The funny thing about this is that my municipality just recently started encrypting their radios at all. And it was controversial! Residents liked being able to listen in to the scanners.
I think what you may be thinking of is the export from the US of strong encryption products under ITAR. It was challenged by djb (of qmail/djbdns fame, among many other things) and the result was roughly that publishing software is protected expression like any other publishing (prior to that it was classified as munitions and required an export license).
Northern California services use P25 but with encryption turned off. They also have analogue repeaters. Presumably because that way they can still use old radios and don't have to worry about key rotation.
The audio quality on the analogue signal is a lot better than the P25 version, which is often harder to understand.
I believe TETRA was already vulnerable to being broken based of some research that a group did into the protocol. They showed a proof video but didn't release any technical info or poc due to security fear.
Very interesting, curious how long it would take to brute force the 56 bit key, with something like a GPU/FPGA. It looks like hashcat supports DES, which is also 56 bit.
Modern GPU clusters can break 56-bit DES in under a day - AWS instances could do it for a few hundred dollars, making this vulnerability practically exploitable by motivated attackers with modest resources.
For anyone who's curious, the closest equivalent in the US is P25[1] or "Project 25". And if you're wondering, yes, P25 systems have been known to have their own share of vulnerabilities of various sorts. My favorite one[2] is the one that lets an attacker force a P25 radio to broadcast tokens "on demand" allow you to (theoretically, with the right receiving setup and software) track the location of P25 radios more or less in real-time.
And on a related note, for anyone who is interested in listening in on any local P25 transmissions, you can do so in a fairly inexpensive manner, using an RTL-SDR dongle and the Open Source op25[3] software package. No listening to encrypted traffic, but IME, many (maybe most) public safety agencies keep most of their traffic in the clear. More so for fire/ems traffic. Law enforcement is more likely to be encrypted, but even then, I find that many jurisdictions only encrypt a small number of channels, like maybe a dedicated vice/narc squad channel, SWAT team channel, etc. General LE dispatch and tac channels are still in the clear in many areas.
Kevin Mitnick figured out how to get around police radio encryption in the 90's. From 'Ghost in the Wires':
"Whenever I heard any hiss of communication, I’d hold down my Transmit button. That would send
out a radio signal on the same exact frequency, which would jam the signal.
Then the second agent wouldn’t be able to hear the first agent’s transmission. After two or three tries back and forth, the agents would get
frustrated with the radio. I could imagine one of them saying something like, “Something’s wrong with the radio. Let’s go in the clear.”
They’d throw a switch on their radios to take them out of encryption mode, and I’d be able to hear both sides of the conversation! Even today
I’m amused to remember how easy it was to work around that encryption without even cracking the code."
The local PD in my area has/had the laptops in their vehicles set to ad-hoc mode, and each broadcast static MAC addresses in the open, and could simply be looked up on the Wigle database. At about 100-yards, you could pick up the broadcast on any phone, and it would be trivial for someone to deduce that you could setup an active monitor w/ alerts for when these specific MAC addresses were present in a designated area, let alone what a distributed monitoring/alert effort would be capable of...
Why EU saw fit to buy very expensive proprietary software encryption, when there are open source standards, some of them designed in the EU itself is beyond me. Of course, you still someone to build the hardware and so on.
So what's really important with military radio's is the concept of tactically perishable information. If i give battle directions duing a fight, that information only needs to be secure for a few days, after that, I'm somewhere else.
33 comments
[ 2.7 ms ] story [ 45.5 ms ] threadThey're a public service funded by taxpayer dollars. Knowing what they're doing seems reasonable.
https://en.wikipedia.org/wiki/Bernstein_v._United_States
The audio quality on the analogue signal is a lot better than the P25 version, which is often harder to understand.
Haven't read a Wired article in months :-|
And thanks to poster for adding archive link.
https://www.youtube.com/watch?v=iGINoIYQwak
Got what they asked for.
And on a related note, for anyone who is interested in listening in on any local P25 transmissions, you can do so in a fairly inexpensive manner, using an RTL-SDR dongle and the Open Source op25[3] software package. No listening to encrypted traffic, but IME, many (maybe most) public safety agencies keep most of their traffic in the clear. More so for fire/ems traffic. Law enforcement is more likely to be encrypted, but even then, I find that many jurisdictions only encrypt a small number of channels, like maybe a dedicated vice/narc squad channel, SWAT team channel, etc. General LE dispatch and tac channels are still in the clear in many areas.
[1]: https://en.wikipedia.org/wiki/Project_25
[2]: https://www.reddit.com/r/tacticalgear/comments/1f4d5dr/psa_p...
[3]: https://github.com/boatbod/op25
Why EU saw fit to buy very expensive proprietary software encryption, when there are open source standards, some of them designed in the EU itself is beyond me. Of course, you still someone to build the hardware and so on.
A5/1 had a similar issue in which the weakness was deliberately added. I have some notes and references on it. Super interesting
https://github.com/alexander-hanel/asm-examples/tree/master/...