P25 Link Level Encryption

[kk6yus]

One of well known security flaws (if you'll call it that) is the ability to monitor talkgroup/user IDs even on encrypted systems. As the article quoted states, Link Level Encryption is in the works. (http://www.project25.org/images/stories/ptig/P25_Standards_Updates/TR8_2016_summary_6.09.16.pdf)

My questions to you all are,

Does anyone have an updated progress or timeline report?

What do you suppose the financial costs for such a change would be?

Would implementing this be likely for current encrypted systems, or something for when the system upgrades way after P25 Phase 11?

Would it require new equipment?

Would it make it essentially impossible to monitor any talk groups, encrypted or not?


Many questions I know but its a concern when purchasing future scanning equipment.

It appears that the P25 standard has encrypted control channels proposed.

Updates on P25 Security, Wireline Interfaces Among January Work


Sent via Tapatalk

-73

 

[jim202]

One of well known security flaws (if you'll call it that) is the ability to monitor talkgroup/user IDs even on encrypted systems. As the article quoted states, Link Level Encryption is in the works. (http://www.project25.org/images/stories/ptig/P25_Standards_Updates/TR8_2016_summary_6.09.16.pdf)

My questions to you all are,

Does anyone have an updated progress or timeline report?

What do you suppose the financial costs for such a change would be?

Would implementing this be likely for current encrypted systems, or something for when the system upgrades way after P25 Phase 11?

Would it require new equipment?

Would it make it essentially impossible to monitor any talk groups, encrypted or not?


Many questions I know but its a concern when purchasing future scanning equipment.


-73

What difference does it make if the control channel gets encrypted? You can't listen to the talkgroup if the talkgroup is already encrypted.

End user customers have been asking for the control channel to be encrypted for well over 10 years now.

If encrypting the control channel will require new user equipment and maybe the tower radio equipment may depend on just how new it is and how much free memory the radio has left to incorporate the new feature. I am sure we will see it coming down the pipe sometime in the future.

 

[kk6yus]

Thank you for your response. I am curious because it eliminates the possibility traffic analysis. While it is considered a passive attack by some, it is a hobby of others. I had never considered the memory constraint.

Edit- Some trunked systems also have both encrypted and unencrypted talkgroups, so I imagine an encrypted CC would not allow monitoring of even unencrypted talkgroups I.e. Public works, animal control

 

[RFI-EMI-GUY]

Encrypted control channels might be the end for hobbyist scanning . The security flaw is serious. If an adversery can determine that secure voice activity is occurring and can link that to specific talk groups or units it is a tactical deficiency.

Sent from my SM-T350 using Tapatalk

 

[mancow]

Another solution looking for a problem.

 

[kk6yus]

Encrypted control channels might be the end for hobbyist scanning . The security flaw is serious. If an adversery can determine that secure voice activity is occurring and can link that to specific talk groups or units it is a tactical deficiency.

Sent from my SM-T350 using Tapatalk

You're certainly right. Technology is an interesting thing.

 

[kk6yus]

Any speculation on how conventional operations would be effected, such as simple repeater or simplex channels?

 

[RFI-EMI-GUY]

Any speculation on how conventional operations would be effected, such as simple repeater or simplex channels?

The P25 control codes for encryption are wide open in conventional mode. There was a paper published that described a cheap and simple method of jamming just those bits so that radio users would find themselves forced to turn encryption off simply to be heard. Also the TG and user ID info is in the clear.

Sent from my SM-T350 using Tapatalk

 

[kk6yus]

The P25 control codes for encryption are wide open in conventional mode. There was a paper published that described a cheap and simple method of jamming just those bits so that radio users would find themselves forced to turn encryption off simply to be heard. Also the TG and user ID info is in the clear.

Sent from my SM-T350 using Tapatalk

I've just read this puplication. There is also a less informative YouTube video. It seems link level encryption is just one of many serious security flaws in the P25 suite, albeit all systems have them.

A glimmer of light for hobbyists may be that conventional modes will remain unobscured by an encrypted control channels. Time shall tell it seems, so I'll keep listening!

 

[toastycookies]

The P25 control codes for encryption are wide open in conventional mode. There was a paper published that described a cheap and simple method of jamming just those bits so that radio users would find themselves forced to turn encryption off simply to be heard. Also the TG and user ID info is in the clear.

