Russia hacked lightweight FBI radios

Status
Not open for further replies.

fulcrum

Newbie
Joined
Nov 8, 2009
Messages
1
It's more complicated than it appears, suggest reading Matt Blaze's excellent paper on issues with P25 encryption, covering both technical and social issues, the difficulty of deployment, protocol design, radio UI problems and so on. Very well done. Matt Blaze: Why (special agent) Johnny (still) Can't Encrypt
Great read! Interestingly this appears to have been published right before the Russians started successfully targeting counter intel agents. :censored:
 

RFI-EMI-GUY

Member
Joined
Dec 22, 2013
Messages
7,471
Great read! Interestingly this appears to have been published right before the Russians started successfully targeting counter intel agents. :censored:

The FBI should have read and reread Matt Blaze's fine work. Shame on industry (Moto) for not locking down the encryption requirements better in P25.
 

2wayfreq

Member
Premium Subscriber
Joined
Jun 8, 2004
Messages
504
Location
NM Kirk City
I really don't think the FBI would have kept old surplus and dusted off some grungy "Securenet Sabers" loaded with ancient DES. This was probably small, lower budget ADP radios where you throw a code number in CPS and write it. Supposedly a long time ago, the NEXTEL network was being utilized exclusively by the Government. If they were actually using old VSELP PTT, that could be easily decoded.
 

prcguy

Member
Premium Subscriber
Joined
Jun 30, 2006
Messages
16,570
Location
So Cal - Richardson, TX - Tewksbury, MA
The only "lightweight" FBI radios I know of were the Racal MSHRs, which had Type 1 and DES encryption. They replaced the older Sabers with Type 1 encryption.

I really don't think the FBI would have kept old surplus and dusted off some grungy "Securenet Sabers" loaded with ancient DES. This was probably small, lower budget ADP radios where you throw a code number in CPS and write it. Supposedly a long time ago, the NEXTEL network was being utilized exclusively by the Government. If they were actually using old VSELP PTT, that could be easily decoded.
 

prcguy

Member
Premium Subscriber
Joined
Jun 30, 2006
Messages
16,570
Location
So Cal - Richardson, TX - Tewksbury, MA
I believe this is the radio in question. It's very rare in civilian hands as most are destroyed, probably the rarest handheld I know of. This one was Govt de-milled with the Type 1 crypto removed, otherwise it's fully functional. It will do FPP 136-174 MHz FM with DES right now and I have the slide-in mobile amp/remote control for it.
 

RFI-EMI-GUY

Member
Joined
Dec 22, 2013
Messages
7,471
Would FBI have been using DES or a Type 1 like:

FASCINATOR is a digital voice encryption standard for the Federal Government. It is based on voice being digitized using 12 kbit/s Continuously Variable Slope Delta modulation (CVSD) and then encrypted using a National Security Agency (NSA) Commercial COMSEC Endorsement Program (CCEP) Type I encryption algorithm.

FED-STD-1023 governs the design and interoperability requirements for Fascinator.

Fascinator is used on a 25 kHz channel above 30 MHz.

Encryption of the digitized voice shall be accomplished with the encryption algorithm used in the INDICTOR and WINDSTER COMSEC Modules using the cryptographic mode that has cryptographic compatibility with the KY-57/58.

Fascinator encryption modules are considered Controlled Cryptographic Items (CCI).
 

prcguy

Member
Premium Subscriber
Joined
Jun 30, 2006
Messages
16,570
Location
So Cal - Richardson, TX - Tewksbury, MA
Fascinator is usually a Motorola thing but I'm not sure if the FBI ever used that. I've seen other Sabers with Type 1 encryption that had an even longer case than the typical secure Saber/Systems Saber and I think it had little switches near the bottom of the radio. I'm guessing that might have been VINSON compatible encryption.

The Racal MSHR has, according to an article in Signal Magazine, "The radio's embedded Type-1 encryption includes both federal standard (FED-STD)-1023, at 12 kilobits per second, and VINSON, at 16 kilobits per second", so no Fascinator in the MSHR. They also go on to say the FBI wanted to add DES to the Racal MSHR radios and Racal added that later with a new firmware download. I believe the MSHR was the world's first mass-produced DSP SDR handheld and a predecessor to the MBITR.

Would FBI have been using DES or a Type 1 like:

FASCINATOR is a digital voice encryption standard for the Federal Government. It is based on voice being digitized using 12 kbit/s Continuously Variable Slope Delta modulation (CVSD) and then encrypted using a National Security Agency (NSA) Commercial COMSEC Endorsement Program (CCEP) Type I encryption algorithm.

FED-STD-1023 governs the design and interoperability requirements for Fascinator.

Fascinator is used on a 25 kHz channel above 30 MHz.

Encryption of the digitized voice shall be accomplished with the encryption algorithm used in the INDICTOR and WINDSTER COMSEC Modules using the cryptographic mode that has cryptographic compatibility with the KY-57/58.

Fascinator encryption modules are considered Controlled Cryptographic Items (CCI).
 

Token

Member
Joined
Jun 18, 2010
Messages
2,426
Location
Mojave Desert, California, USA
The word use was skillful in that article and some may infer incorrect conclusions. Blanton's post of what may have occurred is plausible to the extent conveyed in the article. The actual decryption of intelligible voice communication was not noted in the article.

I don't know, while reading the article I was taken aback (enough so to mention the issue to my wife) by the use of the term "counterintelligence" when referring to Russian activities in the US. Russian activities in the US would be intelligence gathering, while US efforts to thwart Russian intel operations, in the US or against US sources, would be "counterintel".

T!
 

INDY72

Monitoring since 1982, using radios since 1991.
Premium Subscriber
Joined
Dec 18, 2002
Messages
14,855
Location
Indianapolis, IN
Just to kind of expand on this. Some things the Russians could figure out even without decrypting the actual communications:

1) Which radio was transmitting (unit ID)
2) Where the radio was transmitting from (general vicinity in the case of simplex comms or more specific location if DF was used)
3) Who had the radio (Russian could do visual identification of an agent)
4) Where the radio was from (radio IDs assigned to field agents, radio ID ranges assigned to field offices and/or teams)
5) Which team or even *operation* was in progress (encryption keys assigned to teams, projects, cases, etc.) - for example, if the FBI was investigating one of their own, like in the Richard Hanson case, you'd assign an encryption key unique to that operation that no one else had access to. That key has an ID that is transmitted over the air, and even though you can't get to the key, it has an identifier that tells the radio which key to use.

Some other variables to consider

1) Simplex communications from an aircraft would have a steady strong state, allowing you to quickly understand if aircraft or helicopter surveillance was being employed
2) Employing heuristics on when and where communications occurred. I.e. target subject gets in the car and moves, communications "light up" and start.

There is a lot an intelligence team can gather without ever even needing to decrypt the communications.
Add to this simply doing a WiFi search and seeing FBI Van xx... Yes they really are that stupid to actually name the mobile hotspot on the van that.
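What the cleartext headers alone give away, run over a constructed call log as a fleet-side review of the points in the post above. This is an added example, not from the thread; the record layout (time, unit ID, key ID) and every value in it are assumptions, and nothing here touches a radio.

```python
from collections import defaultdict

# Constructed call-header log, not real traffic: (seconds, unit_id, key_id).
# Field names and values are assumptions chosen to show the patterns described above.
CALLS = [
    (0, 1101, 0x10), (4, 1102, 0x10), (7, 1101, 0x10),
    (120, 2205, 0x22),
    (300, 1101, 0x10), (302, 1103, 0x10), (305, 1102, 0x10),
    (309, 1101, 0x10), (311, 1103, 0x10),
    (900, 3307, 0x33),
]

def units_per_key(calls):
    """Which unit IDs were seen under each cleartext key ID (key-to-team linkage)."""
    seen = defaultdict(set)
    for _, unit, key in calls:
        seen[key].add(unit)
    return dict(seen)

def narrow_keys(calls, max_units=1):
    """Key IDs used by at most max_units units: a key that pins a single radio or case."""
    return sorted(k for k, units in units_per_key(calls).items() if len(units) <= max_units)

def activity_bursts(calls, window=60, threshold=3):
    """Windows in which transmissions cluster, the 'light up' signature, as (start, count)."""
    counts = defaultdict(int)
    for t, _, _ in calls:
        counts[(t // window) * window] += 1
    return sorted((start, n) for start, n in counts.items() if n >= threshold)

def exposure_report(calls):
    """Summarise what headers alone disclose, so key and fleet administrators can review it."""
    return {
        "units_per_key": {k: sorted(v) for k, v in units_per_key(calls).items()},
        "keys_pinning_one_unit": narrow_keys(calls),
        "bursts": activity_bursts(calls),
    }

if __name__ == "__main__":
    for field, value in exposure_report(CALLS).items():
        print(field, value)
```

A key ID that only ever appears with one unit, or a key ID whose traffic clusters tightly in time, is the header-level leak the post is describing, and this report is where a key administrator would see it before anyone outside does.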
 

PrivatelyJeff

Has more money than sense
Premium Subscriber
Joined
Jun 5, 2016
Messages
1,067
Location
Kings County, CA
Add to this simply doing a WiFi search and seeing FBI Van xx... Yes they really are that stupid to actually name the mobile hotspot on the van that.

It was probably an idiot agent naming his phone that. My dad did that for his phone.
 

krokus

Member
Premium Subscriber
Joined
Jun 9, 2006
Messages
6,136
Location
Southeastern Michigan
Add to this simply doing a WiFi search and seeing FBI Van xx... Yes they really are that stupid to actually name the mobile hotspot on the van that.

Whenever I am around any actual assets, they have nothing like that. I have seen a few WAPs with labels like that, in neighborhoods.
 