BEGIN:VCALENDAR VERSION:2.0 PRODID:-//pretalx//pretalx.com//orangecon-2026//speaker//RZDXM7 BEGIN:VEVENT UID:pretalx-orangecon-2026-ZTJRDS@pretalx.com DTSTART:20260604T154000Z DTEND:20260604T164000Z DESCRIPTION:NOTICE: While this is on the workshop track\, this is more of a non-interactive talk.\n\nIn this talk\, we will present the first public security analysis of TETRA end-to-end encryption (E2EE) used for the most sensitive communications - such as those by intelligence agencies and spec ial forces.\n\nIn all-new material\, we present seven security vulnerabili ties pertaining to TETRA and its E2EE\, three of which are critical.\n\nTE TRA is a European standard for trunked radio used globally by police and m ilitary operators. Additionally\, TETRA is widely deployed in industrial e nvironments such as harbors and airports\, as well as critical infrastruct ure such as SCADA telecontrol of pipelines\, transportation and electric a nd water utilities.\n\nWhile we previously reverse-engineered and publishe d the then-secret algorithms underpinning TETRA cryptography\, the vendor- proprietary E2EE solution (which enjoys significant end-user trust) intend ed for the most critical use cases remained undisclosed and proved quite h ard to obtain.\n\nGiven the opaque nature of this solution and TETRA's his tory of offering significantly less security than advertised (including ba ckdoored ciphers)\, we decided to undertake the effort of reverse-engineer ing a TETRA E2EE solution.\n\nWe did this by extracting it from a popular Sepura radio and discovering several critical 0-day vulnerabilities in the radio in the process\, presenting additional key extraction and covert im planting vulnerabilities.\n\nWe will publish the E2EE design along with a security analysis\, identifying several severe shortcomings ranging from t he ability to inject voice traffic into E2EE channels and replay SDS messa ges to an intentionally weakened E2EE variant\, which reduces its 128-bit key to only 56 bits.\n\nIn addition\, we will discuss new findings related to multi-algorithm networks and official patches\, relevant for asset own ers mitigating the TETRA:BURST vulnerabilities previously uncovered by us. \n\nFinally\, we will demonstrate the E2EE voice injection attack as well as the previously theoretical TETRA packet injection attack on SCADA netwo rks. DTSTAMP:20260525T192644Z LOCATION:Workshops 4 SUMMARY:2 Cops 2 Broadcasting: TETRA End-To-End Under Scrutiny (Talk) - Jos Wetzels\, Wouter Bokslag URL:https://pretalx.com/orangecon-2026/talk/ZTJRDS/ END:VEVENT END:VCALENDAR