Are you sure?
'Fortunately, and despite media portrayals, few criminal organisations are quite organised enough to create such an information brokerage.'
The cartels in Mexico apparently make six billion US per year on cannabis alone.
Researchers looking at the security of the US Project 25 radio network, used by federal agents and local police, have discovered that it's easily jammed, and almost as easily compromised. During a two-year study, the researchers from the University of Pennsylvania found that encryption on the police network was routinely …
Just so.
Unsophisticated and low-tech, but anyone can do it, and it's more reliable in the end. Communication systems can always be reset or replaced. A corrupted cop is corrupt for life, or at least until caught. And if a sizable proportion of the cops are corrupt, no communication system in the world will help.
"The first problem is that key distribution doesn't always work, so the team found users frequently get cut out and have to ask the rest of the group to switch off encryption for the duration of the operation."
Reminds me of Generation Kill where the guys in Humvees don't have the keys for the Cavalry Division's Choppers and so cannot either find out what they are doing dropping bombs just in front of them or massacring civvies. Can't remember which. Upon which general gallic shrugging ensues.
Open-sourced RSA solutions?
That's for smart people.
I have no desire to hack FBI radio (don't live in the land of the massively oppressed) but it seems like these things are text based radio comms devices... Which could be quite handy.
Of course, it looks like I'd need to print a new box for it, the one shown looks a bit naff...
"...text based radio comms devices... Which could be quite handy."
Aha! You noticed the BBM logging articles and you're trying to organise a riot then?
No need to explain yourself here, someone[1] will be around to hear your explanation in person.
[1] Well, quite a few someones actually......
...but I already have a handful, sourced from the local Toys-R-Us when they were fire-saling them for £6 early last year. They make a great TI/Chipcon RF microcontroller dev kit. Nothing is locked down on them at all, and you get two identical radios in the package: the one with the LCD and keyboard attached and the naked one in the USB dongle. (And they can pop the locks on many cars and open garage doors too.)
First: I lead the design team on one of the top P25 testers on the market, so I know a bit about APCO-25.
The paper omitted a few very important details about their jammer:
1) What frequency band did it operate in? APCO-25 is fielded in 3 bands in the US: 800MHz, 450MHz, and 150MHz. I doubt this toy has a three-band transmitter in it, so it would at best be able to jam one of those bands. The report didn't say what band that was. Also, I doubt this toy is frequency agile enough to jam both the control channel and the traffic channels, and since the exact traffic channel the call will be assigned to is unknown until the call is set up, the toy would have to be able to monitor the control channel, snarf the channel grant message, decode it, and go to the traffic channel to jam the radio. Or it would have to jam the outbound control channel, and then the radio would go into channel hunt to find the backup control channel.
2) The toy wasn't standing alone - they hooked up an external power amp to raise the level.
3) The issue of encryption of the voice channel is mismanagement of the radio site. Radios can be programmed to reject operation in non-encrypted modes.
4) Generating keys on the fly is a security risk. The whole idea of key management is that you maintain a set of secure keys. If people in the field can make their own keys then you just blew your security out of the water, as people can generate insecure keys.
5) Encrypting the control channel and the header data for the traffic channel is difficult, much more so than encrypting the voice channel. I've looked at the spec and shuddered in horror. So the paper is correct that a lot of information could be snarfed from over the air.
6) The voice payloads can modify the encryption seed on every LDU2, if they so desire. That would raise the bar on cracking the system.
7) Many of the things they did to APCO-25 could also be done to TETRA: time-selective jamming, for example.
1. Two out of the three bands you quote, not bad for a $30 toy, but it's not about the bands used, it's about the fact that it's possible. It sounds like it'd be rather trivial to find another RF transceiver to cover all three bands and feed it with just about any MCU (the 803x core in the TI chip is 30+ years old).
2. No, they speculated that one could be attached to wipe out comms over a wide area but didn't because of the legal ramifications.
3. The whole issue here is the flakiness of the key distribution system. Failed OTAR key distribution is the reason comms are in the clear; it's a choice between clear or no comms, and the system is obviously badly designed if users can be so confused about switching between modes.
4. Yes, well, as long as your key generation and distribution mechanism is crap then it will be flawed. If the key distribution had worked reliably in the first place it wouldn't be an issue.
5. Seems to work fine for many other encrypted comms systems. Just because something is difficult doesn't mean it can be ignored or excused.
6. Wouldn't raise the bar on jamming it though.
7. Sure, but the proof of concept was done on APCO-25 and this article was about APCO-25 being jammed with a $30 toy.
TETRA (and by extension AirWave) was designed from the outset as a digital replacement for interoperability between agencies. APCO-25 appears to be a botch job of a system that was crippled from the outset by the requirements forced upon it by the muppets who set the specification.
It's a damning bit of research that appears to be very embarrassing for the vendors who have got their snouts in this trough.
So, all in, bwahahahahaha
The toy uses a Chipcon CC1110 8051-cored radio/controller SoC. Lifted from the datasheet:
Frequency range: 300 – 348 MHz, 391 – 464 MHz and 782 – 928 MHz
... so it will receive and transmit on all but the 150MHz band, subject to antenna arrangements. There is actually an independent pair of these transceivers in the IM-ME and they are apparently agile enough to make a spectrum analyzer with. A neat bit of inexpensive kit. :-)