Tait gear approved for use on GRN


ivahri
Posts: 843
Joined: Sun May 31, 2009 8:24 pm

Re: Tait gear approved for use on GRN

Post by ivahri » Sun Sep 18, 2011 4:27 pm

But I could be wrong as they are still advertising EFJ radios on their website. This doesn't mean they are approved for use on the P25 GRN.

Cheers,


Richard

ivahri
Posts: 843
Joined: Sun May 31, 2009 8:24 pm

Re: Tait gear approved for use on GRN

Post by ivahri » Mon Sep 26, 2011 5:43 pm

Just a little update... yes, Benelec are selling a RELM BK radio that is P25 conventional (trunk optional); I have been playing with one this afternoon. However, it is not approved for use on the GRN until certain issues are resolved.

Cheers,

Richard

SKEYGEN
Posts: 90
Joined: Sun Oct 02, 2011 2:22 pm

Re: Tait gear approved for use on GRN

Post by SKEYGEN » Wed Oct 05, 2011 12:14 am

ivahri wrote: It wasn't that simple guys... Tait developed an Advanced System Key that satisfied the security requirements that network users (and I was on that committee) required. Cut out the BS about "monopoly", this is a P25 OPEN standard, but that doesn't mean that every Joe Bloggs that produces a radio should be allowed to market radios without appropriate security safeguards. People's lives depend on this (along with a massive $ investment in the new network). Can't say more than that, but other vendors expressed interest too & if they meet the standards Tait did then I'm sure they will also be permitted.
False security is worse than no security. This is a serious case of the network users getting fitted out with the emperor's new clothes.

The client (i.e., attacker-controlled) segment is a really bad place to put trust in the security model of any system.

With both Motorola Type II and P25 you're automatically at a disadvantage in that all you need to authenticate to the network is a number that's sent in the clear, and that anyone can observe on the air. No amount of smoke and mirrors like ASK is going to fix this. About all you can really do is sit back and hope that nobody decides to do anything really bad on your network.

Only the programming software running on the attacker's PC requires the ASK; the radio itself doesn't care, it just does what it's told by the PC. When the attacker controls the PC, they control the software running on it, and are therefore free to skip along past any "security" measures imposed by the software as they please, as they are in full control of the environment in which that software runs. Even if the authentication happened on the radio, a determined attacker can build their own P25 MR using cheap hardware (as in, less than the price of a new, factory made P25 portable) that behaves however they like.

You might be interested to know Icom's software requires no system key of any sort; hardware or otherwise. Give it the system ID, frequencies, WACN etc and you're good to go.

citabria
Site Admin
Posts: 1064
Joined: Thu Aug 14, 2008 8:22 pm

Re: Tait gear approved for use on GRN

Post by citabria » Wed Oct 05, 2011 10:33 am

SKEYGEN wrote: ...With both Motorola Type II and P25 you're automatically at a disadvantage in that all you need to authenticate to the network is a number that's sent in the clear, and that anyone can observe on the air.
The P25 authentication spec enables system vendors to change this to a cryptographic challenge/response with a unique AES128 key on each handset - which is real security.
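
The contrast drawn in the two posts above (a clear-text unit ID as the only credential versus a per-handset secret key with a challenge/response), shown as an added example that is not part of the original thread and not the TIA-102 algorithm itself. It is a constructed model: HMAC-SHA256 stands in for the spec's AES-128-based response function, the 24-bit unit ID, key value and network class are assumptions for illustration, and the point it demonstrates is that an eavesdropper who captures the ID can register under the clear-ID scheme but cannot pass the challenge/response, even by replaying a captured answer.

```python
import hmac
import hashlib
import os

# Constructed model of two P25-style registration schemes. This is a
# simplified illustration, not the TIA-102 link-layer authentication
# algorithm: HMAC-SHA256 stands in for the spec's AES-128-based response
# function, because the property being shown (a per-radio secret plus a
# fresh challenge) does not depend on the primitive.

def response(key: bytes, radio_id: int, nonce: bytes) -> bytes:
    """Response a radio computes to a network challenge (assumed construction)."""
    msg = radio_id.to_bytes(3, "big") + nonce   # P25 unit IDs are 24 bits
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]


class Network:
    """Hypothetical trunking controller holding provisioned per-radio keys."""

    def __init__(self, key_db):
        self.key_db = dict(key_db)       # radio_id -> 128-bit key
        self.outstanding = {}            # radio_id -> nonce awaiting a response

    # Scheme 1: the status quo described in the thread. Registration is
    # accepted on the basis of the unit ID alone, which is sent in the clear.
    def register_clear(self, radio_id: int) -> bool:
        return radio_id in self.key_db

    # Scheme 2: challenge/response. The network issues a fresh random nonce
    # and accepts only a response computed under that radio's key.
    def challenge(self, radio_id: int) -> bytes:
        nonce = os.urandom(16)
        self.outstanding[radio_id] = nonce
        return nonce

    def register_auth(self, radio_id: int, resp: bytes) -> bool:
        nonce = self.outstanding.pop(radio_id, None)   # single use: no replay
        if nonce is None or radio_id not in self.key_db:
            return False
        expected = response(self.key_db[radio_id], radio_id, nonce)
        return hmac.compare_digest(expected, resp)


class Radio:
    def __init__(self, radio_id: int, key: bytes):
        self.radio_id, self.key = radio_id, key

    def answer(self, nonce: bytes) -> bytes:
        return response(self.key, self.radio_id, nonce)


def demo() -> dict:
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed key
    net = Network({0x0A1B2C: key})
    legit = Radio(0x0A1B2C, key)

    # The legitimate radio registers once; an observer captures everything
    # that went over the air: the ID, the nonce and the response.
    nonce1 = net.challenge(legit.radio_id)
    resp1 = legit.answer(nonce1)
    captured = {"id": legit.radio_id, "nonce": nonce1, "resp": resp1}
    results = {"legit_auth": net.register_auth(legit.radio_id, resp1)}

    # Clear-ID scheme: the captured ID is all an impostor needs.
    results["clone_clear"] = net.register_clear(captured["id"])

    # Challenge/response: replaying the captured response fails because the
    # network issued a fresh nonce, and a radio with the wrong key fails too.
    net.challenge(captured["id"])
    results["clone_replay"] = net.register_auth(captured["id"], captured["resp"])
    impostor = Radio(captured["id"], b"\x00" * 16)
    nonce3 = net.challenge(captured["id"])
    results["clone_wrong_key"] = net.register_auth(captured["id"],
                                                   impostor.answer(nonce3))
    return results


if __name__ == "__main__":
    print(demo())
```

Two details carry the security property: the nonce is popped on use, so a captured response is worthless for the next registration, and the comparison is constant-time. Note that this protects registration only; it says nothing about confidentiality of traffic, which is a separate (encryption) feature.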

SKEYGEN
Posts: 90
Joined: Sun Oct 02, 2011 2:22 pm

Re: Tait gear approved for use on GRN

Post by SKEYGEN » Wed Oct 05, 2011 5:22 pm

Good start on TIA's part. Does anyone's gear implement this yet?

TETRA's mutual authentication is pretty solid. To boot, encrypted BCCH prevents the sorts of really fun traffic analysis you can do against P25 networks.

centralcoastscanman
Posts: 750
Joined: Fri Oct 31, 2008 7:58 pm

Re: Tait gear approved for use on GRN

Post by centralcoastscanman » Thu Oct 06, 2011 7:58 am

SKEYGEN wrote:
ivahri wrote: It wasn't that simple guys... Tait developed an Advanced System Key that satisfied the security requirements that network users (and I was on that committee) required. Cut out the BS about "monopoly", this is a P25 OPEN standard, but that doesn't mean that every Joe Bloggs that produces a radio should be allowed to market radios without appropriate security safeguards. People's lives depend on this (along with a massive $ investment in the new network). Can't say more than that, but other vendors expressed interest too & if they meet the standards Tait did then I'm sure they will also be permitted.
False security is worse than no security. This is a serious case of the network users getting fitted out with the emperor's new clothes.

The client (i.e., attacker-controlled) segment is a really bad place to put trust in the security model of any system.

With both Motorola Type II and P25 you're automatically at a disadvantage in that all you need to authenticate to the network is a number that's sent in the clear, and that anyone can observe on the air. No amount of smoke and mirrors like ASK is going to fix this. About all you can really do is sit back and hope that nobody decides to do anything really bad on your network.

Only the programming software running on the attacker's PC requires the ASK; the radio itself doesn't care, it just does what it's told by the PC. When the attacker controls the PC, they control the software running on it, and are therefore free to skip along past any "security" measures imposed by the software as they please, as they are in full control of the environment in which that software runs. Even if the authentication happened on the radio, a determined attacker can build their own P25 MR using cheap hardware (as in, less than the price of a new, factory made P25 portable) that behaves however they like.

You might be interested to know Icom's software requires no system key of any sort; hardware or otherwise. Give it the system ID, frequencies, WACN etc and you're good to go.
Well, if I read your email correctly, you're saying that if someone hacks the PC of a government employee who is programming radios, they control the PC... Yes, you're totally correct, but hacking is illegal, especially breaking into a government department.
I'll use the example of NSWFB; I'm sure they would have more than enough network security measures in place to stop idiots trying to hack their IT infrastructure, as, let's face it, they are an emergency service/life-saving organisation, so they could not afford to risk it.
The private sector I'd totally agree with: they would spend as little as possible on IT security unless they have been bitten in the past.

citabria
Site Admin
Posts: 1064
Joined: Thu Aug 14, 2008 8:22 pm

Re: Tait gear approved for use on GRN

Post by citabria » Thu Oct 06, 2011 9:35 am

SKEYGEN wrote: Good start on TIA's part. Does anyone's gear implement this yet?
Yes, Moto have it available on specific firmware and infrastructure versions. Also note the P25 auth functionality has absolutely ZERO to do with tracking the handset's ESN, as some people have alluded to. There's nothing in the spec that allows one to transmit an ESN, and in any case they're all vendor-specific anyway, which makes it impossible to provision for in the standards.

Matt

SKEYGEN
Posts: 90
Joined: Sun Oct 02, 2011 2:22 pm

Re: Tait gear approved for use on GRN

Post by SKEYGEN » Thu Oct 06, 2011 1:35 pm

centralcoastscanman,

I was referring to the attacker's PC.

Say you've got someone who buys a radio on eBay or whatever, and they want to program it up for a trunking network without the authorization of the network operator. They get a copy of the programming software from somewhere and install it on their own computer, but the software won't allow you to program a trunking system into the radio without a system key. This looks like good security to the uninformed user, but it's not.

The security is enforced in the programming software. Given that the attacker has full control of the PC, he also has control of everything running on it. If he's got a clue he can alter the program flow of the programming software to not require the system key, and just program the radio as he desires anyway without having the key.

This is why ASK and the like, from a security perspective, are merely smoke and mirrors.

citabria
Site Admin
Posts: 1064
Joined: Thu Aug 14, 2008 8:22 pm

Re: Tait gear approved for use on GRN

Post by citabria » Thu Oct 06, 2011 4:26 pm

SKEYGEN is exactly right, and that flaw is the original motivation for the OP25 project. Things like software defined radio don't know, nor care about nonsense such as ASKs - it just goes ahead and transmits whatever packets we tell it to. This is a true test of the real inherent security of a protocol.
