Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Encryption Security United States News

Feds' Radios Have Significant Security Flaws 84

Posted by samzenpus
from the listening-to-the-listeners dept.
OverTheGeicoE writes "The Wall Street Journal has a story describing how the portable radios used by many federal law enforcement agents have major security flaws that allow for easy eavesdropping and jamming. Details are in a new study being released today (PDF). The authors of the study were able to intercept hundreds of hours of sensitive traffic inadvertently sent without encryption over the past two years. They also describe how a texting toy targeted at teenage girls can be modified to jam transmissions from the affected radios, either encrypted or not."
This discussion has been archived. No new comments can be posted.

Feds' Radios Have Significant Security Flaws

Comments Filter:
  • You notice that pretty much everything sold to the federal government is fraudulent? There is an entire industry devoted to ripping them off. Why isn't there a mechanism in place to punish these folks?

    • by couchslug (175151) on Wednesday August 10, 2011 @06:08PM (#37050436)

      "Why isn't there a mechanism in place to punish these folks?"

      A fine idea, but let's outsource it to save money.

      • Re: (Score:3, Informative)

        by AvitarX (172628)

        There is, you're allowed to Sue on behalf of the government if it doesn't do so itself. You get a 30 percent take.

      • by hairyfeet (841228)

        Hell if they are anything like the local yokels and the county mounties they are making money both ways! In my area the above get all the federal grants to upgrade gear for the "war on (insert drug of the week)" which of course they skim the fuck off of with kickbacks and the like (hell you should have seen the jail they got a grant to build. Supposedly the thing cost 3 mil+ and the wires were hanging down and the shitters leaked on opening day. The cops wives got some nice Navigators though) and then when

    • by jimpop (27817) *

      How else would that industry be able to sell upgrades?

    • We kind of do [epls.gov]... It just isn't all that toothy and appears to apply more seriously to smalltime operators, not to Big Respectable Contractors...
    • And who do you think should pay the kickbacks if they wasted money on research or production?

      Tsk, tsk, people don't understand politics.

  • by jd (1658) <<moc.oohay> <ta> <kapimi>> on Wednesday August 10, 2011 @06:12PM (#37050490) Homepage Journal

    Kim Possible has become Evil!

  • or supposed to be. I couldn't find where they where using an encrypted channels.

    And it's radio, so NEWSFLASH: It can be jammed.

    Ob. link:
    http://www.youtube.com/watch?v=FcArnepkhv0 [youtube.com]

    • by fuzzyfuzzyfungus (1223518) on Wednesday August 10, 2011 @06:27PM (#37050626) Journal
      Obviously, any RF device can be jammed(if nothing else, a correctly crafted jamming signal could cause destructive interference resulting in zero signal at the receiver site; but good luck with that one...); but the difficulty of doing so can vary widely. If a spark-gap that blacks out the east coast and draws complaints from the FCC-analogs of 6 nearby countries jams something, the designer gets a pass. If some FCC approved kiddie toy can jam it, the system is likely being attacked in a manner significantly more sophisticated than brute force...

      From TFA: " But, as we will see below, the situation is actually far more favorable to the jammer than analysis of its modulation scheme alone might suggest. In fact, the aggregate power level required to jam P25 trafc is actually much lower than that required to jam analog FM. This is because an adversary can disrupt P25 trafc very efciently by targeting only specific small portions of frames to jam and turning off its transmitter at other times... It is therefore unnecessary for an adversary to jam the entire transmitted data stream in order to prevent a receiver from receiving it. It is sufcient for an attacker to prevent the reception merely of those portions of a frame that are needed for the receiver to make sense of the rest of the frame. Unfortunately, the P25 frame encoding makes it particularly easy and efcient for a jammer to attack these subelds in isolation."

      Oops: A sophisticated digital RF transmission mechanism substantially more vulnerable to jamming than analog narrowband...
      • by hawguy (1600213)

        From the study itself:

        A jammer synchronized to attack just the NID
        subeld of voice transmission would need to operate at
        a duty cycle of only 3.7% during transmissions. Such a
        pulse lasts only about 1/100th of a second.

        So not only does this mean that your jamming transmitter can be small (not much power to dissipate when you're only transmitting a 100ms pulse, but it means that the power source can be small, and the short duration of the signal makes it hard to find.

        So when you're ready to create your civil disruption, you drop 100 of these jammers around town (they can be quite small, powered by a couple D-cell batteries for a few days), with so many jammers, it's hard to triangulate on any single o

        • by ae1294 (1547521)

          So not only does this mean that your jamming transmitter can be small (not much power to dissipate when you're only transmitting a 100ms pulse, but it means that the power source can be small, and the short duration of the signal makes it hard to find.

          So when you're ready to create your civil disruption, you drop 100 of these jammers around town (they can be quite small, powered by a couple D-cell batteries for a few days), with so many jammers, it's hard to triangulate on any single one of them.

