P25 radios vulnerable to eavesdropping, can be jammed by child's toy
- By William Jackson
- Aug 11, 2011
Weaknesses in the emerging interoperability standards for radios used by law enforcement agencies make the supposedly secure systems vulnerable to eavesdropping and jamming, researchers from the University of Pennsylvania reported.
The researchers, who presented their findings at this week’s Usenix Security Symposium in San Francisco, were able to build an effective low-powered jamming device from an inexpensive children’s texting toy and intercepted sensitive traffic that was supposed to have been encrypted.
They spent two years examining the Project 25 land mobile radio standards in a study partially funded by the National Science Foundation.
Radio interoperability effort is old enough to drink
Why the march to interoperable radios is so slow
“We found that a significant fraction of the ‘encrypted’ P25 tactical
radio traffic sent by federal law enforcement surveillance operatives is
actually sent in the clear, in spite of their users’ belief that they
are encrypted, and often reveals such sensitive data as the names of
informants in criminal investigations,” they wrote.
The weaknesses stem from inadequacies in the standards and in their implementation.
Project 25 is a 22-year-old effort to develop standards that would let
police, firefighters, and other first responders communicate across
departmental and jurisdictional lines using equipment from various
manufacturers. The standards include security features such as optional
encryption for voice and data. The Association of Public Safety
Communications Officials is leading the project, and the
Telecommunications Industry Association is publishing the standards.
To date, only a couple of interface standards have been completed and
fully implemented. The remaining seven interfaces are in various states
of document completion, and the lack of interoperability testing makes
it difficult to evaluate products.
But P25 trunked radio systems that comply with the partial suite of
standards have been sold for more than a decade, and the promise of
interoperability has led to widespread adoption, particularly by the
federal government for surveillance and other confidential operations,
the researchers said.
The university team described the existing standards as a “highly ad
hoc, constrained architecture that, we note, departs in significant ways
from conservative security design, does not provide clean separation of
layers, and lacks a clearly stated set of requirements against which it
can be tested.”
Although this does not necessarily result in vulnerabilities, when
coupled with vendor implementations and complex, nonstandard user
interfaces, it is difficult to analyze and ensure the security of the
The researchers found a number of protocol, implementation and user
interface weaknesses that routinely leak information to a passive
Although encryption is relatively straightforward in digital radio — and
P25 supports Data Encryption Standard, Advanced Encryption Standard and
National Security Agency-approved Type 1 encryption — it is an optional
feature, and users often mistakenly broadcast sensitive information in
The researchers built a system to intercept P25 traffic with $1,000
worth of equipment and analyzed clear-text transmissions. During March,
April and May, they intercepted an average of 23 minutes of sensitive
information every day. The information was made available because of
individual user errors, group user errors and some users' lack of proper
Even when encryption is used, much of the metadata that identifies the
systems, talk groups, user IDs for senders and receivers, and message
types are sent in the clear and available to a passive eavesdropper, the
And users could also be tricked into not using encryption by an attacker
who selectively jams encrypted traffic, the researchers said, adding
that jamming was surprisingly easy to do on P25 systems. “We implemented
a complete receiver and exciter for an effective P25 jammer by
installing custom firmware in a $15 toy ‘instant messenger’ device
marketed to preteen children.”
The jamming system required little power because it was necessary only
to block a small critical section of each data frame being transmitted
in order to block reception of the entire frame. Therefore, jamming a
digital transmission required significantly less power than jamming the
analog systems that P25 radios are intended to replace.
The jammer was built using the Texas Instruments CC1110 chip, which is
used in the Girl Tech IM-Me, a toy for preteen text messaging that
retails for about $30. The researchers were able to make two jammers
from each toy for a net cost of about $15 each.
“A standard off-the-shelf external RF amplifier would be all that is
necessary to extend this experimental apparatus to real-world,
long-range use,” they wrote. “We expect that an attacker would face few
technical difficulties scaling a jammer within the signal range of a
typical metropolitan area.”
A number of vendors manufacture P25 radios. The University of
Pennsylvania research was conducted on Motorola XTS 5000 handheld
radios. A company spokesman said they have not had time to examine the
report and had no comment on the findings.
William Jackson is freelance writer and the author of the CyberEye blog.