back to article $25 toy radio used to knock out feds

Researchers looking at the security of the US Project 25 radio network, used by federal agents and local police, have discovered that it's easily jammed, and almost as easily compromised. During a two-year study, the researchers from the University of Pennsylvania found that encryption on the police network was routinely …

COMMENTS

This topic is closed for new posts.
  1. Kevin Bailey

    Are you sure?

    'Fortunately, and despite media portrayals, few criminal organisations are quite organised enough to create such an information brokerage.'

    The cartels in Mexico apparently make six billion US per year on cannabis alone/

    1. Anonymous Coward
      Devil

      Serezha, davai vruchnuju

      Yeah... Right...

      Not like Odessa Mafia does not "own" a significant chunk of what used to be Sicilian turf. Not like the Mexican and Colombian cartels do not buy millions dollars a year of technical consultancy from Eastern Europe and ex-USSR as it is. Not like...

    2. Anonymous Coward
      Alert

      re: the cartels in Mexico

      With that kind of money it's better to just buy the cops and judges as need be and brazenly do as you wish.

      1. laird cummings
        Thumb Up

        RE: AC @ 14:28GMT

        Just so.

        Unsophisticated and low-tech, but anyone can do it, and it's more reliable in the end - Communication systems can always be reset, or replaced. A corrupted cop is corrupt for life - Or at least until caught. And if a sizable proportion of the cops are corrupt, no communication system in the world will help.

    3. TeeCee Gold badge
      Facepalm

      Re: Are you sure?

      Presumably that sort of thing is why it says "few criminal organisations" rather than "no criminal organisations"......

  2. Anonymous Coward
    Stop

    Thats nothing...

    ...you can knock out TETRA for a 100 metre radius using a Casio F-91W*

    * not really, but it will probably knock out DAB reception.

    1. Trygve Henriksen

      Anything can knock out DAB if you try...

      How exactly do you do it with the F-91W ?

      1. Anonymous Coward
        Anonymous Coward

        By..

        ..throwing it at the radio?

        1. Anonymous Coward
          Devil

          Throwing it?

          Waste of a perfectly good F91-W terror watch. In my exprience breathing within a four metre radius of a DAB receiver is enough to knock it out.

    2. Cameron Colley

      I heard teh F-91W could take out a Chinook's avionics too.

      Can't they also be used to remote-lock/unlock HMMWVs?

  3. Anonymous Coward
    Thumb Down

    "Giving girls access to technology was always going to be dangerous"

    OK, I read the caption to the photo. Enough, already, lay off... Haven't you seen all the promo photos for Anonymous? :)

  4. Anonymous Coward
    Boffin

    +1

    Ilove stuff like this.

  5. Wommit
    Thumb Down

    "The GirlTECH IMme: Giving girls access to technology was always going to be dangerous"

    We really are missing Ms Bee aren't we.

  6. stizzleswick
    Facepalm

    Why do you think...

    ...the system is flawed that badly? Obviously, the feds bought it from the Mafia...

    1. Trygve Henriksen

      Nope...

      Those are genuine Im-me that has been carefully and lovingly rebuilt with a new shock-proof casing and functions, by an all-american company(probably has an american flag in every office, and preprinted on their stationery, too) and sold with a modest 137% profit margin to the Police.

  7. Anonymous Coward
    Paris Hilton

    hah hah girls eurgh

    ..it says 'period' on the screen.

  8. Destroy All Monsters Silver badge
    Facepalm

    Not getting anything done here, do we?

    "The first problem is that key distribution doesn't always work, so the team found users frequently get cut out and have to ask the rest of the group to switch off encryption for the duration of the operation."

    Reminds me of Generation Kill where the guys in Humvees don't have the keys for the Cavalry Division's Choppers and so cannot either find out what they are doing dropping bombs just in front of them or massacring civvies. Can't remember which. Upon which general gallic shrugging ensues.

    Open-sourced RSA solutions?

    That's for smart people.

  9. Anonymous Coward
    Mushroom

    OOOO!

    I have about 50 of these kicking round in my store room, now taking bids from El Reg Readers ;)

    1. max allan

      I'll have a couple!

      I have no desire to hack FBI radio (don't live in the land of the massively oppressed) but it seems like these things are text based radio comms devices... Which could be quite handy.

      Of course, it looks like I'd need to print a new box for it, the one shown looks a bit naff...

      1. TeeCee Gold badge
        Black Helicopters

        Re: I'll have a couple!

        "...text based radio comms devices... Which could be quite handy."

        Aha! You noticed the BBM logging articles and you're trying to organise a riot then?

        No need to explain yourself here, someone[1] will be around to hear your explanation in person.

        [1] Well, quite a few someones actually......

        1. Anonymous Coward
          Windows

          Cybiko

          The Cybiko is a pretty cool* radio text messaging device which sadly* didn't really catch on in the UK. Can be had for cheap on eBay.

    2. Anonymous Coward
      Anonymous Coward

      Oooh, would have said yes..

