-
Security Researchers Crack APCO P25 Encryption
This boildown came by way of Slashdot.org.......
I thought this would be of interest considering how the other P-25 thread of recent is doing.
Before some reply that P-25 is an open standard: yes, it is; however, some police departments use a layer of encryption ahead of the P-25 encoding.
Security Researchers Crack APCO P25 Encryption
An anonymous reader writes
"Two Australian security researchers, Stephen Glass and Matt Robert, have published a paper that details flaws in the encryption implementation (PDF) in the APCO Project 25 digital radio standard, used by emergency services and police departments world-wide. The paper details flaws in the DES-OFB and ADP encryption that enable the encryption key to be recovered by traditional brute force key searching. Also detailed is a DoS attack that makes use of unauthenticated radio inhibit mechanism. The research is part of the OP25 project, which uses GNUradio to implement a P25 stack using software defined radio. With this solution in place, the researchers were able to do detailed analysis of the traffic coming from various radio systems and to transmit and receive to P25 radios in their lab."
73,
Sue
AF6LJ
You cannot rule an educated population.
-
And, this is surprising - how?
Guess it's surprising that it took this long for anyone who knew what they were doing to bother cracking it. Guess it's been a slow week in the crypto arena.
hint: There's a whale of a diff twixt Secure communications and 'keeping scanner land' deaf to an interoperable radio system. IOW: "encrypted != secure", it's just a bit more difficult to listen to. Most scannists have neither the know how, resources or time to mess with it. Ipso-Facto - it worked.
When this beast 'first appeared' on the LMR scene over 10 years ago - it was common discussion THEN that it would only be a matter of time before 'people' could listen in freely. Anyone that's using P-25 encryption for Secure comms deserves what they get.

Registered user #227845
"Having a radio doesn't make you a communicator any more than having a guitar makes you a musician"
--Apologies to Jeff Cooper
Grounding question? Read up.
-
Well that's a lot of technoblab to chew on but I like it. This part {traditional brute force key searching} reminded me of some real whiz bang Federation Star Fleet spacespeak. In this one episode, Captain Picard really wanted to talk to some space goober he was chasing or mad at or whathaveyou, and he ordered Data to git 'er done. Data responded with: "forced spectrum communication is spotty at best sir." Undeterred, Picard piped back with his usual "git 'er done" again and obedient Data started pushing some buttons.
Now I don't know about you folks but I like that idea. It doesn't matter if you're in the bathroom, have peanut butter in your ears, or even have your communications array turned off, with the push of a few space buttons..... by golly you're GOING to receive my transmission, listen to me, accede to my demands..... or else !
Now that's my kind of hamming.
-
One of the police agencies here that uses P-25 also uses an encrypted mode that won't decode on a normal P-25 scanner.
Cracking the code just because you can is in itself an end.
73,
Sue
AF6LJ
You cannot rule an educated population.
-
This does not surprise me at all. The lesser DES varieties and ADP encryption keys are the low, low-end offerings for P25 users. DES has been available and used for over a quarter century now. ADP is more recent, and intended for lesser industrial/gov't work. Until recently, Motorola corp used their triple-DES for some on-line security. How well it holds up these days is another story. These are not approved for most, if not all, federal use.
High bit level AES encryption, like 128-bit through 256-bit key lengths, offers high strength security these days. The lesser encryption cyphers of years gone by only afford reasonable security from all but other gov't agencies and groups/individuals with skills and computing power. Some LMR radios and supporting encryption hardware are approved as "Type 1" encryption products for use in applicable gov't circles -- like the military and others involved with national security.
73.
Last edited by NL7W; 09-10-2011 at 11:32 PM.
73, Steve, NL7W
Not in but around Palmer, Alaska
"Those who give up their liberty for more security neither deserve liberty nor security."
"Democracy is two wolves and a lamb voting on what to have for lunch. Liberty is a well-armed lamb contesting the vote."