Sent from my SM-T350 using Tapatalk

It can be done with a $25 toy.

https://www.cnet.com/news/security-flaw-found-in-feds-digital-radios/

https://www.youtube.com/watch?v=NW-jRRTPCuw

Project 25 Digital Radios (law enforcement grade) vulnerable to the IM-ME | Hackaday

 

[RFI-EMI-GUY]

Scary isn't it? The best minds designed P25 and it is fundamentally flawed. A low probability of intercept jammer from Target.

Sent from my SM-T350 using Tapatalk

 

[nrf]

it would definitely be a blow to the hobby if they decided to encrypt cc for channels that are not encrypted, But I am not seeing how it is such a big deal...If a certain channel is always 'protected', what benefit / intelligence can be gained from knowing it is active at a certain time? talk about a low bandwidth channel.

and if it is only sometimes protected, what is the danger of someone knowing they decided to encrypt it for a minute?

 

[kk6yus]

it would definitely be a blow to the hobby if they decided to encrypt cc for channels that are not encrypted, But I am not seeing how it is such a big deal...If a certain channel is always 'protected', what benefit / intelligence can be gained from knowing it is active at a certain time? talk about a low bandwidth channel.

and if it is only sometimes protected, what is the danger of someone knowing they decided to encrypt it for a minute?

Pretty sure that isn't available yet.


It would let one see when a canine officer switched to a given dispatch channel (manhunt in progress) or when the ETF did (barricaded suspect) or when those special event groups start loading up with radio affiliations at 4 am (drug raids at 5 am); these are all very useful things to know when you're the overnight ENG.

I'm sure others can find uses.


If the outbound CC is encrypted, why wouldn't the inbound also be?


Pretty sure that isn't available yet.


What additional Security Interfaces and Services are being worked on in TIA/P25?

Key Fill Interface to the KMF, Authentication Facility and between Key Fill devices.

Link Layer Encryption for protection of Control signaling and group/individual IDs on the trunking control channel, trunked and conventional voice channels and trunked and conventional data channels.

Traffic analysis could alert potential adversaries that a narcotics units is active, for example, because they've gathered the data and done the foot work to know. Especially with FOIA at state and local levels, one could easily match TG and Radio IDs to particular units.

It is scary, Id agree.

 

[TDR-94]

I can see the scanner 'rights' advocates throwing a fit already.

"It's your 'right' to be able to perform radio traffic analysis in order to find out the Radio ID's of your public safety officials and know which TG's they are active on!!!"

"You paid for this radio system as individual tax payers and it's your right as an 'individual' to keep tabs on them!"

Makes you wonder how much longer (if it ever comes to widespread adoption) it will be possible for certain companies to make money providing the public with the ability to monitor trunked P25 systems.

 

[kk6yus]

I can see the scanner 'rights' advocates throwing a fit already.

"It's your 'right' to be able to perform radio traffic analysis in order to find out the Radio ID's of your public safety officials and know which TG's they are active on!!!"

"You paid for this radio system as individual tax payers and it's your right as an 'individual' to keep tabs on them!"

Makes you wonder how much longer (if it ever comes to widespread adoption) it will be possible for certain companies to make money providing the public with the ability to monitor trunked P25 systems.

I believe the dedicated hobbyist and adversary alike will always be able to glean some sort of information, however minute, from such a system. With SDR applications I imagine P25 will also become less supported as it's progressively being encrypted, but still contain extractable information for more knowledgeable folks.

 

[Priority-One]

Would this also be similar to "whiting out" a system?

I've heard that in D.C there are systems where everything is "Whited out" to prevent any kind of signal from being received. I am unsure of the validity behind that, but i heard that here on RR years ago.

 

[RFI-EMI-GUY]

Would this also be similar to "whiting out" a system?

I've heard that in D.C there are systems where everything is "Whited out" to prevent any kind of signal from being received. I am unsure of the validity behind that, but i heard that here on RR years ago.

Are you talking about the National Radio Quiet Zone in Virginia? That is to protect a radio-telescope. A great place to live if you are afraid of radio waves or are a SWL!

As far as areas where there might be no radio coverage. I can tell from experience that the US Customs area of Orlando International Airport has absolutely no cellular service. They have signs posted to prohibit it and even then, there is no Verizon coverage. I am sure this is intentional to prevent conspiracy among travelers passing customs. Creating diversions etc. Not sure if they are jamming or have heavy shielding. I suspect they went out of their way to shield the rooms.