The 2011 APCO International convention in Philadelphia ended with attendees concerned about the newly reported security weaknesses of the Project 25 two-way radio system, and the news was already circulating ahead of the next meeting, expected to take place in San Francisco. In August 2011, at the 20th USENIX Security Symposium, University of Pennsylvania researchers presented the findings of a two-year investigation, financed by the National Science Foundation, into the vulnerabilities and flaws of the Project 25 radio communications standards.

The researchers examined flaws in usability, implementation, and a number of protocols that permit active attacks and can expose data to a passive eavesdropper. The protocol weaknesses include the error-correction codes, the use of stream ciphers, unauthenticated message traffic, and unprotected metadata; the usability and implementation weaknesses include cumbersome keying, user-interface shortcomings, and the lack of an option to mute or reject clear traffic while a radio is in encrypted mode. Project 25 systems are particularly vulnerable to active traffic-analysis attacks, which enable selective jamming and covert determination of radio users’ locations, and which can in turn be used to block specific kinds of communication such as key-management traffic or encrypted messages. The researchers also noted that, because messages are transmitted over the air in segments, jamming succeeds even when only a small number of those segments are blocked. To demonstrate eavesdropping and jamming in practice, they built a system for intercepting Project 25 transmissions from equipment costing less than $1,000. They found that the P25 protocols are susceptible to efficient “jamming attacks” that exploit both the structure of the transmitted messages and the narrowband modulation. They further described implementing and deploying a P25 radio-system jammer on an integrated-circuit RF transceiver chip that is also found in a pink electronic children’s toy, and specifically proposed jamming software in their published article. These findings prompted many owners of P25 radio systems to seek advice on improving their systems’ resistance to jamming and eavesdropping.

The P25 Technology Interest Group offers links to a Library of P25 Encryption Resources and Security. Against eavesdropping, the encryption options provided by P25 suppliers support National Security Agency (NSA) Type 1 cryptography, AES, AES-256, and DES. When properly implemented by system owners, these techniques help prevent data breaches in storage and in transit and provide reliable, secure encrypted radio traffic. Security gaps develop when encryption keys are not changed frequently or are not stored properly, and sensitive data is transmitted unintentionally when users who are required to enable encryption fail to do so.

Effective training helps mitigate these types of risk. Regrettably, many agencies do not fund reinforcement of radio-user training. The result is that sensitive information is quietly disclosed to eavesdroppers, and operational procedures and proper management slowly erode. A typical example: the key-change interval gradually creeps out to every two months or, worse, the security keys are never changed at all. Allowing an excessive number of users or agencies the ability to program field radios is another source of system vulnerability: unskilled radio programmers may unintentionally expose confidential data to unauthorized individuals and may disable crucial radio-security features.

Operational design can also produce vulnerabilities as a by-product, whether from missing or broken authentication, insecure deserialization, broken access control, security misconfiguration, buffer overflows, injection flaws, exposure of sensitive data, or plain bugs. The security of a radio network is most strongly influenced, however, by how much freedom owners give users to decide whether and when communications are in encrypted (secure) mode, and by how they design their discussion group (talkgroup) structures. Forcing that decision through the talkgroup structure is an effective way to handle the clear-versus-encrypted dilemma. It is also possible to build talkgroup structures that automatically enter private, secure mode whenever they are selected, whether by a fixed dispatcher or by a user in the field. This removes ad-hoc decision-making in the field and reduces the chance that an errant operator makes the wrong call. If experienced staff can be relied on to make talkgroup programming and design decisions, the talkgroup structure can streamline field operations for both routine and emergency needs.
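The three failure modes above (keys that creep past their rotation interval, users left to choose clear or secure mode on sensitive talkgroups, and radios that cannot reject clear traffic while in secure mode) are all things a system owner can check for in the fleet configuration before radios are programmed. The following audit is an added example written for this post; it is not code from the researchers, from any P25 vendor, or from the P25 standard. The configuration format, the field names (secure_mode, mute_clear_in_secure, key_id) and the 30-day key-age policy are all constructed for illustration; a real codeplug would have to be exported and mapped onto these fields first.

```python
"""Audit a constructed P25 fleet configuration for the weak settings discussed
above: user-selectable clear/secure mode on sensitive talkgroups, radios that
cannot mute clear traffic while in secure mode, and encryption keys whose
rotation interval has crept past policy.

The configuration format, field names and sample values are constructed for
this example; they are not a vendor codeplug format or part of the P25 standard.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

VALID_MODES = {"strapped_secure", "strapped_clear", "selectable"}
MAX_KEY_AGE_DAYS = 30  # rotation policy assumed for this example


@dataclass
class Talkgroup:
    name: str
    sensitive: bool            # carries tactical, investigative or PII traffic
    secure_mode: str           # one of VALID_MODES
    key_id: Optional[str] = None  # hypothetical key-slot reference; None if clear-only


@dataclass
class Key:
    key_id: str
    last_rotated: date


@dataclass
class FleetConfig:
    mute_clear_in_secure: bool  # the "reject clear traffic in secure mode" option
    talkgroups: List[Talkgroup] = field(default_factory=list)
    keys: List[Key] = field(default_factory=list)


def audit(cfg: FleetConfig, today: date) -> List[str]:
    """Return one finding per policy violation; an empty list means the config passes."""
    findings: List[str] = []
    if not cfg.mute_clear_in_secure:
        findings.append("fleet: clear traffic is not muted while radios are in secure mode")
    keys = {k.key_id: k for k in cfg.keys}
    for tg in cfg.talkgroups:
        if tg.secure_mode not in VALID_MODES:
            findings.append(f"talkgroup {tg.name}: unknown secure_mode {tg.secure_mode!r}")
            continue
        # Sensitive traffic must not depend on the operator remembering to go secure.
        if tg.sensitive and tg.secure_mode != "strapped_secure":
            findings.append(f"talkgroup {tg.name}: sensitive traffic but mode is "
                            f"{tg.secure_mode}; strap it secure")
        # Anything that can go secure must reference a key the fleet actually holds.
        if tg.secure_mode != "strapped_clear":
            if tg.key_id is None:
                findings.append(f"talkgroup {tg.name}: secure-capable but no key assigned")
            elif tg.key_id not in keys:
                findings.append(f"talkgroup {tg.name}: references unknown key {tg.key_id}")
    for k in cfg.keys:
        age = (today - k.last_rotated).days
        if age > MAX_KEY_AGE_DAYS:
            findings.append(f"key {k.key_id}: last rotated {age} days ago "
                            f"(policy is {MAX_KEY_AGE_DAYS})")
    return findings


def weak_config() -> FleetConfig:
    """Constructed configuration showing the weaknesses described in the post."""
    return FleetConfig(
        mute_clear_in_secure=False,
        talkgroups=[
            Talkgroup("TAC-1", sensitive=True, secure_mode="selectable", key_id="K1"),
            Talkgroup("DISPATCH", sensitive=False, secure_mode="strapped_clear"),
            Talkgroup("INVEST", sensitive=True, secure_mode="selectable", key_id="K9"),
        ],
        keys=[Key("K1", date(2011, 6, 1))],  # rotation has crept past policy
    )


def hardened_config() -> FleetConfig:
    """Same fleet with the decisions forced in the talkgroup structure."""
    return FleetConfig(
        mute_clear_in_secure=True,
        talkgroups=[
            Talkgroup("TAC-1", sensitive=True, secure_mode="strapped_secure", key_id="K1"),
            Talkgroup("DISPATCH", sensitive=False, secure_mode="strapped_clear"),
            Talkgroup("INVEST", sensitive=True, secure_mode="strapped_secure", key_id="K2"),
        ],
        keys=[Key("K1", date(2011, 8, 1)), Key("K2", date(2011, 8, 10))],
    )


if __name__ == "__main__":
    for label, cfg in (("weak", weak_config()), ("hardened", hardened_config())):
        print(f"--- {label} ---")
        for line in audit(cfg, date(2011, 8, 15)) or ["no findings"]:
            print(line)
```

Run it and the weak configuration produces five findings (the missing mute option, two selectable sensitive talkgroups, one talkgroup pointing at a key the fleet does not hold, and one overdue key) while the hardened configuration produces none. The point of the audit is that every one of these is a programming decision made before a radio is handed to a user, which is exactly where the post says the decision belongs.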

What About Jamming?

Jamming is a subset of denial-of-service (DoS) attacks: intentional interference that prevents a receiver from correctly decoding a signal by injecting noise or malicious signals onto the legitimate communication channel, whether that channel is land mobile radio (LMR) or point-to-point microwave. Contrary to popular assumption, frequency-hopping (spread-spectrum) radio systems can be jammed too; it simply takes a little more creativity and planning. Unless a communication is confined to a physical medium such as optical fiber, coaxial cable, or secured copper wire, it is susceptible to both deliberate and accidental interference.

Project 25 radios often cannot communicate with each other because of incompatible frequencies, incompatible encryption, or both. The researchers argued that a low-power device with the right configuration could disrupt P25 radio systems used for public safety. The uncomfortable truth is that a malicious interferer is subject to the same physical laws that let radio-system designers make low-power handheld portable radios work inside dense buildings anywhere in a typical metropolitan area. Put another way, if an FCC-licensed radio system in a given region is deliberately engineered to receive the weakest public-safety radio signals, it is equally able to receive malicious interference from those same places.

On any wireless network, two or more radios using the same frequency at the same time produce radio-frequency interference, and electrical equipment and other transmitters produce the same effect. Single-channel radio networks are very prone to interference and are easily disabled by it; anyone who has operated a conventional UHF/VHF analog or digital repeater system knows what happens when a mobile unit’s Push-To-Talk (PTT) microphone button gets stuck in the seat of the car. P25 and Project 16 trunked radio systems, by contrast, move their control channel when interference is present, which makes them, like systems with a variety of operating channels, considerably more challenging for a jammer. A person wishing to interfere with the numerous operating channels of a major metropolis served by multiple simulcast trunked tower sites would be practically and physically constrained in their ability to do so.
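Two of the symptoms in the paragraph above leave traces a system owner can watch for: a trunked site that keeps moving its control channel, and a unit holding PTT far longer than any normal transmission. The detector below is an added example written for this post, not code from the researchers or from any site-controller vendor. The log line format and every value in SAMPLE_LOG are constructed; real controllers log differently, so parse_line() would have to be adapted to the local format, and the window and hold-time thresholds are assumptions to be tuned against normal traffic at the site.

```python
"""Detection logic, run over constructed site-controller log lines, for two
interference symptoms: a trunked site repeatedly changing its control channel,
and a unit holding Push-To-Talk far longer than a normal transmission.

The log format and all values below are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample: site 1 changes control channel three times in under three
# minutes, and unit 5678 holds PTT for three and a half minutes on TAC-1.
SAMPLE_LOG = """\
2011-08-15T14:00:00 site=1 event=cc_change from=1 to=2
2011-08-15T14:00:10 site=1 event=ptt_start unit=1234 tg=DISPATCH
2011-08-15T14:00:14 site=1 event=ptt_end unit=1234 tg=DISPATCH
2011-08-15T14:01:30 site=1 event=cc_change from=2 to=3
2011-08-15T14:02:00 site=2 event=ptt_start unit=5678 tg=TAC-1
2011-08-15T14:02:45 site=1 event=cc_change from=3 to=1
2011-08-15T14:04:00 site=1 event=cc_change from=1 to=4
2011-08-15T14:05:30 site=2 event=ptt_end unit=5678 tg=TAC-1
2011-08-15T14:30:00 site=2 event=cc_change from=1 to=2
"""


def parse_line(line: str) -> dict:
    """Split 'TIMESTAMP key=value ...' into a dict; 'ts' becomes a datetime."""
    ts, *pairs = line.split()
    rec = dict(pair.split("=", 1) for pair in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def load(text: str) -> List[dict]:
    return sorted((parse_line(l) for l in text.splitlines() if l.strip()),
                  key=lambda r: r["ts"])


def control_channel_alerts(records: List[dict], window_s: int = 300,
                           threshold: int = 3) -> List[Tuple[str, datetime]]:
    """Alert once per burst when a site changes control channel `threshold`
    or more times within a sliding window of `window_s` seconds."""
    alerts: List[Tuple[str, datetime]] = []
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    window = timedelta(seconds=window_s)
    for rec in records:
        if rec["event"] != "cc_change":
            continue
        q = recent[rec["site"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop changes outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((rec["site"], rec["ts"]))
            q.clear()                             # one alert per burst, not per change
    return alerts


def stuck_ptt_alerts(records: List[dict],
                     max_hold_s: float = 60) -> List[Tuple[str, str, float]]:
    """Alert on transmissions held longer than `max_hold_s`; a PTT still open at
    the end of the log is measured up to the last record seen."""
    alerts: List[Tuple[str, str, float]] = []
    open_tx: Dict[str, Tuple[datetime, str]] = {}
    last_ts = records[-1]["ts"] if records else None
    for rec in records:
        if rec["event"] == "ptt_start":
            open_tx[rec["unit"]] = (rec["ts"], rec["tg"])
        elif rec["event"] == "ptt_end" and rec["unit"] in open_tx:
            start, tg = open_tx.pop(rec["unit"])
            held = (rec["ts"] - start).total_seconds()
            if held > max_hold_s:
                alerts.append((rec["unit"], tg, held))
    for unit, (start, tg) in open_tx.items():     # never released: still stuck
        held = (last_ts - start).total_seconds()
        if held > max_hold_s:
            alerts.append((unit, tg, held))
    return alerts


def analyze(text: str) -> Dict[str, list]:
    records = load(text)
    return {"control_channel": control_channel_alerts(records),
            "stuck_ptt": stuck_ptt_alerts(records)}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        for hit in hits:
            print(kind, hit)
```

On the sample log this raises one control-channel alert for site 1 at 14:02:45 (the third change inside the five-minute window; the fourth change at 14:04:00 starts a new count, and the isolated change at site 2 never reaches the threshold) and one stuck-PTT alert for unit 5678 holding TAC-1 for 210 seconds. A control channel that moves a few times a day is normal housekeeping; the same site moving several times in a few minutes is the pattern worth paging someone about.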

Beyond the nuisance level, however, generating disruptive interference gets harder as a system grows in frequencies, geographic footprint, and tower sites. A well-designed radio network should also incorporate backup systems that can be deployed when the primary radio system fails catastrophically, as can happen during floods or hurricanes when devastating winds affect large geographic areas.

No radio system can function without electricity, antennas, or connectivity between tower sites, and any radio-system designer should treat those components as highly exposed to risk. LMR encryption belongs in the same consideration: it protects sensitive information and communications that can affect the safety of public-safety personnel or the public, time-sensitive incident and disaster response plans, investigative and tactical communications, personally identifiable information, and sensitive law-enforcement information.


-Brian Martin

Global Communication Services, LLC

GCS Out!