Texas Instruments Signing Keys Broken

Texas Instruments' calculators use RSA digital signatures to authenticate any updates to their operating system. Unfortunately, their signing keys are too short: 512 bits. Earlier this month, a collaborative effort factored the moduli and published the private keys. Texas Instruments responded by threatening websites that published the keys with the DMCA, but it's too late.

So far, we have the operating-system signing keys for the TI-92+, TI-73, TI-89, TI-83+/TI-83+ Silver Edition, Voyage 200, TI-89 Titanium, and the TI-84+/TI-84 Silver Edition, and the date-stamp signing key for the TI-73, Explorer, TI-83 Plus, TI-83 Silver Edition, TI-84 Plus, TI-84 Silver Edition, TI-89, TI-89 Titanium, TI-92 Plus, and the Voyage 200.

Moral: Don't assume that if your application is obscure, or if there's no obvious financial incentive for doing so, that your cryptography won't be broken if you use too-short keys.

Posted on September 25, 2009 at 6:17 AM • 49 Comments
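
Why a factored modulus amounts to a leaked signing key, as an added example (not from the original post): with constructed toy primes and unpadded textbook RSA, the private exponent follows directly from the two factors, and a verifier holding only (n, e) accepts the resulting signature. All names and the 2048-bit minimum in the policy check are assumptions of this example.

```python
import hashlib
from math import gcd

# Constructed toy parameters: two small well-known primes stand in for the
# factors of a signing modulus. They are far too small for real use.
P, Q, E = 1_000_000_007, 998_244_353, 65537
N = P * Q  # the public modulus that ships inside every device


def digest_int(message: bytes, n: int) -> int:
    """SHA-256 of the message reduced mod n (textbook RSA, no padding scheme)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def private_exponent(p: int, q: int, e: int) -> int:
    """d = e^-1 mod (p-1)(q-1): computable by anyone who knows the factors."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible for these primes")
    return pow(e, -1, phi)


def sign(message: bytes, d: int, n: int) -> int:
    """Textbook signature: the message digest raised to d, mod n."""
    return pow(digest_int(message, n), d, n)


def device_accepts(message: bytes, signature: int, n: int, e: int) -> bool:
    """The updater's check: it sees only the public key (n, e)."""
    return pow(signature, e, n) == digest_int(message, n)


def modulus_meets_policy(n: int, min_bits: int = 2048) -> bool:
    """Key-length gate for a signing pipeline; 2048 is an assumed minimum."""
    return n.bit_length() >= min_bits
```

The verifier has no way to tell who computed `d`, which is why the only remedy after factoring is a longer key, and why a length gate belongs in the signing pipeline before a key is ever provisioned.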

Comments

A Nonny Bunny • September 25, 2009 6:55 AM

Threatening to sue is the worst thing you can do in this situation. Because it will just entice the internet community to post it everywhere they can.
There's still places where I run across 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 ( http://en.wikipedia.org/wiki/... )

Ken • September 25, 2009 8:21 AM

Is there something I am missing or does the availability of these keys have no consequence on the copyrights held by TI?

They are asserting their copyrights over these numbers which can be used to *replace* their OS code, not copy it elsewhere.

Who's copying anything?

sir_lewk • September 25, 2009 8:39 AM

Ken, you are absolutely correct. The keys are used for signing only (the devices will only run signed code). Their OSes have never been encrypted and their use of the DMCA is clearly abusive.

BF Skinner • September 25, 2009 8:39 AM

09 F9 reminds me of what happened in the 60's in Berkeley. People started painting vans with "Cocaine" as a parody of the Coca-Cola logo. The PD went nuts and began to pull them over. The traffic stops never uncovered drugs so they stopped. No telling how much coke was transported in these vans afterwards.

Once the cat is outta the bag the solution is to be able to quickly and easily change your locks.

anonymous • September 25, 2009 9:12 AM

What I saw claimed in the Slashdot thread about this is that for being allowed to use the calculators for some tests the testing authorities need to know that they can't be used to cheat. There are programs available for them that are supposed to clear the calculators. If the OS is replaced, those programs might not really work any more. If because one can now replace the OS, they decide to decertify TI's calculators for these tests, it could hurt sales.

aikimark • September 25, 2009 9:21 AM

Maybe I'm a bit naive, which might be a good thing, but this potential security breach might make customers take a skeptical look at the updates they download. They might get their updates from the (TI) trusted source and avoid mirrored servers.

This, in turn, might give TI more web traffic and its concomitant sales/marketing opportunities.

Vincent • September 25, 2009 10:08 AM

@Aaron
Have to agree with you there.

@anonymous
Flashing the entire OS and then storage device would accomplish the same thing. How do you know these weak little keys aren't already in circulation by people who aren't publishing?

Ward S. Denker • September 25, 2009 10:29 AM

>Moral: Don't assume that if your application is obscure, or if there's no obvious financial incentive for doing so, that your cryptography won't be broken if you use too-short keys.

...especially if your product has worldwide appeal to geeks. Geeks hack things.

TI should have expected that cryptologists (professional or amateur) tend to have backgrounds in mathematics. Most students possess a calculator in high school these days, and a majority of those calculators are TI products. I just don't get what it is that TI thinks they'll lose on this. If anything, it will probably increase the appeal of their product because hackers tend to like to buy products they can hack and use for purposes other than the originally intended one.

Fred P • September 25, 2009 10:37 AM

I didn't realize that people still considered calculators to be useful; I don't think I've used one in over a decade, as they're so limited compared to a general purpose computer.

EscapedWestOfTheBigMuddy • September 25, 2009 10:53 AM

Fred,

These things are general purpose computers. They have (depending on the model) OSs, pixel addressable displays, programming languages, and third party software.

And they are relatively inexpensive, come in convenient form factors and have tuned to the application input devices.

As PDAs and phones get better, you can expect them to push out the dedicated calculators, but it isn't as cut and dry as it seems.

'Course, I still use my HP 11C.

Lionel Debroux • September 25, 2009 11:00 AM

Besides the 8 keys mentioned by Bruce Schneier, we factored the 7 freeware FlashApp keys, i.e. we have factored all of the interesting RSA keys of TI-Z80 and TI-68k calculators. All 15 keys are available at http://www.sunshinepress.org/wiki/...
"FlashApp"s are TI's technology for programs that execute from Flash memory, with .data/.bss sections in RAM, as opposed to regular assembly programs which are copied to RAM (if necessary) before execution.


@anonymous: indeed, what seems to bother TI is that anyone will now be able to make arbitrary mods of their copyrighted OS.
However, the standardized tests' regulation bodies would be outright incompetent if they decided to ban TI calculators in the light of the RSA keys' factoring. See http://www.theregister.co.uk/2009/09/23/...


That is illegal in most Western countries, however.
Perhaps they're also trying to scare people out of hacking TI's latest models, the locked-down NSpire / Nspire CAS slow crap of limited functionality. They haven't been opened up yet, partly because their OS are encrypted, but TI being litigation-happy will only motivate people to open them up, that's for sure...

Khurt Gee • September 25, 2009 12:10 PM

Reminds me of a very funny (and accurate) cartoon on Moserware. http://www.moserware.com/2009/09/...
Reading the cartoon, it explains AES and 'Rijndael' quite well. If folks understand what happened, historically, in between the Lucifer/DES to AES years (read J. Bamford's Puzzle Palace, esp. Chapter 9), they would understand about secrecy of the "key" vice the "algorithm".

Chris S • September 25, 2009 1:46 PM

"Moral: Don't assume that if your application is obscure, or if there's no obvious financial incentive for doing so, that your cryptography won't be broken if you use too-short keys."

True as this may be, I would keep in mind that this is not a plug-in-the-wall computer with MIPS to spare. It's a calculator, restricted in space, memory, performance, and running on battery power.

Longer keys would certainly offer better protection - but what would it do to the performance of the device? Would it appear dramatically slower to load and run - or would making it operate acceptably instead make the run time on batteries unacceptably short?

Clive Robinson • September 25, 2009 2:16 PM

A thought occurs,

Does anyone else remember FIG Forth for the Z80 and 68K?

Somewhere I have the assembler listings (and for the Jupiter Ace).

It might be fun to port them onto TI hardware 8)

@ Lionel Debroux,

Do you know if there is any programmer low level hardware info floating around for these TI Calcs?

Ward S. Denker • September 25, 2009 2:54 PM

>I didn't realize that people still considered calculators to be useful; I don't think I've used one in over a decade, as they're so limited compared to a general purpose computer.

They're certainly limited, especially when any serious study of mathematics and related fields usually involves products like Mathematica nowadays. Still, there's something to be said for a single-purpose device like a calculator which is instantly available to do its job. Despite the power of Mathematica, I've yet to meet a calculator-sized piece computer which can boot with the speed of a graphing calculator.

It seems silly to boot up a laptop just to perform a few calculations or plot a simple graph and promptly shut it down and pack it up again when you can get the answer out of a calculator much more rapidly and just stuff it back into your pocket or toss it into a drawer when you're done with it.

Lionel Debroux • September 25, 2009 3:01 PM

@Clive Robinson: you didn't leave a website that can enable me to contact you privately, so I'll reply here.

Yes, we have lots of low-level hardware info. Most of it was gained through reverse-engineering, because TI's docs, when they exist, are incomplete or wrong.

In the rest of this post, I'll talk only about TI-68k calculators, because I know next to nothing about TI-Z80 calculators. I'll point some people who have a clue to your post.

* the file that contains almost everything we know about the hardware of TI-68k calculators is named "J89hw.txt". One of its (unofficial, the original site disappeared) mirrors is
http://tict.ticalc.org/docs/J89hw.txt .
* there's a complete C/ASM development environment, GCC4TI: http://trac.godzil.net/gcc4ti/ . It's a derivative of the TIGCC environment, the activity on TIGCC has been very low for a while.
...

Lionel Debroux • September 25, 2009 3:03 PM

@Clive Robinson:
...
* TIEmu ( http://lpg.ticalc.org/prj_tiemu/ ) is nowadays the emulator of choice for TI-68k calculators.
* TI-Freakware (English-speaking), United-TI (English-speaking) and yAronet (French-speaking) are among the most lively remaining community forums. Look them up in a search engine, the spam protections trigger if I post too many links in a single post...
* http://www.ticalc.org is the largest TI-* file archive (more than 40K files).

Hope that helps :)

kangaroo • September 25, 2009 3:21 PM

The "folks might cheat" whining is particularly entertaining.

There was a day, in ages past, when folks received oral exams. There was no cheating, in that the tester adapted to the testee as the test progressed.

Then later on, we had blue book exams, where conceptual problems were given in a time limited frame. Once again, cheating was fairly irrelevant -- a well written extended essay/problem solving exam is primarily about application, and not memorization. I recall being often allowed to bring in "cheat sheets" -- the instructor was not worried about that!

For sake of efficiency, we've reduced most tests to multiple choice -- memorized facts, or plug-and-chug problems. Cheating is a problem because the tests are so poorly written -- and inevitably so. Yes, it's cheap, but all they do is eliminate the completely brain-dead from the system.

This is a very similar problem to "google cheating" on papers. That is only a problem because instructors assign problems that are google-able -- old questions with old answers, in no way capable of reflecting original thought, graded en masse, eliminating any ability for the grader to identify the writer's natural flavor.

Pointless exercises in "grading theater".

Theater -- it's a running theme.

Parent • September 25, 2009 4:16 PM

@Fred
"I didn't realize that people still considered calculators to be useful; I don't think I've used one in over a decade, as they're so limited compared to a general purpose computer."

I know of high schools which do not allow students to possess any form of cell phone, PDA, or other general computing device in classrooms. Only certain models/brands of calculator are allowed (i.e. TI-83/84), to provide consistency for the instructors, and to ensure the applications available to the students are generally known. I suspect these high schools may have a problem if this "break" allows students to bring rogue applications into the classroom via the approved calculator.

D • September 25, 2009 4:56 PM

Someone mentioned that these calculators are indeed general purpose computers ... But they're not exactly. They have a fair amount of math-specific hardware where your general purpose CPU doesn't. Try factoring a large number on your computer and then on the calculator - if it's a newer TI it'll beat your computer. This is why my iPhone isn't replacing the TI any time soon. That and my iPhone isn't "approved" for use on a standardized test.

My personal complaint is that any testing authority wants to test my ability to memorize formulas and such rather than testing my understanding.

Jason • September 25, 2009 8:00 PM

@D:

Actually not really. They're doing math in software. Most notable is the 83+ which even does floating point math encoded in BCD in software. No kidding.

Jason • September 25, 2009 8:07 PM

Oh, and a bit of context: the TI-83+ and TI-89 which first contain these 512 bit signing keys were released in 1999. Thus 10 years ago these keys looked a lot stronger than they do today!

Thomas • September 25, 2009 8:10 PM

@D
"My personal complaint is that any testing authority wants to test my ability to memorize formulas and such rather than testing my understanding."

Testing the former is easy, cheap and demonstrably objective. Answer X is right, everything else is wrong, tick or cross, done!

Testing understanding is slow, expensive and subjective.

Clive Robinson • September 25, 2009 9:34 PM

@ Lionel Debroux, Brandon Wilson,

Thank you both for the links. I've had a quick look; now comes the hard part: making the best selection of hardware to "old school hack" 8)

anonanona • September 26, 2009 2:05 PM

Back in the day, I suppose 7, 8, or 9 years ago, we used Zilog's assembler. We had a lot of documentation including stuff TI posted on their website. I think they took most of that down. I'm impressed to see how far hobbyists have come. Now they have greyscale graphics on a two color display. Snazzy. It's sad TI is alienating its most hardcore customers. A lot of kids learned the tricks of the trade programming in assembly for the calculator, me included.

Clive, are you considering joining the fun? :)

Clive Robinson • September 26, 2009 2:53 PM

@ anonanona,

"Clive, are you considering joining the fun? :)"

Many many years ago (83ish) I put FIG Forth onto the "Torch Z80" card for the BBC Model B computer for fun.

And when Torch brought out the "68000 Unix" system I also ported FIG Forth onto that...

I also put Forth on many other "boxes" and designed some hardware add ons for them including the Acorn Atom & BBC Model B, Commodore PET, Sinclair ZX80/81 and QL as well as the Jupiter Ace (Forth) and one or two odd items for the Tangerine and Apple IIe. Oh and the original Psion Organiser and early IBM PC's (I even have an old Osborne luggable and Apple Lisa in my garage from some proto projects).

My son is now of an enquiring age and having played with the Lego Mindstorms CPU unit to make it more "programmable" I'm looking for a hardware platform for (our) Hornby railway to make the DCC a bit more interesting so I thought porting forth across to one of the TI's and interfacing it to the DCC controller might be a little project for when I get out of hospital.

Clive Robinson • September 26, 2009 3:07 PM

@ Jason,

"Most notable is the 83+ which even does floating point math encoded in BCD in software. No kidding."

There might be a simple reason for this...

Some 8 bit CPU's such as (Chuck Peddle's) 6502 had native BCD instructions.

If you had developed a maths library for such a CPU it would be easier when porting to a new CPU to fake the BCD instructions rather than start the library from scratch.

It was just one of the odd things we did back in the 80's. I remember writing a bit of code that would read in an ASM file for one CPU and spit it out as ASM for another CPU, it was not perfect so had to be hand tweaked but it saved on programmer time.

Oh and anyone else remember "Pilot" "BCPL", "B" and "UCSD P code" ?

mashiara • September 27, 2009 7:30 AM

Funny thing this controversy. Back here the "high-school" (not exactly same thing but anyways for people 16-20 yrs old, in preparation [and required] for university) normal math and physics exams generally allow graphing calculators of just about any sort in addition to a standard book of tables and formulas.

The final exams allow a certain set of graphing calculators that have hardware memory reset (you give your calculator to the exams board about a week in advance and get it back when the exam starts), the standard book for tables and formulas is naturally allowed (I don't recall if they provide you with one for the duration or check your own beforehand).

The questions are in the style of "There is a lake of volume X, and outgoing flow of Z, amount Y of contaminant is introduced, how long until contaminant levels are below N." "show your work" is implicit so it's not enough to get the correct answer, you need to show that you understand how to convert the question into the required calculations (the mechanical calculations can be done on the calculator, it's not interesting [you will have to learn to do them manually as well but it's only to make you understand what they're really about]).

History questions are answered with essays (graded by the exams board) and while you naturally lose points for getting dates wrong, if they're only slightly off it's not a huge problem.

As for the "cheating" argument against the signing keys, it's bogus for two reasons:

1. The calculator should have ROM copy of the OS and the hardware reset should load that to the flash (many reasons, most important is that it can always be reset to known state, this sinks the cheating idea without HW modification, also acts as nice backup if you run out of battery when flashing upgraded OS)

2. Even without the ROM OS the exams board could simply reflash the device with a known good OS for the exams that really matter. For the run-of-the-mill stuff it's the cheater's own problem anyways.

Lyle • September 27, 2009 6:16 PM

I memorized the z80 machine code when I was 15, as a side effect of hand-disassembling the TRS80 BASIC interpreter. I wasn't clever enough to think of writing a disassembler, and couldn't afford the forty bucks to buy one.
That ROM had some really incredible programming tricks in it, including interleaved streams of code, in which one execution path included some apparently silly and pointless opcodes, but those were data to the other execution path, and vice versa. I've not seen anything like it before or since.
I've always wondered whether that was done manually or not.

Clive Robinson • September 28, 2009 6:31 AM

@ elegie,

"the actions of the tinkerers may not in fact be restricted by the DMCA"

Whilst it might be true it does not stop the likes of TI using it as a blunt instrument...

It works like this,

1, You do something MegaCorp don't like.

2, MegaCorp get their best sharks in suits to find any bit of legislation no matter how thin to use against you.

3, You get a thick piece of paper with a heavily embossed header basically saying "cease and desist or we take proceedings against you".

4, You either acquiesce or go see a shark of your own.

5, Your shark hums and haws and says 30,000 retainer to fight the case.

6, You either acquiesce or pay your shark, who then sends the appropriate letter.

7, The MegaCorp sharks then play their next nasty little card "electronic discovery", they pay a judge to tell you to produce every bit of electronic documentation you have ever seen etc, but you have to do it at your own expense to MegaCorp's satisfaction.

I think you get the idea: MegaCorp know they have no real chance of winning; all they are doing is blackmailing you via legal expenses into doing what they want.

And guess what 90% of the time they get their way.

They won't even negotiate unless you have an equally as big legal stick or resources to back you up, such is the "American Way".

Oh and there are another bunch of tricks MegaCorp can do via the UK courts thanks to the likes of Judge Eady and UK libel/defamation laws...

Oh and a new little trick is if you are a European resident, MegaCorp take action against you in a European country where they know they are going to win (money talks etc) they then either use the European Arrest warrant to drag you into that country's jails or other EU legislation to get enforcement of the "tame court findings" against you in the courts of the European Country you live in...

But hey it's only business...

Web design • September 28, 2009 9:51 AM

It will be interesting to see how the College Board, et al. reacts to this news. If people can install arbitrary software on their TIs, it kind of kills their use on standardized tests.

Lionel Debroux • September 28, 2009 2:29 PM

@Web design: in fact, it's been possible to install arbitrary software on some TI calculators for _years_ before we factored their RSA public keys. See http://www.theregister.co.uk/2009/09/23/... for a little more technical detail.
Factoring the public RSA keys, and deducing the private RSA keys, eases (as opposed to "makes possible", at least for the TI-68k models), the installation by end users of arbitrary, reset-resistant software.

In other words, any regulation authority that would decide to ban TI calculators from standardized tests, in the light of the RSA keys' factoring, would show its incompetence to the world.

bob • September 29, 2009 3:21 PM

Hewlett-Packard got around this problem by discontinuing the production of calculators that have any value or utility.

@EscapedWestOfTheBigMuddy,Aaron Toponce, NotYetEscapedWestOfTheBigMuddy. I carry my hp-11c with me everyday. I bought it in June 1983. I replaced the batteries in ~1997 (so they're probably about due again). Have you guys visited: http://hp15c.org/ ?

DC • October 1, 2009 8:10 PM

I wonder how much some would pay to have you NOT publish some DVDs of the right sized prime numbers to make factoring a known length RSA key easy? Due to the key generation rules (if I recall correctly) this would be a fairly small subset of the random numbers.

Shay • October 14, 2009 1:11 PM

Regarding the problem of verifying that the calculator is using an unmodified OS, someone suggested to put a ROM copy of it, and have hardware reset use this. This would be costly, as it would add an extra chip.

It seems the solution is to connect the calculator to a PC and reflash it to an official version of the OS. If the reflash code itself could be modified to pretend to be reflashing but not really doing so, you could first send the calculator a large set of random data that completely fills all its memories (RAM, Flash), then ask for it to send this back to you. The data wouldn't be compressible, so there's no way a modified flasher could fake this; it would have to write this data to Flash and RAM, replacing any previous contents. Then you send the official OS and you know that the calculator doesn't have a modified version.
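
The fill-and-echo check described in the comment above, simulated as an added example (not part of the original comment or any TI tool). The `Calculator` and `HoardingCalculator` classes, the 256-byte chunk size and the memory sizes are constructed for the simulation; the last case shows that the check only covers the memory the verifier knows about.

```python
import hashlib
import os

CHUNK = 256  # bytes per transfer (constructed value for this simulation)


class Calculator:
    """Honest device: all writable memory (RAM + Flash) as one flat array."""

    def __init__(self, capacity: int):
        # Random bytes stand in for whatever was stored before the check.
        self.memory = bytearray(os.urandom(capacity))

    def write(self, offset: int, chunk: bytes) -> None:
        if offset + len(chunk) > len(self.memory):
            raise ValueError("write past end of memory")
        self.memory[offset:offset + len(chunk)] = chunk

    def read(self, offset: int, length: int) -> bytes:
        return bytes(self.memory[offset:offset + length])


class HoardingCalculator(Calculator):
    """Modified flasher: acknowledges every write but never overwrites
    its last `reserved` bytes, where it keeps its own code."""

    def __init__(self, capacity: int, reserved: int):
        super().__init__(capacity)
        self.protected_from = capacity - reserved

    def write(self, offset: int, chunk: bytes) -> None:
        keep = max(0, min(len(chunk), self.protected_from - offset))
        super().write(offset, chunk[:keep])  # the remainder is dropped


def verify_erasure(device: Calculator, assumed_capacity: int) -> bool:
    """Fill `assumed_capacity` bytes with fresh random data, then read it back.

    Every write is sent before the first read, so the device cannot echo
    a chunk and then discard it."""
    challenge = os.urandom(assumed_capacity)  # unpredictable, incompressible
    expected = hashlib.sha256(challenge).digest()
    for off in range(0, assumed_capacity, CHUNK):
        device.write(off, challenge[off:off + CHUNK])
    echoed = hashlib.sha256()
    for off in range(0, assumed_capacity, CHUNK):
        echoed.update(device.read(off, min(CHUNK, assumed_capacity - off)))
    return echoed.digest() == expected


def run_cases() -> dict:
    """Three constructed cases: honest, hoarding, and under-declared memory."""
    honest = Calculator(4096)
    hoarder = HoardingCalculator(4096, reserved=512)
    larger = Calculator(4096)  # the verifier wrongly believes it has 3072 bytes
    old_tail = bytes(larger.memory[3072:])
    return {
        "honest_passes": verify_erasure(honest, 4096),
        "hoarder_passes": verify_erasure(hoarder, 4096),
        "underdeclared_passes": verify_erasure(larger, 3072),
        "underdeclared_tail_survives": bytes(larger.memory[3072:]) == old_tail,
    }
```

The third case passes the check while 1024 bytes of old content survive, so the verifier needs an authoritative figure for total writable memory before the result means anything.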

gc-sec • October 15, 2009 8:19 AM

There is no Security Through Obscurity.

Any professional designer should be aware of this!!!

Glenn Clabough • September 19, 2011 6:23 AM

I have been a loyal customer and supporter of TI's for more than 20 yrs. I have personally owned 23 of their calculators and instructed students to buy them for years. I use them for my programming hobby and homemade robots. After following this story I can say that time is gone now.
The fact is, TI removed my favorite the "ti86" from the market in the last few years anyway. So I buy them at pawnshops but why are they complaining about it now, the good stuff is gone? I would rather have these "signing keys" for further development as any of their other junk anyway even for a price. If they can't release them and these kids from legality they lost my business for good. There are plenty of microcontrollers out there to compete and they sell for a lot less than the $120 they want.

David Gish • December 15, 2011 11:14 PM

This is a cobweb now but I couldn't resist the temptation to chime in.

No one has pointed out what, exactly, TI has at stake in this market. Haven't you wondered why they can command the price they get for their graphing calculators when competing devices sell in the $20-$30 range? In addition to being approved for use on college entrance exams, TI has managed to convince educators to standardize on theirs and many schools *require* students to have TI calculators. It doesn't get much more lucrative than being the sole supplier for a government specification. You better believe they'll protect that.
