P25 Security

citabria
Site Admin
Posts: 1064
Joined: Thu Aug 14, 2008 8:22 pm

Re: P25 Security

Post by citabria » Fri Oct 07, 2011 11:46 pm

ivahri wrote:P25 & Smartzone are very different creatures security-wise; being an open standard makes security far more of a problem than a proprietary system.
Good grief - let's compare GSM's A5/1 proprietary algorithm to the open source AES-256, RSA and 3DES standards. GSM A5/1 can be broken using commodity hardware in a matter of seconds now, and the latter three are still considered massively secure. One of the fundamental tenets of cryptographic security is that the system is open; it's called Kerckhoffs's Principle --> http://en.wikipedia.org/wiki/Kerckhoffs's_Principle and it's been around far longer than anyone reading this thread.

AES, aka Rijndael, is totally open and it was mandated by the selection committee at NSA that this was the case - read my previous comments regarding NSA's involvement with DES and IBM's knowledge of differential cryptanalysis at the time as to why proprietary systems are always less secure.

Saying that an open standard is less secure than a proprietary one is a beginner's mistake when it comes to security - one that was debunked over a century ago. Since then Kerckhoffs's Principle has also become known as Shannon's Maxim and "Security by Obscurity" in IT terms. One might call this "Academic rubbish", but it's quite simple really.

In fact, George Santayana said it best - "Those who fail to learn from the mistakes of their predecessors are destined to repeat them."

Motorola are far too big and corporatised to even remotely understand this concept...

ivahri
Posts: 843
Joined: Sun May 31, 2009 8:24 pm

Re: P25 Security

Post by ivahri » Sat Oct 08, 2011 7:41 am

Sorry, but you miss the point because you are too busy thinking at a higher level than your average tow truck driver or meth lab owner. With Smartzone you could use a stolen Motorola radio, only a Motorola radio... With an open standard like P25 they can choose from Moto, Tait, Simoco, Icom.... and the list goes on. Each has its own degree of security, but in reality most of them have next to none (or none).

Not a beginner's mistake - just common sense. Your knowledge of IT security is unquestioned but the average crook doesn't know what you know, nor do they need to.

centralcoastscanman
Posts: 750
Joined: Fri Oct 31, 2008 7:58 pm

Re: P25 Security

Post by centralcoastscanman » Sat Oct 08, 2011 6:45 pm

ivahri wrote:Sorry, but you miss the point because you are too busy thinking at a higher level than your average tow truck driver or meth lab owner. With Smartzone you could use a stolen Motorola radio, only a Motorola radio... With an open standard like P25 they can choose from Moto, Tait, Simoco, Icom.... and the list goes on. Each has its own degree of security, but in reality most of them have next to none (or none).

Not a beginner's mistake - just common sense. Your knowledge of IT security is unquestioned but the average crook doesn't know what you know, nor do they need to.
Would I be right in saying the only real way the GRN management are going to prevent unauthorised radios is to encrypt the control channel?

Matt is however correct that an open standard is going to be far more secure as there are always people trying to break it and people trying to fix it.

citabria
Site Admin
Posts: 1064
Joined: Thu Aug 14, 2008 8:22 pm

Re: P25 Security

Post by citabria » Sat Oct 08, 2011 7:45 pm

ivahri wrote:Sorry, but you miss the point because you are too busy thinking at a higher level than your average tow truck driver or meth lab owner. With Smartzone you could use a stolen Motorola radio, only a Motorola radio...
Totally agree there Richard, your point is very true and I wasn't thinking about it from that perspective - it's a very valid and practical point, and that's where the threat to public safety comes from.

ivahri wrote:Your knowledge of IT security is unquestioned
Thanks Richard - I appreciate the comment and agree that I was looking at things from a purely theoretical as opposed to a practical view.

Bigfella237
Posts: 1895
Joined: Fri Feb 26, 2010 3:11 pm
Location: In geosynchronous orbit above the Far South Coast of NSW, Australia

Re: P25 Security

Post by Bigfella237 » Sun Oct 09, 2011 5:12 am

centralcoastscanman wrote:Would I be right in saying the only real way the grn management are going to prevent un-authorised radios is to encrypt the control channel ? ~
As I understand it, full encryption is not and will not be an option with the current hardware so long as the RFS (and possibly others) are subscribers to the GRN?

Putting aside the cost of purchasing 8,500-odd UCMs, which even at a heavily discounted price would still amount to a several million dollar outlay, not to mention that all those radios would (I assume) also need to be re-flashed with either H869-Multikey or Q498-Multikey w/OTAR, which is an expensive option in itself (although a UCM will still hold a single key without either), the current hardware just isn't suitable...

All RFS trucks are fitted with battery isolators to (hopefully) ensure the truck will still start after sitting in the station for extended periods, but the UCM carrier boards for the XTL5000 radios will only retain an encryption key for 3 days at the most without external power applied. That means either the radios would need to be rewired around the isolator to permanent power, which defeats the purpose of the isolator, or somebody has to remember to go in every couple of days and power up the radio; otherwise the truck would lose the key needed to affiliate with a fully encrypted network?

So, until Mother comes up with a carrier board for the XTL series radios that will retain a key indefinitely, the RFS simply can't, in practice, use encryption which means the control channels can't be encrypted either?

Andrew

SKEYGEN
Posts: 90
Joined: Sun Oct 02, 2011 2:22 pm

Re: P25 Security

Post by SKEYGEN » Mon Oct 10, 2011 9:05 am

Full traffic encryption for RFS et al is doable with ADP (software RC4-40). It's a cheap option, having been sold for $10/radio on large contracts in the USA, and doesn't rely on the radio having a UCM of any flavour. Keys get loaded with CPS, and can't (easily) be read back out of the radio. Keys can be updated in the field using a KVL, or OTAR if the radio is flashed appropriately. All the current hardware can do ADP.

At the moment there's no provision in the P25 specs for an encrypted control channel. There is a strong cryptographic authentication facility, but the subscriber equipment that's deployed at the moment doesn't support it.
Last edited by SKEYGEN on Mon Oct 10, 2011 9:28 am, edited 1 time in total.
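The post above names ADP as "software RC4-40": a 40-bit traffic key driving the RC4 stream cipher, with keys loaded by CPS and a per-transmission message indicator. The following is an added example written for this thread, not code from the forum, from Motorola or from any ADP implementation. The RC4 algorithm itself is the public one and is checked against its published test vectors; the 40-bit key size comes from the post. How the per-call MI is combined with the traffic key (here simply key || MI fed to RC4, with an 8-byte MI) is an assumption made for illustration, not a description of any vendor's product. The last function shows a generic stream-cipher property, why the MI must be fresh for every transmission, and is not a claim about any specific radio.

```python
"""RC4 with an ADP-style 40-bit traffic key (added example, not vendor code)."""
from typing import Iterator


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Yield RC4 keystream bytes for `key` (KSA followed by PRGA)."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt; a stream cipher XOR is its own inverse."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


ADP_KEY_BYTES = 5  # 40-bit traffic key, as named in the post
MI_BYTES = 8       # ASSUMED message-indicator size for this example


def frame_key(traffic_key: bytes, mi: bytes) -> bytes:
    """ASSUMED derivation for illustration only: RC4 key = traffic key || MI."""
    if len(traffic_key) != ADP_KEY_BYTES:
        raise ValueError("traffic key must be 40 bits (5 bytes)")
    if len(mi) != MI_BYTES:
        raise ValueError("MI must be %d bytes" % MI_BYTES)
    return traffic_key + mi


def encrypt_frame(traffic_key: bytes, mi: bytes, frame: bytes) -> bytes:
    return rc4(frame_key(traffic_key, mi), frame)


def decrypt_frame(traffic_key: bytes, mi: bytes, ct: bytes) -> bytes:
    return rc4(frame_key(traffic_key, mi), ct)


def keystream_reuse_xor(traffic_key: bytes, mi: bytes, a: bytes, b: bytes) -> bytes:
    """Generic stream-cipher property: two frames sent under the same key AND
    the same MI share a keystream, so XOR of the ciphertexts equals XOR of the
    plaintexts and the key never enters into it. That is why the MI must change
    for every transmission."""
    ca = encrypt_frame(traffic_key, mi, a)
    cb = encrypt_frame(traffic_key, mi, b)
    return bytes(x ^ y for x, y in zip(ca, cb))


if __name__ == "__main__":
    # Constructed sample key, MI and frame; not real subscriber data.
    key = bytes.fromhex("0123456789")
    mi = bytes.fromhex("a1b2c3d4e5f60718")
    frame = b"constructed voice frame"
    ct = encrypt_frame(key, mi, frame)
    assert decrypt_frame(key, mi, ct) == frame
    print("ciphertext:", ct.hex())
    print("40-bit key space: 2**40 =", 2 ** 40, "keys")
```

The round trip only works when both ends hold the same 5-byte key and the same MI; decrypting with a different MI yields noise, which is the whole job the MI does for a stream cipher. A 40-bit key gives 2^40 (about 1.1 x 10^12) possible traffic keys, a useful number to hold next to the AES-256 and DES-OFB options mentioned elsewhere in this thread.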

SKEYGEN
Posts: 90
Joined: Sun Oct 02, 2011 2:22 pm

Re: P25 Security

Post by SKEYGEN » Mon Oct 10, 2011 9:27 am

ivahri wrote:Sorry, but you miss the point because you are too busy thinking at a higher level than your average tow truck driver or meth lab owner.
Except with those sorts of people, the end customer isn't the person who programs the radio or otherwise does what's required to get the radio on the system. A technically savvy associate who knows a very small amount of x86 assembler and has a general level of knowledge about Motorola radios is the one who does the work, sells the radios and probably makes a great deal of money, probably using information and software he found on the Internet.

Look at credit card skimming from ATMs and EFTPOS terminals for example: Your average mafioso can't build a skimmer. But he can identify lucrative business opportunities, and he can find and hire someone who can do the work. He can also thoroughly convince his underlings that should they fail to keep their mouths shut about who they're working for if they get sprung, the consequences will be dire.
ivahri wrote:With Smartzone you could use a stolen Motorola radio, only a Motorola radio...
Not quite. EFJohnson is also an option, but they never sold their kit in Australia as far as I know. There's also no reason to use a stolen radio, clean ones are available relatively cheaply on the legitimate surplus market.

The client side isn't secure. AMPS mobile phone carriers found this out the hard way by losing millions of dollars in the 80s and 90s with ESN cloning, which is why GSM got SIM cards and cryptographic authentication to prevent cloning, and why TETRA did something similar.
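The exchange SKEYGEN describes, an identifier-only affiliation (the AMPS ESN model, where a copied ESN or radio ID is indistinguishable from the real unit) beside a challenge-response authentication (the SIM model, and the P25 authentication facility the earlier post says deployed subscribers don't yet support), as an added example written for this thread. It is not code from the forum or from any P25, Smartzone, AMPS or GSM implementation. HMAC-SHA256 is an illustrative stand-in for whatever keyed function a real system uses, the `Radio` and network classes and the 4-byte ID encoding are assumptions, and the IDs and key are constructed.

```python
"""Identity-only affiliation vs. challenge-response (added example, not vendor code)."""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional


def _mac(secret: bytes, radio_id: int, nonce: bytes) -> bytes:
    # Bind the response to both the fresh challenge and the claimed identity.
    # HMAC-SHA256 is an illustrative stand-in, not any system's real algorithm.
    return hmac.new(secret, radio_id.to_bytes(4, "big") + nonce, hashlib.sha256).digest()


class Radio:
    """A subscriber unit. A clone carries the ID but, unless the secret was
    also extracted, not the key (assumed model for illustration)."""

    def __init__(self, radio_id: int, secret: Optional[bytes] = None) -> None:
        self.radio_id = radio_id
        self._secret = secret

    def respond(self, nonce: bytes) -> Optional[bytes]:
        if self._secret is None:
            return None  # nothing to compute a response with
        return _mac(self._secret, self.radio_id, nonce)


class IdOnlyNetwork:
    """Accepts any unit presenting a provisioned ID: the ESN-cloning model."""

    def __init__(self, provisioned_ids: Iterable[int]) -> None:
        self._ids = set(provisioned_ids)

    def affiliate(self, radio: Radio) -> bool:
        return radio.radio_id in self._ids


class AuthenticatingNetwork:
    """Holds a per-subscriber secret and challenges on every affiliation."""

    def __init__(self, subscriber_keys: Dict[int, bytes]) -> None:
        self._keys = dict(subscriber_keys)
        self._pending: Dict[int, bytes] = {}

    def challenge(self, radio_id: int) -> Optional[bytes]:
        """Network -> radio: a fresh random nonce (unknown ID gets no challenge)."""
        if radio_id not in self._keys:
            return None
        nonce = secrets.token_bytes(16)  # fresh per attempt, so replays fail
        self._pending[radio_id] = nonce
        return nonce

    def verify(self, radio_id: int, response: Optional[bytes]) -> bool:
        """Radio -> network: keyed response checked in constant time; nonce is single-use."""
        nonce = self._pending.pop(radio_id, None)
        if nonce is None or response is None:
            return False
        expected = _mac(self._keys[radio_id], radio_id, nonce)
        return hmac.compare_digest(expected, response)

    def affiliate(self, radio: Radio) -> bool:
        nonce = self.challenge(radio.radio_id)
        if nonce is None:
            return False
        return self.verify(radio.radio_id, radio.respond(nonce))


def replay(network: AuthenticatingNetwork, radio_id: int, old_response: bytes) -> bool:
    """An eavesdropper replays a captured response against a new challenge."""
    network.challenge(radio_id)
    return network.verify(radio_id, old_response)


if __name__ == "__main__":
    # Constructed ID and key; not real subscriber data.
    KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
    legit = Radio(0x00ABCD, KEY)
    clone = Radio(0x00ABCD)  # copied ID, no key
    print("id-only network accepts clone:", IdOnlyNetwork([0x00ABCD]).affiliate(clone))
    net = AuthenticatingNetwork({0x00ABCD: KEY})
    print("auth network accepts legit:", net.affiliate(legit))
    print("auth network accepts clone:", net.affiliate(clone))
```

The design point is where the secret lives: `IdOnlyNetwork` has nothing the radio does not also broadcast, so anything that can copy the ID can join, whereas `AuthenticatingNetwork` never sends its key and each nonce is consumed on first use, so a captured response is worthless against the next challenge. That moves the problem from "can the ID be copied" to "can the key be extracted from the unit", which is the question the rest of this thread is really about.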

system_tech
Posts: 263
Joined: Mon Aug 18, 2008 5:28 pm

Re: P25 Security

Post by system_tech » Mon Oct 10, 2011 10:26 am

SKEYGEN is on the right track... there were plenty of unauthorised radios on 4.1, and in fact so many with duplicated IDs it became a problem.
Haha, the default ID, 700000, was actually an ID for an agency, and that ID came in the radio as default! Later cancelled for obvious reasons.

EFJohnson made a 4.1 compatible radio under licence or approval from /\/\. Tested by NOCC on behalf of GCIO and approved by GCIO for use on GRN. I carried a few of these test radios around myself.

I know people brought in 4.1 /\/\ radios from the US, cheaper than on govt contract prices, and they sold them to anyone. Easy to do when you are in, or sort of in, "the trade". Often bought off eBay as well.

Certain NSW govt agencies sold their "surplus" MCS-2000 and MTS-2000 GRN radios at auction or via radio dealers. They turned up in various places with their original ID still intact, and OFTEN still paid up on the network as the agency DID NOT cancel the subscription for that ID. Known as a fact as I had to investigate this.

And of course, there is the Ex-SORN XTS-3000 cluster-fcuk where they (the Govt, not Telstra) ostensibly sold the radios to volunteer units, except that the unit acted as middle man to private individuals, thus numerous 3000's ended up in private hands. Known as a fact.

So, you didn't really need to steal a radio.

All you needed was CPS and a bit of knowledge about Smartzone settings, most of which were found on websites. A bit here, a bit there. Hahaha and if you wanted to program in talkgroups, just read this website or its predecessors for talkgroup IDs, happily found and documented by enthusiasts.

I even tracked down an enthusiast who advertised programming of /\/\ gear for GRN for the appropriate fee. It was on an enthusiast website.

4.1 was as wide open as a barn door, so being proprietary didn't help at all.

Govt at the time had very poor procedures & control over all of the radios; the fact that each agency owned the radio dictated the anomaly that they could dispose of it as they wished. GCIO were the ones behind selling of the 3000's and put no process in place to ensure correct disposal. With that volunteer unit, it was assumed that the actual unit was buying the radio, when in fact the unit just ordered on behalf of a member with the cash; there was no inventory checking afterwards, no accountability.

[note ex-SORN radios very easy to identify, and they were seen in all kinds of places]

Needless to say, same folks at Govt still running the show.


And if you think the world became a safer place with ASKs and XTL, XTS radios? Not at all.

Even before XTL-5000 radios were issued from the main store of a volunteer agency (after being registered on the GRN), they appeared on eBay as brand new, ready for "use". Tracked to a corrupt temporary employee at the store. Luckily the NOCC was notified by a well meaning eBay looker, and the radios didn't make it out the door. Mind you, the stupid corrupt person actually replied to an enquiry on eBay and supplied the serial number! Easily found on NOCC database and tracked to agency concerned. Police advised and sting commenced. It was a close thing though, the radios could have easily made it out the door.

So, as much as you might have technical standards, humans tend to bugger things up. Even if you had the best physical security, it wouldn't last long under determined attack. SKEYGEN's analogy of dumb crim hiring smart hacker will work every time. If you look carefully, there are doors to find open all over the place. Oops, well, you don't even have to look hard. You don't have to bust the encryption, just get an already encrypted unit, for example. (Years ago I stopped at an acco to help. The first tow truck driver offered me 2k to lose my work MCS-2000 I was carrying; bet you that kind of mentality & practice is still around, and no, I didn't "drop" the radio!)

citabria
Site Admin
Posts: 1064
Joined: Thu Aug 14, 2008 8:22 pm

Re: P25 Security

Post by citabria » Thu Nov 24, 2011 12:37 pm

Hi Guys,

Theres a video of the presso here - http://www.youtube.com/watch?v=xWGgn1dxt28

At 39 minutes I demo P25 decryption and voice recovery done on a PC in GNU Radio (yep, a complete P25 DES-OFB receiver done in software).

Enjoy.

citabria
Site Admin
Posts: 1064
Joined: Thu Aug 14, 2008 8:22 pm

Re: P25 Security

Post by citabria » Tue Sep 25, 2012 8:16 pm

Hi Guys,

Here's the complete official video of the presentation. It includes screenshots and details of what's going on in detail. Hope you guys enjoy it.

http://www.youtube.com/watch?v=OumDnhO7veg&feature=plcp

Cheers,
Matt
