74 comments

[ 0.27 ms ] story [ 168 ms ] thread
It sounds like the encryption was limited intentionally, so government organizations could easily decrypt it.
Ding ding ding!

The dark unspoken part? They don't need to worry about you distributing it domestically, because anyone using it domestically is subject to extralegal rendition and rubber-hose cryptography without a warrant.

That's been formally legal since the passage of the PATRIOT Act (and from the infinite renewal of the NDAA), but even Lincoln ended Habeas Corpus on a whim when he found it convenient.

We don't live in a constitutional democratic republic, we live in a totalitarian surveillance state LARPing as a constitutional democratic republic.

The United States has many negative things about it, and its democracy is flawed at best, but you don't get combo points for tacking on adjectives. It is plain by reading the dictionary that the US is not totalitarian.
Very few people seem to make any effort to distinguish between totalitarian and authoritarian, and even authoritarian is used very loosely.
I think the tin-foil man is saying that you wouldn't know a totalitarian state if it were successfully masquerading as a democracy.

"Successfully" is the real loaded term here. Those that claim to see the cabal behind the curtain unfortunately have woefully underdeveloped facts to support it.

There's no hiding totalitarianism, totalitarian governments exercise total control over virtually every aspect of the private lives of their subjects. Under totalitarianism, you can forget about choosing your school or career. You might -MIGHT be allowed to choose your mate, but even that isn't certain because totalitarianism is characterized by such an extreme lack of individual liberty that the state may even tell you who to marry.

A subverted liberal democracy secretly run by a cabal of oligarchs but on the surface still playing hands-off with everyday people's lives is not totalitarianism. Totalitarianism is not some generic insult to describe any oligarchy or authoritarian government. Totalitarianism is the extreme absence of individual liberty.

I wonder if there are measurable personality differences that predict how well someone responds to hyperbolic rhetoric.

For instance, the US has been doing down on the Economist Democracy Index in recent years. "Flawed democracy" is not totalitarian, but it's trending away from "full democracy" and cries of totalitarianism may well be responding to real concerns.

In the abstract, I wonder if it's better to raise such issues with incremental language and small arguments, or to raise them with hyperbolic claims, or to tailor to your audience, or some other combination.

> I wonder if there are measurable personality differences that predict how well someone responds to hyperbolic rhetoric.

You don't have to tell me that I'm weird, I already know.. Most people seem to think dictionaries are obsolete because spellcheck exists, not caring that the primary purpose of dictionaries is to look up the established meanings of words. I know I'm weird for thinking these established meanings should at least be acknowledged when deciding to stray from them. If people want to use hyperbole to make a point I think that's fine, and know that even if I didn't think it was fine it wouldn't matter because I couldn't stop them. But my personality is such that when I see somebody doing it without acknowledging the established meaning of the word, I feel compelled to remark on it. Particularly when people are doing it with serious words with heavy connotations, like totalitarianism or genocide.

As for the deteriorating state of American democracy, I share most of your concerns, but I don't see a trend to totalitarianism specifically. For instance the government now exercises less control over who people marry today than it did a generation ago, much less three or four generations ago. I do perceive disturbing trends in corruption, wealth distribution, and administrative competence. But a corrupt incompetent oligarchy is not synonymous with totalitarianism.

The US is owned by the small group of people who have the most money. I wouldnt call it a democracy or totalitarian it's most likely a cell system who regularly has many business deals "on behalf" of the country. Closer to an oligarchy. Basically Russia with a little more modern/recent success.
This article is discussing TETRA, an European system standardized by ETSI. How does US domestic politics apply to this?
he didn't read the article at all and just wants to rant about his favorite pet issue ofc
As usual. Made by an US company (Motorola)
Motorola is just one of many vendors. The Issues discussed are rooted in the standard, not Motorola's implementation.
The PATRIOT Act has been expired for three years now.

This is like when people tell you Flint doesn't have clean water (it's been fixed for four years.) Sometimes, time passes.

Yea they allowed it to expire because they can just buy our data from private industry's now... Who needs an act when the "free market" lets you invade anyone's privacy by the petabyte. Call up your local advertising startup and offer some cash, you'd be surprised what's on the table without even getting to the big companies (google, amazon, Facebook, etc).
The relevant provisions of the NDAA haven't!
No.

These are police radios. All of the transmissions are recorded at the dispatch center and routinely get audited and used in various ways.

