Researchers say weaknesses in interoperability standards for radios used by law enforcement leave the systems open to eavesdropping and jamming, even from a GirlTech IM-Me texting toy.
Weaknesses in the emerging interoperability standards for radios used by law enforcement agencies make the supposedly secure systems vulnerable to eavesdropping and jamming, researchers from the University of Pennsylvania reported.
The researchers, who presented their findings at this week’s Usenix Security Symposium in San Francisco, were able to build an effective low-powered jamming device from an inexpensive children’s texting toy and intercepted sensitive traffic that was supposed to have been encrypted.
They spent two years examining the Project 25 land mobile radio standards in a study partially funded by the National Science Foundation.
“We found that a significant fraction of the ‘encrypted’ P25 tactical radio traffic sent by federal law enforcement surveillance operatives is actually sent in the clear, in spite of their users’ belief that they are encrypted, and often reveals such sensitive data as the names of informants in criminal investigations,” they wrote.
The weaknesses stem from inadequacies in the standards and in their implementation.
Project 25 is a 22-year-old effort to develop standards that would let police, firefighters, and other first responders communicate across departmental and jurisdictional lines using equipment from various manufacturers. The standards include security features such as optional encryption for voice and data. The Association of Public Safety Communications Officials is leading the project, and the Telecommunications Industry Association is publishing the standards.
To date, only a couple of interface standards have been completed and fully implemented. The remaining seven interfaces are in various states of document completion, and the lack of interoperability testing makes it difficult to evaluate products.
But P25 trunked radio systems that comply with the partial suite of standards have been sold for more than a decade, and the promise of interoperability has led to widespread adoption, particularly by the federal government for surveillance and other confidential operations, the researchers said.
The university team described the existing standards as a “highly ad hoc, constrained architecture that, we note, departs in significant ways from conservative security design, does not provide clean separation of layers, and lacks a clearly stated set of requirements against which it can be tested.”
Although this does not necessarily result in vulnerabilities, when coupled with vendor implementations and complex, nonstandard user interfaces, it is difficult to analyze and ensure the security of the overall system.
The researchers found a number of protocol, implementation and user interface weaknesses that routinely leak information to a passive eavesdropper.
Although encryption is relatively straightforward in digital radio — and P25 supports Data Encryption Standard, Advanced Encryption Standard and National Security Agency-approved Type 1 encryption — it is an optional feature, and users often mistakenly broadcast sensitive information in the clear.
The researchers built a system to intercept P25 traffic with $1,000 worth of equipment and analyzed clear-text transmissions. During March, April and May, they intercepted an average of 23 minutes of sensitive information every day. The information was made available because of individual user errors, group user errors and some users' lack of proper encryption keys.
Even when encryption is used, much of the metadata that identifies the systems, talk groups, user IDs for senders and receivers, and message types are sent in the clear and available to a passive eavesdropper, the researchers found.
And users could also be tricked into not using encryption by an attacker who selectively jams encrypted traffic, the researchers said, adding that jamming was surprisingly easy to do on P25 systems. “We implemented a complete receiver and exciter for an effective P25 jammer by installing custom firmware in a $15 toy ‘instant messenger’ device marketed to preteen children.”
The jamming system required little power because it was necessary only to block a small critical section of each data frame being transmitted in order to block reception of the entire frame. Therefore, jamming a digital transmission required significantly less power than jamming the analog systems that P25 radios are intended to replace.
The jammer was built using the Texas Instruments CC1110 chip, which is used in the Girl Tech IM-Me, a toy for preteen text messaging that retails for about $30. The researchers were able to make two jammers from each toy for a net cost of about $15 each.
“A standard off-the-shelf external RF amplifier would be all that is necessary to extend this experimental apparatus to real-world, long-range use,” they wrote. “We expect that an attacker would face few technical difficulties scaling a jammer within the signal range of a typical metropolitan area.”
A number of vendors manufacture P25 radios. The University of Pennsylvania research was conducted on Motorola XTS 5000 handheld radios. A company spokesman said they have not had time to examine the report and had no comment on the findings.
NEXT STORY: With 13 fixes, Patch Tuesday reboots abound