Both of the systems are crap. When we were evaluating them for nationwide purchase we chose TETRA because of systemic safety features (like local DMO handover modes for public safety use in noisy environments), but when I read their crypto choices I made screwy faces constantly; I wasn't in the slightest bit surprised when this research came out.
I remember at the time some ex-signals military folks trying to tell me that the encryption barely matters, as the channel selection rate is so high you'd need multi-site intercepts to even make heads or tails of it. Sadly they didn't really seem to understand how far SDR and compute have come. The whole experience to this day flavors a lot of how I think about military and telco thinking around the whole space; everything touching that boundary feels infected with oldthink.
> everything touching that boundary feels infected with oldthink.
I'd guess that's due to the expense of the equipment and all the regulations, coupled with the lack of immediate usefulness to a casual hobbyist. Without the sort of vibrant wild west ecosystem that FOSS provides, innovation happens much more slowly and most of the participants will be entrenched.
Northern California services use P25 but with encryption turned off. They also have analogue repeaters. Presumably because that way they can still use old radios and don't have to worry about key rotation.
The audio quality on the analogue signal is a lot better than the P25 version, which is often harder to understand.
Not like there’s not enough problems with P25… until the day they can deploy LLE (link-layer encryption) across all P25 systems, there will always be a way to gather some kind of intelligence about the system and its radio traffic.
(And the fact that it’s taking so long to implement link layer authorization, barely a scratch in the security dent…)
I believe TETRA was already vulnerable to being broken based on some research that a group did into the protocol. They showed a proof video but didn't release any technical info or PoC due to security fears.
Very interesting, curious how long it would take to brute force the 56 bit key, with something like a GPU/FPGA. It looks like hashcat supports DES, which is also 56 bit.
I think what you may be thinking of is the export from the US of strong encryption products under ITAR. It was challenged by djb (of qmail/djbdns fame, among many other things) and the result was roughly that publishing software is protected expression like any other publishing (prior to that it was classified as munitions and required an export license).
It's also illegal to report hospitals that post PHI (protected health information) over POCSAG or FLEX pager networks. Of course, there's no encryption or anything. The encoding is plain text.
Yes, it is also illegal to post PHI over pagers, due to a HIPAA addendum in 2016.
But the 1986 ECPA law forbids decoding pager messages unless they were intended for you.
I've done that. It seemed like Wired got lost on the road for a while, but lately they're back with a vengeance, which I'm delighted to see (and to support).
Kevin Mitnick figured out how to get around police radio encryption in the '90s. From 'Ghost in the Wires': "Whenever I heard any hiss of communication, I’d hold down my Transmit button. That would send out a radio signal on the same exact frequency, which would jam the signal. Then the second agent wouldn’t be able to hear the first agent’s transmission. After two or three tries back and forth, the agents would get frustrated with the radio. I could imagine one of them saying something like, “Something’s wrong with the radio. Let’s go in the clear.” They’d throw a switch on their radios to take them out of encryption mode, and I’d be able to hear both sides of the conversation! Even today I’m amused to remember how easy it was to work around that encryption without even cracking the code."
It's a perfect example of why security is never just about the algorithm.
That is the most 90s story I've heard. Nowadays you'd be shot.
It's an odd story, since until pretty recently most North American police radio was plaintext to begin with.
The first P25 standards came out in 1989, so encrypted police radios were certainly starting to be deployed in the early 90s. Obviously, adoption rate depended on the department budget, with many rural departments taking until the 2010s to finally switch.
I should have said FBI radio encryption. I wonder if the technique would still work today...
If the user can fall back to not using encryption and that solves a problem they think they have, enough annoyance will make them do so. It's the entire reason HSTS exists.
> hiss of communication
Allow me to speculate massively. Hiss sounds more like weak signal acquisition. Perhaps in this case, Mitnick was interfering but not defeating encryption.
A bit more from the book (which is a great read, and available in its entirety on archive.org): "To enable its agents to communicate over greater distances, the government had installed “repeaters” at high elevations to relay the signals. The agents’ radios transmitted on one frequency and received on another; the repeaters had an input frequency to receive the agents’ transmissions, and an output frequency that the agents listened on. When I wanted to know if an agent was nearby, I simply monitored the signal strength on the repeater’s input frequency. That setup enabled me to play a little game. Whenever I heard any hiss of communication..."
Not IA
What's IA?
Internal Affairs? But I'm not sure why that's relevant to encryption or Mitnick.
I have heard of them having stricter radio protocols which strikes me as sensible
Intelligence Agencies
For anyone who's curious, the closest equivalent in the US is P25[1] or "Project 25". And if you're wondering, yes, P25 systems have been known to have their own share of vulnerabilities of various sorts. My favorite one[2] is the one that lets an attacker force a P25 radio to broadcast tokens "on demand", allowing you to (theoretically, with the right receiving setup and software) track the location of P25 radios more or less in real time.
And on a related note, for anyone who is interested in listening in on any local P25 transmissions, you can do so in a fairly inexpensive manner, using an RTL-SDR dongle and the open-source op25[3] software package. No listening to encrypted traffic, but IME, many (maybe most) public safety agencies keep most of their traffic in the clear. More so for fire/EMS traffic. Law enforcement is more likely to be encrypted, but even then, I find that many jurisdictions only encrypt a small number of channels, like maybe a dedicated vice/narc squad channel, SWAT team channel, etc. General LE dispatch and tac channels are still in the clear in many areas.
[1]: https://en.wikipedia.org/wiki/Project_25
[2]: https://www.reddit.com/r/tacticalgear/comments/1f4d5dr/psa_p...
[3]: https://github.com/boatbod/op25
I wonder if it would be illegal to employ this method. Tracking law enforcement isn’t explicitly illegal, right?
It's an active attack (requires you to transmit traffic to trick the radio into sending the response beacons) so at the very least you'd almost certainly be in violation of some FCC regs. So the charge might not be "tracking law enforcement" but rather would be "illegally transmitting on a public safety frequency without a license" or something along those lines. And if somebody got caught doing this, I'm reasonably sure they'd find a way to pile on a few more charges as well.
And note that since it is an active attack that requires the attacker to transmit, it opens up the possibility of the attacker giving up their own location in turn.
My take is that it's fun to think about, but largely lacking in real world applicability in most situations.
Transmitting on spectrum you don't have a license for (especially when the government WILL cast it as "interfering with emergency services" or just Big-T) very much is.
What's 'Big-T'?
Terrorism
Yup. And I'll note phrasing it the way I did is openly derisive of its overuse by law enforcement.
That’s quite the private phrase to be presenting publicly.
The local PD in my area has/had the laptops in their vehicles set to ad-hoc mode, and each broadcast static MAC addresses in the open, which could simply be looked up in the Wigle database. At about 100 yards, you could pick up the broadcast on any phone, and it would be trivial for someone to deduce that you could set up an active monitor w/ alerts for when these specific MAC addresses were present in a designated area, let alone what a distributed monitoring/alert effort would be capable of...
What's wild is how often agencies spend millions on comms gear and security tools, but overlook basics like this.
> a distributed monitoring/alert effort would be capable of...
Thinking out loud... an RTL-SDR dongle costs like $35.00 or so (well maybe more now due to tariffs, I haven't bought one in a while), plenty of relevant software is open source (GNURadio etc.), drones are cheap, small solar panels are fairly inexpensive. Hmm... I almost think a motivated individual (or small group of individuals) could piece together a rather capable "distributed monitoring/alert" system.
Not that I'm encouraging anyone to do such a thing, of course.
I don't even know that it's explicitly illegal. Google Maps is allowed to warn you about speed traps.
I agree, it probably isn't really explicitly illegal. But if one put together such a thing, depending on how they decided to use it, I have a hunch that the State would find something to charge them with. I'll resist the temptation to say more, to avoid going too overtly political here.
I'm pretty sure it's not outside of the range of ANYONE to whip up in a fortnight, and have distributed near instantaneously.
If anything, it's the most basic of "wireless site survey" applications.
> an RTL-SDR dongle costs like $35.00 or so
FuzzyDunlop has graduated to HissyMarconi in The Wire season 12 :)
The funny thing about this is that my municipality just recently started encrypting their radios at all. And it was controversial! Residents liked being able to listen in to the scanners.
And yeah, the scanner culture thing is real.
> Residents liked being able to listen in to the scanners.
They're a public service funded by taxpayer dollars. Knowing what they're doing seems reasonable.
Many many years ago a buddy of mine loved listening to the scanners.
One evening we are on AIM chatting and he explains what is going on: noise complaint at a house down the block (kids partying).
He looks the address up and calls them to warn them and sits back to see if they do anything.
Sounds like they managed to bail before anyone showed up to the address.
Not all heroes wear capes. Some of them keep their ears glued to the scanners...
Now replace "kids" with gangs and other organized crime, and it makes a little more sense why they'd want to encrypt it.
Gangs and organized crime have more sophisticated ways of avoid law enforcement
Do they? What are they?
Bribery is a common one, counterintelligence is another, compromising people who are investigating them (or their family members).
Along with radicaldreamer's suggestions, it's also common to be really effective at stonewalling police while on secure wire cameras with audio recording and to have very good criminal lawyers on retainer. Also having patches and wannabes who are prepared to scapegoat themselves.
This isn't so much directly evading law enforcement, but it's effective as it can easily cause police to take actions that cause evidence and cases to be thrown out, raise reasonable doubt, etc.
Depleting resources and diversions are also relatively common, creating a 'fake' public threat or hate crime to investigate bleeds police resources away from ongoing investigations, etc.
The tango between gang squads and organized criminal groups is an ongoing escalating battle. The EncroPhone transcripts revealed a lot.
...so the gangs will continue the crimes?
So the organization can't alert each other when they hear one of their locations or operations on dispatch.
Huh?
In Europe, when the police come to a loud party, they come and tell the people to please be quieter. (And if it is just minor kids, ask for an adult.) So if the party dispersed in panic before they even arrive .. problem solved for them?
Or do the US police bust loud parties guns blazing in general?
> Or do the US police bust loud parties guns blazing in general?
Nah, but lots of these parties have kids below 21 (or whatever the legal drinking age is). So they get fined or arrested if caught, so they leg it.
A friend attended a Chicago-suburb high school for a year (exchange student). Said he had to run from cops at private parties about a handful of times in that year, and that it was pretty normal in his group.
Many times they’ll take an interest in underage drinking or recreational drug use, which the party attendees might prefer they didn’t get tagged for.
Also depends on which neighborhood and whose house it is.
https://news.ycombinator.com/item?id=44830592
Oversight & accountability are different from operational security.
Leaving the radios unencrypted merely lends advantage to more-sophisticated bad actors.
It's literally opsec for the bad actors, the cops, to more effectively terrorise the civilian population.
But in the USA there is ample evidence that the police are often bad actors.
How does one perform oversight of a police department if the comms are encrypted? Do I FOIA all the communications? How specific does that request have to be? Are the comms even recorded? How long are they retained? What happens when the recordings are "lost"?
...I'd like to see evidence for that claim.
Much more likely is that the opacity of encryption lends advantage to the unsophisticated bad actors (ie, the 'official' ones).
I think most of us, at least in the USA, are far more ready to take our chances with these hypothetical sophisticated bad actors than to reduce the real-time transparency of verified ones.
I'll never forget 8 years ago someone managed to set off every tornado siren in Dallas for an entire Friday night, apparently because they're controlled by radio and the control signal was not encrypted, so the "hacker" just recorded it during a real alert and then played it back to attack the system.
The majority of EAS equipment responds this way. That's why the tones are so strictly regulated on broadcasts.
https://docs.fcc.gov/public/attachments/DA-19-758A1.pdf
That might still work even with encryption, if they don't specifically prevent replay attacks.
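The comment above makes the key point: confidentiality and freshness are separate properties, and a recorded frame stays valid under any scheme that only checks who sent it. As an added example (not from the thread and not modelled on any real siren or EAS product), here is a toy command channel with a constructed key and frame format: one receiver only authenticates the frame (an HMAC stands in for whatever encryption or signing the system uses) and accepts the same bytes twice, while the other also requires a strictly increasing counter and rejects the playback.

```python
"""Toy 'activate siren' command channel: why authentication alone does not
stop a record-and-replay attack, and what a freshness check adds.

Everything here is constructed for illustration: the key, the frame layout
and the command name are not taken from any real alerting system.
"""
import hashlib
import hmac
import struct

TAG_LEN = 32          # HMAC-SHA256 output length
COUNTER_LEN = 8       # 64-bit big-endian message counter
SHARED_KEY = bytes.fromhex("00" * 31 + "01")  # constructed demo key


def build_frame(key: bytes, counter: int, command: bytes) -> bytes:
    """Sender side: counter || command || HMAC(key, counter || command)."""
    body = struct.pack(">Q", counter) + command
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def _verify_tag(key: bytes, frame: bytes):
    """Return the authenticated body, or None if the frame is malformed or forged."""
    if len(frame) < COUNTER_LEN + TAG_LEN:
        return None
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison so the tag check does not leak timing information.
    if not hmac.compare_digest(expected, tag):
        return None
    return body


class AuthOnlyReceiver:
    """Checks that the frame came from a key holder, but not that it is fresh.
    A recorded frame verifies just as well the second time it is heard."""

    def __init__(self, key: bytes):
        self.key = key

    def accept(self, frame: bytes) -> bool:
        return _verify_tag(self.key, frame) is not None


class FreshnessReceiver:
    """Same authentication plus a strictly increasing counter.

    In a real device the highest accepted counter must be persisted to
    non-volatile storage; a reboot that resets it re-opens the replay window.
    Here it is just an attribute.
    """

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def accept(self, frame: bytes) -> bool:
        body = _verify_tag(self.key, frame)
        if body is None:
            return False
        counter = struct.unpack(">Q", body[:COUNTER_LEN])[0]
        if counter <= self.last_counter:
            return False          # replayed or reordered frame
        self.last_counter = counter
        return True


def replay_scenario(key: bytes = SHARED_KEY) -> dict:
    """Legitimate activation, then the same bytes recorded and played back."""
    genuine = build_frame(key, counter=1, command=b"ACTIVATE_SIREN")
    recorded = bytes(genuine)               # what an eavesdropper would capture
    forged = recorded[:-1] + bytes([recorded[-1] ^ 0x01])  # one tag bit flipped

    auth_only = AuthOnlyReceiver(key)
    fresh = FreshnessReceiver(key)
    return {
        "auth_only_first": auth_only.accept(genuine),
        "auth_only_replay": auth_only.accept(recorded),   # accepted: the weakness
        "fresh_first": fresh.accept(genuine),
        "fresh_replay": fresh.accept(recorded),           # rejected: counter not advanced
        "fresh_next": fresh.accept(build_frame(key, 2, b"ACTIVATE_SIREN")),
        "fresh_forged": fresh.accept(forged),             # rejected: tag mismatch
    }


if __name__ == "__main__":
    for name, outcome in replay_scenario().items():
        print(f"{name:18} {'ACCEPTED' if outcome else 'rejected'}")
```

A timestamp with a tolerance window is the other common freshness check; the counter is shown because it needs no synchronised clock, which receivers on a one-way radio link often lack.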
Previously you could hear what was going on in town - a degree of transparency around police.
Now you can’t. For better or worse, eh?
Yeah, it's complicated! Europe goes the other way on this, apparently, so much so that it's headline news when someone comes up with cryptographic attacks on their police radios. Here, on the other hand, people committing crimes can (or could, a few months ago) just listen on their iPhones to see if anybody is on to them.
The City of Chicago makes decrypted audio available, just on a 30 minute delay. That's a sane compromise, I think.
> The City of Chicago makes decrypted audio available, just on a 30 minute delay. That's a sane compromise, I think.
It sounds sane! Though I wonder if like body cams the decrypted channel will have mysterious malfunctions every so often when anything interesting happens?
That's a great compromise.
Seems reasonable on the surface. Has anyone ever audited this? Are there gaps in the recordings? If the PD fails to reproduce the recordings what are the consequences?
If it ‘helps’, every police force was already using personal text messages/signal/etc for sensitive calls and discussions anyway.
At some point, this needs to turn a corner into real-time resistance, and massive community presence to assist regular people in asserting their rights.
A 30-minute delay crushes that.
Most communities are far more victimized by property crime than they are by the police. Anti-police activists tend to premise their arguments on the idea that everybody opposes police intervention, but read transcripts of neighborhood meetings in Black neighborhoods: the more common complaint is that the police aren't responding and aren't taking their complaints seriously.
Does a 30 minute delay assist the police in preventing or responding to property crime?
Yes? The concern is people committing crimes with the scanner playing waiting to see if the police are on to them.
I don't care one way or another, but it's silly to say there's no actual concern there, I think.
So the bad guys scope out a Hyundai or whatever and then listen to the scanner for a while until they're confident there are no cops in the area and then steal the car? Is it feasible to call in a distraction and listen for that?
I'm not saying there's no concern. I'm just not sure if this 30 min delay is as effective as it sounds at first glance. My gut reaction has been wrong enough times in my life that I have gotten in the habit of challenging my own assumptions.
Criminals generally don’t have that type of impulse control. Ain’t nobody waiting 30 minutes to decide if they’re going to steal a Hyundai.
Boston?
San Diego?
And now they're going to be unencrypted again, but not by choice!
No, this story is about TETRA radios, which are used in Europe; I'm in Chicago, on Motorola's STARCOM (P25), which is ostensibly AES (it wouldn't be shocking to find vulnerabilities; in fact shocking not to, but it won't be as crazy as TETRA, which freelanced its entire encryption stack).
I listened to your great podcast and the remark along the lines of "unencrypted police comms let the robbers know when the police are getting close" made me wonder if anyone has built a simple signal intensity detector for the encrypted radios. You don't need to hear the contents to know that the radios are closing in on you. I can't imagine police forces practice RF silence like special forces do.
It really would be better to hide in the noise of 5G.
I have a BT scanner app for my phone. "BLE Radar".
I have a detection on there for the MAC address "00:25:DF:*". That's the MAC OUI prefix for Taser International.
I keep it on while driving, because the badgecams and hardware in cop cars spurts this out regularly. So even unmarked cars show themselves.
https://www.krakenrf.com/
For about $700, you can get some pre-made kit to use SDR to do radio direction finding. IIRC this device uses the same chips as an RTL-SDR, but it uses 4-5 of them, all synchronized, and has a signal emitter for calibration and a nice web UI to report the data.
(I have not used it, but I've been learning about all sorts of neat radio products as I'm dabbling and learning about SDR.)
No current ability to track trunked radio units, though arguably that's 'just a software problem'.
I have one and have found it to be quite easy to hunt down ham repeaters that you can get to transmit more or less non-stop... but relatively hard to use for intermittent transmitters.
I need to see if I can figure out how to plug in my GNSS compass output, because inferring orientation from motion requires an awful lot of moving around and is less reliable than I'd like.
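To make concrete why the kit above needs several synchronized receivers and a calibration emitter, here is an added example (not KrakenRF code) of the simplest case: a two-antenna phase interferometer in Python. The bearing is read from the phase difference between the two antennas, so any phase the second receiver chain adds on its own lands straight in the answer until a capture of a known reference source removes it. The signal, the noise, the receiver offset and the half-wavelength spacing are all simulated assumptions.

```python
"""Two-channel phase-interferometer bearing estimate.

Added example written for this page, not code from KrakenRF or the thread.
Everything below is simulated: a narrowband tone arriving from a chosen
bearing, Gaussian noise, and an unknown phase offset in the second receiver.
"""
import cmath
import math
import random

SPACING_WAVELENGTHS = 0.5   # half-wavelength spacing: phase +-pi covers +-90 deg


def simulate_pair(bearing_deg, rx_phase_offset, n=2048, noise=0.3, seed=1):
    """Baseband samples at two antennas for a plane wave from `bearing_deg`
    (0 = broadside).  `rx_phase_offset` models the phase the second tuner
    adds when the two receiver chains are not phase-calibrated."""
    rng = random.Random(seed)
    dphi = 2 * math.pi * SPACING_WAVELENGTHS * math.sin(math.radians(bearing_deg))
    x1, x2 = [], []
    for k in range(n):
        s = cmath.exp(1j * 2 * math.pi * 0.05 * k)          # narrowband tone
        x1.append(s + complex(rng.gauss(0, noise), rng.gauss(0, noise)))
        x2.append(s * cmath.exp(-1j * dphi) * cmath.exp(1j * rx_phase_offset)
                  + complex(rng.gauss(0, noise), rng.gauss(0, noise)))
    return x1, x2


def phase_difference(x1, x2):
    """Phase of the zero-lag cross-correlation: arg sum(x1 * conj(x2)).
    This only means anything if both channels share one sample clock."""
    acc = sum(a * b.conjugate() for a, b in zip(x1, x2))
    return cmath.phase(acc)


def bearing_from_phase(dphi):
    """Invert dphi = 2*pi*d*sin(theta); clamp in case noise pushes |sin| past 1.
    A two-element line array cannot tell front from back, which is one
    reason real kits use four or five channels."""
    s = max(-1.0, min(1.0, dphi / (2 * math.pi * SPACING_WAVELENGTHS)))
    return math.degrees(math.asin(s))


def estimate_bearing(signal_pair, cal_pair=None):
    """Bearing in degrees.  `cal_pair` is a capture of a calibration emitter at
    broadside (true phase difference 0): whatever phase it shows is receiver
    offset, and is subtracted from the target measurement."""
    dphi = phase_difference(*signal_pair)
    if cal_pair is not None:
        dphi -= phase_difference(*cal_pair)
        dphi = math.atan2(math.sin(dphi), math.cos(dphi))   # wrap to (-pi, pi]
    return bearing_from_phase(dphi)


if __name__ == "__main__":
    offset = 1.0          # radians of unknown inter-channel phase
    target = simulate_pair(30.0, offset)
    calib = simulate_pair(0.0, offset, seed=2)
    print("uncalibrated:", round(estimate_bearing(target), 1))
    print("calibrated:  ", round(estimate_bearing(target, calib), 1))
```

With the simulated 1 radian of receiver offset, the uncalibrated estimate lands near 10 degrees for a source that is really at 30; the calibration capture brings it back to 30. Intermittent transmitters are hard for the same reason the commenter above notes: the calibration and the measurement have to hold across the whole key-up, and an orientation reference is still needed to turn a relative bearing into a map direction.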
I’ve long wanted to do this with an SDR and maybe some simple ML, build a dataset by driving by cars/things with frequencies of interest.
Now I wonder if you can fingerprint antennas…
You can fingerprint transmitters.
Antennas would be much more difficult and likely moot.
https://arxiv.org/html/2402.06250v1
Some transmitters have such a distinct sound that you can identify them with just your unassisted human hearing. Back in my firefighting days, I remember that certain trucks or stations had transmitters where you could identify them from the half second or so of "hum" between the time somebody keyed up the mic and the time they started talking. Using ML / signal processing stuff on a computer, yeah, you can probably get pretty fine grained at discriminating these things.
> the remark along the lines of "unencrypted police comms let the robbers know when the police are getting close"
Criminals sophisticated enough to do that are usually not going to get caught regardless, encryption or no and are generally savvy enough to not make themselves a serious threat to public comfort and order.
I don't think it's a long reach to say that the public may be better off with more ability to monitor police activity at a cost of being weaker against that kind of criminal.
I think that was truer 15 years ago, but every criminal now carries a police scanner with them (in the form of a phone), and the residents in my area who most avidly follow police scanners are not the most technical people in the area.
(Having said all that, our muni voted against encrypting radios; we lost 2-1 in a vote with the 2 other munis we share dispatch with).
Unless you're talking about criminals doing traffic analytic RF attacks, in which case, I agree, who cares?
> which is ostensibly AES
in the 5% or less of deployments that turn that on
Both of the systems are crap. When we were evaluating them for nationwide purchase we chose TETRA because of systemic safety features (like local DMO handover modes for public safety use in noisy environments), but when I read their crypto choices I made screwy faces constantly. I wasn't in the slightest bit surprised when this research came out.
I remember at the time some ex-signals military folks trying to tell me that the encryption barely matters, as the channel selection rate is so high you'd need multi-site intercepts to even make heads or tails of it; sadly they didn't really seem to understand how far SDR and compute have come. The whole experience to this day flavors a lot of how I think about military and telco thinking around the whole space; everything touching that boundary feels infected with oldthink.
> everything touching that boundary feels infected with oldthink.
I'd guess that's due to the expense of the equipment and all the regulations coupled with the lack of immediate usefulness to a casual hobbyist. Without the sort of vibrant wild west ecosystem that FOSS provides innovation happens much more slowly and most of the participants will be entrenched.
This is what happens when security is treated like a checklist item instead of a core requirement
Huh, I was catching up on DEFCON videos recently, and just earlier this morning watched the talk about Tetra. How serendipitous.
https://www.youtube.com/watch?v=iGINoIYQwak
Note this affects TETRA which is not used in North America. Most US systems use P25 which is not mentioned in the article.
Northern California services use P25 but with encryption turned off. They also have analogue repeaters. Presumably because that way they can still use old radios and don't have to worry about key rotation.
The audio quality on the analogue signal is a lot better than the P25 version, which is often harder to understand.
Not like there aren't enough problems with P25… until the day they can deploy LLE (link-layer encryption) across all P25 systems, there will always be a way to gather some kind of intelligence about the system and its radio traffic.
(And the fact that it’s taking so long to implement link layer authorization, barely a scratch in the security dent…)
I believe TETRA was already vulnerable to being broken, based off some research that a group did into the protocol. They showed a proof video but didn't release any technical info or PoC due to security fears.
http://archive.today/5GMa5
Cool! Maybe all the apps and sites intended to let you keep track of what your local kopz are doing will work again!
Very interesting, curious how long it would take to brute force the 56 bit key, with something like a GPU/FPGA. It looks like hashcat supports DES, which is also 56 bit.
> The flaws remained unknown publicly until their disclosure, because ETSI refused for decades to let anyone examine the proprietary algorithms.
Got what they asked for.
Good. I used to listen to police calls in the US. I don't like the fact that my police is now the "secret police" with encrypted digital radios.
I mean, in this day and age is it such a bad thing that police and military radio is crackable?
Is it still illegal in Europe to buy radios with 128 bit encryption?
As in TETRA? Probably not, as SDRs are widely available anyway, as are scanners capable of decrypting TETRA traffic.
You do need authorization to buy a transmitter though, at least where I live.
I meant like hand-held walkie talkies. But with 128 bit encryption.
Weird it's regulated, given you can use mobile phones like that (sure, you need coverage).
Mobile phones are backdoored and trackable by default.
I think on most public bands here, transmitting with encryption of any kind is banned regardless of the strength.
I think what you may be thinking of is the export from the US of strong encryption products under ITAR. It was challenged by djb (of qmail/djbdns fame, among many other things) and the result was roughly that publishing software is protected expression like any other publishing (prior to that it was classified as munitions and required an export license).
https://en.wikipedia.org/wiki/Bernstein_v._United_States
It's still illegal to point out that the emperor has no clothes
It's also illegal to report hospitals that post PHI (protected health information) over POCSAG or FLEX (pager networks). Of course, there's no encryption or anything. The encoding is plain text.
Yes, it is also illegal to post PHI over pagers, due to HIPAA addendum in 2016.
But 1986 ECPA law forbids decoding pager messages unless they were intended for you.
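To show what "the encoding is plain text" means for POCSAG in practice, here is an added example (written for this page, not code from the thread or from any decoder project): a codeword encoder and decoder in Python. The batch layout, the sync and idle codewords and the BCH(31,21) generator are from the POCSAG standard; the RICs and message texts are constructed, and reading function bits 0 and 3 as numeric and alphanumeric is the common convention rather than a rule of the standard. There is no key anywhere in it: the only transformation of the payload is BCD or 7-bit ASCII sent LSB first, plus error-detection bits.

```python
"""POCSAG codeword encoder/decoder.

Added example written for this page, not code from the thread.  Batch
layout, sync/idle codewords and the BCH(31,21) generator are from the POCSAG
standard; RICs and messages below are constructed; mapping function bits 0
and 3 to numeric and alphanumeric is the usual convention, not a rule.
"""
BCH_POLY = 0x769            # x^10 + x^9 + x^8 + x^6 + x^5 + x^3 + 1
SYNC = 0x7CD215D8           # starts every batch
IDLE = 0x7A89C197           # fills unused slots; itself a valid address codeword
NUMERIC = "0123456789*U -)("   # BCD nibble value -> character
FRAMES = 8                  # a batch is SYNC + 8 frames of 2 codewords


def bch_check(data21):
    """10 check bits: remainder of data(x) * x^10 modulo the generator."""
    rem = data21 << 10
    for i in range(30, 9, -1):
        if rem & (1 << i):
            rem ^= BCH_POLY << (i - 10)
    return rem


def even_parity(x):
    return bin(x).count("1") & 1


def encode_codeword(data21):
    """21 data bits | 10 BCH bits | 1 parity bit (even parity over all 32)."""
    cw = (data21 << 11) | (bch_check(data21) << 1)
    return cw | even_parity(cw)


def codeword_ok(cw):
    """Detect errors only; a real decoder would also correct up to 2 bits."""
    return even_parity(cw) == 0 and bch_check(cw >> 11) == ((cw >> 1) & 0x3FF)


def rev_bits(v, width):
    """Payload bits go on air LSB first, so nibbles and characters are reversed."""
    return int(f"{v:0{width}b}"[::-1], 2)


def address_codeword(ric, function):
    """Bit 31 = 0, 18 high RIC bits, 2 function bits; low 3 RIC bits = frame."""
    return encode_codeword(((ric >> 3) << 2) | (function & 3))


def numeric_codewords(text):
    nibbles = [rev_bits(NUMERIC.index(c), 4) for c in text]
    nibbles += [rev_bits(NUMERIC.index(" "), 4)] * (-len(nibbles) % 5)  # pad with spaces
    words = []
    for i in range(0, len(nibbles), 5):
        payload = 0
        for n in nibbles[i:i + 5]:
            payload = (payload << 4) | n
        words.append(encode_codeword((1 << 20) | payload))   # bit 31 = 1: message
    return words


def alpha_codewords(text):
    bits = "".join(f"{ord(c) & 0x7F:07b}"[::-1] for c in text)   # 7-bit ASCII, LSB first
    bits += "0" * (-len(bits) % 20)
    return [encode_codeword((1 << 20) | int(bits[i:i + 20], 2))
            for i in range(0, len(bits), 20)]


def build_batch(ric, function, msg_words):
    """Address goes in frame (ric & 7); message words follow; the rest is IDLE."""
    slots = [IDLE] * (2 * FRAMES)
    pos = 2 * (ric & 7)
    slots[pos] = address_codeword(ric, function)
    for w in msg_words:
        pos += 1
        if pos >= len(slots):
            raise ValueError("message does not fit in one batch")
        slots[pos] = w
    return [SYNC] + slots


def decode_batch(words):
    """Return [(ric, function, text)] for one batch of 17 codewords."""
    if words[0] != SYNC:
        raise ValueError("batch must start with the sync codeword")
    pages, current, payloads = [], None, []

    def flush():
        if current is None:
            return
        ric, func = current
        if func == 3:
            bits = "".join(f"{p:020b}" for p in payloads)
            text = "".join(chr(int(bits[i:i + 7][::-1], 2))
                           for i in range(0, len(bits) - 6, 7)).rstrip("\x00")
        else:
            text = "".join(NUMERIC[rev_bits((p >> s) & 0xF, 4)]
                           for p in payloads for s in (16, 12, 8, 4, 0))
        pages.append((ric, func, text.rstrip()))

    for idx, cw in enumerate(words[1:]):
        if not codeword_ok(cw):
            continue                      # corrupted slot; skip it
        if cw >> 31:                      # message codeword: 20 payload bits
            payloads.append((cw >> 11) & 0xFFFFF)
            continue
        flush()                           # an address or idle ends the previous page
        current, payloads = None, []
        if cw != IDLE:
            current = ((((cw >> 13) & 0x3FFFF) << 3) | (idx // 2), (cw >> 11) & 3)
    flush()
    return pages
```

The decoder only checks the BCH bits and drops bad codewords; the code's minimum distance allows correcting up to two bit errors per codeword, which is what a receiver on a weak signal actually relies on. Messages that run past the end of a batch continue into the next one in real traffic, which this single-batch example does not handle.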
> You’ve read your last free article.
Haven't read a Wired article in months :-|
And thanks to poster for adding archive link.
Wired is killing it with great reporting this year. Worth subscribing and supporting.
I've done that. It seemed like Wired got lost on the road for a while, but lately they're back with a vengeance, which I'm delighted to see (and to support).