critical flaws, including one (CVE-2022-24402) in the TEA1 encryption algorithm that reduces the original 80-bit encryption key to such a small size that brute-forcing it on widely available hardware is trivial. This practically means that the TETRA contains a backdoor

No, that means it’s vulnerable to a downgrade attack, not a deliberate backdoor. Fuck out of here with that shit.

You are mistaken. A downgrade attack is where an attacker can convince their victim to use a less secure version of a protocol. If there is a deliberate defect that allows that, it would be a backdoor. However, the backdoor here is not related to a downgrade attack (unless there is also a way to force a victim to downgrade to TEA1, which I haven’t heard). The backdoor here is that the key space of TEA1 turns out to be 32 bits, instead of the 80 bits it was advertised to be. 32 bits means there are nearly twice as many humans on earth as there are possible keys for TEA1.

Everyone outside of ETSI agrees this is an intentional backdoor. The only way that it would questionable to call it a backdoor would be if the intentionality was plausibly deniable, but, ETSI has now admitted that it was intentional… while absurdly arguing that it was not a backdoor because it was done for “export requirements”. There is no requirement to lie about key sizes in Wassenaar or any other export control regime I’m aware of.

This is the quote from the linked article which which I assume led you to conclude that it is “not a backdoor”:

Brian Murgatroyd, chair of the technical body at ETSI responsible for the TETRA standard, objects to calling this a backdoor. He says when they developed the standard, they needed an algorithm for commercial use that could meet export requirements to be used outside Europe, and that in 1995 a 32-bit key still provided security, though he acknowledges that with today’s computing power that’s not the case.

I highly recommend reading the full interview with Brian Murgatroyd by Kim Zetter (this article’s author).

No cryptographer would say that a 32-bit key provided any meaningful security, even in the 70s, much less in the 90s.

In 1978 Triple DES was proposed because even then people realized that the 54-bit keys in DES were not enough.

So, again, everyone agrees that it is a backdoor except the ETSI people, and imo these are people who should really be charged with criminal negligence for what they have done: They falsely advertised that their proprietary cryptosystem had 80-bit keys when it really had 32-bit keys, and they caused it to be deployed in life-or-death situations (like systems that control railway switches… 😱) all over the world.

Again, there is no export law requirement to lie to critical infrastructure operators about key sizes. This is strictly a favor that ETSI et al did at the request of western intelligence agencies, because they had the audacity to assume nobody else would figure out how to break it for a long time. Since this is only becoming public 25 years later, one could say they were right, but we’ll never actually know how many entities have independently discovered and exploited this backdoor over that time period.