Why (Special Agent) Johnny (Still) Can t Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio System

Similar documents
Wireless Network Security Spring 2016

Wireless Network Security Spring 2014

AM and FM analogue signal demodulation

Prevention of Selective Jamming Attack Using Cryptographic Packet Hiding Methods

Interleaving And Channel Encoding Of Data Packets In Wireless Communications

Communicating with Other Hams

Simple Algorithm in (older) Selection Diversity. Receiver Diversity Can we Do Better? Receiver Diversity Optimization.

Proceedings of Meetings on Acoustics

Using the IFR 2975 for Advanced Project 25 Keyloading Capabilities and AES/DES Encryption

Access Methods and Spectral Efficiency

Wireless Network Security Spring 2015

Surveillance Transmitter of the Future. Abstract

Technician Class Course. Session 1

Chapter 7 GSM: Pan-European Digital Cellular System. Prof. Jang-Ping Sheu

CS 6956 Wireless & Mobile Networks April 1 st 2015

MIDLAND RADIO CORPORATION

Application Note. Testing SmartNet TM /SmartZone TM Systems. Rob Barden Senior Product Marketing Manager

Keywords: Network Security, Wireless Communications, piggybacking, Encryption.

Avoiding Selective Attacks with using Packet Hiding Approaches in Wireless Network

CSRmesh Beacon management and Asset Tracking Muhammad Ulislam Field Applications Engineer, Staff, Qualcomm Atheros, Inc.

RF Management in SonicOS 4.0 Enhanced

Block Ciphers Security of block ciphers. Symmetric Ciphers

Understanding and Mitigating the Impact of Interference on Networks. By Gulzar Ahmad Sanjay Bhatt Morteza Kheirkhah Adam Kral Jannik Sundø

USD-FH: Jamming-resistant Wireless Communication using Frequency Hopping with Uncoordinated Seed Disclosure

CL4790 USER GUIDE VERSION 3.0. Americas: Europe: Hong Kong:

amplification: The process of increasing the strength of a radio signal.

Cellular systems 02/10/06

S-COR. FIGURE 1 Wiring Diagram NOTE: To reset S-COR to factory settings, press and! hold < and > buttons upon power up. INSTALLATION INSTRUCTIONS

3.6. Cell-Site Equipment. Traffic and Cell Splitting Microcells, Picocelles and Repeaters

Multiplexing Module W.tra.2

GSM Interceptor Fast and reliable interception of GSM traffic

Voice Data Encryption AT Crypt One

Multiple Access. Difference between Multiplexing and Multiple Access

Multiple Access Schemes

Data and Computer Communications. Chapter 10 Cellular Wireless Networks

Minimization of Jamming Attack in Wireless Broadcast Networks Using Neighboring Node Technique

By Ryan Winfield Woodings and Mark Gerrior, Cypress Semiconductor

Cooperation in Random Access Wireless Networks

Encryption at the Speed of Light? Towards a cryptanalysis of an optical CDMA encryption scheme

Wireless Network Security Spring 2015

Network Security: Secret Key Cryptography

Personal Communication System

Alaska Land Mobile Radio Communications System. Radio Concepts

Communication Systems GSM

Wireless Network Security Spring 2016

RECOMMENDATION ITU-R BS

IJSER 1. INTRODUCTION 2. ANALYSIS

IFH SS CDMA Implantation. 6.0 Introduction

CHAPTER 2. Instructor: Mr. Abhijit Parmar Course: Mobile Computing and Wireless Communication ( )

(Refer Slide Time: 2:23)

An E911 Location Method using Arbitrary Transmission Signals

CESEL: Flexible Crypto Acceleration. Kevin Kiningham Dan Boneh, Mark Horowitz, Philip Levis

10EC81-Wireless Communication UNIT-6

Physical Layer. Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS. School of Computing, UNF

o Broken by using frequency analysis o XOR is a polyalphabetic cipher in binary

LMR Encryption Navigating Recent FCC Rule Changes

Spread Spectrum Communications and Jamming Prof. Debarati Sen G S Sanyal School of Telecommunications Indian Institute of Technology, Kharagpur

Managing Encryption. A guide for public safety decision makers. White Paper.

Universal Radio Hacker

Introduction to Digital Mobile Radio (DMR)

PRINCIPLES OF COMMUNICATION SYSTEMS. Lecture 1- Introduction Elements, Modulation, Demodulation, Frequency Spectrum

Signals and Systems Lecture 9 Communication Systems Frequency-Division Multiplexing and Frequency Modulation (FM)

Erik Haas and Michael Schnell German Aerospace Center - DLR. J. Prinz, C.Rihacek, and M. Sajatovic Frequentis Nachrichtentechnik G.m.b.H.