Most police traffic isn’t secret and these radios replaced fully open radios that were commonly deployed just about everywhere.

The bigger security threat is that police will often have actual sensitive conversations on personal cellular devices and SMS.

This is just another example of the good old boys network of public safety gear selling bullshit products.

The major reason why police radios are encrypted barring SWAT is so they can say racist things about the people the merc for laughs, adrenaline and clout. SWAT arguably has a public safety reason.
Yes, cryptography has often fallen under many countries weapons export restrictions for the same reason weapons do: to provide an advantage under times of war. There's nothing surreptitious about this, it is the entire point of these types of laws.
Closed, proprietary encryption algorithm is found to have serious, possibly intentional weaknesses: Shocked, shocked, I say!
Next up, our researchers investigate the properties of water. #3 is surprising.
*GASP*

Dihydrogen oxide is also used to contaminate our food, spike our industrial solvents and found in nuclear reactors!

Even in form of a pollutant that is being spewed out from those pesky hydrogen-fuel automobiles.

Its pervasiveness is worse than poisonous CO2!

There are also weak algorithms and weak key lengths which have been open-sourced and meet various countries export requirements. If export laws require radios to be sold with weak encryption it doesn't really matter whether the code is shared or not. When institutions buy COTS products, they almost always use it as is, especially when interoperability depends on it.
CVE-2022-24401: The Air Interface Encryption (AIE) keystream generator relies on the network time, which is publicly broadcast in an unauthenticated manner. This allows for decryption oracle attacks.

CVE-2022-24402: The TEA1 algorithm has a backdoor that reduces the original 80-bit key to a key size which is trivially brute-forceable on consumer hardware in minutes.

CVE-2022-24404: Lack of ciphertext authentication on AIE allows for malleability attacks.

CVE-2022-24403: The cryptographic scheme used to obfuscate radio identities has a weak design that allows attackers to deanonymize and track users.

CVE-2022-24400: A flaw in the authentication algorithm allows attackers to set the Derived Cypher Key (DCK) to 0.

"At its core, TETRA security relies a set of secret, proprietary cryptographic algorithms which are only distributed under strict Non-Disclosure Agreement (NDA) to a limited number of parties. These algorithms consist of the TETRA Authentication Algorithm (TAA1) suite for authentication and key distribution purposes, and the TETRA Encryption Algorithm (TEA) suite for Air Interface Encryption (AIE). The TEA suite consists of four stream ciphers with 80-bit keys: TEA1 to TEA4, where TEA1 and TEA4 were intended for commercial use and restricted export scenarios while TEA2 and TEA3 were intended for use by European and extra-European emergency services respectively. In addition, optional, vendor-specific end-to-end encryption (E2EE) solutions can be deployed on top of AIE."

[1] https://tetraburst.com

> > CVE-2022-24402: The TEA1 algorithm has a backdoor

When does a backdoor get promoted from bug? Does a backdoor require for to have been intentionally added? How do researchers prove intent?

From the page:

The vulnerability in the TEA1 cipher (CVE-2022-24402) is obviously the result of intentional weakning. While the cipher itself does not seem to be a terribly weak design, there is a computational step which serves no other purpose than to reduce the key's effective entropy. Similar weakened cryptography has played a part in flaws in GSM (A5/1, A5/2), GMR (GMR-1), GPRS (GEA-1), DMR ('Basic' and 'Enhanced' encryption), and P25 (ADP) and mostly results from export control practices (See: https://en.wikipedia.org/wiki/Crypto_Wars#PC_era) at the time of design. Unfortunately, in the decades that have passed since then, this cipher has remained in use both inside and outside Europe without loud and clear warnings being issued about its actual security posture.

It seems similar to the locks you buy in typical hardware stores. While not sold that way (rather the opposite!), they have widely known weaknesses that allow compromise by any motivated actor with minimal work, while providing the illusion of security.

And no one is interested in ‘fixing’ it near as I can tell, because it seems to work well enough most of the time, and is convenient for a number of parties. Weird huh?

Except here the key was weakened to satisfy export requirements, without telling users. So they advertise an 80bit key, but secretly and intentionally use something much weaker.

A back door

Should I not mention Masterlocks 'high security' line, which can usually be picked in seconds by anyone with a paperclip and 15 minutes to an hour of training?

