Security flaws found in Project 25 mobile radios
Many users don’t know how to use encryption, and radios can be jammed with a child’s toy
A paper presented at this year’s APCO conference showed the vulnerability of some new and expensive encrypted digital mobile radios, particularly those used by federal law enforcement agencies. The researchers from the University of Pennsylvania found that it was very easy to monitor sensitive law enforcement operations, that users either didn’t turn on their encryption or thought their transmissions were encrypted when they weren’t, and that a $30 child’s toy could corrupt the radios’ signals enough to make them useless. They also found a way to make the radios transmit at will, so that direction-finding equipment could be used to determine their location.
The radios with the identified problems operate on a relatively new protocol called Project 25 (P25). P25 is an initiative of the Association of Public Safety Communications Officers (APCO) and both users and manufacturers of radio equipment. P25 radios use digital transmissions on channels spaced 12.5KHz apart in the UHF and VHF bands. One of the objectives of P25 is to expand the number of channels available for use in the crowded radio spectrum. Presently, federal law enforcement agencies are the biggest users of P25 equipment, but other public safety organizations are adopting the standard as they replace their “legacy” radios. Eventually, all users in the VHF and UHF bands will be required to go to P25 equipment, as their licenses to operate on the broader channels and with analog equipment won’t be renewed by the FCC.
Traffic over P25 equipment is transmitted in digital form, as bits of ones and zeros, rather than as an analog waveform as with older radios. The body of voice or data traffic is preceded and followed by several data frames of different lengths that identify the source, the type of information (voice or data) that follows, and when the traffic is encrypted, encryption keys that prevent the transmission from being heard by a radio which doesn’t have the matching codes. The authors of the paper found that the markings on the radios that turned the encryption on or off were so cryptic themselves that many of them thought they were transmitting encrypted, when they were actually sending “in the clear.” The knobs and indicators for encryption were poorly located, making it easy to turn encryption on and off while adjusting the volume or changing radio channels.
There are blocks of frequencies allocated for the exclusive use of federal law enforcement agencies. These are allocated by the National Telecommunications and Information Administration, and are not published, as are FCC-allocated channels. The allocation is made by both region and user agency, so that a channel used by the FBI in New York might be the one used by the U.S. Forest Service in Boise. Even though the assignments are confidential, the researchers were able to scan the federal bands in two large U.S. cities and monitor ongoing operations at length. The encryption problem became obvious, as users openly discussed names and descriptions of informants, appearance and vehicles of undercover agents and surveillance operators, and plans for raids and arrests. The researchers used a $1000 bench-type receiver, but indicated that the same task could be accomplished with gear from Radio Shack.
Techies are familiar with the acronym “RTFM,” or “Read the [Bleeping] Manual.” The manual for a P25 radio from one well-known manufacturer is 150 pages long. On top of that, most P25 radios are user-configurable, so that combinations of button presses and switch settings set the radio to work in specific ways the owner agency thinks is appropriate. The net effect is that — in addition to the 150-page manual — each agency has to publish their own user manual if they want their users to understand all the functions of the radio and how to use them. Of course, getting the users to read those manuals is another matter.
Digital communications has several advantages over analog, one being that if a portion of a transmission is not received or corrupted in sending, an error-correction protocol identifies it and sends a request for a re-send. The University of Pennsylvania researchers found they could manipulate this mechanism and send a string of renegade error messages to a radio, triggering a string of retransmit requests. There would be no retransmit, as the messages pointed to a nonexistent message stream, but the nearly continuous transmission could be used with a direction finder to pinpoint the location of the radio. Someone who was running countersurveillance on law enforcement users would be able to tell by this method when officers were active, and where they were.
A variation on the data packet manipulation worked to disable the radios entirely. The researchers purchased a toy text messaging device called an IM-Me http://uk.girltech.com/electronics-imMe.aspx , which sends and receives text messages between a computer and the toy, which looks like a text pager. By loading some custom firmware onto the device, it could be set to transmit corrupted data packets to P25 radios and confound their reception. The device had to transmit these packets for milliseconds at a time, making it very difficult to locate and identify.
The authors of this paper are all “good guys” who have no agenda for compromising public safety communications, but if they can produce the hardware and software necessary to manipulate P25 radios, you can bet someone with less honorable motives can, as well. These new P25 radios are expensive; one available from Midland costs $3295. Hopefully, that custom-configuration capacity can be used to modify the radio firmware and close some of these security gaps. In the meantime, if your agency is using or contemplating a purchase of P25 radios, you should revisit your security procedures and contact your vendor to determine how vulnerable your communications may be.
Clark, S., Goodspeed, T., Metzger, P., Wasserman, Z., Xu, K., Blaze, M. University of Pennsylvania. Why (Special Agent) Johnny (Still) Can’t Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio System, 2011. Available at http://www.usenix.org/events/sec11/tech/full_papers/Clark.pdf
Clark, S., Metzger, P., Wasserman, Z., Xu, K., Blaze, M. University of Pennsylvania. Security Weaknesses in the APCO Project 25 Two-Way Radio System, 2010. Available at http://repository.upenn.edu/cgi/viewcontent.cgi?article=1990&context=cis_reports