About  Project Blog Resources

Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Sigint for the rest of us - 682

Matt Blaze - WiFi Village DEFCON 25Posted 4 Years Ago
  • Matt Blaze was given a grant at the University of Penn to look at the security of various wireless networking solutions. The goal was to improve the two-way public safety radio, known as APCO 25. This is the standard for digital radio used by the DoD, police stations and many other things. This has some encryption primitives but were not great at the time.
  • These radios are made by several vendors. At the time, Motorola was the only vendor that could load on encryption to be used though. These could be dropped in for standard radio or trunk radio. State and local tend to use trunk and the federal used more traditional systems.
  • The P25 Voice protocol looks as follows:
    • 9600 bits per second with 2 symbols being sent at a time.
    • 12.5KHz bandwidth, to co-exist with existing analog FM radio.
    • IMBE vocoder. Does a good job at encoding voices for being digital! The packets hold 180ms of audio then add some metadata.
    • All transmissions are a one-way model with no ACK or sessions. This makes security complicated because handshakes are not longer possible in this system.
  • Since this is a one-way protocol, the entire system only has symmetric encryption. It uses AES, DES and several proprietary variations of RC4. The keys, used for decryption, must be loaded on the radios in advanced. Additionally, there is an over the air rekeying (OTAR) in order to update the keys for the radio; these keys do expire.
  • The radios error on the side of demodulation. If the radio has encryption enabled but the sender is not encrypting the data, then the voice is demodulated anyway. There is a button to turn on and off secure mode, as well.
  • The first issue is that the voice traffic is NOT authenticated what-so-ever. This means that encrypted traffic can be replayed at will. Even though we do not know the exact content of the message, this could be used to spoof the user being used. If nonces (number used once), then this attack would not be possible.
  • The next attack allows for the discovery of all radios around. When using the radio, a Unit ID, TalkGroupID and NAC are sent with every transmission. The Unit ID is supposed to be encrypted but on the ping message, which can check the encryption ID, the Unit ID is sent back in the clear. This helps to discover all idle radios in the area by using the issue mentioned above. The author calls this the Maurauder's Map of police cars and things.
  • Another interesting attack was the encrypted DoS attack. By selectively jamming a specific part of the frame (64 bit NID), the entire rest of the attack would be thrown out. For 864 symbols of data, only 32 symbols needed to be jammed, which requires a substantially less amount of energy for a jamming attack than what should be required. Using this, if somebody was using the radios in encrypted mode, they would get frustrated and switch back to the unencrypted mode, allowing you to hear the text in the clear. Kevin Mitnick used to do this back in the day!
  • Even though the over the air rekeying is added, there is a major problem with it. When one radio attempts the rekeying, if one of them is NOT listening, then they do NOT get the key. While in the field, there is no way to rekey a radio, making it completely useful. Practically, this means that NOBODY will be using the encryption.
  • To make matters worse, the authors noticed that many of the stations using P25 sent data in the clear, with no encryption! "The first rule of cryptoanalysis: Look for plaintext". They setup a large amount of radios to sit on the federal P25 spectrum. By looking at the encrypted lines, they would find the bands sending sensitive information. It turned out that some of the radios did not have the encryption on, with tactical information being leaked, confidential informants and many more. The only agency that they never saw data from was the postal inspector (lolz).
  • The mitigation for P25 not super helpful. Instead of giving real findings, the author simply says that the protocol needs to be completely rewritten in order to be secure. Currently, the usability is poor, making it easy to accidentally send data in the clear.
  • Overall, the talk sheds light into issues with the P25 protocol used in lots of radios today. There is a false sense of security in the radios because of a fail open method and usability problems making it trivial to accidentally send data in the cleartext. The talk has many great stories of them interacting with law officials and many practical things that happened during the research.

Maxwell DulinEmail me!TwitterGithubAdminBlog RSS FeedResources RSS Feed