Or the numerous 'high security' locks with trivial bypasses?

now do TSA locks
My favorite part of TSA locks is there are only 7 different keys. So if you lose your key in the airport, if you have more than a handful of people near you, you don't even need to know how to pick or break it. Someone has your key already! [https://techcrunch.com/2016/07/27/security-experts-have-clon...]

Or, just buy the replacement on amazon I guess [https://www.amazon.com/tsa-key/s?k=tsa+key]

Frankly, it's probably better to just use a random re-usable zip-tie. At least then you won't figure out you lost your 'key' somewhere inconvenient.

a TSA lock is nothing better than a fancy zip tie. except, when the TSA inspects your back, they will not use a new zip tie after cutting yours off. so you're SOL if you were hoping the zippers would stay together, but they will at least re-lock the TSA lock so the zippers will stay together.
Knapheide truck service bodies only have ten keys. I suspect this model is a lot more common than you might hope.
According to Lock Picking Lawyer, a wave rake or a comb are enough to defeat a MasterLock without training, suspicion or major cost...
He's not wrong. It does take a few minutes for most people to learn how to use the wave rake correctly (there are many bad ways), and if you want to learn how to do it for any arbitrary master lock reliably you'd need some practice. Occasionally you'll run across one that takes a little skill to get open, and it's always the one you expected to be easy.
Most masterlocks are even easier than that: tear an aluminum can in half (or if you're feeling civilized, cut a strip) and you've got a shim that works on most cheap padlocks. And that's not counting the ones that can be opened with a hard strike (say, from another masterlock). Any company competing in the cheap-tier lock segment shouldn't be trusted, for ANY of their locks. They'll leverage the name recognition they get from the cheap locks to try and get you to choose their more expensive, "higher security" locks, but in many cases they'll be selling you a just as shitty product.
Masterlocks aren't shit because the government makes them so with rules or regulations. Masterlocks are shit because people want a cheap lock and mostly don't know how to evaluate lock quality. The government is just going to cut the lock off, and if they want to go through your front door they're just going to kick it in. They don't bother with lock picking, not even on trivial locks.

There is no government conspiracy to compromise lock security, except in the specific case of "TSA locks"

I'm not saying it's a conspiracy. I'm saying there is no need for there to be a conspiracy. At least with physical locks, usually. If you think things like the S&G code books for their high security safe locks aren't widely available in certain gov't agencies, then you're not paying attention.

But the gov't also doesn't care to make it better except when it helps them (when they definitely could and frankly should if they cared for individuals rights or protection!), because the current situation is very convenient for them.

And if you think cops (or federal agents) don't occasionally 'take a peek' where they aren't supposed to look using that to their advantage (both physical locks using lock picking sometimes, but usually bypasses and the like, and crypto), we've got a LOT of evidence to contradict that. Some circumstantial, some, uh... not. [https://nypost.com/video/lock-picking-cops-charged-after-kic...]

They're usually not doing it while their body cameras are on though.

Assuming they're not that dumb, if they find something juicy, they'll of course figure out a way to come back with a warrant and bust the door down so they can admit the evidence, or 'luckily' show up a the right time to catch someone during a 'routine traffic stop' or similar. Assuming they're being above board. [https://en.wikipedia.org/wiki/Parallel_construction]

Being able to come up with Probable Cause on anyone is actively taught and a prized skill at most Police Academies.

A google search for S&G code Books turned up nothing. Any more info? Is that related to mechanical or electronic dials?
Sargent and Greenleaf (S&G) [https://en.wikipedia.org/wiki/Sargent_%26_Greenleaf] is the largest US based manufacturer of (actual) high security locks, including locks that are UL rated anti-burglary, and Gov't approved for protecting various levels of classified information.

They're definitely not the only one, but they're well known. [https://armypubs.army.mil/epubs/DR_pubs/DR_a/ARN31725-AR_380...] is the current (unclassified) standard I believe, Chapter 6 Section II, which points to the 'DoD lock program' [https://exwc.navfac.navy.mil/DoD-Lock-Program/], including their list of approved lock hardware [https://exwc.navfac.navy.mil/DoD-Lock-Program/Security-Hardw...]. Which has many interesting things there.

