MARCS Radio Authentication

Status
Not open for further replies.

kayn1n32008

ØÆSØ Say it, say 'ENCRYPTION'
Joined
Sep 20, 2008
Messages
7,005
Location
Sector 001
LLA, or any sort of challenge/response system, should have been a basic security feature of the P25 protocol.

As it is, there is ZERO security or access control to a P25 network. Let's be honest, the 'system key' as a security device to prevent unauthorized programming of subscribers was absolutely broken LOOOONG before 9600 baud trunking was even a thing.

Just the need for specific software to watch for cloned/hacked/unauthorized radios goes to show just how badly APCO failed in the development of Project 25.
 

wa8pyr

Retired and playing radio whenever I want.
Staff member
Lead Database Admin
Joined
Sep 22, 2002
Messages
7,294
Location
Ohio
LLA, or any sort of challenge/response system, should have been a basic security feature of the P25 protocol.

As it is, there is ZERO security or access control to a P25 network. Let's be honest, the 'system key' as a security device to prevent unauthorized programming of subscribers was absolutely broken LOOOONG before 9600 baud trunking was even a thing.
Link layer has been part of the P25 standard for a long time. The disconnect occurred when manufacturers were allowed to make it optional on the systems and subscriber units, leaving us in the pickle we're in now.

Just the need for specific software to watch for cloned/hacked/unauthorized radios goes to show just how badly APCO failed in the development of Project 25.
Got news for you, but the same software exists for DMR and NXDN. P25 isn’t the only victim, and those others were not developed by APCO. It’s an industry-wide failing.
 

N8WCP

Member
Premium Subscriber
Joined
Jun 10, 2020
Messages
111
LLA, or any sort of challenge/response system, should have been a basic security feature of the P25 protocol.

As it is, there is ZERO security or access control to a P25 network. Let's be honest, the 'system key' as a security device to prevent unauthorized programming of subscribers was absolutely broken LOOOONG before 9600 baud trunking was even a thing.

Just the need for specific software to watch for cloned/hacked/unauthorized radios goes to show just how badly APCO failed in the development of Project 25.
Use of the ESN vs programmable RID would have been one method to reduce cloning. Would have been nice if they had defined the structure of the core so you could use equipment from any manufacturer instead of being married for life to one. This will all be moot once FirstNet is fully built out and PS moves to an LTE based network.
 

wd8chl

Member
Joined
Apr 4, 2007
Messages
446
So, when a radio is 'authenticated', it is as was said, but it does get tied to a serial number, since if you try another radio with the same ID, it won't allow it. I haven't actually seen a case yet, but I think if you try to authenticate a second radio with the same ID as one that has already been authenticated, it throws up a flag.
But even on systems that do not use this, if it's a multi-site (not simulcast) system, and two radios with the same ID try to access from different sites, it will eventually deny both radios. Two radios with the same ID can't be logged into two different sites at the same time. That is something I've seen with MARCS in years past.
 

kayn1n32008

ØÆSØ Say it, say 'ENCRYPTION'
Joined
Sep 20, 2008
Messages
7,005
Location
Sector 001
Got news for you, but the same software exists for DMR and NXDN. P25 isn’t the only victim, and those others were not developed by APCO. It’s an industry-wide failing.
For both Tier 3 and NXDN Type-C there are further provisions to prevent cloned and unauthorized radios from accessing the system. This isn't an additional feature, it's how it's designed to operate. There is nothing, if LLA isn't used and enforced, with P25.
 

kayn1n32008

ØÆSØ Say it, say 'ENCRYPTION'
Joined
Sep 20, 2008
Messages
7,005
Location
Sector 001
Use of the ESN vs programmable RID would have been one method to reduce cloning.
Requiring validation of the ESN+RID would stop any unauthorized radios. Especially if it was required the ESN+RID be sent OTA encrypted. Even better would be having a trunked transmission flag that subscribers would recognize and ignore if it is on a conventional channel (like NXDN).
This will all be moot once FirstNet is fully built out and PS moves to an LTE based network.
First Net is not going to replace LMR for first responders any time soon. Cell companies are not in the habit of building coverage where there are not people.
 

N8WCP

Member
Premium Subscriber
Joined
Jun 10, 2020
Messages
111
Requiring validation of the ESN+RID would stop any unauthorized radios. Especially if it was required the ESN+RID be sent OTA encrypted. Even better would be having a trunked transmission flag that subscribers would recognize and ignore if it is on a conventional channel (like NXDN).

First Net is not going to replace LMR for first responders any time soon. Cell companies are not in the habit of building coverage where there are not people.
Not soon, but 10-15 years we'll see the transition to LTE begin. The cost of infrastructure and ongoing maintenance will drive this move similar to how technology costs are driving dispatch consolidation. This assumes the First Net Authority has built out enough sites to support it.
 

N8WCP

Member
Premium Subscriber
Joined
Jun 10, 2020
Messages
111
So, when a radio is 'authenticated', it is as was said, but it does get tied to a serial number, since if you try another radio with the same ID, it won't allow it. I haven't actually seen a case yet, but I think if you try to authenticate a second radio with the same ID as one that has already been authenticated, it throws up a flag.
The second radio overrides the first in the authentication server. Hopefully the first and all radios are programmed to honk if affiliation fails so they are aware the radio will not work.
 

kayn1n32008

ØÆSØ Say it, say 'ENCRYPTION'
Joined
Sep 20, 2008
Messages
7,005
Location
Sector 001
Not soon, but 10-15 years we'll see the transition to LTE begin. The cost of infrastructure and ongoing maintenance will drive this move similar to how technology costs are driving dispatch consolidation. This assumes the First Net Authority has built out enough sites to support it.
FirstNet isn't building sites, AT&T is.
 

kayn1n32008

ØÆSØ Say it, say 'ENCRYPTION'
Joined
Sep 20, 2008
Messages
7,005
Location
Sector 001
Link layer has been part of the P25 standard for a long time. The disconnect occurred when manufacturers were allowed to make it optional
No, the disconnect was APCO not including it in the ORIGINAL publication of Project 25, and making it a functional requirement in the protocol. It was an afterthought.

The challenge/response of needing a valid ESN AND matching the RID provisioned in the system core, to even allow a subscriber to receive traffic like NXDN Type-C trunking that Kenwood brought to market, is how P25 trunking should have been designed.
 

kayn1n32008

ØÆSØ Say it, say 'ENCRYPTION'
Joined
Sep 20, 2008
Messages
7,005
Location
Sector 001
So, when a radio is 'authenticated', it is as was said, but it does get tied to a serial number, since if you try another radio with the same ID, it won't allow it. I haven't actually seen a case yet, but I think if you try to authenticate a second radio with the same ID as one that has already been authenticated, it throws up a flag.
But even on systems that do not use this, if it's a multi-site (not simulcast) system, and two radios with the same ID try to access from different sites, it will eventually deny both radios. Two radios with the same ID can't be logged into two different sites at the same time. That is something I've seen with MARCS in years past.
On a system that requires LLA, you have to have an LLA key loaded into the legit radio. When the radio goes to register, the controller will challenge the radio in response to its registration attempt. If it is a legit subscriber, it will respond to the challenge, and if it is the correct response, the controller will allow the registration, and let the radio affiliate to the selected talkgroup (assuming the talkgroup is valid on the site).

If a cloned radio with the same RID attempts to register, the same sequence of events will occur, except the cloned radio will not have a valid LLA key. When the radio does not give the correct response to the controller's challenge, the controller will deny the registration and ignore the cloned subscriber. Nothing should happen to the legit radio.
 
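The registration sequence kayn1n32008 lays out above (controller challenges the registering radio, accepts only a correct response, ignores a clone that has the RID but not the key, and leaves the legit radio alone), together with the duplicate-ID-at-two-sites denial wd8chl describes earlier in the thread, as a constructed Python model. This is an added example, not anything from the thread, from MARCS or from any vendor: it uses a generic HMAC-SHA256 challenge/response as a stand-in for the real P25 LLA algorithm, and the Radio/Controller classes, the key, RID 1001, the site numbers and the challenge/response lengths are all made up for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Set

# Constructed toy model of a trunked-system controller. The challenge/response
# below is a generic HMAC-SHA256 scheme chosen for illustration only; it is
# NOT the algorithm the P25 Link Layer Authentication standard specifies.
CHALLENGE_LEN = 10   # bytes; arbitrary for this model
RESPONSE_LEN = 16    # truncated MAC length; arbitrary for this model


class Radio:
    """A subscriber unit. A cloned radio has the right RID but no LLA key."""

    def __init__(self, rid: int, lla_key: Optional[bytes]):
        self.rid = rid
        self.lla_key = lla_key

    def respond(self, challenge: bytes) -> bytes:
        if self.lla_key is None:
            # A clone never received the key; the best it can do is guess.
            return secrets.token_bytes(RESPONSE_LEN)
        return hmac.new(self.lla_key, challenge, hashlib.sha256).digest()[:RESPONSE_LEN]


class Controller:
    """Tracks which site each RID is registered at and enforces LLA when required."""

    def __init__(self, provisioned_keys: Dict[int, bytes], require_lla: bool = True):
        self.keys = provisioned_keys               # RID -> LLA key held in the core
        self.require_lla = require_lla
        self.registrations: Dict[int, int] = {}   # RID -> site currently registered
        self.blocked: Set[int] = set()            # RIDs flagged for duplicate use
        self.events: List[str] = []               # what an operator would see logged

    def _challenge(self, radio: Radio) -> bool:
        # Fresh random challenge each time, so a recorded response cannot be replayed.
        challenge = secrets.token_bytes(CHALLENGE_LEN)
        expected = hmac.new(self.keys[radio.rid], challenge, hashlib.sha256).digest()[:RESPONSE_LEN]
        return hmac.compare_digest(expected, radio.respond(challenge))

    def register(self, radio: Radio, site: int) -> bool:
        rid = radio.rid
        if rid not in self.keys:
            self.events.append(f"deny rid={rid} site={site}: RID not provisioned")
            return False
        if rid in self.blocked:
            self.events.append(f"deny rid={rid} site={site}: RID blocked after duplicate-ID conflict")
            return False
        if self.require_lla and not self._challenge(radio):
            # Wrong response: the clone is ignored; the legit radio's registration is untouched.
            self.events.append(f"deny rid={rid} site={site}: LLA challenge failed")
            return False
        previous = self.registrations.get(rid)
        if previous is not None and previous != site:
            # Same RID active at two sites at once (no LLA to tell them apart):
            # flag the RID and deny both radios until an operator clears it.
            self.registrations.pop(rid)
            self.blocked.add(rid)
            self.events.append(f"conflict rid={rid}: site {previous} and site {site}; both denied")
            return False
        self.registrations[rid] = site
        self.events.append(f"accept rid={rid} site={site}")
        return True

    def clear(self, rid: int) -> None:
        """Operator clears a flagged RID after investigating the duplicate."""
        self.blocked.discard(rid)


def demo():
    key = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed key
    legit = Radio(rid=1001, lla_key=key)
    clone = Radio(rid=1001, lla_key=None)

    # System that requires LLA: the clone fails the challenge, legit stays registered.
    lla = Controller({1001: key}, require_lla=True)
    lla_result = (lla.register(legit, site=1), lla.register(clone, site=2),
                  lla.registrations.get(1001))

    # System without LLA: the clone looks identical, so the only signal is the
    # same RID showing up at two sites, and then both radios get denied.
    nolla = Controller({1001: key}, require_lla=False)
    nolla_result = (nolla.register(legit, site=1), nolla.register(clone, site=2),
                    nolla.register(legit, site=1), 1001 in nolla.blocked)
    return lla_result, nolla_result


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Running it prints `(True, False, 1)` for the LLA-enforcing controller and `(True, False, False, True)` for the one without LLA, which is the difference the thread is arguing about: with a key in the loop the controller can tell the clone from the legit radio on the first registration attempt, without it the controller can only notice the duplicate after the fact and has to take both radios off the air.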

buddrousa

Member
Premium Subscriber
Joined
Jan 5, 2003
Messages
12,478
Location
Retired 40 Year Firefighter NW Tenn
FirstNet is a specialized wireless communications network, not a traditional cellphone company. It is designed specifically for first responders and public safety personnel across the United States. Here are the key points about FirstNet:

Overview of FirstNet

  • Purpose: FirstNet was established to provide a reliable and secure communications platform for first responders, ensuring they have prioritized access during emergencies when commercial networks may be congested or fail
  • Network Structure: It operates as a mobile virtual network operator (MVNO), meaning it does not own its own cellular infrastructure but instead uses AT&T's network to provide coverage

Features

  • Prioritized Connectivity: FirstNet users have priority access to the network, particularly during times of high demand, such as natural disasters or large public events
  • Dedicated Spectrum: It utilizes Band 14, a specific spectrum set aside for public safety, which enhances reliability and performance during critical situations
  • Broad Coverage: The network claims to cover over 99% of Americans, extending its reach to rural and underserved areas

Target Audience

  • First Responders: The primary users of FirstNet are firefighters, police officers, paramedics, and other emergency personnel who require dependable communication tools in their line of work
  • Families of First Responders: There are also plans available that allow family members of first responders to benefit from the same network services
In summary, while FirstNet provides cellphone services, its focus is on delivering enhanced communication capabilities for emergency services rather than competing directly with commercial cellphone carriers.
 

jrothwell

Member
Joined
Sep 30, 2012
Messages
146
Location
Manchester, NH
Link layer authentication is two factor authentication. If the feature wasn't purchased originally, the user can add it to radios which support this feature. An encrypted key is programmed into the radio and sent to the system as part of the affiliation process. The user does not need to supply MARCS with the ESN of their radios.
This is not "two factor authentication", it's "single factor authentication". What do you think the second factor is?
 

kayn1n32008

ØÆSØ Say it, say 'ENCRYPTION'
Joined
Sep 20, 2008
Messages
7,005
Location
Sector 001
Not soon, but 10-15 years we'll see the transition to LTE begin. The cost of infrastructure and ongoing maintenance will drive this move similar to how technology costs are driving dispatch consolidation. This assumes the First Net Authority has built out enough sites to support it.
So what happens when FirstNet/AT&T shits the bed and the network fails?

And coverage, 99% of population coverage is NOT the same as geographic coverage. I doubt FirstNet will ever be able to deliver even 4 9's of coverage, capacity or reliability.
 