Two years ago, Dutch security researchers revealed an intentional backdoor in a European radio encryption algorithm used worldwide by critical infrastructure operators, police forces, intelligence agencies, and military units. The flaw—embedded in radios for decades—made supposedly secure communications vulnerable to interception as reported in 2023.
Following the disclosure, the European Telecommunications Standards Institute (ETSI), which developed the flawed algorithm, urged organizations handling sensitive information to layer an additional end-to-end (E2E) encryption system on top of the compromised TETRA encryption to restore confidentiality.
But now the same research team has uncovered a serious weakness in at least one implementation of the ETSI-endorsed E2E encryption solution. Although the algorithm begins with a 128-bit key, the system compresses it to just 56 bits before use—drastically reducing its strength and making it significantly easier to crack through brute-force attacks. It’s currently unclear who is using this flawed implementation or whether affected organizations are aware of the vulnerability.
The E2E system examined by the researchers is typically deployed only for high-security operations—national law enforcement, special forces, intelligence teams, and covert military units that require communications resistant to interception. But because ETSI recommended this E2E encryption two years ago to compensate for weaknesses in the core TETRA encryption, it may now be deployed far more widely.
Back in 2023, researchers Carlo Meijer, Wouter Bokslag, and Jos Wetzels of Dutch security firm Midnight Blue revealed multiple vulnerabilities in TETRA—the European digital radio standard engineered by ETSI and used in equipment from Motorola, Damm, Sepura, and others since the 1990s. These flaws remained hidden for decades because ETSI kept its proprietary algorithms secret and refused independent scrutiny.
The newly discovered E2E vulnerability affects encryption designed to run on top of those TETRA algorithms—meaning even organizations that followed ETSI’s post-2023 security guidance may still be exposed to interception risks.