          Any EE undergrad should be able to build these jammers using easily obtained off-the-shelf components.

          open source project???

        • by Gordonjcp (186804)

          But the signal is more-or-less continuous, so you are trying to locate the source of a very powerful continuous buzz.

          This is trivial to DF.

          • by hawguy (1600213)

            But the signal is more-or-less continuous, so you are trying to locate the source of a very powerful continuous buzz.

            This is trivial to DF.

            Ahh, good point, when I first read the article, I thought the key was sent at the beginnning of a voice stream, but in rereading, it looks like it's sent with every packet, so the jammer would need to operation more or less continuously. LIke in a 3.7% duty cycle (as it says in snippet of the article I quoted).

            But still, there's safety in numbers, with a 100 point sources sending out jamming signals, it's much harder to triangulate on any single one.

            • by Gordonjcp (186804)

              No, quite the reverse. If you've got lots of sources it's quite easy to find them simply because you've got a better chance of finding one.

            • by Yamioni (2424602)

              But still, there's safety in numbers, with a 100 point sources sending out jamming signals, it's much harder to triangulate on any single one.

              This is only true if you attempt to search for one inside of a field of many. You can't triangulate to a single source when you're in range of multiple transmitters all broadcasting the same source. But nothing says you can't start your search from beyond the edge of the coverage zone where you can easily be in range of one and only one transmitter at any given time. Following the method of outside-in, you could rather easily chip away at the coverage zone. Generally speaking though, yes, it would be harde

    • by AvitarX (172628)

      If the user interface leads to accidentally sending things in the clear, it's a problem. If it's stupid feds, that's a problem too (but a different one).

      Why shouldn't essentially everything be encrypted? That sounds like the sane default to me.

      • by geekoid (135745) <dadinportland AT yahoo DOT com> on Wednesday August 10, 2011 @06:34PM (#37050666) Homepage Journal

        Because we want to minimize the amount of chatter that goes on behind closed doors?
        You're 'sane' default leads to less checks and balances. No thanks. OTOH, very few criminal would actually know or do anything about this.

        • by Sycraft-fu (314770) on Wednesday August 10, 2011 @06:38PM (#37050708)

          And it is legal to listen in on them. Google for "police scanner".

          Now I could see reasons why the FBI might have encrypted radios, but then again they also might decide such a thing isn't necessary, or that they should be selectable.

          Either way, the idea of unencrypted police radio isn't surprising, it is the norm. That may change, but for now in most places a cheap scanner is all you need to listen to police radio, if you wish to do so.

          • by Anonymous Coward

            The changeover started pre 9/11, but the influx of Federal funds after that really kicked it into high gear. All or nearly all major metro areas now use digital, encryptable radio systems and they're spreading to smaller and smaller counties and cities. And thanks to the Publc Safety push they're using the P25 standard for interoperability.

            It has made it much harder for journalists to learn about news-worthy incidents.

        • By "very few" you mean "Only the really smart and dangerous ones, and any of the ones who imported an dubiously legal P25 scanner, labelled as a "toy/gift", from a drop-shipper in Hong Kong", right?
          • you can buy a "dubiously legal" P25 scanner at any Radio Shack or Amazon... P25 is an open standard.
            • by Obfuscant (592200)
              You can buy a dubiously legal P25 transmitter on Ebay.

              But you won't be buying the encryption keys for encrypted P25 traffic there.

      • by fuzzyfuzzyfungus (1223518) on Wednesday August 10, 2011 @06:39PM (#37050724) Journal
        Apparently, aside from user interface failings, the system is based on manual keyfill and pre-shared keys...

        And I'm not talking "Man, I hate trusting CA certs" pre-shared keys, I'm talking "Apparently, news of assymetric key cryptography hasn't made it to P25 land yet, and we have no option but to talk in the clear unless everybody we are talking to has been keyfilled ahead of time. Oh, also, none of our radios provide any warning when receiving a cleartext signal, they just decode and play exactly the same as if it were encrypted... We are deliberately ignoring everything that has been learned about maintaining encrypted channels under real world conditions here, apparently!"
      • by Obfuscant (592200) on Wednesday August 10, 2011 @08:36PM (#37051626)

        Why shouldn't essentially everything be encrypted? That sounds like the sane default to me.

        Because encryption requires management of encryption keys, which require security clearances for people who go around loading keys in radios and need to store keys locally.

        It creates a terrible headache for backup radio systems and radio caches. I.e., the feds have several large storage areas for equipment that is needed in a disaster but wouldn't get much use otherwise. Someone would need to keep all those radios keyed up to date if everything was encrypted. Also, the radios need better security if they are encrypted. I manage a stack of about two dozen radios -- it would be a real PITA if I had to get a clearance so I could go rekey them once a week.

