• To anyone looking to acquire commercial radio programming software:

    Please do not make requests for copies of radio programming software which is sold (or was sold) by the manufacturer for any monetary value. All requests will be deleted and a forum infraction issued. Making a request such as this is attempting to engage in software piracy and this forum cannot be involved or associated with this activity. The same goes for any private transaction via Private Message. Even if you attempt to engage in this activity in PM's we will still enforce the forum rules. Your PM's are not private and the administration has the right to read them if there's a hint to criminal activity.

    If you are having trouble legally obtaining software please state so. We do not want any hurt feelings when your vague post is mistaken for a free request. It is YOUR responsibility to properly word your request.

    To obtain Motorola software see the Sticky in the Motorola forum.

    The various other vendors often permit their dealers to sell the software online (i.e., Kenwood). Please use Google or some other search engine to find a dealer that sells the software. Typically each series or individual radio requires its own software package. Often the Kenwood software is less than $100 so don't be a cheapskate; just purchase it.

    For M/A Com/Harris/GE, etc: there are two software packages that program all current and past radios. One package is for conventional programming and the other for trunked programming. The trunked package is in upwards of $2,500. The conventional package is more reasonable though is still several hundred dollars. The benefit is you do not need multiple versions for each radio (unlike Motorola).

    This is a large and very visible forum. We cannot jeopardize the ability to provide the RadioReference services by allowing this activity to occur. Please respect this.

Security Weakness in P25

Status
Not open for further replies.

GTO_04

Member
Joined
Mar 10, 2004
Messages
1,935
Location
Noblesville, IN
So while they may brag that encrypted P25 systems can't be scanned, they are still very much vulnerable to terrorist attack by jamming, which is relatively easy to do.

GTO_04
 

mobile1

Member
Joined
Feb 17, 2008
Messages
357
Location
Sk
> I found this article while browsing the web:
> http://repository.upenn.edu/cgi/viewcontent.cgi?article=1990&context=cis_reports
>
> Interesting stuff, especially about the encryption weaknesses.
Thanks so much for the link to this information DJX. I use Pro96com to get a vast amount of information from the P25 control channels and also directly from the portables and mobiles. The site affiliation and other events tabs show the best information. You can see who is around and know how close they are and know when they leave the area. Even when the talkgroups are encrypted you get to see all this information.
 

mikewazowski

Forums Manager/Global DB Admin
Staff member
Forums Manager
Joined
Jun 26, 2001
Messages
13,527
Location
Oot and Aboot
> So while they may brag that encrypted P25 systems can't be scanned, they are still very much vulnerable to terrorist attack by jamming, which is relatively easy to do.
>
> GTO_04

Any system which has an OTA interface can be easily jammed.

The writers tend to point out the flaws in the system but what they don't say is that most of these vulnerabilities exist in other systems as well.

Kind of like saying Ferraris are unsafe when driven on icy roads. Any car is unsafe when driven on an icy road.

The only claims that P25 makes is that the contents of the traffic is safe from eavesdropping.
 

jackj

Member
Joined
Jul 19, 2007
Messages
1,548
Location
NW Ohio
The idea that any Over-The-Air communication is secure is laughable. If you want secure communication then don't broadcast it to anyone and everyone. All it takes to break ANY type of encryption is time and money. If you have enough of both then you can read/listen to any and all communication. But you may not be able to do it in REAL TIME and that is the end goal of P25 encryption. P25 encryption achieves that goal.
 

mobile1

Member
Joined
Feb 17, 2008
Messages
357
Location
Sk
Looking for more information on this subject see the P25-security pdf and the other files on this. Go to : www.vk2tvk.org
I found the site with Google. If you take a good look at all the files there you will see that they are using Unitrunker to decode the P25 control channels and that it is located on the Governor Phillip Tower, New South Wales, Sydney, Australia. I think there may be more information on this system in the database here. This guy may be a member on this site? Taking a look in the Australia forum now.
 

Hooligan

Member
Joined
May 15, 2002
Messages
1,311
Location
Clark County, Nevada
> The idea that any Over-The-Air communication is secure is laughable. If you want secure communication then don't broadcast it to anyone and everyone. All it takes to break ANY type of encryption is time and money. If you have enough of both then you can read/listen to any and all communication. But you may not be able to do it in REAL TIME and that is the end goal of P25 encryption. P25 encryption achieves that goal.

I disagree. Strong encryption + a LPI/LPD waveform/channel makes the communication quite secure since unauthorized parties don't even know the communication is taking place, let alone are able to capture the communication, let alone decode the communication.

Sure, with unlimited time & money, you can get someone to build a time machine & transport you to 30 years from now, where you can buy a computer & bring it back here to 2011, then you can find someone who knows how to write a program to have that computer from 2041 break AES in a couple minutes.

Or with that unlimited money, you can make a 'donation' of a couple billion dollars to the FSB or NSA & maybe they'll try to crack a code for you.

You talk about "P25 encryption," but exactly WHAT encryption format are you referring to? AES is Type I certified for protection of Top-Secret information. Some TS information is just tactically important (that a large air-strike is about to take place), but a lot has a shelf-life of many years, meaning the AES cipher key being broken even a year after the AES-protected transmission reasonably could be expected to cause exceptionally grave damage to US national security despite the secured communication not being decoded in REAL TIME by an unauthorized party. Thus, P-25 AES's goal is far from simply protecting the info from being decoded by an enemy in real or even near-real time.
 

DJX

Member
Joined
Nov 14, 2008
Messages
126
Location
Ohio
Either way...I don't think it's that important to encrypt traffic stops and speeding.
I see no harm in listening to that.
 

jackj

Member
Joined
Jul 19, 2007
Messages
1,548
Location
NW Ohio
I could be wrong about this Hooligan but from what I've read, P25's encryption key is only 48 bits. A 48 bit key can be brute-forced in a matter of hours using today's top line computers. But if it takes you 6 or 7 hours to retrieve the secret key then the drug raid or stakeout will most likely be over before you are able to read the traffic. If the system generated new keys every 15 minutes then you probably will never be able to read the traffic in real time. The goal of P25's encryption isn't long-term protection, it's to keep you and me from reading the traffic in real time.
 

Hooligan

Member
Joined
May 15, 2002
Messages
1,311
Location
Clark County, Nevada
> I could be wrong about this Hooligan but from what I've read, P25's encryption key is only 48 bits. A 48 bit key can be brute-forced in a matter of hours using today's top line computers. But if it takes you 6 or 7 hours to retrieve the secret key then the drug raid or stakeout will most likely be over before you are able to read the traffic. If the system generated new keys every 15 minutes then you probably will never be able to read the traffic in real time. The goal of P25's encryption isn't long-term protection, it's to keep you and me from reading the traffic in real time.

Jack,

Again, you keep referring to P25 as encryption. It is not. It is an encoding/decoding & information standard. So *once again* I'll assume you're referring to AES. AES comes in several implementations that offer varying levels of protection. AES-256 is certified by NSA for the protection of Top Secret-level information. AES-128 is the lowest key size I've heard of, and in the USA it is certified by NIST for the protection of sensitive, but unclassified information.

I already responded to your claim that P25 encryption (sic) is only designed to protect info against real or near-real time unauthorized decryption in my prior post.


As the great report referenced in the original post shows, there are vulnerabilities to using a P-25 circuit, with or without encryption. They're all well-known to the people involved with designing comm networks (though as the report pointed out, often not the actual users). But you seem to be fixated on the AES issue without just cause.
 

Hooligan

Member
Joined
May 15, 2002
Messages
1,311
Location
Clark County, Nevada
> Either way...I don't think it's that important to encrypt traffic stops and speeding.
> I see no harm in listening to that.

So you're suggesting that a LEA use a non-secure channel for communications regarding civil infractions "traffic stops & speeding," but it'd be OK if they use a secure-channel for misdemeanor & felony crimes in progress?

I understand & agree with what you're getting at, but I think if an LEA already using P-25 wants to protect their radio comms regarding in-progress crimes, it's easier for them to just encrypt the dispatch channel 100% (which would include 'routine' traffic-stop related comms) instead of necessitating officers going back between secure & non-secure modes.


In the days of DVP/DES & speech-inversion, it was different because using those modes had an impact on circuit quality (range/intelligibility) so some agencies would just selectively use secure mode (Austintown Township, Ohio is an example) but these days if they're already using P25, AES itself doesn't have a negative impact on circuit quality.


Getting back to the original report, I think the biggest item of concern is clear-voice override, meaning a hostile party transmitting in P25 non-secure on the right freq & with the right NAC can intrude on the secure net & possibly inject harmful information without being discovered, because the legitimate users, even using secure-mode, will hear that person & quite possibly not recognize him as an intruder. Clear voice override is a 'feature' of Motorola DVP & NIST DES because federal agents were somewhat nervous about the high-tech digital voice stuff not working right & if they were out on the street in a firefight, they wanted to be sure that everyone would hear their SOS call, even if their radio was transmitting in analog mode.

Accidentally having your radio in the non-secure mode on what's supposed to be a secure channel/operation is a big threat too, but that can be mitigated by the radios being programmed to only transmit in secure-mode on a channel.
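The two failure modes in the post above (an outside radio keying up in clear on a secure net, and a fleet radio accidentally left in non-secure mode) both show up the same way on the air: a clear-voice call on a talkgroup that the agency's plan says should always be encrypted. The script below is an added example written for this thread, not code from the referenced report or any radio vendor; it audits a constructed call log of the kind a control-channel decoder can emit (timestamp, NAC, talkgroup, source radio ID and P25 algorithm ID) and separates "unknown radio" from "keyed fleet radio with the secure switch off". The log format, talkgroup numbers, NAC and fleet list are all made up for the example; the ALGID values are the TIA-102 ones (0x80 clear, 0x81 DES-OFB, 0x84 AES-256), so check them against whatever your decoder actually reports.

```python
"""Audit a P25 call log for clear voice on talkgroups designated secure.

Added example for this forum thread, not code from the P25 report or any
project. Log format, NAC, talkgroups and radio IDs below are constructed.
ALGID values follow TIA-102 (assumption if your decoder labels them differently).
"""
import re
from dataclasses import dataclass

ALGID_CLEAR = 0x80
ALGID_NAMES = {0x80: "clear", 0x81: "DES-OFB", 0x84: "AES-256"}

# Constructed policy data: which talkgroups must always be encrypted, the
# system's NAC, and the radio IDs that belong to the agency's fleet.
SECURE_TALKGROUPS = {1101, 1102}
EXPECTED_NAC = 0x293
FLEET_RADIOS = {70231, 70312, 70455}

# Constructed sample log: one line per voice call start.
SAMPLE_LOG = """\
2011-08-10 14:02:11 NAC=0x293 TG=1101 SRC=70455 ALGID=0x84
2011-08-10 14:02:40 NAC=0x293 TG=1205 SRC=70312 ALGID=0x80
2011-08-10 14:03:05 NAC=0x293 TG=1101 SRC=70455 ALGID=0x80
2011-08-10 14:03:30 NAC=0x293 TG=1102 SRC=90001 ALGID=0x80
2011-08-10 14:04:02 NAC=0x293 TG=1102 SRC=70231 ALGID=0x81
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) NAC=(?P<nac>0x[0-9A-Fa-f]+) TG=(?P<tg>\d+) "
    r"SRC=(?P<src>\d+) ALGID=(?P<algid>0x[0-9A-Fa-f]+)$"
)


@dataclass
class VoiceCall:
    ts: str
    nac: int
    tg: int
    src: int
    algid: int


@dataclass
class Finding:
    call: VoiceCall
    note: str


def parse_calls(text):
    """Parse log lines into VoiceCall records, skipping lines in other formats."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        calls.append(VoiceCall(m["ts"], int(m["nac"], 16), int(m["tg"]),
                               int(m["src"]), int(m["algid"], 16)))
    return calls


def audit_calls(calls, secure_tgs=SECURE_TALKGROUPS, fleet=FLEET_RADIOS,
                expected_nac=EXPECTED_NAC):
    """Return one Finding per clear-voice call on a secure talkgroup.

    The note distinguishes a radio outside the fleet list (possible intruder
    using clear-voice override) from a fleet radio that has transmitted
    encrypted elsewhere in the log (keyed radio with secure mode switched off).
    """
    keyed = {c.src for c in calls
             if c.nac == expected_nac and c.algid != ALGID_CLEAR}
    findings = []
    for c in calls:
        if c.nac != expected_nac or c.tg not in secure_tgs or c.algid != ALGID_CLEAR:
            continue
        if c.src not in fleet:
            note = "radio ID not in fleet list (possible intruder)"
        elif c.src in keyed:
            note = "fleet radio seen encrypted elsewhere (secure switch off?)"
        else:
            note = "fleet radio never seen encrypted (not keyed?)"
        findings.append(Finding(c, note))
    return findings


if __name__ == "__main__":
    for f in audit_calls(parse_calls(SAMPLE_LOG)):
        c = f.call
        print(f"{c.ts} TG={c.tg} SRC={c.src} "
              f"{ALGID_NAMES.get(c.algid, hex(c.algid))}: {f.note}")
```

The "seen encrypted elsewhere" heuristic is deliberately weak on purpose: it only tells a radio shop which units to look at first. Running this against a live decoder feed per talkgroup, rather than once over a file, is the same loop with `keyed` maintained incrementally.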
 

Squad10

Member
Joined
Nov 8, 2007
Messages
922
> In the days of DVP/DES & speech-inversion, it was different because using those modes had an impact on circuit quality (range/intelligibility) so some agencies would just selectively use secure mode (Austintown Township, Ohio is an example) but these days if they're already using P25, AES itself doesn't have a negative impact on circuit quality.

Only if the agency ordered the Clear/Code board when Motorola Securenet DVP/DES was in its infancy:>}

USPS is an example.
 

MattSR

Member
Joined
Jul 26, 2002
Messages
407
Location
Sydney, Australia
> Index of /GNUradio
> Looks like you were messing with P25 encryption stuff.
> You get anywhere with that?

We successfully cracked DES-OFB and one other P25 based encryption algorithm that we are yet to release the details on. We have proven that P25 DES-OFB key recovery can be performed in less than a day.

Regards,
Matt
VK2TVK
 

DJX

Member
Joined
Nov 14, 2008
Messages
126
Location
Ohio
Cool,
I would love to see more details...or even do a little testing myself, if it's possible.
 

hitechRadio

Member
Joined
Dec 23, 2010
Messages
538
Well looks like we should start encrypting the CC as well, that should make scanner listeners happy. But I think we might be in luck, because I doubt system administrators will do that, just for the reason of money. If the CC was encrypted every radio would have to have encryption in them. But they could implement a basic encryption on the CC that does not require a secure module.

This paper is an obvious attack against P25, hell he goes out of the way to mention his opinions on design flaws of Motorola subscriber equipment.

As far as I'm concerned that article is a bunch of bs.

As far as MattSR, sure ya did. LOL
 