Motorola MTM5400

• Motorola MTM5400

  • It is a common TETRA radio model that can be easily obtained second-hand online.
  • The researchers used it as a target device for recovering TETRA cryptographic primitives.
  • It was used for practical validation of findings in a lab setup on a TETRA network.
  • The secret cryptographic primitives were successfully recovered from this device and its associated firmware images using software exploitation techniques.
  • The MTM5400 is built around the Texas Instruments OMAP-L138 SoC.
  • It uses the SoC's Trusted Execution Environment (TEE), where the TETRA crypto is loaded and executed.
  • Code related to TEE invocation on this device referenced error messages pertaining to TETRA cryptography, confirming the TEE module embeds the primitives.
  • It has an AT modem command interface over a serial link, which provided a large attack surface.
  • A format string vulnerability (CVE-2022-26941) was identified and exploited on the MTM5400, allowing arbitrary code execution on the ARM core.
  • The device's Memory Protection Units (MPUs) and I/O Protection Units (IOPUs) were found to be left unconfigured, making it straightforward to gain code execution on the DSP core by overwriting DSP firmware in RAM (CVE-2022-27813).
  • Its Pseudo-Random Number Generator (PRNG) relies solely on the clock tick register as its entropy source, making it vulnerable to the session key pinning attack (CVE-2022-26943).
  • When used with a modified Motorola MBTS base station, analysis of downlink frames confirmed that traffic was encrypted.
  • The MTM5400 can be persuaded to arbitrarily update its internal frame counters and thus re-use keystream by spoofing sync and sysinfo frames.
  • The keystream recovery attack works reliably in practice on the MTM5400.
  • It also acknowledges frames destined for a talk group, allowing the keystream recovery attack to target group-encrypted traffic.
  • The researchers expect most other Mobile Station (MS) models to be equally susceptible as they are not aware of deviations between the MTM5400's implementation and the TETRA standard.
  • The MTM5000 series of radios, including the MTM5400, had tools released to the public developed during the research, including a disassembler plug-in, disassembly support, decompiler support, firmware unpacking tools, and utilities for instrumenting, debugging, monitoring, and packet injection.
  • 4 CVEs were found on MTM5x00 radio firmware (which includes the MTM5400), allowing for key extraction and persistent covert implants.

• Texas Instruments (TI) components (OMAP-L138 SoC, C6748 DSP, L138 development board)

  • TI manufactures the Baseband SoC used in the Motorola MTM5400, which means the MTM5400 uses software, not hardware, for TETRA crypto.
  • The SoC includes software security features.
  • The Texas Instruments OMAP-L138 SoC is specifically identified as the one used in the MTM5400.
  • The OMAP-L138 houses an ARM core and a TI C6748 DSP.
  • The SoC provides secure boot and a Trusted Execution Environment (TEE). The TEE is used for protecting the TETRA crypto from extraction.
  • 3 CVEs were found in the ROM code of the Texas Instruments OMAP-L138.
  • These CVEs allow for breaking Secure Boot and the TEE.
  • The C6748 DSP has notions of privilege level (user/supervisor) and security level (non-secure/secure).
  • The secure kernel, contained in ROM provided by TI, runs in secure supervisor mode.
  • The TEE on the DSP allows run-time loading of modules via the SK_LOAD API call.
  • Modules are decrypted, signature checked, and copied to a secure address space via this mechanism.
  • The TETRA cryptographic primitives (TAA1, TEA1, TEA2, TEA3) are loaded and invoked through this TEE mechanism.
  • Modules loaded via SK_LOAD are encrypted with AES-128.
  • The C6748 offers fine-grained cache control functionality.
  • A cache timing side-channel attack was successfully performed on the TEE using these cache control primitives, even from non-secure supervisor mode, affecting secure memory.
  • This attack was used to locate the AES S-box in secure ROM.
  • The attack allowed the recovery of 48 bits of the 128-bit first round key (CVE-2022-25332). A more complex version of the attack could recover the full round key.
  • Distinct keys are used for decrypting the module header and body; the body decryption key was also recovered using the cache timing attack.
  • The recovered cryptographic primitives were studied as C674x assembly instructions.
  • An L138 development board was used to load instructions and invoke functions to generate known-good test vectors, aiding in writing equivalent C implementations of the primitives.

• Toshiba Satellite 4010CDS

  • This is an older laptop model from the late 1990s, mentioned in contrast to more modern hardware.
  • It is specified as having a 266 MHz Pentium II processor, a 4.1 billion byte hard disk, and 32MB SDRAM.
  • It was used in a demo titled "Party like the ‘90s".
  • Its inclusion appears to challenge the idea that a 32-bit key would have been secure 25 years ago and that exploiting the TEA1 backdoor requires "reasonable equipment".

• NVIDIA GTX 1080 GPU

  • Described as state-of-the-art consumer hardware from 2016.
  • Used to demonstrate the practical speed of attacks on the weak TEA1 stream cipher and the identity encryption scheme.
  • A proof-of-concept in OpenCL running on this GPU could exhaust the search space for the 32-bit reduced ECK in approximately 52 seconds.
  • The attack to recover the full 80-bit key (complexity 248) took approximately 7 minutes on this GPU.
  • The meet-in-the-middle attack on the identity encryption scheme (complexity 240) took approximately 16 seconds on this GPU.
  • Brian Murgatroyd, Chair of ETSI TC TETRA, mentioned that researchers could decrypt messages using a "very high-powered graphics card in about a minute", referencing results likely obtained on this GPU.

• Motorola MBTS TETRA base station / EBTS base station firmware

  • An old Motorola MBTS was purchased to serve as a Proof of Concept (PoC) for the keystream recovery attack (CVE-2022-24401).
  • The researchers found vulnerabilities in it.
  • A module framework was developed for it, turning it into an attack platform.
  • The specific MBTS procured lacked air interface encryption support out of the box, but its firmware had the necessary prerequisites with an empty stub for the stream cipher.
  • Arbitrary read/write/execute primitives were injected into its firmware image, which was possible because the image is not cryptographically signed.
  • The TEA1 stream cipher stub was replaced with the actual implementation.
  • A small framework allowed loading C code as an ELF executable module into the MBTS at runtime.
  • This framework facilitated inserting key material (normally requiring a Motorola Key Variable Loader KVL) and redirecting firmware code flow.
  • The MBTS was used in a lab setup, configured for security class 2 with the same keys as the MTM5400.
  • By overriding data transmission procedures, the ability to inject arbitrary messages was gained.
  • The MBTS, acting as a base station, was used to implement the bootstrap and keystream expansion attack, tampering with network time and interpreting MS responses.
  • The attack on the MTM5400 was validated as working reliably using the modified MBTS.
  • 5 CVEs were found on EBTS base station firmware, allowing for key extraction and persistent covert implants.

• Motorola MTM5x00 radio firmware

  • 4 CVEs were found on Motorola MTM5x00 radio firmware.
  • These vulnerabilities allow for key extraction and persistent covert implants.
  • The TAA1 suite is present in all MTM5x00 firmwares.
  • Tools developed for the Motorola MTM5000 series of radios (which use this firmware) were released, including disassembler support, decompiler support, firmware unpacking, and utilities for debugging and packet injection.