Lesson 4: Frequencies & Privileges

Monthly Professional Development Service. Generally Hot Topics or Topics of High

Future ready: How can agencies invest wisely in public safety communications with so much change on the horizon?

2.4GHz & 900MHz UNLICENSED SPECTRUM COMPARISON A WHITE PAPER BY INGENU

Public Safety Radio Frequency Spectrum: A Comparison of Multiple Access Techniques

GSM and Similar Architectures Lesson 04 GSM Base station system and Base Station Controller

Transcoding free voice transmission in GSM and UMTS networks

Future radio access implementation & demonstration Scandinavian workshop on testbed-based wireless research November 27 th 2013

MOTOBRIDGE IP Interoperable Solution

UNIT- 3. Introduction. The cellular advantage. Cellular hierarchy

Version 9.2. SmartPTT PLUS. Capacity Max Configuration Guide

An Opportunistic Frequency Channels Selection Scheme for Interference Minimization

CDMA Physical Layer Built-in Security Enhancement

Public Safety Radio Bands. VHF Low Band: 25 MHz to 50 MHz VHF High: 138 MHz to 174 MHz UHF: 408 MHz to 512 MHz 700 MHz (new) 800 MHz 4.

Security Enhancement of Frequency Hopping Spread Spectrum Based On Oqpsk Technique

MILnews. IP-based split-site operation with the R&S M3SR Series4100 HF radios. Offprint from MILnews 12. Electronics for security and defense

Satellite Basics Term Glossary

Product Summary, CA12CD S Cordless Push to Talk Adapter

PROTECTED SATELLITE COMMAND AND CONTROL (C2) WAVEFORMS AND ENHANCED SATELLITE RESILIENCY. Bryan Butler

2 meter refarming proposal. Uniform 15 khz proposal

Underwater Communication in 2.4 Ghz ISM Frequency Band for Submarines

Cryptography Based Method for Preventing Jamming Attacks in Wireless Network Ms. Bhoomi Patel 1

The number theory behind cryptography

Spread Spectrum. Chapter 18. FHSS Frequency Hopping Spread Spectrum DSSS Direct Sequence Spread Spectrum DSSS using CDMA Code Division Multiple Access

Evaluation of HF ALE Linking Protection

An Overview of the QUALCOMM CDMA Digital Cellular Proposal

Merkle s Puzzles. c Eli Biham - May 3, Merkle s Puzzles (8)

Achieving Network Consistency. Octav Chipara

UNIT 6 ANALOG COMMUNICATION & MULTIPLEXING YOGESH TIWARI EC DEPT,CHARUSAT

CDMA is used to a limited extent on the 800-MHz band, but is much more common in the 1900-MHz PCS band. It uses code-division multiple access by

Spread Spectrum: Definition

Microwave Engineering Project Use Cases

Running head: SIMPLE SECRECY. Simple Secrecy: Analog Stream Cipher for Secure Voice Communication. John Campbell

Random Bit Generation and Stream Ciphers

Physical Layer: Outline

Chapter 1 Acknowledgment:

Transcription:

Why (Special Agent) Johnny (Still) Can t Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio System Sandy Clark Travis Goodspeed Perry Metzger Zachary Wasserman Kevin Xu Matt Blaze Usenix 2011

P25 Modulates voice and textual signals into radio packets Current versions transmit at 9600 baud Frame-based protocol Frame begins with 48-bit synchronization pattern 12-bit network identifier, frame type, error correction bits 16-bit header - specifies talk group frame belongs to 96 bits - crypto IV, algorithm ID, key ID Header frame is followed by 1728-bit data frames, then eventually a terminator Data frames are split - first half contains transmitter source ID, and either a destination receiver ID or a talk group ID Second half contains cryptographic information Headers are never encrypted! Supports encryption through AES, 3DES, and DES Replaces cleartext FM broadcast

Radio Operation Models Simplex Operation Communication goes from one transceiver to another. Repeater Operation All communications are relayed through a central transceiver that broadcasts them out with higher power. Digital repeaters allow linked communication between distant precincts. Trunking Operation Spread-Spectrum communications Central controller dynamically allocates bandwidth on a set of channels to allow for multiplexing. Allows for virtual channels, where users can have more separate conversations simultaneously than there are available frequencies.

