In this talk we will discuss the radio jailbreaking journey that enabled us to perform the first public disclosure and security analysis of the proprietary cryptography used in TETRA (Terrestrial Trunked Radio): a European standard for trunked radio globally used by government agencies, police, prisons, emergency services and military operators. Besides governmental applications, TETRA is also widely deployed in industrial environments such as factory campuses, harbor container terminals and airports, as well as critical infrastructure such as SCADA telecontrol of oil rigs, pipelines, transportation and electric and water utilities.
For over two decades, the underlying algorithms have remained secret and bound with restrictive NDAs prohibiting public scrutiny of this highly critical technology. As such, TETRA was one of the last bastions of widely deployed secret proprietary cryptography. We will discuss in detail how we managed to obtain the primitives and remain legally at liberty to publish our findings.
This journey has involved reverse-engineering and exploiting multiple zero-day vulnerabilities in the highly popular Motorola MTM5x00 TETRA radio and its TI OMAP-L138 trusted execution environment (TEE) and covers everything from side-channel attacks on DSPs, through writing decompilers for headache-inducing DSP architectures, all the way to exploiting ROM vulnerabilities in the Texas Instruments TEE.
And please Mr. Hacker, also upload a copy of your ID Card. I really would like to talk to you. - a secret admirer of your work and totally not some agent
> apparently was inspired by the superpowers divvying up the world at the Teheran Conference.
And the UK was part of that divvying up. Now knowing authors like to be nuanced and multi-dimensioned, he couldn't exactly speak the truth about governments including his own, could he?
"The Tehran Conference was a meeting between U.S. President Franklin Delano Roosevelt, British Prime Minister Winston Churchill, and Soviet Premier Joseph Stalin in Tehran, Iran, between November 28 and December 1, 1943."
https://history.state.gov/milestones/1937-1945/tehran-conf
> Pro tip here: Put your batteries and power cables in a checked bag. Only take your cell and laptop as carry-ons to prevent them from "disappearing". Works most of the time, especially with full flights and/or busy days.
Really, DO NOT do this! There's a reason batteries need to be in carry on luggage - because they can spontaneously catch fire mid flight, and while it might be unpleasant, if it does happen in the cabin it will be spotted and dealt with rather than having an uncontrolled fire in the luggage hold which is also generally rammed full of other flammable things like clothes.
And in any case, all carriers and governments require batteries to be in carry-on luggage AFAIK, so even if you disagree that there's a fire risk, you're still breaking the law. But then as the rest of your points seem to be mostly concerned with the possibility of being caught for breaking the law, I guess you don't care about that.
In the two-way radio world, most protocols are open (P25, DMR, LMR, etc.) but almost every digital protocol uses the AMBE[1] voice codec, which is not.
It's completely closed (not even source available) but there are unlicensed software implementations available from third parties. E.g. libmbe.
AMBE in most equipment was provided in a physical chip for protection however some firmware implementations existed in hardware from big players and they were reverse-engineered.
Most of the Chinese B-brand (AliExpress stuff) radios use this reverse-engineered software implementation. They're not licensed, but a Chinese company pretends to license this on behalf of DVSI, though it's totally illegal. The A-brands like Hytera use the official one of course.
We are talking about a standard over 30 years old... change happens. When it was first introduced, the standard was fine; the problem was never updating it. That said, at least the German police use additional crypto via smartcards.