- Ben Franklin
-
There's no such thing as "P25 encryption." Project 25 is a suite of interoperating, digital, public safety mobile radio standards under the auspices of the Association of Public Safety Communications Officials (APCO) and its standards process. The P25 suite surrounds the Common Air Interface (over-the-air digital modulation scheme(s)), the P25 RF Subsystem (RFSS), the InterSubsystem Interface (ISSI), the Console Sub-System Interface (CSSI), and the Digital Fixed Station Interface (DFSI) for non-trunked P25 systems. P25 is fully digital and IP addressable down to the individual subscriber radio, incorporating developing technologies such as VoIP.
In P25 subscriber units, other P25 devices and its network, encryption is accomplished by various methods. But encryption methods and P25 radio systems are not intertwined whatsoever. P25 systems are not dependent upon encryption, and can operate independently from any and all encryption systems. Though being a digital system, they can fully utilize the capabilities of the latest encryption offerings.
73.
 Originally Posted by KA7O
And, this is surprising - how?
Guess it's surprising that it took this long for anyone who knew what they were doing to bother cracking it. Guess it's been a slow week in the crypto arena.
hint: There's a whale of a diff twixt Secure communications and 'keeping scanner land' deaf to an interoperable radio system. IOW: "encrypted != secure", it's just a bit more difficult to listen to. Most scannists have neither the know how, resources or time to mess with it. Ipso-Facto - it worked.
When this beast 'first appeared' on the LMR scene over 10 years ago - it was common discussion THEN that it would only be a matter of time before 'people' could listen in freely. Anyone that's using P-25 encryption for Secure comms deserves what they get.
73, Steve, NL7W
Not in but around Palmer, Alaska
"Those who give up their liberty for more security neither deserve liberty nor security."
"Democracy is two wolves and a lamb voting on what to have for lunch. Liberty is a well-armed lamb contesting the vote."
- Ben Franklin
-
 Originally Posted by W2BBQ
Well that's a lot of technoblab to chew on but I like it. This part {traditional brute force key searching} reminded me of some real whiz bang Federation Star Fleet spacespeak. In this one episode, Captain Picard really wanted to talk to some space goober he was chasing or mad at or whathaveyou, and he ordered Data to git 'er done. Data responded with: "forced spectrum communication is spotty at best sir." Undeterred, Picard piped back with his usual "git 'er done" again and obedient Data started pushing some buttons.
Now I don't know about you folks but I like that idea. It doesn't matter if you're in the bathroom, have peanut butter in your ears, or even have your communications array turned off, with the push of a few space buttons..... by golly you're GOING to receive my transmission, listen to me, accede to my demands..... or else !
Now that's my kind of hamming.
In other words, you're THE BORG, right? 
Cheers & 73
Pat Cook, KB0OXD
Englewood, CO
BEST WAY TO REACH ME AWAY FROM QRZ OR SOCIAL MEDIA - Either via APRS Messaging or the *HANDIHAM* Conference Server on EchoLink
PRESIDENT OBAMA - HAIL TO THE CHIEF !!!!!  (For FOUR MORE YEARS !!!!!)
--
You actually HIT the repeater?? NO WONDER THE THING IS ALWAYS DOWN WHENEVER I WANNA USE IT!!! Ohh...I get it now. When you say you Hit the repeater, you mean you are Talking To Other Hams Through It!!! *DOH!*
-
 Originally Posted by AF6LJ
This boildown came by way of Slashdot.org.......
I thought this would be of interest consider how the other P-25 thread of recent is doing.
Shh.....Let's not give Al Qaeda any wise ideas, shall we? 
Cheers & 73
Pat Cook, KB0OXD
Englewood, CO
BEST WAY TO REACH ME AWAY FROM QRZ OR SOCIAL MEDIA - Either via APRS Messaging or the *HANDIHAM* Conference Server on EchoLink
PRESIDENT OBAMA - HAIL TO THE CHIEF !!!!!  (For FOUR MORE YEARS !!!!!)
--
You actually HIT the repeater?? NO WONDER THE THING IS ALWAYS DOWN WHENEVER I WANNA USE IT!!! Ohh...I get it now. When you say you Hit the repeater, you mean you are Talking To Other Hams Through It!!! *DOH!*