Russia hacked lightweight FBI radios

Status
Not open for further replies.

fulcrum

Newbie
Joined
Nov 8, 2009
Messages
1
Reaction score
0
It's more complicated than it appears, suggest reading Matt Blaze's excellent paper on issues with P25 encryption, covering both technical and social issues, the difficulty of deployment, protocol design, radio UI problems and so on. Very well done. Matt Blaze: Why (special agent) Johnny (still) Can't Encrypt
Great read! Interestingly this appears to have been published right before the Russians started successfully targeting counter intel agents. :censored:
 

RFI-EMI-GUY

Member
Joined
Dec 22, 2013
Messages
7,786
Reaction score
4,972
> Great read! Interestingly this appears to have been published right before the Russians started successfully targeting counter intel agents. :censored:

The FBI should have read and reread Matt Blaze's fine work. Shame on industry (Moto) for not locking down the encryption requirements better in P25.
 

2wayfreq

Member
Joined
Jun 8, 2004
Messages
588
Reaction score
52
Location
NM Kirk City
I really don't think the FBI would have kept old surplus and dusted off some grungy "Securenet Sabers" loaded with ancient DES. These were probably small, lower-budget ADP radios where you throw a code number in CPS and write it. Supposedly, a long time ago, the NEXTEL network was being utilized exclusively by the Government. If they were actually using old VSELP PTT, that could be easily decoded.
 

prcguy

Member
Joined
Jun 30, 2006
Messages
17,629
Reaction score
12,954
Location
So Cal - Richardson, TX - Tewksbury, MA
The only "lightweight" FBI radios I know of were the Racal MSHRs, which had Type 1 and DES encryption. They replaced the older Sabers with Type 1 encryption.

> I really don't think the FBI would have kept old surplus and dusted off some grungy "Securenet Sabers" loaded with ancient DES. These were probably small, lower-budget ADP radios where you throw a code number in CPS and write it. Supposedly, a long time ago, the NEXTEL network was being utilized exclusively by the Government. If they were actually using old VSELP PTT, that could be easily decoded.
 

RFI-EMI-GUY

Member
Joined
Dec 22, 2013
Messages
7,786
Reaction score
4,972
> The only "lightweight" FBI radios I know of were the Racal MSHRs, which had Type 1 and DES encryption. They replaced the older Sabers with Type 1 encryption.
Thales Cougar 2000 perhaps?
 

eg2138c

Member
Premium Subscriber
Joined
Feb 10, 2004
Messages
18
Reaction score
1
Location
Cook County, Illinois
What was very common was Motorola DVP ENC; it sounded like open SQ. I was told it was an easy crack. Adding NEXTEL was a big backup back then.
 

prcguy

Member
Joined
Jun 30, 2006
Messages
17,629
Reaction score
12,954
Location
So Cal - Richardson, TX - Tewksbury, MA
I believe this is the radio in question. It's very rare in civilian hands as most are destroyed, probably the rarest hand held I know of. This one was Govt de-milled with the Type 1 crypto removed, otherwise it's fully functional. It will do FPP 136-174 MHz FM with DES right now and I have the slide-in mobile amp/remote control for it.

[Attached images: MSHR.JPG, MSHR2.JPG]
 

RFI-EMI-GUY

Member
Joined
Dec 22, 2013
Messages
7,786
Reaction score
4,972
Would the FBI have been using DES or a Type 1 like:

FASCINATOR is a digital voice encryption standard for the Federal Government. It is based on voice being digitized using 12 kbit/s Continuously Variable Slope Delta modulation (CVSD) and then encrypted using a National Security Agency (NSA) Commercial COMSEC Endorsement Program (CCEP) Type I encryption algorithm.

FED-STD-1023 governs the design and interoperability requirements for Fascinator.

Fascinator is used on a 25 kHz channel above 30 MHz.

Encryption of the digitized voice shall be accomplished with the encryption algorithm used in the INDICTOR and WINDSTER COMSEC Modules using the cryptographic mode that has cryptographic compatibility with the KY-57/58.

Fascinator encryption modules are considered Controlled Cryptographic Items (CCI).
 

prcguy

Member
Joined
Jun 30, 2006
Messages
17,629
Reaction score
12,954
Location
So Cal - Richardson, TX - Tewksbury, MA
Fascinator is usually a Motorola thing but I'm not sure if the FBI ever used that. I've seen other Sabers with Type 1 encryption that had an even longer case than the typical secure Saber/Systems Saber and I think it had little switches near the bottom of the radio. I'm guessing that might have been VINSON compatible encryption.

