Following the April 15 Boston Marathon bombing various Law Enforcement Agencies (LEA) in the US (and presumably elsewhere) worked to identify and apprehend those responsible for the attack. On April 19 they publicly identified two persons of interest. One of these persons was killed during apprehension and the other led LEA on a protracted and chaotic manhunt through Boston suburbs.
Because US LEA (at least those agencies involved in Boston) don’t employ radio encryption, their over-the-air communications during the manhunt were easily surveilled by enthusiasts using scanning receivers such as these. Additionally, some enthusiasts also provide free internet audio streams from their scanners, enabling users from anywhere in the world to tune in and listen. During the manhunt Boston Police, Fire and EMS audio streams were published via social media and hundreds of thousands of people listened live.
While the situation progressed Twitter users pumped out blow-by-blow updates on officer movements and strategy as they came through the radio feed. This eventually prompted LEA requests for listeners to stop publishing the information, citing officer safety and operational security concerns.
Here in Australia, much Emergency Services communication takes place on trunking radio networks based on the APCO Project 25 (P25) standard. These digital networks are more advanced than regular UHF Simplex/Duplex and offer additional security features such as data and voice encryption. Unlike the Boston Police network discussed above, encryption prevents many Australian Police communications from being (easily) monitored.
Following the Boston situation I spent some time pondering the question: how secure are the Australian Government radio networks in practice?
During the 2010 Ruxcon conference in Melbourne, radio hobbyists/hackers Steve Glass and Matt Robert presented a talk titled Insecurity in Public-Safety Communications: Apco Project 25. During the talk they discussed the findings of security analysis conducted on P25 networks, describing a number of practical and theoretical security vulnerabilities.
Summary of major vulnerabilities;
1. Flawed Key Hierarchy - Mobile radios do not employ a unique Traffic Encryption Key (TEK) for each network association. A single, common TEK is typically shared between multiple stations on the network. Although individual stations can be configured to reside in multiple crypto-groups, each having a unique TEK that provides isolation from other groups, a key compromise affecting one station exposes traffic for all handsets in the crypto-group.
2. Poor Key Management - The network provides support for Over The Air Re-keying (OTAR), enabling TEK updates to be automatically pushed to mobile stations. In addition to facilitating frequent key updates this is useful where, for example, a radio is lost or stolen and allows the keys to be remotely erased. At the time of the presentation the researchers stated they understood that OTAR was not being used to push regular TEK updates to P25 GRN handsets. Instead, they believed that manual TEK updates took place approximately once per year. A TEK compromise taking place shortly after an update could therefore leave network traffic exposed for significant periods.
3. Weak Encryption Ciphers - The network supports several encryption ciphers, including DES (weakest), 3DES (stronger) and AES (strongest). At the time of the presentation the researchers believed DES to be the most commonly deployed cipher. Although affording pseudo-reasonable security, it’s relatively small 56-bit key space is vulnerable to brute-force attack. Performance advancements achieved by GPU cracking mean that these attacks are far more practical now than when the networks were originally implemented.
4. Key Recovery Attack - Voice messages broadcast on the network contain known-plaintext at predictable locations in the broadcast frame. This is a protocol weakness resulting from ‘silence’ codewords being inserted to pad any unused voice slots in the current frame before broadcasting. Due to the use of weak encryption, and by predicting where in the transmission this known data exists, recovery of the TEK is possible via brute force attack.
5. Handset Inhibit Attack - The P25 protocol provides facility to remotely ‘inhibit’ (brick) a mobile handset. As with OTAR TEK wipes, this is intended to quarantine a handset that may have become lost or stolen. Sending a specially crafted “stun” packet to the device renders it completely inoperable and non-responsive to button input. This function is implemented without any form of authentication or message validation and is exploitable without knowledge of the TEK.
It seems reasonable to assume that the inhibit attack could be easily weaponised by continuously scanning for handsets and automatically forwarding the “stun” packet to those in range. In context of a planned attack this could potentially be used to create a near-total radio communication blackout for police and other emergency services at the target site.
It’s worthwhile noting that Police and other Emergency Services radio communication in Australia has been unencrypted since the dawn of time. Successive generations of radio enthusiasts, myself included, spent countless hours listening to their Local Area Command and for all intents and purposes very little if any harm seems to have come of it.
So, why is it a big deal if a tiny minority of people potentially obtain access again?
1. Back in ‘ye olde analog days’, radio network users were aware that their communication was basically always being monitored by the public. With this in mind they could moderate what hit the air to ensure operational integrity where appropriate. Now working on the understanding that third parties are unable to monitor communication it’s reasonable to assume this consideration is at least lessened, with more sensitive information hitting the air. On this basis information leakage through surreptitious monitoring of encrypted networks is higher-risk.
2. Assuming an attacker has the requisite technical knowledge, is able and willing to purchase the required equipment and has the time to actually pull it off we can broadly categorise them as either;
a. Radio hobbyist / security researcher / grey-hat who has a genuine interest in the technology and is willing to take things a little far playing with it.
b. Criminal or terrorist who believes that leveraging access to the network may assist in achieving some other goal important enough to spend the not insignificant time, money and resources required. See example above about creating a network DoS at a planned attack site to hinder LEA and first responders.
Person a. is unlikely to intentionally cause damage or leverage the network for secondary criminal purposes. Person b. is why Goverments around the world are throwing massive resources at “Cyber” and they’re as real a threat as it gets. Use your imagination.
3. In addition to regular voice communication the new networks are also used to service vehicle mounted Mobile Data Terminals. I believe this is something that needs more research but at face value the implications of having over-the-air access to a Police data network are obvious.
4. We’ve got the technology, not making use of it seems stupid. The network supports AES – TURN IT ON. The network supports OTAR TEK updates – DO THEM MORE THAN ONCE A YEAR. Handset inhibit can be disabled – TURN IT OFF… See where I’m going with this?
I’ve questioned the mathematical likelihood of attackers infiltrating these networks for some time now. Those hackers actively researching P25 security are, understandably, very tight lipped on just how much of their research has been tested “outside” the lab.
Here’s hoping that Government network operators are listening and that the P25 networks our Emergency Services rely on aren’t waiting to be used against us.