Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Sigint for the rest of us - 681

Matt Blaze - WiFi Village, DEFCON 25
Posted 4 years ago
  • Matt Blaze was given a grant at the University of Penn to look at the security of various wireless networking solutions. The goal was to improve the two-way public safety radio system known as APCO 25 (P25), the standard for digital radio used by the DoD, police departments and many others. It has some encryption primitives, but they were not great at the time.
  • These radios are made by several vendors. At the time, though, Motorola was the only vendor that could load encryption onto the radios. They could be deployed on conventional radio systems or trunked radio systems; state and local agencies tend to use trunked systems, while federal agencies used more traditional ones.
  • The P25 Voice protocol looks as follows:
    • 9600 bits per second, with two symbols being sent at a time.
    • 12.5 kHz bandwidth, so it can co-exist with existing analog FM radio.
    • IMBE vocoder. It does a good job of encoding voice for a digital codec! Each packet holds 180 ms of audio plus some metadata.
    • All transmissions follow a one-way model with no ACKs and no sessions. This makes security complicated because handshakes are no longer possible in this system.
  • Since this is a one-way protocol, the entire system only has symmetric encryption. It uses AES, DES and several proprietary variations of RC4. The keys used for decryption must be loaded onto the radios in advance. Additionally, there is over-the-air rekeying (OTAR) to update the keys on a radio; these keys do expire.
  • The radios err on the side of demodulation. If the radio has encryption enabled but the sender is not encrypting the data, the voice is demodulated anyway.
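As an added example (my own, not code from the talk or from the P25 standard), here is a small Python model of the receive policy described above: the default mode reproduces the fail-open "demodulate anyway" behaviour, a strict mode drops clear traffic on a channel that is supposed to be encrypted, and frames that reference an expired or unknown key are rejected until OTAR rekeys the radio. The frame fields and the ALG_CLEAR/ALG_AES values are simplified stand-ins, not the real P25 link layer.

```python
"""Toy model of a P25-style receiver policy. Frame layout is a constructed
stand-in for the encryption metadata that rides alongside each voice packet."""
from __future__ import annotations
from dataclasses import dataclass, field

ALG_CLEAR = 0x80  # constructed placeholder meaning "sender used no encryption"
ALG_AES = 0x84    # constructed placeholder for an AES-keyed transmission


@dataclass
class Frame:
    alg_id: int   # symmetric algorithm the sender says it used
    key_id: int   # which pre-loaded key the sender says it used (0 for clear)
    voice: bytes  # 180 ms of vocoder payload; contents are irrelevant here


@dataclass
class Receiver:
    encryption_enabled: bool
    keys: dict[int, float] = field(default_factory=dict)  # key_id -> expiry (epoch s)
    strict: bool = False  # True: refuse clear traffic on an encrypted channel


def decide(rx: Receiver, frame: Frame, now: float) -> tuple[bool, str]:
    """Return (play_audio, reason) for one received frame. Default mode mirrors the
    talk's 'err on the side of demodulation'; strict mode is the hardened policy."""
    if frame.alg_id == ALG_CLEAR:
        if rx.encryption_enabled and rx.strict:
            return False, "clear traffic on encrypted channel: dropped"
        if rx.encryption_enabled:
            return True, "clear traffic on encrypted channel: demodulated anyway (fail-open)"
        return True, "clear traffic on clear channel"
    expiry = rx.keys.get(frame.key_id)
    if expiry is None:
        return False, "unknown key id: cannot decrypt"
    if now >= expiry:  # keys loaded in advance or via OTAR eventually expire
        return False, "key expired: needs OTAR rekey"
    return True, "decrypted with loaded key"


def audit(rx: Receiver, frames: list[Frame], now: float) -> list[int]:
    """Indices of frames that were played although they arrived in the clear on an
    encrypted channel: the fail-open case an operator would want alerted."""
    leaks = []
    for i, f in enumerate(frames):
        play, _ = decide(rx, f, now)
        if play and rx.encryption_enabled and f.alg_id == ALG_CLEAR:
            leaks.append(i)
    return leaks
```

Running `audit` over a capture of frame metadata is enough to spot a sender that was left unencrypted on a channel the fleet expects to be keyed; the strict policy closes the gap at the cost of losing that audio entirely.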