A classic 'common' example for a commercial safe that needs to be insurable to store significant quantities of cash or jewelry would be one of the group 1R models from the 8500 series [https://sargentandgreenleaf.com/product/8500-series/]

Every lock manufacturer has somewhere in their files a mapping of key codes, manufacturing codes, etc. to the information necessary to duplicate keys or unlock the combination lock for the default combination as it shipped, with VERY few exceptions, all of which are quite expensive. It's required for manufacturing, QA, and after-sales support. Those expensive models all generally require professional lock smiths.

In most cases with combination locks, this allows them to take the serial # (or for 99% of the safes most individuals ever interact with just model number) and know the combination it shipped with. Most folks never change it.

With keyed locks, it allows them to take the key code (usually a 4-8 digit number/alpha string) and produce an identical working version of the key without ever seeing or touching the key. Sometimes these codes are stamped directly on the lock. Sometimes they're stamped directly on the key. For better locks, it will not be present or impossible to access without compromising or unlocking the lock first. Generally, the better the lock the more inconvenient it is and impossible to non-destructively 'fix' if someone loses the key or combo.

It's almost always trivial to decode a key to get that info, and tools are made to do it for almost all types of locks.

Licensed lock smiths with relations with the manufacturer can acquire most (or all) of that information. Usually literal paper code books. Some of this info of course leaks and gets integrated into software.

Some of it gets controlled by the manufacturer so that the locksmith needs to provide per-customer info and they look it up directly, to control distribution.

Those 8500 series locks have resettable combinations, and any competent locksmith will change it as a matter of course before they let a customer use it. But things slip through the cracks, people get lazy, etc.

Many locks (truck/car keys, house keys, etc.) never get changed from whatever they came as from the factory/in the box, and aren't trivially changeable either.

[https://www.youtube.com/watch?v=pqr8lJWlFH0][https://lockcod...

For some examples of what i'm talking abo...

This is fascinating. When I was a kid I came across these very code books for Master Lock combination locks. The kind that every kid has on their locker.

The book came from a friend of a friend of a friend and was really a stack of photocopied pages from a book. Photocopied so many times that many of the combinations were blurry beyond legibility.

When it did work though it was incredible.

There's no reason to fix those locks because 1. if they were actually unpickable you could drill them out or cut them off and 2. you can replace the core yourself if you want to.

It's harder than LPL makes it look though.

Kinda. I'm well aware of the why - I first learned to pick locks long before LPL went into law school, and have taught a lot of other folks how to pick too.

Drilling and cutting shows signs of entry. Picking usually doesn't (at least not unambiguously or in a way a typical person will notice). Despite the old detective novels claiming otherwise.

And replacing the core (which I often do!) requires knowledge and (minor) capital outlay that most folks just don't have.

Notably, out of the box in the US, the locks generally 'work'. Everything is low density, there are alternative means of defending oneself against day to day criminal acts (guns), and generally a gov't that ignores folks - until they come down with unstoppable force on specific targets. There is not (yet) pervasive oppression like a Stasi/East Germany, China/Hong Kong, Gestapo/Reich Era Germany, Franco/Spain, etc.

Notably, European and Asian residences have dramatically higher lock standards and stronger doors.

Both regions are denser, and also have significant history of gov't unrest and a history of much more, shall we say, 'uncomfortable' relations between the gov't and the population. Doing a 'no knock raid' on a residence in any European or Asian city is going to look a lot more like this [https://www.youtube.com/watch?v=wqN7KpcpBLU] for instance than in the US where it's a solid kick and they're in. (random click-baity youtube video, you've been warned!)

I suspect both regions have real, practical security concerns + the population is willing to pay for them because culturally they've learned.

Most American ones at the moment, haven't/don't have those concerns yet. And that is convenient for many parties.

Americans also have a stupid amount of faith in the words on the box. Every lock says it is secure, so most people buying locks think they are secure. There's no real legal definition that contradicts the "secure" on the box, because Masterlock can very well deem "Pickable by a novice and drillable in seconds" as "secure"
Yup. And frankly, learning enough to have a chance of figuring out if it's bullshit or not just... results in you spending a lot of time and effort, and then spending more on locks? Which maybe helps, but realistically doesn't unless you're doing some other odd things.

Most people don't have anything worth stealing by anyone who has something to lose. And anyone who doesn't have anything to lose might as well just mug you outside your front door or bash a window in anyway.

Never Says Anybody : Never roll your own crypto, as a large org.
No, this is different.

What you are talking about are things like bump keys which exploit known physical limitations in those types of locks in general. There is no way to fix this other than switching to an entirely different internal mechanism.

