FCC Notice of Unlicensed Operation and Interfering with a Public Safety Trunking System


Echo4Thirty

(and even with an unencrypted control channel there are still encryption keys needed to affiliate with the system).

umm..what? The only time this is remotely true is when the system requires Link Layer Authentication. That however does not stop a radio from transmitting on the inbound control channel, it just results in denial of registration from the FNE.

You can also affiliate with an encrypted TG with no TEK loaded in your radio. Depending on your radio's and the system's programming you might even get a voice grant with no TEK. Regardless of how the radio and system are configured in this case, you are still transmitting on the inbound control channel. You just either get rejected (TG set to secure only) or your radio won't TX voice as it has no TEK loaded.

Encrypted Control Channel is supposed to solve this issue, but there are exactly ZERO systems using this technology currently. That said, I know of a ton of system managers that would love to have it. Most of those are on this site and are probably reading this thread and saving the PDFs from the FCC to show their local NAS guys what happens when you don't NAS right.
 

mmisk

Encryption doesn't stop a radio from attempting to affiliate.
But if they encrypt the control channel then it is game over. Scanners will not be able to follow talk groups.
Of course, if everything is encrypted including the CC it is a moot point I guess.
I would expect CC encryption is in the works now.
 

mwjones

umm..what? The only time this is remotely true is when the system requires Link Layer Authentication. That however does not stop a radio from transmitting on the inbound control channel, it just results in denial of registration from the FNE.

In the IT world we use the same technologies (I don't proclaim to be an expert in Trunked Radio Systems, but there are a lot of parallels to the IT systems I do know, including "pre-shared keys" - PSKs that are commonly used in these applications) - That's the "locked door" analogy I was using. If a person is knocking on a locked door (aka Transmitting) even without an Authentication/Encryption key (which in the technology is the same thing, just different applications) it can still block other legitimate users.

You can also affiliate with an encrypted TG with no TEK loaded in your radio. Depending on your radio's and the system's programming you might even get a voice grant with no TEK. Regardless of how the radio and system are configured in this case, you are still transmitting on the inbound control channel. You just either get rejected (TG set to secure only) or your radio won't TX voice as it has no TEK loaded.

That is still a Denial-of-Service attack, be it on the Control Channel or Voice Channel (and ultimately the talk group)

Encrypted Control Channel is supposed to solve this issue, but there are exactly ZERO systems using this technology currently. That said, I know of a ton of system managers that would love to have it. Most of those are on this site and are probably reading this thread and saving the PDFs from the FCC to show their local NAS guys what happens when you don't NAS right.

Encrypted Control Channel sounds like a solution in search of a problem. In the case of Denial-of-Service attack, it will do nothing to stop it. Even a low-skill attack transmitting "noise" on the control channel - if it's strong enough to saturate the inputs could render a system/site unusable, and since it's not affiliated with the system, nor sending legitimate messages, there's no way to "inhibit" it - leaving it up to the fine folks at the FCC to track it down and pull the plug.

To me Encrypted Control Channel sounds like a way for the manufacturers to get more taxpayer dollars by requiring you to upgrade incompatible radios, even if they're still within their expected service life. Same goes for TDMA control channels (which as you notice only one company thus far supports them, and even now they are few and far between, with only a handful of non-public safety companies using them).

It all comes down to a mantra I use regularly - "Technology will never fix what is a human resources problem" - That's why I'll stick to the passive monitoring of a scanner (for as long as the industry will allow me).
 

Echo4Thirty

The layer 1 interface (and really layer 2 also) are very basic. Layer 1 attacks are very easy and the system tries to get around this by detecting rogue RF on the input (illegal carriers) and rolling the control channel to another.

The control channel has no PSK or TLS. On a system employing link layer authentication, there are some encrypted challenges that come into play but it's more of a layer 4 process. LLA just really encrypts the registration payloads within the packets themselves with a key shared between the system and the SU. It does not encrypt the entire ISP/OSP stream. This is similar to how P25 handles encrypted voice traffic and data payloads.

All of this is a rough way to fit a P25 control channel into the OSI model.

What LLE (Control Channel Encryption) is designed to solve is exactly what is in this thread. A rogue radio can't decrypt the control channel and thus cannot generate ISPs to transmit to attempt registration. This does lock out scanners and other RX only devices too, but there is so much data already sent in the clear with P25 (even with LLA and full AES TG encryption) that it makes some system managers nervous, and rightfully so. The control channel is blasting out tons of system specific information that can be used against the security of the system. Imagine a WiFi network telling anyone how to intrude into the network, sent in the clear for anyone with a $20.00 USB stick to pick up. A P25 control channel is really not much different from an open WiFi AP. And unlike WiFi, there is no WPA/WPA2 to employ... well not yet, hence LLE.

My personal opinion is that we will see a broad jump to cellular technologies before we see a massive rollout of LLE enabled LMR systems. Of course these IP based (Cell/WiFi) systems are inherently unmonitorable anyway so LLE might be moot.

As for jamming attacks, RF is RF. How do you propose solving it? Even on wireless and cellular networks with all kinds of access controls, basic transmitters can take them down. We once had a BDA go into self oscillation and it took out not only our closest P25 subsite, but also AT&T on 880. There is no technology that can mitigate this, just as if you were trying to talk to your buddy 6 feet away and I am screaming in your ear right in front of you. The loudest signal wins (even in spread spectrum this is true, it just raises the BER).
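To make the registration argument in this thread concrete, here is an added toy model (example code, not from the thread, any poster, or any P25 stack): an FNE with Link Layer Authentication logs every inbound control-channel burst, denies registration to a unit that fails the challenge, and rejects a secure-only talkgroup affiliation from a radio with no TEK, yet the inbound channel was occupied in every case. HMAC-SHA256 stands in for the real LLA algorithm, the message names are used only as labels, and the keys, unit IDs and talkgroups are constructed.

```python
# Toy FNE model: LLA challenge-response plus talkgroup affiliation.
# HMAC-SHA256 is a stand-in for the real P25 LLA algorithm; message names
# are labels only; keys, unit IDs and talkgroups below are constructed.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class FNE:
    lla_keys: dict                     # unit_id -> shared LLA key (constructed)
    secure_only_tgs: set               # talkgroups programmed "secure only"
    inbound_cc_log: list = field(default_factory=list)  # every inbound ISP, accepted or not
    registered: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)         # outstanding challenges

    def _rx(self, unit_id, isp):
        # Any inbound control-channel burst occupies the channel, whatever its fate.
        self.inbound_cc_log.append((unit_id, isp))

    def registration_request(self, unit_id):
        self._rx(unit_id, "U_REG_REQ")
        nonce = secrets.token_bytes(16)
        self.pending[unit_id] = nonce
        return nonce                   # challenge goes out on the outbound CC

    def auth_response(self, unit_id, response):
        self._rx(unit_id, "AUTH_RESP")
        nonce = self.pending.pop(unit_id, None)
        key = self.lla_keys.get(unit_id)
        if nonce is None or key is None:
            return "REG_DENIED"        # unknown unit: nothing to check against
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        if hmac.compare_digest(expected, response):
            self.registered.add(unit_id)
            return "REG_ACCEPTED"
        return "REG_DENIED"            # wrong key: FNE ignores the unit from here on

    def group_affiliation(self, unit_id, tg, has_tek):
        self._rx(unit_id, f"GRP_AFF_REQ tg={tg}")
        if unit_id not in self.registered:
            return "AFF_DENIED"        # never registered
        if tg in self.secure_only_tgs and not has_tek:
            return "AFF_DENIED"        # secure-only TG, radio has no TEK
        return "AFF_ACCEPTED"


def build_fne():
    return FNE(lla_keys={0x1001: b"constructed-lla-key-1001"}, secure_only_tgs={501})


def run_scenario(fne, unit_id, key, tg, has_tek):
    """Register then affiliate; return (reg result, aff result, inbound CC bursts used)."""
    before = len(fne.inbound_cc_log)
    nonce = fne.registration_request(unit_id)
    response = hmac.new(key, nonce, hashlib.sha256).digest()
    reg = fne.auth_response(unit_id, response)
    aff = fne.group_affiliation(unit_id, tg, has_tek)
    return reg, aff, len(fne.inbound_cc_log) - before
```

Every scenario, accepted or denied, leaves the same three inbound bursts in `inbound_cc_log`; a denied registration is what the system manager can alert on, not something LLA prevents from being transmitted.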
 

GTR8000

And in case it is not clear, once a transceiver like this is programmed for a system (with or without an encryption key), if you switch to a talk group and do not even key the mic, the transceiver still transmits to the system to register itself. And if the dispatcher is watching things, she sees that. So without keying the mic and without having a key, you have interfered.
Dispatchers do not see registrations/affiliations. They will likely see the subscriber ID on the console during a transmission, but they're not seeing any of the other control channel messaging.
 

kayn1n32008

Not necessary to prevent system access, and the RFI from kerchunkers will still interfere.
Encrypted control channel prevents a shot ton of meta data from being revealed, and will keep hacked radios from being able to even passively monitor the system.

LLA does the same thing, except it doesn't prevent the disclosure of Metadata.

Frankly all P25 systems should have 100% of voice traffic encrypted, because it would just discourage these whackers from attempting to even try to listen; encrypted control channel and LLA ensure they can't.
In the IT world we use the same technologies (I don't proclaim to be an expert in Trunked Radio Systems, but there are a lot of parallels to the IT systems I do know, including "pre-shared keys" - PSKs that are commonly used in these applications) - That's the "locked door" analogy I was using. If a person is knocking on a locked door (aka Transmitting) even without an Authentication/Encryption key (which in the technology is the same thing, just different applications) it can still block other legitimate users.
It can, but once the system does not receive the correct response to its challenge, it ignores that radio and acts like it isn't there. I'm sure the system can also be set up to issue an inhibit command to the RID without the correct LLA key.
That is still a Denial-of-Service attack, be it on the Control Channel or Voice Channel (and ultimately the talk group)
The system can see that the noise floor has risen to the point of making the CC or VC unusable; it can temporarily remove them from the usable pool of channels (stop using the VC, and rotate the control to a new RF channel).
Encrypted Control Channel sounds like a solution in search of a problem. In the case of Denial-of-Service attack, it will do nothing to stop it. Even a low-skill attack transmitting "noise" on the control channel - if it's strong enough to saturate the inputs could render a system/site unusable, and since it's not affiliated with the system, nor sending legitimate messages, there's no way to "inhibit" it - leaving it up to the fine folks at the FCC to track it down and pull the plug.
While true, the site should be alerting the system admin to the interference problems with the site.
To me Encrypted Control Channel sounds like a way for the manufacturers to get more taxpayer dollars by requiring you to upgrade incompatible radios, even if they're still within their expected service life.
No, encrypted control channel keeps Metadata about the system from being used to collect Intel on the system.
Same goes for TDMA control channels (which as you notice only one company thus far supports them, and even now they are few and far between, with only a handful of non-public safety companies using them).
TDMA control channel frees up half the RF channel and adds an available voice path. It's a way to add capacity without adding RF resources.
It all comes down to a mantra I use regularly - "Technology will never fix what is a human resources problem" - That's why I'll stick to the passive monitoring of a scanner (for as long as the industry will allow me).
Lmao.
 

dlwtrunked

Dispatchers do not see registrations/affiliations. They will likely see the subscriber ID on the console during a transmission, but they're not seeing any of the other control channel messaging.
In a system that I was on, when I was unable to raise a unit, the dispatcher told me the unit I called was on the air but they had made no voice transmission (I was listening, as was the dispatcher). (The person had turned on the radio and fallen promptly asleep--I found that out by going to that building.) This was a DOD P25 trunked system. Of course anyone watching the control channel can see this. My conclusion is that at least some dispatchers (or techs in the same room) are seeing the control channel information. On another system, I saw a PC in the transmitter building showing such information (in a crude program) although no one sat at it (that was later removed).
 

talviar

pretty soon P25 systems will have encrypted control channels and you can thank people like this for it..
Probably more with Radio Authentication..... Going through with this now. Spoke with Dave Dombrowski a while back regarding the same issue. Looks like a way has finally been located to help nail some of these folks that won't go out and buy a scanner.
 

EAFrizzle

It's refreshing to see that none of the people here that have posted have any inclination at all towards criminality.

Were I to actually be a criminal, suffice it to say, encryption wouldn't affect my work in any way.
 

mwjones

No, encrypted control channel keeps Metadata about the system from being used to collect Intel on the system.

TDMA control channel frees up half the RF channel and adds an available voice path. It's a way to add capacity without adding RF resources.

After I posted my last comment, I realized I should have included a comment about Encrypted Control Channel and TDMA control channel - yes, they have applications, but for sake of interoperability, many system administrators probably hesitate to consider implementing them.

In Texas there are no less than 62 independent P25 systems (not to mention the hundreds of non-trunked P25 users that may have access to neighboring trunked systems like my community does) being used by law enforcement (and in Dallas County alone there are 10). I know someone who works for a County that has a radio with no less than 3 systems (his home system and 2 others) in the code plug.

While the radios can likely be updated OTA to enable those features, the logistics of coordinating with all of those SysAdmins to update their code plugs is no small feat. The State of Texas has an extensive interoperability plan and assigns specific blocks of radio IDs to each agency to easily identify the "home system" of a roaming radio. They don't call out specifics on trunked systems beyond Radio IDs yet, but if all the players start going various ways then it would not surprise me that they reel them back in through this statewide plan.
 

cg

Next is likely an arrest warrant and another FCC letter with a request for $$ via a NAL.
 

W1KNE

In the past, for pirate broadcast violations, it would go in this order.

NOUO (your first letter to knock it off). Either a second NOUO or NOV (Notice of Violation); this is the first step to getting in incredibly serious trouble. Followed by an NAL (Notice of Apparent Liability), aka a fine. The FCC has seized equipment and issued arrest warrants under the NOV warning as well, but typically the NAL appears first.

Now I am not sure how much has changed with the recent changes in the commission, nor if the violations herein are treated the same.
 

kayn1n32008

...yes, they have applications, but for sake of interoperability, many system administrators probably hesitate to consider implementing them.
Why? No different than doing encrypted interop. Not difficult to do properly, just takes coordination, planning and a willingness to work together between agencies that will be using different systems on a day to day basis, or even a once a year mutual aid event.
While the radios can likely be updated OTA to enable those features, the logistics of coordinating with all of those SysAdmins to update their code plugs is no small feat.
It would be something that would have to be worked towards. To think it could be done overnight is just delusional.

However:
The State of Texas has an extensive interoperability plan and assigns specific blocks of radio ID's to each agency to easily identify the "home system" of a roaming radio.
This is a start, but it would have to be expanded to coordinate all the requirements to have LLA and encrypted control channel.
They don't call out specifics on trunked systems beyond Radio IDs yet, but if all the players start going various ways then it would not surprise me that they reel them back in through this statewide plan.
This is the way it would need to be done. This would include non-trunked P25 agencies when it comes to most aspects of encryption as well. It seems like a huge mountain to overcome; it can be.

Is it an impossible task? No. However it would require everyone to be on the same team, with the same end goal, and ego would need to be left at the door.
 

prcguy

In my opinion probably no arrest looming. If the guy hands things over to an attorney to respond and be a go between I doubt if he will be assessed any fine. I've seen that happen in the past.
One case I'm a little familiar with from many years ago, from a police dept I will not mention, had an actual person jamming their fire or police, I forget which, and the city radio guy used an OAR direction finder and drove right to the person's truck and caught him jamming with microphone in hand. Police were dispatched and the suspect was roughed up and arrested. The info was sent to the FCC for action and they did nothing with it. That would be police records and city employees who would testify they saw and caught the person jamming public service comms. I think they had to eventually release the guy. So the FCC apparently doesn't pursue all cases. Too bad for the city of Long Beach, CA on that one.

Dohhh!
 

KK4JUG

Just to play Devil's Advocate here, what could be done if during the investigation copies of unlicensed or illegal software were found in the person in question's possession?
Technically, that's probably not an FCC problem. They couldn't punish for that but it could possibly show intent and help further their case.
 

CcSkyEye

Technically, that's probably not an FCC problem. They couldn't punish for that but it could possibly show intent and help further their case.
I'm thinking the same.

I doubt the FCC is too concerned about boot-legged software, but I could be wrong.
 

kc2asb

In my opinion probably no arrest looming. If the guy hands things over to an attorney to respond and be a go between I doubt if he will be assessed any fine. I've seen that happen in the past.
Seems incredible that one can interfere with or attempt to illegally access a public safety system and basically just walk away. IMHO, appears the FCC takes busting pirate broadcasters more seriously.
 