Jos Wetzels
Jos Wetzels is a co-founding partner and security researcher at Midnight Blue. His research has involved reverse-engineering, vulnerability research and exploit development across various domains ranging from industrial and automotive systems to IoT, networking equipment and deeply embedded SoCs. He has uncovered critical zero-day vulnerabilities in dozens of embedded TCP/IP stacks, Industrial Control Systems (ICS), and RTOSes. He previously worked as a researcher at the Distributed and Embedded Security Group (DIES) at the University of Twente (UT) in the Netherlands where he developed exploit mitigation solutions for constrained embedded devices deployed in critical infrastructure, performed security analyses of state-of-the-art network and host-based intrusion detection systems and has been involved in research projects regarding on-the-fly detection and containment of unknown malware and APTs.
Session
In this talk we will discuss the radio jailbreaking journey that enabled us to perform the first public disclosure and security analysis of the proprietary cryptography used in TETRA (Terrestrial Trunked Radio): a European standard for trunked radio globally used by government agencies, police, prisons, emergency services and military operators. Besides governemental applications, TETRA is also widely deployed in industrial environments such as factory campuses, harbor container terminals and airports, as well as critical infrastructure such as SCADA telecontrol of oil rigs, pipelines, transportation and electric and water utilities.
For over two decades, the underlying algorithms have remained secret and bound with restrictive NDAs prohibiting public scrutiny of this highly critical technology. As such, TETRA was one of the last bastions of widely deployed secret proprietary cryptography. We will discuss in detail how we managed to obtain the primitives and remain legally at liberty to publish our findings.
This journey has involved reverse-engineering and exploiting multiple zero-day vulnerabilities in the highly popular Motorola MTM5x00 TETRA radio and its TI OMAP-L138 trusted execution environment (TEE) and covers everything from side-channel attacks on DSPs, through writing decompilers headache-inducing DSP architectures, all the way to exploiting ROM vulnerabilities in the Texas Instruments TEE.