What is being discussed here is the intentional disabling of existing security features within a locking mechanism which further reduces its effectiveness. This is regardless of the effectiveness of the class of lock overall.

An example would be going to the hardware store and buying a 7-pin tumbler lock but only 5-pins are installed. Yes, all tumbler locks are vulnerable to bump keys but an additional hidden (and fraudulent) act was performed which further compromised my wishes for a "more secure" tumbler lock.

In the case of cryptography, the locks are much stronger and there is vastly more at stake so it's important not to be too casual with the analysis. The 'fix' is to remove all doubt that any such malfeasance ever took place.

Eh. I'm not sure it's so different.

For instance, security pins are inexpensive and dramatically increase picking difficulty while not impacting costs by more than a few cents/unit (at most!) or maintenance concerns by any noticable amount.

The all plastic logout/tagout masterlock [https://www.amazon.com/Government-Safety-Lockout-Padlock-Zen...] for instance has all security pins and is a real challenge to pick for most folks (including myself!), and makes it much harder to bump too. It isn't sold as high security. It's cheap, but also has a brass core and brass security pins, etc. so it's not like the core is skimping on things, or could be a major cost. The total (retail!) cost of the lock is a fraction of the 'high security' locks, even though those locks are much much easier to pick and bypass.

The masterlock 'high security' pro series locks didn't have any security pins at ALL and were super easy to pick (or bump, likely) up until VERY recently. By very recently, I mean I just saw it when I checked out their current lineup - and a year or two ago they definitely did not have it!. It looks to have a SINGLE spool pin in it. They're now heavily promoting it as 'bumpstop' tech. I'm guessing LPL or similar finally made some sort of impact, or maybe word of mouth after contractors have all their shit stolen.

Similar locks sold by the 'American Lock' brand (same ownership now) has always had at least one security pin, usually 3 in even their most basic padlocks for as long as they've existed I believe. 100 years?

And that isn't even talking about bypasses which maybe fit what you're describing better. Many of the common commercial and residential locks sold today still have trivial bypasses or decoding that can be done with some practice in seconds by tools sold online. Such as this bad boy [https://www.amazon.com/Master-Lock-M40EURDNUM-Combination-M4...]

And that is just the tip of the iceberg. Is it fraudulent? Eh... there is no real concrete definition for 'high security'! And fraud doesn't include 'mere fluffery' either.

Masterlock certainly isn't claiming TR/TL-30 ratings on any of their stuff!

These issues however have been widely known about in some cases for 50-100 years or more. For instance, doing some random googling I ran across this patent [https://patents.google.com/patent/US917365A/en] for pin within sleeve technology to work around that whole basic pin-tumbler picking issue (from 1908!), and at least according to this random website, spool pins were invented in 1865 by Yale himself, shortly after the first pin/tumbler locks were invented [https://www.art-of-lockpicking.com/security-pins/]!

The patent expired so long ago, it is absolutely laughable to not use them, and it's definitely ridiculous for a pin-tumbler lock to not have at least ONE! If not have all but one of them spool or similar!

I have a hard time seeing how that is any different than selling a secure system with an 80 bit crypto k...

According to ETSI who have been busy reading their thesaurus to redefine negative sounding words, it wasn't a "backdoor" they specified into TEA1, rather, it's just a necessary application of export control regulations.

"The TETRA security standards have been specified together with national security agencies and are designed for and subject to export control regulations which determine the strength of the encryption. These regulations apply to all available encryption technologies. As the designer of the TETRA security algorithms, ETSI does not consider that this constitutes a “backdoor”.[1]

ETSI also completely bullshits this claim:

"We are pleased that this research affirmed the overall strength of the TETRA standard, finding no weaknesses in the TEA2 and TEA3 algorithms following extensive analysis."[1]

Which directly conflicts with the researchers who found[2] and demonstrated[3] the highest severity problems directly impact users of TEA2 and TEA3 algorithms:

"The issues of most immediate concern, especially to law enforcement and military users, are the decryption oracle and malleability attacks (CVE-2022-24401 and CVE-2022-24404) which allow for interception and malicious message injection against all non-E2EE protected traffic regardless of which TEA cipher is used. This could allow high-end adversaries to intercept or manipulate law enforcement and military radio communications."