        For CAP (Civil Air Patrol), they are getting/have gotten encryption capable radios. Out here, there is nobody with a clearance to manage the keys and keying of radios. It also shuts out personally owned equipment use, and mostly there isn't much that needs to be encrypted in the first place. CAP is getting this capability because they sometimes in some areas support fed agencies that want encrypted traffic. (The aircraft radios won't do it, anyway.)

        And finally, encryption really puts the nail in the coffin of the idea of "interoperability"; that is, different agencies being able to communicate with each other when they need to. E.g., a major forest fire needs people from many agencies and different fire departments to fight it. They all show up with their own radio equipment. Interop means they all have standard channels (VTAC, VCALL, UTAC, etc) (look up "NIFOG" in google for the field guide that defines this all) and can talk to each other as soon as they arrive. Encryption means those who have encryptable radios have to get the right keys installed before they can do anything, and those without encryptionable radios don't talk to anyone.

        And really, finally, encryption does NOTHING to prevent the issues of jamming and interference. The only people who haven't figured out that P25 digital systems have nowhere near the coverage as the old analog wideband systems are the radio manufacturers making billions selling the new P25 whiz-bang radios. We did a simple test out here (somewhere on the west coast) comparing P25 to analog narrowband, and P25 would fail where analog narrowband woked fine. One company (with the intials "M") came out here and proposed a trunked digital system to replace all the local public service systems, and they wound up with about thirty radio sites to provide the same coverage that we are getting with a dozen. Just doesn't work as well, and that's personal experience.

        • by adolf (21054)

          I agree; P25 is crap. (Qualification, for whatever it's worth: I've installed/programmed/fixed/pondered-upon many thousands of such radios, all from a company with the initials "M" and am entrusted with keys to the tower sites all over a certain midwest state.).

          Nobody really likes it. Some agencies are happy because they've got new radios which aren't yet as broken as their old ones were, but they cost 5-10x as much to buy, each. Plus a monthly fee, per radio, for service. The only reason they're even

        • Excellent points.

          The only suggestion I could make in this scenario would be to store the encryption key on an external dongle/smartcard/USB-key that requires a PIN/password to activate (and need it after x amount of time). That would address the issue about managing the inventory.

          Now that does transfer the issue of key management to some other part of the great fed machinery. Still a messy endeavour.

      • by GooberToo (74388)

        Why shouldn't essentially everything be encrypted? That sounds like the sane default to me.

        Because news organizations frequently are given radios. As a rule of thumb, only discussions which are intended for public consumption are done on unencrypted channels. Furthermore, encryption prevents cross departmental communication. So imagine 9/11. Now imagine none of the various agencies being able to communicate because none have the same keys.

        Honestly, there doesn't exist a legitimate reason for everything to be encrypted.

  • by sackvillian (1476885) on Wednesday August 10, 2011 @06:22PM (#37050576)
    The front page of the 'texting toy' website begins with 'It sounds 2good2btru - but it's 4real!' and ends with my stomach contents, evacuated onto the floor. Shame on TheGeicoE for subjecting us to that.
    • by sjames (1099)

      You have received a Denial Of Sustenance attack.

    • Good job citizen: The absolutely insufferable 'language' and graphic design of that website is designed to keep dangerous, potentially pedophilic, adults away from vulnerable children. It is part of a broader campaign to make parts of the internet used by children utterly insufferable for those over the age of 12 for the safety of our children.

      The program is already beginning to see considerable success [theonion.com]...
    • The front page of the 'texting toy' website begins with 'It sounds 2good2btru - but it's 4real!' and ends with my stomach contents, evacuated onto the floor. Shame on TheGeicoE for subjecting us to that.

      Sorry. I have kids. They've desensitized me. I just wasn't thinking how innocent Slashdotters might react.

      The article and the study have a less objectionable picture with some hexadecimal numbers on the screen.

    • yeah, that site drove me nuts real quick.
      that much txt-speak is inexcusable if you're well under the character limit
      you'd think that it would be easy to type out full words if you're that good at working a tiny keyboard

  • "the more they over-think the plumbing, the easier it is to stop up the drain." (Star Trek III: The Search for Spock)

  • try frequency hopping, or spread spectrum technology, no analog or digital scanner can receive them...
    • I was thinking just that. Even jamming isn't easy unless you jam in such a wide spectrum that it becomes near trivial to sniff you out. Hell, I built a freq hopping communication toy, it's not rocket science.

    • try frequency hopping, or spread spectrum technology, no analog or digital scanner can receive them...

      Oh, really? [hamradio.com]

      Most modern public service radio systems have used frequency hopping for the last 10 or more years. Consumer-oriented scanners, in general, only lag the latest technology development by a few months; and older scanners can usually be updated to new technology by a software update.

      • by Obfuscant (592200)

        Most modern public service radio systems have used frequency hopping for the last 10 or more years.

