33 comments

[ 2.7 ms ] story [ 45.5 ms ] thread
(comment deleted)
The funny thing about this is that my municipality just recently started encrypting their radios at all. And it was controversial! Residents liked being able to listen in to the scanners.
> Residents liked being able to listen in to the scanners.

They're a public service funded by taxpayer dollars. Knowing what they're doing seems reasonable.

And yeah, the scanner culture thing is real
Is it still illegal in Europe to buy radios with 128 bit encryption?
I think what you may be thinking of is the export from the US of strong encryption products under ITAR. It was challenged by djb (of qmail/djbdns fame, among many other things) and the result was roughly that publishing software is protected expression like any other publishing (prior to that it was classified as munitions and required an export license).

https://en.wikipedia.org/wiki/Bernstein_v._United_States

I think on most public bands here, transmitting with encryption of any kind is banned regardless of the strength.
Note this affects TETRA which is not used in North America. Most US systems use P25 which is not mentioned in the article.
Northern California services use P25 but with encryption turned off. They also have analogue repeaters. Presumably because that way they can still use old radios and don't have to worry about key rotation.

The audio quality on the analogue signal is a lot better than the P25 version, which is often harder to understand.

> You’ve read your last free article.

Haven't read a Wired article in months :-|

And thanks to poster for adding archive link.

I mean, in this day and age is it such a bad thing that police and military radio is crackable?
I believe TETRA was already vulnerable to being broken based of some research that a group did into the protocol. They showed a proof video but didn't release any technical info or poc due to security fear.
TFA literally starts by saying that.
Cool! Maybe all the apps and sites intended to let you keep track of what your local kopz are doing will work again!
Right? All it took was some deeply flawed encryption and a couple researchers pulling the thread
Very interesting, curious how long it would take to brute force the 56 bit key, with something like a GPU/FPGA. It looks like hashcat supports DES, which is also 56 bit.
Modern GPU clusters can break 56-bit DES in under a day - AWS instances could do it for a few hundred dollars, making this vulnerability practically exploitable by motivated attackers with modest resources.
> The flaws remained unknown publicly until their disclosure, because ETSI refused for decades to let anyone examine the proprietary algorithms.

Got what they asked for.

For anyone who's curious, the closest equivalent in the US is P25[1] or "Project 25". And if you're wondering, yes, P25 systems have been known to have their own share of vulnerabilities of various sorts. My favorite one[2] is the one that lets an attacker force a P25 radio to broadcast tokens "on demand" allow you to (theoretically, with the right receiving setup and software) track the location of P25 radios more or less in real-time.

And on a related note, for anyone who is interested in listening in on any local P25 transmissions, you can do so in a fairly inexpensive manner, using an RTL-SDR dongle and the Open Source op25[3] software package. No listening to encrypted traffic, but IME, many (maybe most) public safety agencies keep most of their traffic in the clear. More so for fire/ems traffic. Law enforcement is more likely to be encrypted, but even then, I find that many jurisdictions only encrypt a small number of channels, like maybe a dedicated vice/narc squad channel, SWAT team channel, etc. General LE dispatch and tac channels are still in the clear in many areas.

[1]: https://en.wikipedia.org/wiki/Project_25

[2]: https://www.reddit.com/r/tacticalgear/comments/1f4d5dr/psa_p...

[3]: https://github.com/boatbod/op25

Kevin Mitnick figured out how to get around police radio encryption in the 90's. From 'Ghost in the Wires': "Whenever I heard any hiss of communication, I’d hold down my Transmit button. That would send out a radio signal on the same exact frequency, which would jam the signal. Then the second agent wouldn’t be able to hear the first agent’s transmission. After two or three tries back and forth, the agents would get frustrated with the radio. I could imagine one of them saying something like, “Something’s wrong with the radio. Let’s go in the clear.” They’d throw a switch on their radios to take them out of encryption mode, and I’d be able to hear both sides of the conversation! Even today I’m amused to remember how easy it was to work around that encryption without even cracking the code."
The local PD in my area has/had the laptops in their vehicles set to ad-hoc mode, and each broadcast static MAC addresses in the open, and could simply be looked up on the Wigle database. At about 100-yards, you could pick up the broadcast on any phone, and it would be trivial for someone to deduce that you could setup an active monitor w/ alerts for when these specific MAC addresses were present in a designated area, let alone what a distributed monitoring/alert effort would be capable of...
(comment deleted)
Good. I used to listen to police calls in the US. I don’t like the fact that my police is now the “secret police” with encrypted digits radios.
This is what happens when security is treated like a checklist item instead of a core requirement
"military grade" encryption.
So what's really important with military radio's is the concept of tactically perishable information. If i give battle directions duing a fight, that information only needs to be secure for a few days, after that, I'm somewhere else.