This claim from ETSI is a bit like saying that disk encryption software standard that specifies use of AES in ECB mode (note: very insecure) is strong because the underlying AES standard has no identified weaknesses. ETSI are responsible for the TETRA standards that vendors implement, and could have made it mandatory for vendors to implement features such as authenticated encryption, and/or could have developed test standards for vendors to use to verify their products are correctly implemented.

ETSI released TEA5, TEA6 and TEA7 encryption schemes at the end of 2022, likely in response to this security research. TEA5 is for European Union states and TEA6 and TEA7 users are supposedly kept secret.[4]

[1] https://www.etsi.org/newsroom/news/2260-etsi-and-tcca-statem...

[2] https://tetraburst.com/

[3] https://www.youtube.com/watch?v=oJjTiO6C9xs (demonstration of CVE-2022-24401 being used to break into radio networks using TEA2 and TEA3 algorithms in under 10 minutes)

[4] https://cdn.standards.iteh.ai/samples/63125/8392cdca31d74030...

ah yes, a legally-mandated backdoor isn't a backdoor apparently.

Interestingly after the whole encryption export debacle a while back the way export controls now seem to generally work is that proprietary 'strong' encryption is still export controlled, but publically documented encryption schemes are not. Which is of course what everyone should be using anyway but not what groups like ETSI want.

(comment deleted)
If this back door had been found in Chinese-marketed communications hardware, it would be front page news in the WSJ and NYT.
I wonder if this affects "Airwave", which is the UK's national public safety network (based on TETRA). If it does, then ETSI has some answering to do. If we used export level crypto on a piece of critical national infrastructure, we're just idiots. It also further reinforces that weakening crypto is almost always a bad idea, as you'll end up using it yourself for interoperability's sake.

https://en.wikipedia.org/wiki/Airwave_Solutions

EDIT: It looks like Airwave uses TEA2, which isn't backdoors but is definitely vulnerable to the other issues such as the oracle attacks (with complete plaintext recovery).

I remember I did a project back in 2010 where you can decrypt GSM A5/1 using very simple tools like USRP etc., and I remember during the research it seemed what it was an intentional by the government/agencies to allow a quick bypass without getting the operators involved, so I wouldn’t be shocked if this is the same situation.
The US doesn't use TETRA but a US-specific standard called Project 25, which also has a history of poor crypto choices. There is something about telco standards committees that keep reinventing the crypto square wheel, same with cellular standards and also WiFi.

What's remarkable (not in a good way) about P25 is that the mandated a voice codec is the intellectual property of a MIT spin-off and they never negotiated a standard license fee so that company can essentially charge as much as it wants for a government-mandated standard. San Francisco paid over $120M to equip 11,000 buses, so over $10,000 per radio (TETRA radios are also expensive due to no economies of scale, but they cost a more reasonable $4,000 each).

> There is something about telco standards committees that keep reinventing the crypto square wheel, same with cellular standards and also WiFi.

The companies involved in creating these standards want to enforce usage of their patents, because even under nominally FRAND terms it is a guaranteed shitload of money for about 10-20 years as everyone has to license the patent.

On top of that come the demands from secret services and pigs who want to be able to root around in communication as they please - and unlike ordinary IETF standards which are created by experts, anything involving radio transmission automatically involves the governments with their ability to license or to not license, so the committees are under a huge leverage to let as much bullshit pass as possible without generating too much outrage.

Except both TETRA and P25 are for police and public safety.
Well, if the Police and Military have done nothing wrong, they've got nothing to hide.
This made me laugh out loud frfr. Well done, you.
One of the authors responded to correct a Dutch publication about this research [1].

He explains the attack thusly:

- Attacker intercepts message that he decides he wants to decrypt.

- Attacker later goes to a location of his choice, and targets a (possibly different) radio with his directional antenna, pretending to be infrastructure.

- Attacker plays with the radio's perception of time to discover the keystream used to encrypt the previously intercepted message

- Attacker applies keystream to message and obtains decrypted message.

The connection between radio and mast is therefore not directly attacked. It is therefore not a man in the middle. At a different time, another connection is set up, whereby that radio then leaks material with which an earlier message (possibly from another radio) can be decrypted.

Finally; Even back then, 32 bits were not sufficient to protect confidentiality, especially given the often sensitive use cases of TETRA networks.

[1] https://tweakers.net/nieuws/212022/onderzoekers-vinden-kwets...