CCC Talk: All cops are broadcasting Obtaining the secret TETRA primitives [video](media.ccc.de)
media.ccc.de
CCC Talk: All cops are broadcasting Obtaining the secret TETRA primitives [video]
https://media.ccc.de/v/camp2023-57100-all_cops_are_broadcasting
21 comments
Great work! Can you post a photo of your lab? I'd love to see what gear you get to play with.
and please Mr. Hacker, also upload a copy of your ID Card. I really would like to talk to you. - a secret admirer of your work and totally not some agent
You can get it from here:
https://shop.digitalcourage.de/themen/ak-vorrat/lichtbildaus...
https://shop.digitalcourage.de/themen/ak-vorrat/lichtbildaus...
Wouldnt be able to do this in the UK, interception of any radio signals are illegal.
The UK makes China, North Korea, Russia and [Insert most hated country here] look positively amateur.
I wonder where George Orwell got his inspiration for 1984 from?
The UK makes China, North Korea, Russia and [Insert most hated country here] look positively amateur.
I wonder where George Orwell got his inspiration for 1984 from?
> I wonder where George Orwell got his inspiration for 1984 from?
Stalin's USSR and Nazi Germany.
Stalin's USSR and Nazi Germany.
True, but it was his exposure to the Soviet Communists while he was a Marxist in the Spanish Civil War.
Everyone should read, "Homage to Catalonia"
https://en.wikipedia.org/wiki/Homage_to_Catalonia
Everyone should read, "Homage to Catalonia"
https://en.wikipedia.org/wiki/Homage_to_Catalonia
Nazi Germany and the Soviet Union under Stalin. And apparently was inspired by the superpowers divvying up the world at the Teheran Conference. HTH.
> apparently was inspired by the superpowers divvying up the world at the Teheran Conference.
And the UK was part of that divvying up. Now knowing authors like to be nuanced and multi dimensioned, he couldn't exactly speak the truth about govt's including his own could he?
"The Tehran Conference was a meeting between U.S. President Franklin Delano Roosevelt, British Prime Minister Winston Churchill, and Soviet Premier Joseph Stalin in Tehran, Iran, between November 28 and December 1, 1943." https://history.state.gov/milestones/1937-1945/tehran-conf
And the UK was part of that divvying up. Now knowing authors like to be nuanced and multi dimensioned, he couldn't exactly speak the truth about govt's including his own could he?
"The Tehran Conference was a meeting between U.S. President Franklin Delano Roosevelt, British Prime Minister Winston Churchill, and Soviet Premier Joseph Stalin in Tehran, Iran, between November 28 and December 1, 1943." https://history.state.gov/milestones/1937-1945/tehran-conf
I misread the title at first.
It should be "CCC Talk: All cops are broadcasting.\n Obtaining the secret TETRA primitives [video]"
I read it as though all the cops are broadcasting that they have obtained the TETRA primitives. As in, they're bragging about bypassing encryption.
It should be "CCC Talk: All cops are broadcasting.\n Obtaining the secret TETRA primitives [video]"
I read it as though all the cops are broadcasting that they have obtained the TETRA primitives. As in, they're bragging about bypassing encryption.
We need open standards for radio protocols, including encryption.
Outside of 802.11, it's a bleak landscape.
Outside of 802.11, it's a bleak landscape.
802.11 series standards are far from open though. There are better examples, I'm sure.
In the two-way radio world, most protocols are open (P25, DMR, LMR, etc.) but almost every digital protocol uses the AMBE[1] voice codec, which is not.
[1] - https://en.wikipedia.org/wiki/Multi-Band_Excitation
[1] - https://en.wikipedia.org/wiki/Multi-Band_Excitation
Is it completely closed or only source-available?
It's completely closed (not even source available) but there's unlicensed software implementations available from third parties. E.g. libmbe.
AMBE in most equipment was provided in a physical chip for protection however some firmware implementations existed in hardware from big players and they were reverse-engineered.
Most of the Chinese B-brand (AliExpress stuff) radios use this reverse-engineered software implementation. They're not licensed but a Chinese company pretends to license this on behalf of DVSI though it's totally illegal. The A-brands like hytera use the official one of course.
See the popup warning on this page: https://www.dvsinc.com/soft_products/software.shtml
Since the closed nature of this codec goes counter to ham radio principles some open source codecs were also developed. The best example is codec2.
AMBE in most equipment was provided in a physical chip for protection however some firmware implementations existed in hardware from big players and they were reverse-engineered.
Most of the Chinese B-brand (AliExpress stuff) radios use this reverse-engineered software implementation. They're not licensed but a Chinese company pretends to license this on behalf of DVSI though it's totally illegal. The A-brands like hytera use the official one of course.
See the popup warning on this page: https://www.dvsinc.com/soft_products/software.shtml
Since the closed nature of this codec goes counter to ham radio principles some open source codecs were also developed. The best example is codec2.
Security with obscurity mentality is rather still present at large.
We are talking about a standard over 30 years old... change happens. When it was first introduced the standard was fine the problem was never updating it. That said at least the German police uses additional crypto via smartcards.
For over two decades, the underlying algorithms have remained secret and bound with restrictive NDAs prohibiting public scrutiny of this highly critical technology. As such, TETRA was one of the last bastions of widely deployed secret proprietary cryptography. We will discuss in detail how we managed to obtain the primitives and remain legally at liberty to publish our findings.
This journey has involved reverse-engineering and exploiting multiple zero-day vulnerabilities in the highly popular Motorola MTM5x00 TETRA radio and its TI OMAP-L138 trusted execution environment (TEE) and covers everything from side-channel attacks on DSPs, through writing decompilers headache-inducing DSP architectures, all the way to exploiting ROM vulnerabilities in the Texas Instruments TEE.