ka5lqj
Member
RADIO TECHNOLOGY: PROBLEMS WITH P25 SECURITY
While it’s not of much concern to hams who have adopted Project 25 digital audio, researchers looking at the security of this system have discovered that it's easily jammed, and almost as easily compromised. And all of this can be accomplished using a kid’s toy.
--
During a two-year study, researchers from the University of Pennsylvania found that encryption on a police P25 network was not only routinely switched off, but also demonstrated how a 25-dollar toy called the GirlTech IM-ME could be reprogrammed to jam transmissions and even exclude specific users or subnets. It also showed how a more expensive option could track a specific user.
P25 is the United States equivalent to the trans-European Trunked Radio or TETRA digital audio radio system. But unlike TETRA, which is deployed in a dedicated and fairly secure radio spectrum, P25 had to be compatible with the existing analog systems, and is thus squeezed into a fixed 12.5 kilohertz split-channel spacing. However, that is not the only thing making it vulnerable. According to the report, P25 uses fixed-length packets, optionally encrypted using a symmetric key, distributed to handsets manually or over the air.
They say that the first problem is that key distribution doesn't always work. As such, the research team found users frequently get cut out and have to ask the rest of the group to switch off encryption for the duration of the operation. Individual users can also, inadvertently, switch off their own encryption without other users being alert enough to notice.
The researchers' 16-page report does have practical advice for users of the P25 digital audio mode. It suggests reprogramming handsets to make switching off encryption less obvious, and reminding users when it has been switched off. But the team also concludes that fundamentally the P25 system wasn't designed with a properly layered security model, and that this will always leave it more vulnerable than it should be.
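The key-distribution failure and the silent fall-back to clear voice that the post describes can be modelled in a few dozen lines. The following is an added example, written for this page; it is not code from the original post or from the University of Pennsylvania report. It uses a deliberately simplified stand-in for the P25 voice header (P25 does carry an algorithm ID and a key ID per transmission, and ALGID 0x80 is the value meaning "clear", but the real Link Control and encryption-sync signalling is richer than this). Unit IDs, talkgroup numbers, key IDs and key bytes are constructed sample data. The `audit` function plays the role of the "remind users when encryption is off" advice from the fleet side: it flags clear traffic on a talkgroup that policy says must be encrypted, flags a radio still keyed with a stale key after a rotation, and lists which radios were cut out of each encrypted transmission.

```python
"""Simplified model of P25-style per-transmission encryption signalling.

Added example for this page, not from the original post or the UPenn report.
VoiceHeader is a simplified stand-in for the P25 header fields; the ALGID
values below are the real P25 ones, everything else is constructed.
"""
from dataclasses import dataclass, field

ALGID_CLEAR = 0x80    # P25 algorithm ID: unencrypted voice
ALGID_AES256 = 0x84   # P25 algorithm ID: AES-256


@dataclass(frozen=True)
class VoiceHeader:
    unit_id: int
    talkgroup: int
    algid: int
    kid: int          # key ID; meaningless when algid == ALGID_CLEAR


@dataclass
class Radio:
    unit_id: int
    keys: dict = field(default_factory=dict)  # kid -> key bytes (constructed)
    active_kid: int = 0
    encrypt: bool = True                      # the front-panel "secure" toggle

    def transmit(self, talkgroup: int) -> VoiceHeader:
        if self.encrypt and self.active_kid in self.keys:
            return VoiceHeader(self.unit_id, talkgroup, ALGID_AES256, self.active_kid)
        # Toggle off, or selected key not loaded: the radio falls back to clear.
        return VoiceHeader(self.unit_id, talkgroup, ALGID_CLEAR, 0)

    def can_decode(self, hdr: VoiceHeader) -> bool:
        return hdr.algid == ALGID_CLEAR or hdr.kid in self.keys


def rekey(radios, kid: int, key: bytes) -> None:
    """Load a key into each radio that received the (manual or OTA) update."""
    for r in radios:
        r.keys[kid] = key
        r.active_kid = kid


def audit(headers, radios, encrypted_talkgroups, current_kids):
    """Fleet-side checks over observed headers; returns a list of findings."""
    findings = []
    for h in headers:
        if h.algid == ALGID_CLEAR and h.talkgroup in encrypted_talkgroups:
            findings.append(("CLEAR_ON_ENCRYPTED_TG", h.unit_id, h.talkgroup))
        elif h.algid != ALGID_CLEAR and h.kid not in current_kids:
            findings.append(("STALE_KID", h.unit_id, h.kid))
        cut_out = tuple(r.unit_id for r in radios
                        if r.unit_id != h.unit_id and not r.can_decode(h))
        if cut_out:
            findings.append(("CUT_OUT", h.unit_id, cut_out))
    return findings


def scenario():
    """Constructed sequence: a missed rekey, then the group drops to clear."""
    TG_OPS = 1001
    a, b, c = Radio(1), Radio(2), Radio(3)
    rekey([a, b, c], kid=1, key=b"\x01" * 32)   # initial key load
    rekey([a, b], kid=2, key=b"\x02" * 32)      # rotation; radio 3 missed it
    headers = []
    headers.append(a.transmit(TG_OPS))          # AES, KID 2: radio 3 is cut out
    headers.append(c.transmit(TG_OPS))          # radio 3 still keyed with KID 1
    a.encrypt = False                           # group switches off to include radio 3
    headers.append(a.transmit(TG_OPS))          # clear voice on a secure talkgroup
    headers.append(b.transmit(TG_OPS))          # radio 2 never toggled: 3 cut out again
    return audit(headers, [a, b, c], {TG_OPS}, current_kids={2})


if __name__ == "__main__":
    for finding in scenario():
        print(finding)
```

Note that the radio holding only the stale key (unit 3) is not itself cut out of its own transmission, and the radios that kept the old key can still decode it; the audit catches it only because the key-management side knows which key ID is current. The "CLEAR_ON_ENCRYPTED_TG" finding is the check that the report's advice asks handsets and dispatch to surface to users.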