Day 1

Kerckhoffs’ revenge

Session complexity:
No publicity
This talk will present the first public disclosure and security analysis of TETRA (Terrestrial Trunked Radio): a European standard for trunked radio globally used by government agencies, police (including the Dutch C2000, Belgian ASTRID, and German BOSNet), prisons, emergency services and military operators. Additionally, TETRA is widely deployed in industrial environments such as factory campuses, harbor container terminals and airports, as well as critical infrastructure such as SCADA telecontrol of oil rigs, pipelines, transportation and electric and water utilities.

Authentication and encryption within TETRA are handled by proprietary cryptographic cipher-suites, which until now have remained secret for over two decades through restrictive NDAs, violating the well-known Kerckhoffs' principle. In this talk, we will make public these cipher suites (TEA and TAA1 to be precise) for the first time, and finally enable public review of one of the last bastions of widely deployed secret proprietary cryptography.

As we will show, this security-through-obscurity has led to previously undisclosed flaws in Air Interface Encryption (AIE), authentication, and identity protection schemes going unnoticed and unaddressed, enabling practical attacks for both passive and active adversaries, violating confidentiality, authenticity, and integrity properties of signalling, voice, and data traffic.

Alarmingly, one of the uncovered issues concerns an intentionally and surreptitiously weakened stream cipher (crackable in minutes on commodity hardware by a passive adversary), which continues to be deployed globally by critical infrastructure operators as well as certain government agencies. In addition, we uncovered a practical attack scenario enabling active adversaries to intercept and manipulate traffic regardless of the stream cipher employed.

Furthermore, we will discuss the journey that enabled us to recover the proprietary cryptographic primitives (without having to sign any NDAs) and practically confirm our attack scenarios. This involved exploiting multiple zero-day vulnerabilities in the highly popular Motorola MTM5x00 TETRA radio and its TI OMAP-L138 trusted execution environment (TEE) as well as gaining code execution on and instrumenting a Motorola MBTS base station for research purposes.

Finally, we will discuss the potential impact of the uncovered vulnerabilities for different asset owners and outline corresponding mitigations, as well as provide an overview of the coordinated disclosure process we undertook together with NCSC.

Speakers in this session