        You are confusing trunking with frequency hopping or spread spectrum.

        Trunking has a dedicated control channel that tells every radio that is part of a talkgroup (predefined group) to "go to channel X" so everyone in the talkgroup hears the same thing. Yes, modern scanners can monitor that control channel and do the same thing. This channel hopping is done on a per-transmission basis. I.e., once the talker is assigned a transmission channel, he and all the receivers stay there until he lets up on the push-

  • Back in the day, you could tune into the police on an ordinary FM radio (in the UK). They used the frequencies from 100 to 108 MHz before they got moved.
  • Is their some reason the feds are not using the same radios the military uses? I'm sure the DOD has some experience in secure portable communications.

    • Might want to be careful [wsj.com]...

      The "Oh, our Predators are using unencrypted video feeds over transmission hardware sufficiently similar that dirt-cheap satellite-TV piracy gear is enough to grab their feeds in real time" incident was sort of an ominous sign...
    • Because encrypting analog radios costs extra money. Ask most police depts what they would rather have - 1000 encrypted portable radios, or 1000 portable radios that work with the portable radios and base stations they already have plus 1000 6 cell maglites.
      • by Yamioni (2424602)

        plus 1000 6 cell maglites.

        As long as I can get two to dual wield while cracking a perp's skull I'm in!

        • My favorite quote, from some detective story, "Except for the fact that it lit up when you pushed a button on the side, the officer's flashlight would not have been out of place at the Battle of Agincourt"
  • Traditionally, all police radio communications were unencrypted and anybody could buy a scanner from RadioShack to listen in. My understanding is that the press commonly used them and would publish what they learnt from it. And that was a good thing, because it forced the police to be a little more accountable.

    • However, more recently, most police bands have gone encrypted. The thinking is that if the info is broadcast in the clear, the perps have a much better chance of avoiding the police and getting away with whatever they were planning. Broadcasting police information in the clear also has privacy implications (did you here that Fred Smith was busted for speeding last night?).

      Slightly off topic - I have that exact radio shown in the TFA. It is a complete pile of garbage. It's UI is complex, non intuitive,

      • by tftp (111690)

        Broadcasting police information in the clear also has privacy implications (did you here that Fred Smith was busted for speeding last night?)

        This is not directly transmitted over the air. The LEO may ask for 10-28 on a plate and the dispatcher says "Vehicle registered to Fred Smith, digits in Anytown, US" and that's basically all. Very little is reported over the air about the nature of the stop; it goes into the report, if there is any.

        A typical 10-36, if transmitted, contains name and address of the

      • by adolf (21054)

        However, more recently, most police bands have gone encrypted.

        Define "most."

        I work in communications. Of the five or six counties I typically work in, all but one has recently moved to a statewide system based on P25 where law enforcement has been issued radios capable of encryption.

        Of those four or five counties which have encryption-capable radios, only one agency in one single town uses it by default. Everyone else transmits in the clear by default, as a matter of policy.

    • by anubi (640541)
      What do we do when the "bad guys" game the system by listening to our police so they can vamoose before the police arrive?
    • by DarthBart (640519)

      The county I grew up in went with this thinking. They scored about $350K in a drug bust and used that to buy a high powered (transmitter output was 350W) Motorola 150Mhz encrypted radio system. The transmitter was located in the Texas hill country northwest of San Antonio and you could hear it down in Corpus Christi, but you had to have a 100W mobile to be able to talk back into it from about 20 miles from the transmitter. As a comparison, my father and I put a 75W Amateur Radio 145Mhz repeater system wi

  • They also describe how a texting toy targeted at teenage girls can be modified to jam transmissions from the affected radios, either encrypted or not."

    A texting toy targeted at teenage twats 'twas transformed to twist transmissions 'tween totalitarian terrorist-tackling tards.

  • http://en.wikipedia.org/wiki/Terrestrial_Trunked_Radio [wikipedia.org] - Encrypted and allows direct and infrastructure communication.
  • ....the number one reason will be A DumbAss on a Backhoe.

  • Software or hardware to filter the signal from the noise can help in a jamming environment but it's not a cure-all.

    Unless you can stop the jammer from transmitting, stop your receiver from picking up the jamming signal, or you can simply overpower him, it's hard to stop a jammer.

    For typical hand-held and automobile radios there isn't a good solution.

    The most effective way to stop a jammer usually involves either finding and arresting the person responsible or destroying the transmitter. Sometimes a credibl

  • I've always wondered about wholly passive methods for police activity monitoring. For example, how difficult would it be to combine a GPS position fix and a DF setup to track nearby police cars or foot patrols? That's assuming law enforcement and emergency services use dedicated radio bands for communication. I guess eavesdropping would provide further information, but even just a position fix could be useful in the commission of a crime.

Sentient plasmoids are a gas.

Working...