      ..but I already have a handful sourced from the local Toys-R-Us when they were fire-saleing them for £6 early last year. They make a great TI/Chipcon RF microcontroller dev kit. Nothing is locked down on them at all, and you get two identical radios in the package - the one with the LCD and keyboard attached and the naked one in the USB dongle. (And they can pop the locks on many cars and open garage doors too.)

  10. James Pickett

    Absence makes the heart etc.

    “We really are missing Ms Bee aren't we.”

    Where is she, anyway? Disporting herself on some tropical shoreline, no doubt. I could bring some suncream...

  11. David Kelly 2

    Genius of Bureaucracy

    What continuously amazes me is how with examples such as this happening every day that there are still people who think letting these same geniuses run the health care system is still a good idea.

  12. Anonymous Coward
    Anonymous Coward

    They omitted a few interesting things

    First: I lead the design team on one of the top P25 testers on the market, so I know a bit about APCO-25.

    The paper omitted a few very important details about their jammer:

    1) What frequency band did it operate in? APCO-25 is fielded in 3 bands in the US: 800MHz, 450MHz, and 150MHz. I doubt this toy has a three band transmitter in it, so it would at best be able to jam one of those bands. The report didn't say what band that was. Also, I doubt this toy is frequency agile enough to jam both the control channel and the traffic channels, and since the exact traffic channel the call will be assigned to is unknown until the call is set up, the toy would have to be able to monitor the control channel, snarf the channel grant message, decode it, and go to the traffic channel to jam the radio. OR it would have to jam the outbound control channel, and then the radio would go into channel hunt to find the backup control channel.

    2) The toy wasn't standing alone - they hooked up an external power amp to raise the level.

    3) The issue of encryption of the voice channel is mismanagement of the radio site. Radios can be programmed to reject operation in non-encrypted modes.

    4) Generating keys on-the-fly is a security risk. The whole idea of key management is that you maintain a set of secure keys - if people in the field can make their own keys then you just blew your security out of the water, as people can generate insecure keys.

    5) Encrypting the control channel and the header data for the traffic channel is difficult - much more so than encrypting the voice channel. I've looked at the spec and shuddered in horror. So the paper is correct that a lot of information could be snarfed from over the air.

    6) The voice payloads can modify the encryption seed on every LDU2, if they so desire. That would raise the bar on cracking the system.

    7) Many of the things they did to APCO-25 could also be done to TETRA - time selective jamming, for example.

    1. Anonymous Coward
      Devil

      IM Me..

      1. two out of the three bands you quote, not bad for a $30 toy but it's not about the bands used, it's about the fact that it's possible. It sounds like it'd be rather trivial to find another RF transceiver to cover all three bands and feed it with just about any MCU (the 803x core in the TI chip is 30+ years old)

      2. No, they speculated that one could be attached to wipe out comms over a wide area but didn't because of the legal ramifications.

      3. The whole issue here is the flakiness of the key distribution system, failed OTAR key distribution is the reason comms are in the clear, it's a choice between clear or no comms and the system is obviously badly designed if users can be so confused about switching between modes.

      4. Yes, well, as long as your key generation and distribution mechanism is crap then it will be flawed. If the key distribution worked reliably in the first place it wouldn't be an issue.

      5. Seems to work fine for many other encrypted comms systems. Just because something is difficult doesn't mean it can be ignored or excused.

      6. Wouldn't raise the bar on jamming it though.

      7. Sure, but the proof of concept was done on APCO-25 and this article was about APCO-25 being jammed with a $30 toy..

      TETRA (and by extension AirWave) was designed from the outset as a digital replacement for interoperability between agencies. APCO-25 appears to be a botch job of a system that was crippled from the outset by the requirements forced upon it by the muppets who set the specification.

      It's a damning bit of research that appears to be very embarrassing for the vendors who have got their snouts in this trough.

      So, all in, bwahahahahaha

    2. Anonymous Coward
      Boffin

      Frequency bands

      The toy uses a Chipcon CC1110 8051-cored radio/controller SoC. Lifted from the datasheet:

      Frequency range: 300 – 348 MHz, 391 – 464 MHz and 782 – 928 MHz

      ... so it will receive and transmit on all but the 150MHz band, subject to antenna arrangements. There is actually an independent pair of these transceivers in the im-me and they are apparently agile enough to make a spectrum analyzer with. A neat bit of inexpensive kit. :-)

  13. Armando 123

    That's nothing

    I've known one Ivy League MBA to destroy a trillion-dollar company in three months. We should ban all Ivy League MBAs.

    You know, I wrote that in sarcasm, but now that I type it out loud, I'm not using the Joke Alert icon.

  14. Kev99 Silver badge

    Boondoggle #2,987,465

    Five will get you ten the system was designed by show off programmers with little or no input from users.

    1. musojon74

      Scope creep

      It was probably the spec from hell...

This topic is closed for new posts.

Other stories you might like