  #21 (permalink)  
Old 05-17-2018, 3:36 PM
Citywide173's Avatar
Member
  Amateur Radio Operator
Amateur Radio
 
Join Date: Feb 2005
Location: Attleboro, MA
Posts: 1,475
Default

Quote:
Originally Posted by kayn1n32008 View Post
No, I am not missing the point.

You are taking this specific situation and making it something it is not.
You are missing the poster's point. While your statement:

Quote:
He was making voice transmissions with his radio that had the cloned ID programmed in it. Control channel encryption would have prevented this. It would not stop a radio from trying to affiliate, but if it was encrypted, he would have no reason to attempt to clone a radio onto the system.
is accurate, encryption keys and affiliation are not necessary to cause harmful interference on the input frequency. A radio transmitting FM on the input could generate a stronger signal than a radio operating on the system legally and cause that radio not to be able to adequately transmit into the system, causing HARMFUL INTERFERENCE. Unless, of course, the laws of physics cease to exist in Michigan.
__________________
Ed Burke
KD1EMS WQRD823

Administrator: Firepics-THE Place for fire photographers
Reply With Quote
  #22 (permalink)  
Old 05-17-2018, 4:02 PM
RayAir's Avatar
Member
   
Join Date: Dec 2005
Location: Island of OpenSky
Posts: 1,679
Default

Not too wise on his part.

This is why I just stick to using dsd+ and my old PRO-668 scanner for monitoring P25 systems.
__________________
KXKYC JBSOB XBMZE LCVHV WCW
Reply With Quote
  #23 (permalink)  
Old 05-17-2018, 6:10 PM
Member
   
Join Date: Sep 2008
Location: In the 'patch
Posts: 5,062
Default

Quote:
Originally Posted by RayAir View Post
Not too wise on his part.



This is why I just stick to using dsd+ and my old PRO-668 scanner for monitoring P25 systems.


Me thinks this kid knew exactly what he was doing. He only got caught because of a traffic violation.


Sent from my iPhone using Tapatalk
__________________
Interoperatablity is not a technology, it is an attitude!!!
Reply With Quote
  #24 (permalink)  
Old 05-17-2018, 7:38 PM
KK4JUG's Avatar
Member
  Premium Subscriber
Premium Subscriber
Amateur Radio Operator
Amateur Radio
 
Join Date: Dec 2014
Location: GA, AL, TX, OK, KS, AR, NC, or MI
Posts: 1,923
Default

Quote:
Originally Posted by kayn1n32008 View Post
Me thinks this kid knew exactly what he was doing. He only got caught because of a traffic violation.


Sent from my iPhone using Tapatalk
How 'bout some credit for the LEO for realizing what the radio was?
__________________
If you can read this, thank a teacher. If you can read this in English, thank a vet.
Reply With Quote
  #25 (permalink)  
Old 05-17-2018, 7:52 PM
Member
   
Join Date: Sep 2008
Location: In the 'patch
Posts: 5,062
Default FCC consent decree on unauthorized use of MPSCS

Quote:
Originally Posted by KK4JUG View Post
How 'bout some credit for the LEO for realizing what the radio was?


Probably blaring the officer's dispatch talkgroup.


Sent from my iPhone using Tapatalk
__________________
Interoperatablity is not a technology, it is an attitude!!!
Reply With Quote
  #26 (permalink)  
Old 05-17-2018, 8:19 PM
KK4JUG's Avatar
Member
  Premium Subscriber
Premium Subscriber
Amateur Radio Operator
Amateur Radio
 
Join Date: Dec 2014
Location: GA, AL, TX, OK, KS, AR, NC, or MI
Posts: 1,923
Default

Quote:
Originally Posted by kayn1n32008 View Post
Probably blaring the officer's dispatch talkgroup.


Sent from my iPhone using Tapatalk
No, probably a knowledgeable, well-spoken, conscientious officer who takes his job seriously.
__________________
If you can read this, thank a teacher. If you can read this in English, thank a vet.
Reply With Quote
  #27 (permalink)  
Old 05-18-2018, 12:19 AM
RayAir's Avatar
Member
   
Join Date: Dec 2005
Location: Island of OpenSky
Posts: 1,679
Default

Do they even offer link layer encryption for P25 systems?

I'm thinking I saw an option for it on Harris systems. It's not a bad idea.
Certain DMR/NXDN manufacturers seem to offer better authentication/access schemes than what's available on most P25 systems today.

Coupled with voice privacy, link layer encryption would provide a better defense-in-depth and put a stop to this nonsense.
__________________
KXKYC JBSOB XBMZE LCVHV WCW
Reply With Quote
  #28 (permalink)  
Old 05-18-2018, 7:14 PM
Hooligan's Avatar
Member
   
Join Date: May 2002
Location: Clark County, Nevada
Posts: 1,126
Default

Dear Cameron has been a RadioReference member for the past 5 years -- SHOCKER!!
https://www.radioreference.com/apps/user/N8CAM



Here's a rant I emailed some friends after I saw the FCC Consent Decree (which seems to be the only official information about this situation):

*****************************************

https://transition.fcc.gov/Daily_Rel...A-18-462A1.pdf

[MPSCS is a statewide 800MHz/700MHz P25 trunked radio system used by most state/county/local
public safety plus some federal users. Having a radio programmed for this sort of trunked
system means that by doing something seemingly innocuous like just turning the radio on,
the radio will transmit to the network & try to log-onto it (like a cellphone does), unlike
a conventional two-way radio
where turning it on simply powers-up the radio but it doesn't transmit unless the operator
takes deliberate action to do so. Some aspects of the MPSCS are about 25 years old but
over the past couple years they've been modernizing the system. Yet we can expect the state
to use this incident to their advantage as they ask for funds to
get more encryption, switch to P25/Phase II, express a desire to migrate to LTE, etc. but
the REALITY-CHECK is any competent radio system manager/security analyst could & should have
warned about the cloned-radio intrusion & system key vulnerabilities about 20 years ago.]

https://www.michigan.gov/mpscs/

Note: I'm not trying to defend the kid -- he transmitted on radio
spectrum he didn't have legit access to, and 'intruded' into a computer
system (accessing the MPSCS site/network controller via simply turning-on/off
his radio programmed for the MPSCS), both of which are federal offenses.

*******

So I'm wondering if he was actually talking on MPSCS, or if the
average 4.8 second transmission consisted of
him turning on the radio, it logging-on to the network, affiliating with
a certain TG via certain site -- still
naughty/illegal, but much different than him trying to run
license-plates, etc. If he intruded on the system for a couple
years before finally being busted & they traced 989 "transmissions" to
his radio, that # plus the average transmission
length seems consistent to me with him mostly turning on/off the radio &
maybe switching between a couple
talk-groups -- 989 times, his radio communicated with the zone/system
controller. There's no talk of whether he actually had the 'secret' SYSTEM KEY
in his radio, so the 989 transmissions over 2 years could actually have been
his radio trying to affiliate with the system (providing the cloned radio-ID),
but the controller responding back & denying the radio access ('bonking' him)
because the radio didn't have the System Key. On the other hand, there's
plenty of open-source discussions on radio or radio-hacker online forums
about how to obtain or even make good guesses as-to the system key for a trunked
radio system.


I don't find any media articles about this case -- I expect the State of
Michigan did NOT want this
publicized, though they're not the first public safety agency to have
their "sophisticated" statewide
trunked radio system intruded upon this way. I guarantee you that the
Michigan Intelligence Operations
Center (state fusion center) sent out a LE-Sensitive BOL to all Michigan
LEOs warning
them to be on the lookout for anyone with a [types of radios that could
be programmed for MPSCS] &
ask questions, if the person isn't affiliated with a LEA or other public
safety entity (Michcon, for example) that has access to MPSCS.

But possession of a Motorola radio itself is not a crime & there are
plenty of legit, legal uses --
business, amateur radio, or whatever so possession of one, especially if
it's turned OFF & not
showing a channel name like LANSING P911 or blaring audio of what is
clearly a LE channel doesn't
in itself grant an officer any reasonable suspicion to believe a
criminal act has/is/or soon will take place.

I think in this situation, the 19 year old was nervous & didn't have
the maturity to just turn off the
radio, tell the officer he's a ham & uses the radio for amateur radio,
and politely refuse to answer any
other questions not pertaining to the reason for contact (a traffic
violation). The officer (probably) asked
to see the radio, the young kid didn't know his rights & wanted to
appear cooperative, so he somewhat
unwittingly gave consent for a search, that led to seizure & a criminal
investigation. All perfectly legal,
but also perfectly preventable had the dumb kid set the radio up with a
password, had it turned off
& not in plain sight inside the vehicle, *and* politely rejected the
officer 'going fishing' on a traffic stop.

Social-media photos show that he had a receive-only 'police-scanner' that
was completely capable of monitoring the MPSCS, but having a Motorola
professional radio looks cooler, will receive the system better,
can impress/intimidate people, and is simply just something that
a 'radio-geek' who can afford the Motorola radio (easy to buy older,
used ones, fairly cheap) may want to play-around with. I don't know what model
radio he had, but assuming it was 700/800MHz only & not one of the multi-band
handhelds that are still pretty expensive, even used, there is no amateur-radio
spectrum in 700/800MHz.

Of course, he's on RadioReference...
N8CAM Shack and Equipment Photos

https://www.facebook.com/cameron.thurston

N8CAM

https://www.youtube.com/channel/UCQz...K2Gp6HVQC1IhYQ
__________________
I am the King of All Monitoring.
Reply With Quote
  #29 (permalink)  
Old 05-18-2018, 9:38 PM
Member
   
Join Date: Sep 2008
Location: In the 'patch
Posts: 5,062
Default

Quote:
Originally Posted by Hooligan View Post
Dear Cameron has been a RadioReference member for the past 5 years -- SHOCKER!!
https://www.radioreference.com/apps/user/N8CAM
Not surprised at all.

Quote:
Originally Posted by Hooligan View Post
... There's no talk of whether he actually had the 'secret' SYSTEM KEY
in his radio...
The system key does not reside in the radio. It resides on the computer used to program the radio. A software system key is simply a file that allows the software to unlock the trunking parameters, allowing the user to program the system parameters within it.

Quote:
Originally Posted by Hooligan View Post
...so the 989 transmissions over 2 years could actually have been his radio trying to affiliate with the system (providing the cloned radio-ID),
but the controller responding back & denying the radio access ('bonking' him)
because the radio didn't have the System Key.
Except that to program a P25 trunk system into a Motorola subscriber to use a trunk system, you must have a system key, otherwise the radio will only operate as a conventional radio.


Quote:
Originally Posted by Hooligan View Post
On the other hand, there's plenty of open-source discussions on radio or radio-hacker online forums about how to obtain or even make good guesses as-to the system key for a trunked radio system.
It's an all or nothing kind of deal. Sort of like an encryption key. Either it's all right, or you get nothing at all.

Likely he read enough on Austech or RR to figure out where to get a key generator, and did not read enough on how to properly NAS.


Sent from my iPhone using Tapatalk
__________________
Interoperatablity is not a technology, it is an attitude!!!
Reply With Quote
  #30 (permalink)  
Old 05-18-2018, 10:47 PM
Member
   
Join Date: May 2015
Location: Loudoun Heights, VA
Posts: 486
Default

Man, whackers are getting younger and younger...

Last edited by W9BU; 05-23-2018 at 5:28 PM..
Reply With Quote
  #31 (permalink)  
Old 05-19-2018, 12:30 AM
mmckenna's Avatar
Member
   
Join Date: Jul 2005
Location: WTVLCA01DS0
Posts: 9,325
Default

I think he was talking about Cameron in particular. He's the young man in the back row center of the photo.

Having enabled trunked radios on systems he doesn't have authority to be on, plus several other red flags, points at the whacker culture.

I don't think he was pointing at the CERT team, or at least I hope he wasn't. Most of them are dedicated to what they are doing and don't confuse being a volunteer with being a public safety professional.
Reply With Quote
  #32 (permalink)  
Old 05-19-2018, 2:00 AM
RFI-EMI-GUY's Avatar
Member
  Amateur Radio Operator
Amateur Radio
 
Join Date: Dec 2013
Posts: 2,437
Default

Quote:
Originally Posted by I_am_Alpha1 View Post
I need to get the contact info for this guy's lawyer. Two felony charges reduced to a civil matter with a small fine and basically probation.
Being that the radio he had was a clone of "an infrequently used radio belonging to the county", arguably the 989 keyups of 4.8 seconds each, could belong to the legitimate radio. In other words can they prove he actually transmitted on the system? If I were his defense attorney, I would be demanding audio recordings and corresponding system manager logs. The FCC seems to be building the case on system manager logs alone and assuming that the County radio was never used.



Sent from my SM-T350 using Tapatalk
__________________
"Have Spectrum Analyzer, - Will travel" "Standby for Traffic, Now Going Red"
Reply With Quote
  #33 (permalink)  
Old 05-19-2018, 2:04 AM
RFI-EMI-GUY's Avatar
Member
  Amateur Radio Operator
Amateur Radio
 
Join Date: Dec 2013
Posts: 2,437
Default

Quote:
Originally Posted by KC4RAF View Post
If the system was encrypted but his not, he could not get the control channel/frequency to transmit.
Thus no interference.
Most owners of trunked systems would be shocked to learn how vulnerable the control channel is to interference. Encryption of the control channel won't help in this case.

Sent from my SM-T350 using Tapatalk
__________________
"Have Spectrum Analyzer, - Will travel" "Standby for Traffic, Now Going Red"
Reply With Quote
  #34 (permalink)  
Old 05-19-2018, 2:07 AM
RFI-EMI-GUY's Avatar
Member
  Amateur Radio Operator
Amateur Radio
 
Join Date: Dec 2013
Posts: 2,437
Default

Quote:
Originally Posted by kayn1n32008 View Post
Corroborate where he was at the time the system was receiving the channel grant requests from the cloned ID. Very easy to do with people's use of cell phones. Once you establish a timeline of what sites were receiving channel grants for that RID, confirm the location and status of the actual radio assigned that RID. If the actual county radio is not on, or is being used on a different site, you can show what radio is what. Another way is to look at the affiliation logs for the RID. If it is affiliating with talk groups the actual radio does not have programmed, it eliminates the actual radio as well.

The fact that "the device was a clone of an infrequently
used radio belonging to Oscoda County, Michigan..." likely made corroborating the actions of this person pretty easy.
Except, the FCC isn't making a very strong and compelling argument that the 989, 4.8 second keyups were his.

Sent from my SM-T350 using Tapatalk
__________________
"Have Spectrum Analyzer, - Will travel" "Standby for Traffic, Now Going Red"
Reply With Quote
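The log correlation described in the post quoted above (an RID active on a site the issued radio could not have reached, or affiliating with talkgroups the issued radio is not programmed for), sketched as an added example that is not part of the thread. The CSV layout, RIDs, site and talkgroup names, provisioning table and travel times are all constructed assumptions, not a real system-manager export.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical CSV layout (not a real export format):
# timestamp, radio ID (RID), site, talkgroup, event
SAMPLE_LOG = """\
2018-01-10T08:00:05,7301234,SITE-A,TG-ROADS,affiliate
2018-01-10T08:02:10,7301234,SITE-C,TG-PD-DISP,affiliate
2018-01-10T08:02:31,7301234,SITE-C,TG-PD-DISP,ptt
2018-01-10T09:40:00,7305678,SITE-A,TG-ROADS,affiliate
2018-01-10T09:45:00,7305678,SITE-B,TG-ROADS,affiliate
"""

# Hypothetical provisioning records: talkgroups programmed into each issued radio.
PROVISIONED = {
    "7301234": {"TG-ROADS", "TG-COUNTY-EM"},
    "7305678": {"TG-ROADS"},
}

# Assumed minimum travel time between site pairs; neighbouring sites overlap,
# so normal roaming between them must not be flagged.
MIN_TRAVEL = {
    frozenset(("SITE-A", "SITE-B")): timedelta(minutes=3),
    frozenset(("SITE-A", "SITE-C")): timedelta(minutes=90),
}
DEFAULT_TRAVEL = timedelta(minutes=30)


def parse_log(text):
    """Return log rows as (timestamp, rid, site, talkgroup, event), oldest first."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        ts, rid, site, tg, event = (field.strip() for field in row)
        rows.append((datetime.fromisoformat(ts), rid, site, tg, event))
    return sorted(rows)


def find_clone_indicators(rows, provisioned=PROVISIONED, min_travel=MIN_TRAVEL):
    """Return (rid, timestamp, indicator, detail) for activity the issued radio
    could not have produced."""
    findings = []
    last_seen = {}  # rid -> (timestamp, site) of the previous event
    for ts, rid, site, tg, _event in rows:
        allowed = provisioned.get(rid)
        if allowed is None:
            findings.append((rid, ts, "unknown_rid", site))
        elif tg not in allowed:
            findings.append((rid, ts, "unprovisioned_talkgroup", tg))
        prev = last_seen.get(rid)
        if prev and prev[1] != site:
            needed = min_travel.get(frozenset((prev[1], site)), DEFAULT_TRAVEL)
            if ts - prev[0] < needed:
                findings.append((rid, ts, "impossible_site_change", f"{prev[1]}->{site}"))
        last_seen[rid] = (ts, site)
    return findings


def suspect_rids(findings):
    """RIDs with at least one indicator, for follow-up against custody records."""
    return sorted({rid for rid, _ts, _kind, _detail in findings})


if __name__ == "__main__":
    for finding in find_clone_indicators(parse_log(SAMPLE_LOG)):
        print(*finding)
```

An indicator only shows that two devices share an RID; attributing the activity to a person still needs the independent location and custody evidence the posts discuss.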
  #35 (permalink)  
Old 05-19-2018, 2:15 AM
RFI-EMI-GUY's Avatar
Member
  Amateur Radio Operator
Amateur Radio
 
Join Date: Dec 2013
Posts: 2,437
Default

Quote:
Originally Posted by kayn1n32008 View Post
Not surprised at all.



The system key does not reside in the radio. It resides on the computer used to program the radio. A software system key is simply a file that allows the software to unlock the trunking parameters, allowing the user to program the system parameters within it.



Except that to program a P25 trunk system into a Motorola subscriber to use a trunk system, you must have a system key, otherwise the radio will only operate as a conventional radio.




It's an all or nothing kind of deal. Sort of like an encryption key. Either it's all right, or you get nothing at all.

Likely he read enough on Austech or RR to figure out where to get a key generator, and did not read enough on how to properly NAS.


Sent from my iPhone using Tapatalk
Actually, the Motorola Smartnet system key does a bit more. It turns on the system ID in the radio so that when the system ID is broadcasted, the radio recognizes it and STAYS on the control channel. Read what I said again, because I will let you in on a secret. If you turn on a radio that has a different system ID programmed into it, and you affiliate and transmit before the system ID is broadcast on the control channel, you can actually make a voice call on a system for which the system ID is a mismatch.

Sent from my SM-T350 using Tapatalk
__________________
"Have Spectrum Analyzer, - Will travel" "Standby for Traffic, Now Going Red"
Reply With Quote
  #36 (permalink)  
Old 05-19-2018, 2:36 AM
RFI-EMI-GUY's Avatar
Member
  Amateur Radio Operator
Amateur Radio
 
Join Date: Dec 2013
Posts: 2,437
Default

Quote:
Originally Posted by Hooligan View Post
Dear Cameron has been a RadioReference member for the past 5 years -- SHOCKER!!

***lengthy post unnecessarily quoted***
True about giving consent. He was not caught in the act of transmitting. He was caught in a routine traffic stop and consented to a search. Unless the radio was blasting local PD traffic on an open speaker, he could and should have simply declined a search of the vehicle. They likely had no probable cause.

When I was younger, I was driving my mother's car, with a girlfriend and two school chums I barely knew in the back. I drove into a neighborhood to visit a friend, we stopped for just a minute or two at the end of his driveway. I did not know at the time that MEG agents were watching his neighbor across the street. 15 minutes later, in another town, 10 miles away, the police, with 4 marked cars, pull us over.

They tell me some sort of lie that I was spotted at a nearby location in that same town and they want to search the car. I, being young and dumb, consented. After 45 minutes of the police tearing the car apart and exclaiming loudly WHATS THIS about every innocent thing in the car, a Weston photo light meter, tool kits, everything including a CB and linear hidden in the back, they had to let us go. Had any of the two kids in the back seat had any dope, it would have been trouble.

Never never consent to a warrantless search. Especially if you are innocent...

Sent from my SM-T350 using Tapatalk
__________________
"Have Spectrum Analyzer, - Will travel" "Standby for Traffic, Now Going Red"

Last edited by W9BU; 05-23-2018 at 5:31 PM.. Reason: lengthy post unnecessarily quoted
Reply With Quote
  #37 (permalink)  
Old 05-19-2018, 8:39 AM
KK4JUG's Avatar
Member
  Premium Subscriber
Premium Subscriber
Amateur Radio Operator
Amateur Radio
 
Join Date: Dec 2014
Location: GA, AL, TX, OK, KS, AR, NC, or MI
Posts: 1,923
Default

Quote:
Originally Posted by RFI-EMI-GUY View Post
Except, the FCC isn't making a very strong and compelling argument that the 989, 4.8 second keyups were his.

Sent from my SM-T350 using Tapatalk
Has he put up a fight?

I doubt that the FCC is laying out all the justifications for the accusations they're making.
__________________
If you can read this, thank a teacher. If you can read this in English, thank a vet.
Reply With Quote
  #38 (permalink)  
Old 05-19-2018, 9:41 AM
Member
   
Join Date: May 2016
Posts: 708
Default

So during his trainings or a mutual aid a legit radio got in his hands, was read or cloned over then given back and he did his work. Lock plugs, disable cloning options if possible. While it is possibly a pointless thing for some cases it slows down the possible issues.

He knew what he had to do to clone it, planned it, waited for it. Did he lose his certification for being a community volunteer for all this?
Reply With Quote
  #39 (permalink)  
Old 05-19-2018, 10:58 AM
Member
   
Join Date: May 2015
Location: Loudoun Heights, VA
Posts: 486
Default

Quote:
Originally Posted by LosRio View Post
So during his trainings or a mutual aid a legit radio got in his hands, was read or cloned over then given back and he did his work. Lock plugs, disable cloning options if possible. While it is possibly a pointless thing for some cases it slows down the possible issues.

He knew what he had to do to clone it, planned it, waited for it. Did he lose his certification for being a community volunteer for all this?
I'm surprised he hasn't faced local charges for any of this - taking police property without permission, misuse of public safety equipment, etc.

And the whole cloning thing... everyone's always so paranoid about mean ol' Motorola swooping down on people misusing and abusing software they're not supposed to have, you'd think the big M would have a grand time making a very public example out of young Cameron the whacker and any possible co-conspirators or unauthorized dealers (if indeed it was Motorola equipment used... but I'm sure other radio mfr's have similar license and use policies).
Reply With Quote
  #40 (permalink)  
Old 05-19-2018, 5:13 PM
Member
   
Join Date: Dec 2014
Posts: 564
Default

Quote:
Originally Posted by RFI-EMI-GUY View Post
Never never consent to a warrantless search. Especially if you are innocent...
Amen.
Reply With Quote