NXDN Scrambler and AOR scanners

Status
Not open for further replies.

LimaZulu

Member
Joined
Jul 7, 2011
Messages
346
Recently I saw that some AOR scanners that can do digital modes, NXDN in particular, are able to discover the code that is used by the built-in digital scrambler used by Kenwood NexEdge and ICOM IDAS radios. So, I was wondering: are they able to do it only when receiving the signal, or is it possible for them to obtain it from a RAW (unfiltered) audio recording as well?
 

Giddyuptd

Member
Premium Subscriber
Joined
Oct 6, 2018
Messages
1,302
Location
Here and there
Scramble or voice inversion I haven't seen on most minus small commercial applications. Pretty much just a Hz it needs to decode. Most use the default Kenwood or Icom setting so most of the time it wouldn't be hard.
 

mmckenna

I ♥ Ø
Joined
Jul 27, 2005
Messages
23,618
Location
Hiding in a coffee shop.
Scramble or voice inversion I haven't seen on most minus small commercial applications. Pretty much just a Hz it needs to decode. Most use the default Kenwood or Icom setting so most of the time it wouldn't be hard.

I was/am skeptical also.
I did pull up the manual for it, and it does look like it's actual NXDN encryption, not the voice inversion scrambling. It appears to let you enter a code, or let it search.

I'd love to know how long it takes to search, and how it knows when it's got the right code.

I'd also love to know how they got around the FCC requirements on decoding traffic that is not intended for the party. I'm sure it'll go back to "selling it is OK, using it isn't" sort of thing.

It should be noted that most of the NXDN radios that Kenwood sells can be outfitted with an add-on AES/DES encryption board making the value of this function useful with only the stock/included encryption.
 

chill1971

Member
Premium Subscriber
Joined
Nov 1, 2006
Messages
31
Location
Opdyke, Illinois
It's the non-U.S. versions of the AOR radios. Since using it is illegal in the U.S., let's just say that allegedly it's quick.
 

LimaZulu

Member
Joined
Jul 7, 2011
Messages
346
Scramble or voice inversion I haven't seen on most minus small commercial applications. Pretty much just a Hz it needs to decode. Most use the default Kenwood or Icom setting so most of the time it wouldn't be hard.

It's different from standard analog voice inversion, which is pretty easy to descramble even without any special equipment. The NXDN standard includes a 15-bit digital scrambler that has 32767 key variations. On top of that, radios can be equipped with a 3rd-party scrambler board, but that's something out of the standard which NXDN includes by default. Yes, it's not as strong as AES/DES encryption, but honestly speaking it's not even encryption. It's just a digital way to invert the voice. It's stronger than analog voice inversion but weaker than real encryption. As I already said, there are 32767 possible keys so it's not just "click 'n' try" :) So, sorry, it's not anything near to "...just a hz it needs to decode."
:)
This document claims that 1 to 2 seconds (for AOR AR-DV1) with a good signal are enough for the key to be found: http://www.aorja.com/udoc/AR-DV1_undocumented_features.pdf As far as I know, newer models also have that feature :)
 

racingfan360

Member
Joined
Dec 19, 2005
Messages
1,158
Just to confirm a few points:
- The AOR DV1x do both analog [voice inversion] descrambling and the 'decryption' of the NXDN standard linear feedback shift XOR 15-bit 'NXDN encryption' available out of the box on most Kenwood and Icoms.
- AOR seem to go to great pains to point out the latter is just 'scrambling' and it definitely isn't 'decoding an encrypted signal of any kind', whereas Kenwood and Icom will tell you it's encryption. Draw your own conclusions on why each party states as they do.
- It is a pretty basic method but as stated at nearly 33k keys it's not bad and not trivial to brute force. So it offers a degree of privacy but not really security.
- Don't forget the AORs only do the Very Narrow (6.25 kHz BW) version of NXDN and not the Narrow (12.5 kHz) version
- I've never come across a 'default NXDN encryption code'. In fact all the different systems I've researched use different codes.
- In my experience of the DV10 it typically takes about 4-6 seconds to search/find the code in use. It will work about 80% of the time. With a known code programmed into memory it might still take 1-2 seconds to sync (ie you get 1-2 secs of garbage with the right key programmed in). It can drop sync part way through a call. In contrast a Kenwood transceiver or Icom R30 will sync immediately, and the voice quality is unaffected throughout.
- The AOR only works on a live signal. However in theory perhaps if you could find a way of using the raw recording to modulate say a 10.7MHz signal and feed direct to the AOR that might work???
- I'm not in the US before anyone asks
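
The "privacy but not really security" point above, as an added example that is not part of any post in this thread and is not AOR's, Kenwood's or Icom's code: a toy 15-bit LFSR XOR scrambler whose whole keyspace is enumerated against a known frame header, which is also one way a search can tell it has the right code. The tap positions, the 16-bit marker, the payload and the key are assumptions constructed for illustration and are not taken from the NXDN specification.

```python
# Added illustration: toy 15-bit LFSR XOR scrambler plus exhaustive key search.
# ASSUMPTION: the taps (PRBS15-style, maximal length) and the 16-bit frame
# marker are constructed here; neither is taken from the NXDN specification.
KEY_BITS = 15
MASK = (1 << KEY_BITS) - 1   # 0x7FFF: usable keys are 1..32767, 0 locks the LFSR
MARKER = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 1]  # constructed header


def step(state):
    """Advance the LFSR one bit; return (new_state, keystream_bit)."""
    bit = ((state >> 14) ^ (state >> 13)) & 1
    return ((state << 1) | bit) & MASK, bit


def scramble(bits, key):
    """XOR bits with the keystream for key; applying it twice restores bits."""
    state, out = key & MASK, []
    for b in bits:
        state, k = step(state)
        out.append(b ^ k)
    return out


def lfsr_period(key=1):
    """Count steps until the register returns to its seed."""
    state, n = step(key)[0], 1
    while state != key:
        state, n = step(state)[0], n + 1
    return n


def search_keyspace(scrambled):
    """Try every key; accept those whose descrambled header equals MARKER."""
    head = scrambled[:len(MARKER)]
    hits = [k for k in range(1, MASK + 1) if scramble(head, k) == MARKER]
    return hits, MASK


if __name__ == "__main__":
    frame = MARKER + [0, 1, 1, 0, 1, 0, 0, 1] * 4   # constructed payload
    on_air = scramble(frame, 12345)                  # constructed key
    hits, tried = search_keyspace(on_air)
    print(f"period={lfsr_period()} keys tried={tried} matching keys={hits}")
```

Because the register has only 15 bits, 16 known bits are enough to leave exactly one candidate key; a 256-bit AES key offers no comparable shortcut.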
 

wa8pyr

Technischer Guru
Staff member
Lead Database Admin
Joined
Sep 22, 2002
Messages
6,983
Location
Ohio
- AOR seem to go to great pains to point out the latter is just 'scrambling' and it definitely isn't 'decoding an encrypted signal of any kind', whereas Kenwood and Icom will tell you it's encryption. Draw your own conclusions on why each party states as they do.

It doesn't matter what format is used to obscure the content of the communication; voice inversion, ARC4, DES, AES. . . as far as the law goes in the US (and I suspect many other countries as well) it's all encryption, and descrambling/decryption is illegal unless you're an authorized party to the communication. AOR is being rather disingenuous by saying that voice inversion "is just scrambling" and they're not "decoding an encrypted signal of any kind" since the intent of all those formats remains preventing unauthorized users monitoring it.
 

mmckenna

I ♥ Ø
Joined
Jul 27, 2005
Messages
23,618
Location
Hiding in a coffee shop.
….since the intent of all those formats remains preventing unauthorized users monitoring it.

Exactly. Which is why I run encryption on some of our talkgroups.

Products like this will just drive me to utilize more secure forms of encryption. Not that I put a lot of stock in the 15 bit encryption that Kenwood uses, but it helped restrict casual reception. Not all personal info is to be shared with the general public.
 

mikewazowski

Forums Manager/Global DB Admin
Staff member
Forums Manager
Joined
Jun 26, 2001
Messages
13,459
Location
Oot and Aboot
It's the non-U.S. versions of the AOR radios. Since using it is illegal in the U.S., let's just say that allegedly it's quick.

According to the manual, "the US consumer version comes with cellular frequencies blocked and analog voice descrambler function deactivated by hardware."

Analog Voice Scrambler refers to inversion using a carrier frequency between 2000 and 7000 Hz. This is not the same as the Digital Scramble Codes used on NXDN.

So yes, the AOR receivers will discover the scramble code on a live signal. Doubtful it would do it on a prerecorded signal.
 

LimaZulu

Member
Joined
Jul 7, 2011
Messages
346
wa8pyr, mmckenna, both of you are right, but that's not the point of this thread. I do understand the reason for scrambling, encrypting, etc. but if there is some feature of that kind why not use it? :) Everyone who is going to use it will do it on their own responsibility :) Other than that, you know what they say - encryption is enemy number one of our hobby
 

G7HID

Member
Joined
Nov 13, 2015
Messages
626
Location
Box 500 Slough UK
I was/am skeptical also.
I did pull up the manual for it, and it does look like it's actual NXDN encryption, not the voice inversion scrambling. It appears to let you enter a code, or let it search.
I'd love to know how long it takes to search, and how it knows when it's got the right code.
On the DV1 you trigger an NXDN code search, when a scrambled signal appears it takes about 2 seconds to display a code and unscramble the audio.
The code stays on the screen and the radio will decode using that key code until cleared.
The downside is if you have a frequency with both clear and scrambled traffic, entering or finding the key for the scrambled user makes users that were previously in the clear now scrambled.

Mike
 

wa8pyr

Technischer Guru
Staff member
Lead Database Admin
Joined
Sep 22, 2002
Messages
6,983
Location
Ohio
wa8pyr, mmckenna, both of you are right, but that's not the point of this thread. I do understand the reason for scrambling, encrypting, etc. but if there is some feature of that kind why not use it? :) Everyone who is going to use it will do it on their own responsibility :) Other than that, you know what they say - encryption is enemy number one of our hobby

You're basically right of course, but I'd make the argument that an even bigger enemy is illegal decryption, and companies like AOR providing a convenient way to decrypt transmissions. All it takes is for someone official to become "officially" aware of that feature and it's likely that the excreta will hit the rapidly spinning blades of the cooling device.
 

LimaZulu

Member
Joined
Jul 7, 2011
Messages
346
That's what's called evolution :) Our ability to hear them developed their need to go secure. Then we learned to pass their security so they became even more secure. And so on, and so on :)
 

mmckenna

I ♥ Ø
Joined
Jul 27, 2005
Messages
23,618
Location
Hiding in a coffee shop.
That's what's called evolution :) Our ability to hear them developed their need to go secure. Then we learned to pass their security so they became even more secure. And so on, and so on :)

AES256 isn't going to be as simple as 15 bit encryption. Plus there's a pretty healthy portion of the law enforcement and federal users that rely on it. They'll make sure that products that do this won't enter the country.
 

LimaZulu

Member
Joined
Jul 7, 2011
Messages
346
Well, nobody said anything about cracking AES 256 :) Other than that, even if the type of encryption was the same, you can't compare a 15-bit key with a 256-bit one :)
The whole thing is that the NXDN standard includes those 32766 keys by default. They are there, in the radio. It's like analog radio, where those types of 'security' measures are in the menu of the transceiver. The only difference is that NXDN is doing this digitally. Like AES came to this world to replace DES, the digital scrambler came here to replace the analog one (who knows what's coming one day to replace AES and all those other fancy encryption methods) :) And since they are in the radio it is a matter of time (a lot of time, and maybe even not enough if they change it regularly) to test them all and find the right one if you want. The AOR receiver just does it easily for you :)
And let me point out that I do not push anybody into illegal actions, nor am I looking for a way to break the encryption! I was just wondering about the way those receivers act - do they scan it only when they are receiving a live signal or do they have an option for post-processing a recorded one, since they have the ability to record baseband audio. That's all :) It's up to the user to "think before you act" and whether you should act if you have the ability to do it :)
 

mmckenna

I ♥ Ø
Joined
Jul 27, 2005
Messages
23,618
Location
Hiding in a coffee shop.
I think it was a good question. I've heard others talk about the decryption feature, but there was so little info on it, it was hard to confirm. Glad to see AOR finally did a better job of describing it.

It'll be interesting to see if they somehow get this into the USA. But I'm sure they'll find a way. Heck, looking at all the stuff that makes it on to the airwaves, this is probably the least of the issues.
 

LimaZulu

Member
Joined
Jul 7, 2011
Messages
346
I do have such a signal in my area (I am not in the US) and there is a local AOR dealer here, but those scanners are pretty expensive for me to buy one just to test it. If anyone is interested in trying to feed baseband audio in any way to his scanner I can send him an audio sample, but other than that I can't be more helpful.
Seems that the AR-5700D also supports that feature:

........
It'll be interesting to see if they somehow get this into the USA. But I'm sure they'll find a way.......

Well, I'm sure they already did. For sure there is someone with good friends or relatives outside of US who will send/bring one :)
 

WX4JCW

Member
Premium Subscriber
Joined
Jun 26, 2006
Messages
3,403
Location
Stow, Ohio
I do have such a signal in my area (I am not in the US) and there is a local AOR dealer here, but those scanners are pretty expensive for me to buy one just to test it. If anyone is interested in trying to feed baseband audio in any way to his scanner I can send him an audio sample, but other than that I can't be more helpful.
Seems that the AR-5700D also supports that feature:



Well, I'm sure they already did. For sure there is someone with good friends or relatives outside of US who will send/bring one :)
always wanted to visit Tokyo :p .
but seriously, most agencies just wanted to keep the average scanner listener out//app user, if true Opsec was a priority it would be budgeted,
but there are always evil genius hackers out there who will eventually crack everything, then they get a job at the NSA, the evolution argument is correct. so to worry about NXDN keys is kinda useless if you are serious about Opsec
 