Russia hacked lightweight FBI radios

Status
Not open for further replies.

zerg901

Member
Premium Subscriber
Joined
Apr 19, 2005
Messages
3,725
Location
yup
I got the impression it was "lightweight" portables with "lightweight" encryption that got hacked first. And later the cells got hacked.
 

wsmoore

Member
Database Admin
Joined
May 17, 2002
Messages
539
Location
Jacksonville,Fl.
It was also their portable 2-way radios too, read this. So much for AES I guess.

From the story
"That effort compromised the encrypted radio systems used by the FBI’s mobile surveillance teams, which track the movements of Russian spies on American soil, according to more than half a dozen former senior intelligence and national security officials. Around the same time, Russian spies also compromised the FBI teams’ backup communications systems — cellphones outfitted with “push-to-talk” walkie-talkie capabilities. “This was something we took extremely seriously,” said a former senior counterintelligence official."
 
Last edited:

krokus

Member
Premium Subscriber
Joined
Jun 9, 2006
Messages
5,994
Location
Southeastern Michigan
They got hacked, but to be fair, they were using PTT cellular. Someone got cheap and lazy, and it bit them in the hiney, as it usually does.

The PTT was a back up, not the original "lightweight" comms. My guess is they used something with 40 bit keys. Both were compromised.
 

Forts

Mentor
Database Admin
Joined
Dec 19, 2002
Messages
6,708
Location
Ontario, Canada
Most likely DES or similar. There wasn't much with 40 bit keys in use around 2010ish... DES was just starting to be phased out for AES around that time.
 

prcguy

Member
Joined
Jun 30, 2006
Messages
15,344
Location
So Cal - Richardson, TX - Tewksbury, MA
Around 1995 the FBI was issued some really small lightweight hand held radios from Racal that had Type 1 encryption, which will do both FED-STD-1023, at 12 kilobits per second, and VINSON, at 16 kilobits per second. Not sure if that is what was hacked, but the same encryption is used today through top secret level. Before that the FBI had Motorola Sabers with Type 1 encryption.

Most likely DES or similar. There wasn't much with 40 bit keys in use around 2010ish... DES was just starting to be phased out for AES around that time.
 
Last edited:

Giddyuptd

Member
Premium Subscriber
Joined
Oct 6, 2018
Messages
1,307
Location
Here and there
I've seen DEA and Marshals here use ADP.

This is a fact I've seen with my own eyes and commented on it and got the smart reply with a smirk.
 

blantonl

Founder and CEO
Staff member
Super Moderator
Joined
Dec 9, 2000
Messages
11,116
Location
San Antonio, Whitefish, New Orleans
My bets here are the Russians probably were tracking the encrypted simplex communications of the FBI's counterintelligence teams. I believe even in 2012 those would have been simplex P25 encrypted with AES-256.

If the Russians simply sent out a subject they suspected of being watched by the counter-intelligence teams and then had their own teams monitor for encrypted P25 simplex comms within the general vicinity of the subject, they would know that the subject was indeed being watched.

Even though it's almost certain that the Russians were not able to actually decrypt AES-256 P25 transmissions, there are a number of key meta-data variables in the FBI's simplex P25 communications that would be available. The Unit ID of the portable radio, and the current KeyID of the AES-256 encryption. Presumably, the counter-intel teams had their own personnel assigned radios which have unique P25 unit IDs, and most likely had their own team unique AES encryption keys loaded into the radios.

If you couple the ability to monitor each of those metadata variables with knowing that simplex communications are short range (local to just you), and even employ some rudimentary DF (direction finding) capabilities into the equation, it would be very simple for the Russians to determine which of their assets were being tracked by the FBI's counter-intel teams, and even possibly which individual agents were part of the tracking and close to the target (by cross-referencing P25 unit IDs).
 
Last edited:

blantonl

Founder and CEO
Staff member
Super Moderator
Joined
Dec 9, 2000
Messages
11,116
Location
San Antonio, Whitefish, New Orleans
Just to kind of expand on this. Some things the Russians could figure out even without decrypting the actual communications:

1) Which radio was transmitting (unit ID)
2) Where the radio was transmitting from (general vicinity in the case of simplex comms or more specific location if DF was used)
3) Who had the radio (Russian could do visual identification of an agent)
4) Where the radio was from (radio IDs assigned to field agents, radio ID ranges assigned to field offices and/or teams)
5) Which team or even *operation* was in progress (encryption keys assigned to teams, projects, cases etc) - for example, if the FBI was investigating one of their own, like in the Richard Hanson case, you'd assign an encryption key unique to that operation that no one else had access to. That key has an ID that is transmitted over the air, and even though you can't get to the key, it has an identifier that tells the radio which key to use.

Some other variables to consider

1) Simplex communications from an aircraft would have a steady strong state, allowing you to quickly understand if aircraft or helicopter surveillance was being employed
2) Employing heuristics on when and where communications occurred. I.e. target subject gets in the car and moves, communications "light up" and start.

There is a lot a intelligence team can gather without ever even needing to decrypt the communications.
 

phask

Member
Premium Subscriber
Joined
Dec 19, 2002
Messages
3,682
Location
KZZV - SE Ohio
Just to kind of expand on this. Some things the Russians could figure out even without decrypting the actual communications:

1) Which radio was transmitting (unit ID)
2

What I was thinking - plus more.
Heck, even us lowly scanists follow Unit ID on Enc comms :)

Even if not simplex, knowing which sites they associate with would help to determine location.
 

ten13

Member
Premium Subscriber
Joined
Aug 13, 2009
Messages
649
Location
ten13
What's left out of the story, and the comments, is that radio technology, whether it be simple analog or digital-encrypted, to the average law enforcement personnel, is somewhere between "Star Wars" (the movie) and "Star Wars" (The Reagan-era defense system), and totally not understood or, at least, misunderstood.

Except for one or two...maybe even three...agents...or even cops...in an agency, mostly assigned to tech details, no one has a grasp of how or why a radio system works, its advantages and disadvantages. I don't think I need to tell anyone here how many times cops, or their bosses, all think that, as in NJ's case, the statewide digital system is some "secret" system that "no one can listen to...." only to be astounded to find that the teenage buff with the hand-held scanner is walking down the street monitoring that department.

The same people in these agencies who are making the ultimate decisions on radio systems (usually based solely on costs) find it almost impossible to hook up their own cable box to their TVs at home.

I would say the same thing happened with this FBI situation: they under-estimated the ability of the Russians, and OVER-estimated their own knowledge, as it related to their radio systems.

Too late now....
 

blantonl

Founder and CEO
Staff member
Super Moderator
Joined
Dec 9, 2000
Messages
11,116
Location
San Antonio, Whitefish, New Orleans
Attached is a good example of how this process worked for the Russians.

This is a screenshot of DSDPlus sitting on an FBI simplex surveillance channel this morning in an area very local to me right now. I'm not going to say where exactly this was captured or what frequency... but, what can we ascertain here? Well, let's see:

1) All the communications are encrypted using P25 AES encryption with KeyID 5412
2) There are 4 agents on this surveillance with the following Unit IDs

3491016
3491037
3491098
3491306

This was just 15 minutes of monitoring a locally used FBI frequency, and watching and logging the traffic. I have no idea what they are saying, but if I was to use some pretty basic direction finding techniques I bet I could find the agents and their cars/aircraft and start putting unit IDs to faces and vehicles pretty quickly. Start to build a database of frequencies, unit IDs, and AES KeyIDs and a picture develops very quickly of what is going on.

Just imagine the picture you are able to develop just by adding the general location where this was monitored, and the frequency.

Then add in historical data such as which unit IDs have worked together over the past month, and where they have worked together, and a complete picture begins to develop without ever having to listen to the agents' communications.

[Attachment: Screen Shot 2019-09-17 at 9.10.56 AM.png]
 
Last edited:
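The two posts above describe the same thing from two angles: the list of what an observer learns from P25 metadata without decrypting anything, and a 15-minute capture showing one key ID shared by four unit IDs. The script below is an added example (not from the thread, not DSDPlus output) that a radio administrator could run over a capture of their own fleet to see exactly that exposure: which unit IDs a key ID ties together, for how long, whether any unit transmitted in the clear, and whether all unit IDs share a numeric prefix that identifies the office block. The log format, the `parse_log`/`metadata_profile`/`exposure_findings` names and the sample lines are constructed for this example; the unit IDs and KID 5412 are the ones quoted in the post.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample capture. This is NOT DSDPlus's real output format, just a
# simplified one-transmission-per-line format carrying the fields the thread
# discusses: time, algorithm, key ID (KID) and transmitting unit ID (SRC).
SAMPLE_LOG = """\
09:10:56 P25 voice  ALG=AES-256 KID=5412 SRC=3491016
09:11:03 P25 voice  ALG=AES-256 KID=5412 SRC=3491037
09:11:20 P25 voice  ALG=AES-256 KID=5412 SRC=3491016
09:14:41 P25 voice  ALG=AES-256 KID=5412 SRC=3491098
09:18:09 P25 voice  ALG=AES-256 KID=5412 SRC=3491306
09:22:30 P25 voice  ALG=AES-256 KID=5412 SRC=3491037
09:25:12 P25 voice  ALG=CLEAR   KID=0    SRC=3491016
decoder noise line that should be ignored
"""

LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) P25 voice\s+ALG=(?P<alg>\S+)\s+"
    r"KID=(?P<kid>\d+)\s+SRC=(?P<src>\d+)$"
)


@dataclass
class Transmission:
    time: datetime
    alg: str
    kid: int
    src: int


def parse_log(text):
    """Parse the constructed log format; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        out.append(Transmission(
            time=datetime.strptime(m["time"], "%H:%M:%S"),
            alg=m["alg"], kid=int(m["kid"]), src=int(m["src"])))
    return out


def metadata_profile(txs):
    """Per key ID: which unit IDs used it, how many PTTs, and the time span.
    This is the picture the thread says an observer builds without decrypting."""
    by_kid = defaultdict(lambda: {"units": set(), "ptt": 0, "first": None, "last": None})
    for t in txs:
        e = by_kid[t.kid]
        e["units"].add(t.src)
        e["ptt"] += 1
        e["first"] = t.time if e["first"] is None else min(e["first"], t.time)
        e["last"] = t.time if e["last"] is None else max(e["last"], t.time)
    return dict(by_kid)


def co_workers(txs, kid):
    """Unit IDs that shared one key ID: the 'who worked together' history."""
    return sorted({t.src for t in txs if t.kid == kid})


def exposure_findings(txs, fleet_prefix_digits=4, min_units=2):
    """Defender-side summary of what the metadata alone gives away."""
    findings = []
    for kid, e in metadata_profile(txs).items():
        if kid == 0:  # KID 0 is used here for clear traffic, handled below
            continue
        if len(e["units"]) >= min_units:
            span_min = (e["last"] - e["first"]).total_seconds() / 60
            findings.append(
                f"KID {kid} ties {len(e['units'])} unit IDs together over {span_min:.0f} min")
    clear = sorted({t.src for t in txs if t.alg == "CLEAR"})
    if clear:
        findings.append(f"unencrypted transmissions from units {clear}")
    prefixes = {str(t.src)[:fleet_prefix_digits] for t in txs}
    if len(prefixes) == 1:
        findings.append(
            f"all unit IDs share prefix {prefixes.pop()}, exposing the fleet/office ID block")
    return findings


if __name__ == "__main__":
    for line in exposure_findings(parse_log(SAMPLE_LOG)):
        print(line)
```

Run against a real capture, the interesting outputs are the ones the thread lists: a long-lived key ID that groups a team for the whole operation, unit IDs that cluster in one numeric block, and any slip into clear mode. Those are the knobs a fleet manager actually controls (key rotation, ID allocation, strapped-encrypted radios), as opposed to the cipher itself, which the thread agrees was never the weak point.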

RayAir

Member
Joined
Dec 31, 2005
Messages
1,930
From what I read, the operation went beyond intercepting, locating, and attempts to identify based only on metadata. It said they did actually crack some codes which were described as "moderately encrypted". It was said the compromised communications were from outdated devices.
That sounds like something still using DES to me.
I thought all federal agencies were mandated to use AES in 2007?
Sounds like someone didn't get the memo.
 

vagrant

ker-muhj-uhn
Premium Subscriber
Joined
Nov 19, 2005
Messages
3,177
Location
California
The wording was skillful in that article and some may infer incorrect conclusions. Blanton's post of what may have occurred is plausible to the extent conveyed in the article. The actual decryption of intelligible voice communication was not noted in the article.
 