TETRA Fuzzing

Master Thesis


Analysis: 5
Empiricism: 10
Implementation: 6
Literature Research: 5


[Abstract of final thesis] Nowadays, TETRA can be considered critical infrastructure, as it is used for critical communication services all around the world. Since the TETRA protocol was introduced, there has been only little research on the security of the protocol and of the mobile stations that use it. The cost, complexity, and hardware required for such research discourage most people from looking for vulnerabilities. It has been shown that, for the very similar GSM standard, many weaknesses exist in the implementations that can be exploited. Thanks to the availability of cheap SDR platforms and open-source software that implements the TETRA receiving standard, we are able to investigate this and carry out practical research on fuzzing those mobile stations. This research gives an overview of the TETRA protocol, implements a transmitter for TETRA DMO in software using GNU Radio and an SDR platform called USRP N210, and analyzes the weaknesses of the protocol. The robustness of the TETRA protocol implementation on selected mobile stations is tested with a technique called protocol fuzzing. In this thesis the feasibility of fuzzing the different layers of the protocol is discussed, and on this basis practical fuzzing tests are performed on text messages, which lead to strange behavior of the mobile stations. During the tests it was possible to cause a Denial of Service (DoS) on the protocol for all participants as well as on a selected device, which crashes, and it was possible to cause a reboot of one of the tested mobile stations.


We aim to analyze a closed-source wireless protocol implementation on the corresponding communication devices. We assume implementation weaknesses that lead to rebooting devices, or to devices that are no longer able to connect to other devices until they are rebooted.

Your tasks:

• Test devices inside our EM-wave blocking tent.
• Wireless sniffing of the protocol.
• Implementation of reactive jamming and message injection attacks.

We recommend knowledge in penetration testing and signal processing.




The result of this work will be a structured and verified documentation of known protocol bugs as well as new bugs.

Start: 01.12.2015

End: 01.06.2016


Student: Jan-Pascal Kwiotek

Research Areas: Secure Mobile Networks



Prof. Dr.-Ing. Matthias Hollick

Technische Universität Darmstadt
Department of Computer Science
Secure Mobile Networking Lab

Mornewegstr. 32 (S4/14)
64293 Darmstadt, Germany

Phone: +49 6151 16-25472
Fax: +49 6151 16-25471