P25 Encryption Pre-shared symmetric key algorithms are used for all encryption. Keys can be entered manually with special hardware, or over the air via a secure protocol There s no method for quickly entering or creating new keys. Since users cannot rely on bit-for-bit fidelity when communicating via radio in real-world environments, standard cipher modes (like CBC) cannot be used. Converts block ciphers like AES and DES to stream ciphers via output feedback mode Shared key is used to encrypt output from a seeded PRNG, then XOR ed with the plaintext Stream ciphers are vulnerable to known-plaintext attacks when used without message authentication, which radio precludes

Metadata Leakage While P25 provides the capability to encrypt metadata, it s rarely (never) used. Individual unit ID numbers are transmitted in cleartext with every header frame. While tracking a unit s physical location requires an RDF setup, this information still allows an attacker to gain privileged knowledge Traffic Analysis Proximity detection

User Tracking When the receiver receives a frame that was meant for it, it will silently throw an error and transmit a re-transmit request. No warning is ever shown to the user about frame decoding failure, or about retransmitting a request. Fairly trivial for an attacker to repeatedly transmit a beacon, then triangulate the responses. Active detection is easier for this attack because of the high duty cycle on the attacker s transmitter.

Userland Issues A lack of standardized interfaces across devices makes it difficult to configure security options consistently. All handheld devices the researchers examined failed to provide a clear indication as to whether the device was transmitting in encrypted mode. Visual cues on the screen are rarely looked at The physical switch can be accidentally turned Audio cues are ambiguous Devices operating in encrypted mode will still receive cleartext transmissions, leaving no indication that data is leaking.

Jamming Techniques For narrowband FM broadcast, transmissions can only be jammed by delivering a 2-4x stronger signal to the receiver Very loud and obvious - the radio equivalent of a DDOS attack Spread spectrum communication can help prevent the signal from being consistently overpowered Digital modulation requires more fidelity, so it can be jammed by a signal 1x as strong as the desired signal P25 filters out frames by examining the talkgroup ID in the header, meaning that an attacker can cause frames to be dropped simply by jamming the bits associated with the talkgroup ID

Jamming In-Practice Once an attacker synchronizes with the P25 data stream, they need only transmit during the talkgroup ID bits, which last for about 1/100th of a second. At such a low duty cycle, it s very difficult to accurately triangulate a signal s origin An attacker could watch for the encryption header and only jam encrypted frames, forcing users back to cleartext communications Using a modified children s toy, the authors were able to jam encrypted communications between a nearby receiver and base station

Active Listening The authors spent two years recording unencrypted transmissions from local authorities. They intercepted, on average, 23 minutes of cleartext audio per day on channels that were meant to be encrypted. This audio contained communications by major (federal) government agencies, and sensitive details about police operations that could have compromised certain situations. Often, user interface failings led users to believe that they were talking behind encryption when they were not. The sensitivity of the conversation material did not seem to change even when users knew they were in cleartext.

Outreach The authors contacted agencies identified by their P25 listening and advised them on means to improve their security practices. Encryption could be locked on or off for any given channel in the user interface, preventing accidental cleartext transmission. Frequent key rotation likely causes more trouble than it prevents Issues with rotation train P25 users to simply expect encrypted communications to malfunction.

Mitigations Symmetric key cryptography exacerbates the logistics issues. Anything that requires bit-for-bit precision isn t going to work well over raw radio waves Proper use of spread-spectrum technology could minimize jamming. This is what spread spectrum was originally designed for It s available for P25 radios, just not widely used as a jamming prevention technique Certainly used to exploit available radio bandwidth. Metadata should be encrypted by default whenever voice encryption is enabled. Protocol should be restructured to prevent jamming by blocking just a few bits Receiver ID could rotate within data portion

Issues with over-the-air cryptography Encryption attempts to increase entropy of a message to make it indistinguishable from random noise Robust radio protocols attempt to make it as easy as possible to distinguish a signal from the background noise. Recoverable patterns in encrypted data have been used to eavesdrop on VOIP communications[1]. 1 - Spot me if you can: Uncovering spoken phrases in encrypted VoIP conversations (Usenix 2008)

Discussion Is it reasonable for law enforcement agencies to be concerned about these attacks? What steps can be taken to mitigate the attacks described by this paper? Is it the responsibility of developers to prevent users from accidentally compromising themselves? Did the authors take sufficient steps to responsibly disclose the flaws found? Is it even possible to build a secure, high-bandwidth communication system without relying on bit-level integrity?

2024 © hobbydocbox.com Privacy Policy | Terms of Service | Feedback