
Security Researchers Crack APCO P25 Encryption

timothy posted about 3 years ago | from the breaker-breaker-this-is-roscoe-p-coltrane dept.


An anonymous reader writes "Two Australian security researchers, Stephen Glass and Matt Robert, have published a paper that details flaws in the encryption implementation (PDF) in the APCO Project 25 digital radio standard, used by emergency services and police departments world-wide. The paper details flaws in the DES-OFB and ADP encryption that enable the encryption key to be recovered by traditional brute-force key searching. Also detailed is a DoS attack that makes use of the unauthenticated radio inhibit mechanism. The research is part of the OP25 project, which uses GNUradio to implement a P25 stack using software defined radio. With this solution in place, the researchers were able to do detailed analysis of the traffic coming from various radio systems and to transmit to and receive from P25 radios in their lab."


37 comments


CRACK IT NOW !! (-1)

Anonymous Coward | about 3 years ago | (#37362526)

Then smoke it up later !!

Re:CRACK IT NOW !! (-1)

Anonymous Coward | about 3 years ago | (#37364244)

That's what Richard Pryor said right before he went up in flames and burned to death. That's what he wrote in his autobiography.

I'd buy a USRP2 receiver (1)

ArchieBunker (132337) | about 3 years ago | (#37362556)

But they cost $1700! No thank you. How many people are even using them at that price?

Re:I'd buy a USRP2 receiver (2)

PCPackrat (1251400) | about 3 years ago | (#37362636)

Yeah $1700 is a lot for a drug dealer wanting to know the cops are coming for him.

Re:I'd buy a USRP2 receiver (3, Insightful)

b5bartender (2175066) | about 3 years ago | (#37362652)

...because anyone that wants to be able to monitor their public servants is obviously a hardened criminal.

Re:I'd buy a USRP2 receiver (2)

Medevilae (1456015) | about 3 years ago | (#37362796)

Or wears a tin-foil hat.

Re:I'd buy a USRP2 receiver (0)

Anonymous Coward | about 3 years ago | (#37363582)

or will be soon.

Nothing to hide, nothing to fear? (0)

Anonymous Coward | about 3 years ago | (#37364338)

Yes, but if they don't have anything to hide, they don't have anything to fear... right? RIGHT? (Isn't that the argument they've been using to justify monitoring US?)

Re:I'd buy a USRP2 receiver (1)

betterunixthanunix (980855) | about 3 years ago | (#37362762)

Wouldn't the presence of the police be enough? Lots of radio chatter... regardless of what they are actually saying...

Re:I'd buy a USRP2 receiver (0)

Anonymous Coward | about 3 years ago | (#37363436)

Yeah $1700 is a lot for a drug dealer wanting to know the cops are coming for him.

$1700 is nothing for a methamphetamine producer compared to having his whole operation and/or distribution network compromised. I sell P25 radios to law enforcement in my area and would not be surprised at all if this happens here.

Re:I'd buy a USRP2 receiver (0)

Anonymous Coward | about 3 years ago | (#37374686)

Eee, no;
$1700 is just 34 grams of coke or 50 g of speed (here in NL).
I have seen middlemen (the guy that sells to the guy on the street corner) earn more in 1 hour.

(Assuming you were not sarcastic, have Asperger's [wikipedia.org].)

Pretty reasonable really (4, Informative)

nten (709128) | about 3 years ago | (#37362870)

Comparable equipment has traditionally cost in the 10s of thousands. Only in the last two or three years has it been in the home hobbyist range. Granted it's not cheap, but it's about the same as a good gaming rig. And it's far less than car or shooting enthusiasts tend to spend. That said, the $1700 only includes the motherboard (FPGA and ADC/DAC) and enclosure, not the receiver. The receivers range from a hundred to almost five hundred depending on what you need. Same API to control all of them though. If you want to mess with the FPGA instead of doing it all on the PC, you probably want the slightly cheaper motherboard so you can use the free Xilinx WebPACK ISE instead of the crazy expensive one.

Comblocks also has a nice SDR offering but getting it to the PC at a decent speed is still around $800 at least, and I don't know how clean the software interface is.

Slapping an FPGA and high-speed ADC onto a custom PCB is easy enough, you can get such things from knjn prebuilt, but you really need gigabit Ethernet or faster to do software processing on significant bandwidth, and those sorts of interfaces tend to need five- and six-layer PCBs which aren't DIY and jack up the price. Perhaps the USB3 interfaces will be more hobby friendly. You still need a software controlled wideband receiver too, maybe Heathkit will step up on that one.

All in all, the USRP is reasonable, though it's been getting more expensive due to more features, and NI buying them might be involved too; NI doesn't tend to make cheap stuff.

Re:Pretty reasonable really (1)

citizenr (871508) | about 3 years ago | (#37363164)

Slapping an FPGA and high-speed ADC onto a custom PCB is easy enough, you can get such things from knjn prebuilt, but you really need gigabit Ethernet or faster to do software processing on significant bandwidth, and those sorts of interfaces tend to need five- and six-layer PCBs which aren't DIY and jack up the price. Perhaps the USB3 interfaces will be more hobby friendly. You still need a software controlled wideband receiver too, maybe Heathkit will step up on that one.

All in all, the USRP is reasonable, though it's been getting more expensive due to more features, and NI buying them might be involved too; NI doesn't tend to make cheap stuff.

Cypress already announced EZ-USB 3; if it's anything like the FX2LP, implementing solutions will be a breeze.
http://www.cypress.com/?rID=51181 [cypress.com]

Re:Pretty reasonable really (0)

Anonymous Coward | about 3 years ago | (#37368246)

You don't need a USRP anyway... unless you want to monitor multiple frequencies at once, which is really the strong point of having an SDR in the first place. P25 isn't very wide. If you have an FM scanner with access to the discriminator output (or a "9600 baud" compatible ham radio that can reach the frequencies you want) then you can plug a sound card into that and go from there. I imagine it's even possible to define that as a source for the GNUradio program.

I've been able to receive P25 packets with an old 800 MHz MaxTrac that has discriminator out on the 16-pin connector on the back. (Did me no good since the system around here uses trunking: 2 channels and a control channel which I have no way of following; at least this one isn't encrypted in the first place.)

I would love to find a reasonable USRP device though. They can't cost more than $100 or $200 in parts. $400 would be a much more sane price point than $1700. I'm sure if it wasn't for uninhibited pure evil greed, it would be cheaper.

Re:I'd buy a USRP2 receiver (-1)

Anonymous Coward | about 3 years ago | (#37363310)

GNUradio works with more than USRPs, despite what Matt Ettus would like you to think. Many DAC/ADC cards and other devices work fine.

Re:I'd buy a USRP2 receiver (0)

Anonymous Coward | about 3 years ago | (#37365164)

GNUradio works with more than USRPs, despite what Matt Ettus would like you to think. Many DAC/ADC cards and other devices work fine.

That sounds like you think Matt is involved in some deep conspiracy to keep other hardware support out of Gnu Radio. Nothing could be further from the truth. The fact is that not a lot of commercial producers of SDR hardware have shown much interest in Gnu Radio support. That isn't Matt's fault. Big-ticket SDR hardware like that from ThinkRF has only paltry support for Gnu Radio. None of the other hobbyist-scale SDR producers out there have shown even the *slightest* interest in compatibility with Gnu Radio. Show us all, please, how that's Matt's fault? None of the hardware from companies like RFSpace, FlexRadio and Software Radio Laboratories has support for Gnu Radio. Again, how is this Matt's fault?

There *are* starting to be other SDR hardware manufacturers who realize that Gnu Radio is out there. The FCD (FunCube Dongle) is now usable with Gnu Radio, albeit via a user-contributed "driver". And other nascent efforts, like the FairWaves LMS6002D-based transceiver, will be compatible with Gnu Radio once it's available.

Re:I'd buy a USRP2 receiver (1)

Anonymous Coward | about 3 years ago | (#37363816)

A local news service would. Typically the encrypted channels on many city police systems are the "command nets." The command nets are typically captains and above. The use of encrypted systems by "officers" generally would be limited to ERT (a.k.a. SWAT), Major Narcotics, OPR (a.k.a. internal affairs); outside of those groups most of the others wouldn't care. Besides, most criminals could not afford the current scanners that can grab the clear transmissions now anyway.

Re:I'd buy a USRP2 receiver (0)

Anonymous Coward | about 3 years ago | (#37365106)

But they cost $1700! No thank you. How many people are even using them at that price?

A metric arseload.

Compared to many of the competing products, the Ettus stuff is *cheap*. Granted, the entry cost is still steep for the average hobbyist, but for academic research and commercial prototyping, they're considered a very good deal.

Seriously, these devices are being used by thousands of people worldwide, covering hundreds of different applications, both receive only, and TX/RX.

Funcube very much (1)

Anonymous Coward | about 3 years ago | (#37366128)

FUNcube Dongle [funcubedongle.com] - A radio that's out of this world!

64 MHz to 1,700 MHz Software Defined Radio

funcube.org.uk [funcube.org.uk]

Quoth shoc.ch [www.shoc.ch]:

"The FUNcube Dongle was successfully tested with W-CODE. It worked perfectly with POCSAG, TETRA, APCO-25-DMR, dPMR, INMARSAT-C, INMARSAT-AERO... No drivers required! Device drivers are already included in your operating system - Windows, Linux or Mac OSX, 32 or 64 bit.
You can order this low cost 64 MHz to 1,700 MHz Software Defined Radio for 99" quid.

Re:I'd buy a USRP2 receiver (1)

scottbomb (1290580) | about 3 years ago | (#37372830)

As a ham radio operator, I know a few guys that spend 2 to 3 grand on P25 Motorola radios. I can picture a couple of them now, reading this paper over very carefully :)

Brute force? (2)

shinigami sama (1980846) | about 3 years ago | (#37362598)

The article seems to cover two things here:
- Brute force "vulnerability".
- Unauthenticated DoS.
The former seems to be the focus, but it is hardly the most shocking of the two. You can always do a brute force key search with any captured data, and one would assume that, being DES, it is at least 56 bits. The unauthenticated DoS, however, presents a serious flaw.
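The key search that the story summary describes and that the comment above takes for granted, as an added example: this is not code from the OP25 project or from the Glass/Robert paper. It assumes two things the page does not state: that the cipher is RC4 with a 40-bit key (how ADP is generally documented; DES-OFB would differ only in the keystream generator and a 56-bit key), and that the attacker knows the first bytes of each frame because P25 frames begin with fixed, predictable fields. The frame, key and header are constructed for the demo. The method is cipher-independent: XOR known plaintext with ciphertext to obtain keystream, then try keys until one regenerates that keystream.

```python
"""Known-plaintext key search against a short-key stream cipher.

Added example, not code from the OP25 project or the Glass/Robert paper.
Assumptions the page does not state: the cipher is RC4 with a 40-bit key
(how ADP is generally documented), and the attacker knows the first bytes
of each frame because P25 frames begin with fixed, predictable fields.
"""
from typing import Iterable, Iterator, Optional

KEY_BITS = 40  # assumption: ADP-sized key; DES-OFB would be 56


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key-scheduling algorithm, then n bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher encryption; decryption is the same operation."""
    return xor(plaintext, rc4_keystream(key, len(plaintext)))


def candidate_keys(known_high: int, unknown_bits: int,
                   key_bits: int = KEY_BITS) -> Iterator[bytes]:
    """Yield every key whose top (key_bits - unknown_bits) bits equal known_high.

    A full attack is candidate_keys(0, key_bits): all 2**key_bits keys, which
    is what makes a 40-bit (or 56-bit) key a hardware-budget question rather
    than a cryptographic one. The demo fixes most of the key so it runs fast.
    """
    base = known_high << unknown_bits
    for low in range(1 << unknown_bits):
        yield (base | low).to_bytes(key_bits // 8, "big")


def recover_key(ciphertext: bytes, known_plaintext: bytes,
                candidates: Iterable[bytes]) -> Optional[bytes]:
    """Return the first candidate whose keystream matches the known plaintext.

    With k known bytes and a b-bit key, roughly 2**(b - 8k) wrong keys also
    match by chance, so k >= b/8 known bytes pin the key down uniquely.
    """
    n = len(known_plaintext)
    target = xor(ciphertext[:n], known_plaintext)  # keystream, as the attacker sees it
    for key in candidates:
        if rc4_keystream(key, n) == target:
            return key
    return None


if __name__ == "__main__":
    # Constructed sample, not captured traffic: a 40-bit key and a frame whose
    # first 8 bytes stand in for a fixed header the attacker knows.
    secret = bytes.fromhex("1f2e3d4c5b")
    frame = b"P25HDR\x00\x01" + b"dispatch: unit 12 to channel 7"
    ct = encrypt(secret, frame)
    # Search only the low 12 bits (4096 keys) so the demo finishes in seconds.
    known_high = int.from_bytes(secret, "big") >> 12
    key = recover_key(ct, frame[:8], candidate_keys(known_high, 12))
    assert key == secret
    print(encrypt(key, ct))  # the whole frame decrypts once the key is known
```

The demo narrows the search to 4096 keys purely so it runs in seconds; the point of the paper's finding is that the full 2^40 (or 2^56 for DES) space is within reach of ordinary hardware, and that a stream cipher gives the attacker keystream for free wherever any plaintext is predictable.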

Re:Brute force? (1)

maxwell demon (590494) | about 3 years ago | (#37363136)

I would have thought that any wireless communication device can be easily DoSed by a normal jammer. No specific knowledge of the protocol needed.

Re:Brute force? (0)

Anonymous Coward | about 3 years ago | (#37363178)

Except this isn't a "block communication while in range" DoS, this is a "completely disable device until unlocked by service tech" DoS.

Two researchers? (0)

Anonymous Coward | about 3 years ago | (#37362632)

There are FOUR authors of the paper and you refer to the 1st and 3rd only as the authors?

Re:Two researchers? (1)

PIBM (588930) | about 3 years ago | (#37362660)

The others weren't australians ?

There are FOUR lights! (1)

ClayJar (126217) | about 3 years ago | (#37362734)

I was afraid you were going to tell me there were five researchers, but you don't even *look* Cardassian.

Catastrophic incompetence (5, Insightful)

thue (121682) | about 3 years ago | (#37362858)

> Once a radio has been stunned by the receipt of an inhibit command the standard requires that it remains in-operational and unresponsive to the operator console or device programming interface until it receives an “uninhibit” XFC on the frequency it received the inhibit. The attack exploits the lack of any guarantee of authenticity for the frame Inhibit/Uninhibit types. [...] Note that the XFC message payload may be sent either encrypted (P=1) or un-encrypted (P=0).

Not a desirable property in a supposedly secure crypto system!
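What the quoted passage says is missing, shown as an added example rather than anything from the P25 standard or the researchers' work: the frame layout, opcode values, key handling and scenario below are invented for illustration and do not reproduce the real XFC message format. A radio that obeys any correctly addressed inhibit sits next to one that accepts only inhibits it can verify came from its own console and have not been replayed.

```python
"""Unauthenticated vs. authenticated handling of a radio inhibit command.

Added example; not P25 code and not the researchers' code. The frame layout,
opcode values and key handling are invented for illustration and do not
reproduce the real XFC message format.
"""
import hashlib
import hmac
import struct

INHIBIT, UNINHIBIT = 0x7F, 0x7E          # hypothetical opcode values
HEADER = ">BIQ"                          # opcode, target radio ID, message counter
HEADER_LEN = struct.calcsize(HEADER)     # 13 bytes
TAG_LEN = 32                             # HMAC-SHA256 output


def pack(opcode: int, target_id: int, counter: int) -> bytes:
    return struct.pack(HEADER, opcode, target_id, counter)


class NaiveRadio:
    """Checks only the address: anyone who can transmit can stun it."""

    def __init__(self, radio_id: int) -> None:
        self.radio_id = radio_id
        self.inhibited = False

    def handle(self, frame: bytes) -> bool:
        opcode, target, _ = struct.unpack(HEADER, frame[:HEADER_LEN])
        if target != self.radio_id:
            return False
        if opcode == INHIBIT:
            self.inhibited = True
            return True
        if opcode == UNINHIBIT:
            self.inhibited = False
            return True
        return False


class AuthenticatedRadio(NaiveRadio):
    """Requires a MAC under a key shared with the console and a rising counter."""

    def __init__(self, radio_id: int, console_key: bytes) -> None:
        super().__init__(radio_id)
        self.key = console_key
        self.last_counter = -1

    def handle(self, frame: bytes) -> bool:
        body, tag = frame[:HEADER_LEN], frame[HEADER_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                     # forged, corrupted, or sent in the clear
        _, _, counter = struct.unpack(HEADER, body)
        if counter <= self.last_counter:
            return False                     # replay of a genuine earlier command
        self.last_counter = counter
        return super().handle(body)


class Console:
    """Dispatcher side: signs each command with the shared key and a counter."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0

    def command(self, opcode: int, target_id: int) -> bytes:
        self.counter += 1
        body = pack(opcode, target_id, self.counter)
        return body + hmac.new(self.key, body, hashlib.sha256).digest()


def run_scenario() -> dict:
    """Constructed scenario: a rogue transmitter and a real console target radio 42."""
    key = bytes(range(32))                    # constructed shared key
    naive, hardened = NaiveRadio(42), AuthenticatedRadio(42, key)
    console = Console(key)
    forged = pack(INHIBIT, 42, 1)             # attacker: right address, no key
    results = {}
    results["naive_obeys_forged"] = naive.handle(forged) and naive.inhibited
    results["hardened_rejects_forged"] = (not hardened.handle(forged)
                                         and not hardened.inhibited)
    legit = console.command(INHIBIT, 42)
    results["hardened_obeys_console"] = hardened.handle(legit) and hardened.inhibited
    results["hardened_rejects_replay"] = not hardened.handle(legit)
    results["hardened_uninhibits"] = (hardened.handle(console.command(UNINHIBIT, 42))
                                     and not hardened.inhibited)
    return results


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {ok}")
```

The MAC check is deliberately independent of whether the traffic is encrypted, which matches the point made later in this thread that the flaw is a system-design one rather than a property of the cipher. Retrofitting such a check onto a deployed air interface needs spare bits in the frame and a key shared with every console that may legitimately stun the radio; that is the interoperability cost the replies below are arguing about.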

Re:Catastrophic incompetence (1)

Sduic (805226) | about 3 years ago | (#37363208)

Based on the article, it seems the system is often restricted to a small common subset of security/authentication due to needing to maintain interoperability with legacy elements (e.g. DES-OFB encryption must be available where used, but others are optional).

In other words, they (may not be able to) keep a secret because the other stuff doesn't understand HOW to.

As to how effective their security would be otherwise, I couldn't say, although apparently authentication is a major problem that would need attention.

Re:Catastrophic incompetence (1)

thue (121682) | about 3 years ago | (#37363260)

Other parts of the article talk about security features being disabled because of interoperability. As I read the part of the article I quoted, there simply isn't any specification in the protocol to authenticate the inhibit command, so this specific problem is not because of interoperability.

Re:Catastrophic incompetence (1)

Mister Transistor (259842) | about 3 years ago | (#37384582)

The interoperability referred to is whether the inhibit request is sent encrypted or in the clear, not whether or not it had authentication. If you have the wrong crypto type, you can just fall back into clear mode for "interoperability".

Re:Catastrophic incompetence (1)

RocketRabbit (830691) | about 3 years ago | (#37364544)

Hah yeah.

Re:Catastrophic incompetence (0)

Anonymous Coward | about 3 years ago | (#37379456)

This feature has nothing to do with the crypto system. It's a design flaw at the radio system level.

Link to previous story (1)

plsuh (129598) | about 3 years ago | (#37363146)

http://it.slashdot.org/story/11/08/10/2113246/Feds-Radios-Have-Significant-Security-Flaws [slashdot.org]

APCO 25 doesn't seem to be very well thought through. Easily jammed at multiple levels and vulnerable in many ways.

--Paul

Re:Link to previous story (3, Insightful)

Lord Crowface (1315695) | about 3 years ago | (#37364402)

P25 wasn't originally designed with security in mind. It was designed as a standardized digital replacement for the mess of incompatible digital and analog trunking systems that had grown up in the 80s and 90s. In its basic, as-designed, unencrypted mode, it works well. It's only when local PDs and FDs decide to try and lock out scanner users (nominally to keep criminals from listening, but more often to keep away TV news crews) by means of ill-conceived encryption addons that things fall apart.

P25 isn't "world-wide" (1)

Gordonjcp (186804) | about 3 years ago | (#37364430)

It's pretty much only used in America. Everyone else uses TETRA, or, if they don't want trunking, DMR or iDAS.

Re:P25 isn't "world-wide" (0)

Anonymous Coward | about 3 years ago | (#37365566)

It's pretty much only used in America. Everyone else uses TETRA, or, if they don't want trunking, DMR or iDAS.

Yeah, and it really is Google's problem now too, since they bought the main manufacturer of mobile public safety radio with the APCO standard, with thousands of installed P25 TRS and millions of APCO P25 radios out there. I bet Google didn't see that one coming.

Re:P25 isn't "world-wide" (1)

RubberDogBone (851604) | about 3 years ago | (#37365766)

Incorrect. Motorola was split into two different companies early in 2011.

Motorola Solutions -effectively the old Motorola- makes the public safety and business radio equipment and some other things. They are the ones who make the P25 and TETRA and other radio gear.

Motorola Mobility -effectively some non-core businesses which were basically spun off or shed, if you like- which makes the cellphones and cable boxes and some other things is the part Google has offered to buy. While they share the Motorola name, they have nothing to do with P25 or any of the public safety or business radio products.