The Racal MSHR has, according to an article in Signal Magazine, "The radio's embedded Type-1 encryption includes both federal standard (FED-STD)-1023, at 12 kilobits per second, and VINSON, at 16 kilobits per second", so no Fascinator in the MSHR. They also go on to say the FBI wanted to add DES to the Racal MSHR radios and Racal added that later with a new firmware download. I believe the MSHR was the world's first mass-produced DSP SDR handheld and a predecessor to the MBITR.

> Would the FBI have been using DES or a Type 1 like:
>
> FASCINATOR is a digital voice encryption standard for the Federal Government. It is based on voice being digitized using 12 kbit/s Continuously Variable Slope Delta modulation (CVSD) and then encrypted using a National Security Agency (NSA) Commercial COMSEC Endorsement Program (CCEP) Type I encryption algorithm.
>
> FED-STD-1023 governs the design and interoperability requirements for Fascinator.
>
> Fascinator is used on a 25 kHz channel above 30 MHz.
>
> Encryption of the digitized voice shall be accomplished with the encryption algorithm used in the INDICTOR and WINDSTER COMSEC Modules using the cryptographic mode that has cryptographic compatibility with the KY-57/58.
>
> Fascinator encryption modules are considered Controlled Cryptographic Items (CCI).
 

Token

Member
Joined
Jun 18, 2010
Messages
2,485
Reaction score
724
Location
Mojave Desert, California, USA
The word usage was skillful in that article and some may infer incorrect conclusions. Blanton's post of what may have occurred is plausible to the extent conveyed in the article. The actual decryption of intelligible voice communication was not noted in the article.

I don't know, while reading the article I was taken aback (enough so to mention the issue to my wife) by the use of the term "counterintelligence" when referring to Russian activities in the US. Russian activities in the US would be intelligence gathering, while US efforts to thwart Russian intel operations, in the US or against US sources, would be "counterintel".

T!
 

INDY72

Monitoring since 1982, using radios since 1991.
Premium Subscriber
Joined
Dec 18, 2002
Messages
14,988
Reaction score
1,802
Location
Indianapolis, IN
Just to kind of expand on this. Some things the Russians could figure out even without decrypting the actual communications:

1) Which radio was transmitting (unit ID)
2) Where the radio was transmitting from (general vicinity in the case of simplex comms or more specific location if DF was used)
3) Who had the radio (Russian could do visual identification of an agent)
4) Where the radio was from (radio IDs assigned to field agents, radio ID ranges assigned to field offices and/or teams)
5) Which team or even *operation* was in progress (encryption keys assigned to teams, projects, cases, etc.) - for example, if the FBI was investigating one of their own, like in the Richard Hanson case, you'd assign an encryption key unique to that operation that no one else had access to. That key has an ID that is transmitted over the air, and even though you can't get to the key, it has an identifier that tells the radio which key to use.

Some other variables to consider:

1) Simplex communications from an aircraft would have a steady strong state, allowing you to quickly understand if aircraft or helicopter surveillance was being employed
2) Employing heuristics on when and where communications occurred. I.e. target subject gets in the car and moves, communications "light up" and start.

There is a lot an intelligence team can gather without ever even needing to decrypt the communications.
Add to this simply doing a WiFi search and seeing FBI Van xx... Yes they really are that stupid to actually name the mobile hotspot on the van that.
 

PrivatelyJeff

Has more money than sense
Feed Provider
Joined
Jun 5, 2016
Messages
1,079
Reaction score
349
Location
Kings County, CA
> Add to this simply doing a WiFi search and seeing FBI Van xx... Yes they really are that stupid to actually name the mobile hotspot on the van that.

It was probably an idiot agent naming his phone that. My dad did that for his phone.
 

PrivatelyJeff

Has more money than sense
Feed Provider
Joined
Jun 5, 2016
Messages
1,079
Reaction score
349
Location
Kings County, CA
> Doesn't everybody name their SSID something like that? :p

I prefer a little bit of security through obscurity. Home WiFi is "Home", phone is "phone", tablet is "tablet", etc. It makes it harder for targeted attacks.
 

krokus

Member
Premium Subscriber
Joined
Jun 9, 2006
Messages
6,229
Reaction score
1,684
Location
Southeastern Michigan
> Add to this simply doing a WiFi search and seeing FBI Van xx... Yes they really are that stupid to actually name the mobile hotspot on the van that.

Whenever I am around any actual assets, they have nothing like that. I have seen a few WAPs with labels like that, in neighborhoods.
 

RFI-EMI-GUY

Member
Joined
Dec 22, 2013
Messages
7,786
Reaction score
4,972
> Add to this simply doing a WiFi search and seeing FBI Van xx... Yes they really are that stupid to actually name the mobile hotspot on the van that.

We have one of those in the neighborhood.
 