P25 radios have major security flaws, say researchers


The APCO Project 25 (P25) standard, the digital land mobile radio system that U.S. public safety and federal law enforcement agencies use for interoperable communications, has major security vulnerabilities, finds a paper by University of Pennsylvania researchers.

The paper, presented August 10, 2011 at the Usenix Security Symposium in San Francisco, details how P25 radios can be jammed with a low-power attack and finds that it would be "trivial for an adversary to masquerade as a legitimate user" and inject false voice traffic.

The researchers, led by computer scientist Matt Blaze, also found that federal law enforcement users of P25 radios have transmitted highly sensitive information in the clear while believing they were using encryption.

"We monitored sensitive transmissions about operations by agents in every Federal law enforcement agency in the Department of Justice and the Department of Homeland Security," the paper states. The researchers urge a top-to-bottom redesign of P25, saying that reform should be a high priority.

P25's security problems stem in large measure from the digital protocol it uses to transmit voice and low-bandwidth data. A would-be disruptor does not have to jam an entire transmission, which in analog radio systems requires a high-powered transmitter; corrupting a 64-bit portion of each 1,728-bit P25 voice frame (the network identifier field the receiver must decode before it will process the frame) is enough, the paper says. The way P25 frames are encoded makes it "particularly easy and efficient for a jammer" to attack that subfield, the paper adds: the jammer transmits during only 64 of every 1,728 bits, so it needs roughly one twenty-seventh of the energy a conventional jammer would.
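A simple model of that selective jamming, added here as an illustration rather than taken from the paper: it assumes the 48-bit P25 frame sync value 0x5575F5FF77FF, that the 64-bit NID immediately follows it, and a 4x repetition code standing in for the BCH code that actually protects the NID. The jammer listens for the sync pattern and overwrites only the 64 bits that follow it; the receiver then drops every frame, while the jammer has transmitted one twenty-seventh of the bits a whole-frame jammer would.

```python
"""Selective sub-frame jamming of P25 voice frames: added example, not the paper's code.
Assumptions (not from the page): the 48-bit frame sync constant, the NID
directly following it, and a repetition code in place of the real BCH code."""
import random

FRAME_BITS = 1728            # one P25 voice frame (LDU), as quoted in the text
SYNC_BITS = 48
SYNC_VALUE = 0x5575F5FF77FF  # P25 frame sync pattern (assumed here)
NID_BITS = 64                # the subfield the jammer targets
NID_COPIES = 4               # 16-bit NID value sent 4 times = 64 bits (stand-in for BCH)


def int_to_bits(value, width):
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def encode_nid(nac, duid):
    """NID carries a 12-bit network access code and a 4-bit data unit ID."""
    return int_to_bits((nac << 4) | duid, 16) * NID_COPIES


def decode_nid(bits):
    """Majority-vote decode; None means uncorrectable (receiver drops the frame)."""
    value = 0
    for pos in range(16):
        ones = sum(bits[pos + 16 * c] for c in range(NID_COPIES))
        if ones == NID_COPIES // 2:
            return None
        value = (value << 1) | (1 if ones > NID_COPIES // 2 else 0)
    return value >> 4, value & 0xF


def build_frame(nac, duid, rng):
    """Sync + NID + random stand-in for the (encrypted) voice body."""
    body = [rng.randint(0, 1) for _ in range(FRAME_BITS - SYNC_BITS - NID_BITS)]
    return int_to_bits(SYNC_VALUE, SYNC_BITS) + encode_nid(nac, duid) + body


def receiver_accepts(frame, expected_nac):
    """A receiver discards a frame whose NID fails to decode or whose NAC mismatches."""
    if frame[:SYNC_BITS] != int_to_bits(SYNC_VALUE, SYNC_BITS):
        return False
    decoded = decode_nid(frame[SYNC_BITS:SYNC_BITS + NID_BITS])
    return decoded is not None and decoded[0] == expected_nac


def selective_jam(stream, rng):
    """Find each frame sync and overwrite only the 64 NID bits after it.
    Returns the corrupted stream and the number of bits the jammer transmitted."""
    stream = list(stream)
    sync = int_to_bits(SYNC_VALUE, SYNC_BITS)
    sent, i = 0, 0
    while i <= len(stream) - SYNC_BITS:
        if stream[i:i + SYNC_BITS] == sync:
            start = i + SYNC_BITS
            for j in range(start, min(start + NID_BITS, len(stream))):
                stream[j] = rng.randint(0, 1)  # jammer overpowers the signal only here
                sent += 1
            i = start + NID_BITS
        else:
            i += 1
    return stream, sent


def simulate(frames=50, nac=0x293, seed=1):
    """Build a clean stream, jam it, and count what the receiver still accepts."""
    rng = random.Random(seed)
    clean = []
    for _ in range(frames):
        clean += build_frame(nac, 0x5, rng)
    jammed, sent = selective_jam(clean, random.Random(seed + 1))

    def accepted(s):
        return sum(receiver_accepts(s[k:k + FRAME_BITS], nac)
                   for k in range(0, len(s), FRAME_BITS))

    return {
        "frames": frames,
        "accepted_clean": accepted(clean),
        "accepted_jammed": accepted(jammed),
        "jammer_bits": sent,
        "full_jam_bits": frames * FRAME_BITS,
        "duty_cycle": sent / (frames * FRAME_BITS),
    }


if __name__ == "__main__":
    print(simulate())
```

With the default arguments, `simulate()` reports all 50 clean frames accepted, none of the jammed frames accepted, and a jammer duty cycle of 64/1728: the 27:1 energy advantage (at equal instantaneous power) that makes the attack low-power. The jammer never needs a key, because the sync pattern and the NID it keys on are both sent unencrypted.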

In addition, because P25 was designed to tolerate transmission errors, not every bit of a frame is encrypted. "This was a deliberate design choice, to permit undetected corruption of portions of the frame that are less important for intelligibility," the authors note. Combined with the absence of any sender authentication, it means an adversary can easily inject false voice traffic, even into a group whose radios have been configured for encryption and have it enabled.

Because the indicator that marks a transmission as encrypted is itself sent unencrypted, a jammer could also selectively target encrypted frames and leave clear ones alone, pushing users to fall back to in-the-clear transmissions, the paper says.

Users accustomed to unreliable cryptography might make that switch without pausing to consider the possibility of an attack.

And users probably are that accustomed, the paper says, because of a cumbersome cryptographic keying model and an ambiguous user interface. P25 radios must be loaded with an encryption key either from an external keyloader device or by over-the-air rekeying (OTAR) from a key management facility (KMF) server. Users cannot create an ad hoc key for short-term use if it becomes apparent that a peer's radio holds an obsolete key, so when radios in a group fall out of sync in their keys, every user must revert to clear transmissions if they are all to communicate.

P25 radios also offer no configuration option to reject in-the-clear traffic, the paper says, which means a radio mistakenly switched to clear mode will continue to be heard by encrypted radios, without its user necessarily knowing that the transmission is no longer encrypted. Accidentally switching from encrypted to clear mode is easy to do when changing channels on the Motorola XTS5000, the radio the researchers examined, and the radio gives little indication that the mode has changed, the paper says.

Over the course of two years the researchers monitored in-the-clear P25 traffic in two U.S. metropolitan areas with inexpensive off-the-shelf equipment and found repeated examples of users transmitting in the clear to an encrypted group. Because the user who had probably switched to clear mode by accident still held a valid encryption key, and because the other radios in the group received both encrypted and clear messages without any obvious indication of which mode a transmission was sent in, the group usually failed to notice what was happening, the paper says.

At other times an entire group of users believed it was operating in encrypted mode when it was in fact operating in the clear. More than once, one user gave another instructions for what both believed was switching to encrypted mode, when the steps described in fact set the radio to clear mode, the paper says.

Among the information the researchers saw transmitted in the clear were the names and locations of criminal investigation targets, the names and other identifying details of confidential informants and undercover agents, and the locations of surveillance operatives and their vehicles.

Along with a complete redesign of P25, the authors also suggest that users minimize how often a radio must be rekeyed, changing keys only after long intervals or when a radio has been lost. They also say radios should be configured, or "strapped," so that a given channel is always encrypted or always clear, rather than leaving the choice to a switch the user can flip by mistake.
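The receiver behaviour described above (a radio accidentally in clear mode, or an outsider with no key, being heard by an encrypted group with no warning) and the strapping recommendation, side by side in a small model. This is an added example, not the paper's code and not any radio's firmware: the ALGID values are the P25 standard's (0x80 means unencrypted), but the radio class, the policy map, the XOR stand-in for the real cipher and the log tuples are assumptions of this example, and the traffic is constructed.

```python
"""Mixed clear/encrypted traffic on one talkgroup: stock P25 behaviour
versus a strapped channel. Added example; all radio behaviour here is a
model, not a description of any vendor's firmware."""
from dataclasses import dataclass

ALGID_CLEAR = 0x80   # P25 "unencrypted" algorithm ID
ALGID_AES = 0x84     # P25 AES-256 algorithm ID


@dataclass
class VoiceFrame:
    talkgroup: int
    unit_id: int
    algid: int      # transmitted unencrypted even on encrypted calls
    key_id: int     # likewise unencrypted
    payload: bytes  # voice; encrypted iff algid != ALGID_CLEAR

    @property
    def encrypted(self):
        return self.algid != ALGID_CLEAR


def toy_crypt(data, key):
    """Stand-in for the real cipher: XOR with a repeating key (assumption)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class Radio:
    """strapped maps talkgroup -> True (always encrypted) / False (always clear).
    A talkgroup absent from the map gets the stock behaviour: play anything."""

    def __init__(self, keys, strapped=None):
        self.keys = keys                  # key_id -> key, from keyloader or OTAR
        self.strapped = strapped or {}
        self.log = []                     # (action, unit_id, reason) audit trail

    def receive(self, f):
        if f.encrypted:
            key = self.keys.get(f.key_id)
            if key is None:
                self.log.append(("muted", f.unit_id, "unknown key"))
                return None
            audio = toy_crypt(f.payload, key)
        else:
            audio = f.payload
        policy = self.strapped.get(f.talkgroup)
        if policy is not None and policy != f.encrypted:
            # Strapped channel: refuse the mismatched frame and record why.
            reason = "clear on encrypted channel" if policy else "encrypted on clear channel"
            self.log.append(("rejected", f.unit_id, reason))
            return None
        # Stock behaviour: no sender authentication and no mode warning to the user.
        self.log.append(("played", f.unit_id, "encrypted" if f.encrypted else "clear"))
        return audio


def jammer_targets(stream):
    """A selective jammer's view: the encryption indicator is readable without any key."""
    return [f.unit_id for f in stream if f.encrypted]


def demo():
    key = bytes.fromhex("0f1e2d3c")                 # constructed sample key
    tg = 100
    stream = [                                      # constructed sample traffic
        VoiceFrame(tg, 1, ALGID_AES, 5, toy_crypt(b"ok copy", key)),
        VoiceFrame(tg, 3, ALGID_CLEAR, 0, b"on scene at the target address"),  # accidental clear mode
        VoiceFrame(tg, 2, ALGID_AES, 5, toy_crypt(b"unit 7 relocating", key)),
        VoiceFrame(tg, 999, ALGID_CLEAR, 0, b"all units stand down"),           # injected by an outsider
    ]
    stock = Radio({5: key})
    strapped = Radio({5: key}, strapped={tg: True})
    stock_out = [stock.receive(f) for f in stream]
    strapped_out = [strapped.receive(f) for f in stream]
    return stock.log, strapped.log, jammer_targets(stream), stock_out, strapped_out


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The stock radio plays all four frames, including the accidental clear transmission and the injected one, and its log never says which were encrypted and which were not; that is the situation the researchers observed. The strapped radio plays only the two encrypted frames and logs a rejection for each clear one, so a user who drops into clear mode is noticed immediately. `jammer_targets` shows why the selective jammer in the paper needs no key: it picks frames by the unencrypted algorithm indicator alone.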

For more:
- download the paper, "Why (Special Agent) Johnny (Still) Can't Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio System" from the Usenix website (.pdf)
- visit the page the researchers set up on Matt Blaze's site (crypto.com) with tips on how to mitigate the P25 security flaws

Related Articles:
Boyd: P25 doesn't necessarily mean interoperable
Public officials frustrated with slow P25 progress