ensure the bad guys couldn't have GSM with the good encryption.
Wrong response (Score:4, Insightful)
I don't need to see the source code to some crappy algorithm that's likely insecure, but won't get the thousands of hours of analysis required to confirm that. It's essentially security through obscurity, and we all know how good that is.
What I need instead is for these systems to use *already* published, *already* considered secure algorithms. You can keep the source code closed if you do that - if you're using AES256 (for example), then that's good enough for me, I don't need to see the source. Yes, it might be a crappy implementation of AES and might have a flaw in it, but in truth, this is about as good as security gets unless you really do spend a lot of money on it.