Like to introduce Matt Blaze. He told us he's a professor at U Penn, where he does various kinds of hackery, and I have to say, one of the very few times I'm ever going to say this: if there's an academic paper with this man's name on it and you like what he's talking about, you probably want to read it, especially all this fun P25 stuff, but quite a bit of other things. It's very interesting, and just the silly things this man does to get himself in trouble but somehow gets out of trouble. I really can't speak too highly of his work. So today we'll be talking about SIGINT for the rest of us. So thank you very much, Matt.

Okay, so thanks. Hope you can hear me. Hi, morning. Congratulations for making it up before the crack of noon, which is an accomplishment, at least for me. So I'm going to talk a little bit about some work I did in my lab with a bunch of incredibly talented other people, including Sandy Clark, Mouse, who I think everybody either knows or should know, and she's around somewhere, and Travis Goodspeed, a, you know, a hacker of ill repute who is also around, as well as Perry Metzger, Zach Wasserman and Kevin Xu, who are undergraduates in my lab. So I got this grant from the National Science Foundation. There's nobody from the National Science Foundation here, right? Okay. So they give us this pile of money to look at security in open telecommunications networks, and basically that kind of meant, I think they thought that that meant cell phone networks, and I thought, okay, that's kind of interesting to look at, but we decided to start out by looking at other kinds of wireless communications networks, and I just decided, you know, kind of on a lark, to look at the security standards used by public safety two-way radios, in particular the P25 standard. And so, you know, that was kind of an excuse to buy lots of RF equipment and start playing with it in the lab and putting antennas up and
doing all sorts of fun stuff that, you know, kind of otherwise you don't normally get to call research. And, you know, as soon as I put in a receiver, we turned it on and noticed that we could demodulate a digital signal, and there's this, like, surveillance operation going on literally, like, two blocks away, and they're reading off license plates and describing people, and I could look out the window and see the people they were describing. And this was, like, literally in the first 45 minutes after unpacking this fancy-pants piece of RF intercept gear that we had picked up, and I thought, hmm, that's interesting, I'll bet they think that this is secure.

And so what is this? So there's a system called APCO Project 25, which is the successor to something called APCO Project 16. So I'm not sure what happened to nine of them in there along the way. This is the current standard for digital two-way radio for public safety and federal users. And so there are two kind of dominant standards for digital land mobile radio. One of them is DMR; a lot of hams like DMR. An incompatible but remarkably similar standard is called APCO Project 25. It started a little bit earlier; the standards started in the early 1990s, and the intention was to be a drop-in replacement for analog FM radio, which means narrowband channels, 12 and a half kilohertz channel spacing, and some modulation technique that would fit into the same size channel as an existing narrowband FM but also allow it to be digital, allow a messaging service, but the primary application being the same kind of two-way voice.

Okay, so this is, first of all, an interesting limitation right from the beginning, because if you were designing a digital communication system completely from scratch and you just got all the spectrum in the world that you might want, you would probably prefer a spread spectrum style option, which has all sorts of properties
that are in a lot of ways much more favorable than individual channelized spectrum use. But this is, you know, starting out with a kind of legacy problem, but this is the state of the art.

Now, they added later on cryptographic security options to the P25 standard, so this was, you know, not exactly an afterthought, but it wasn't part of the initial standard. So they kind of figured out the bearer channels and all of the basic signaling and the modulation and the vocoder, and then they said, we should definitely get a working group to come up with crypto standards for this. So throughout the 1990s they were kind of grafting on more and more crypto standards, and then 2000, kind of, the first encrypted versions of P25 equipment started to become commercially available on a wide scale and deployed on a wide scale, and the encryption standards, the security standards group working on P25 continues its work today. So this was not something that security was really designed in top to bottom from the beginning. So here we are, a group of radio geeks at a security geek oriented conference, and you can kind of, you know, from the beginning your skepticism should be, you know, heavily attuned.

Okay, so here's some, you know, examples of typical P25. This is a Motorola XTS 5000; that's the radios that the goons use here. So this is kind of a first generation or second generation of the subscriber equipment that's available. Motorola is by far the dominant vendor, although there are other vendors of the equipment. Motorola is also, interestingly, the only vendor that produces key loaders, so if you want to use the encryption option you're kind of bought into Motorola as it is, because they're the only company that actually makes the equipment that can load keys into the radios. So there's a fairly wide range of equipment. All of it is shockingly expensive. You know, here's, these can be bought on the
surplus market for, you know, in the neighborhood of 500 bucks. This is the current latest and greatest version of this. This is an all-band, that is VHF, UHF, 700, 800 megahertz, P25 radio. It has speakers on both sides and the keypad and a fancy display and, you know, it costs some shockingly large amount of money, but it can, you know, interoperate with anything. So there's a fairly wide range of equipment available, and, you know, they look like walkie-talkies from police movies in the 1980s, because they're all kind of big and clunky.

Okay, now, the P25 is intended primarily for public safety users, so police, fire, ambulance services. Not all of them need security options, and the basic model for it, you know, is assuming things like traffic analysis and so on, even for the encrypted users, are not a particular threat. But in fact, if you kind of poke around, you can see that, well, here's an encrypted radio standard that exists and you can just buy off-the-shelf equipment and it has some security options, so it has more different kinds of users than it was designed for. Here's a picture, I believe this was from Afghanistan, and if you look really closely you can see one of those XTS 5000s on the front of that warfighter. Here's a photo from a White House event. This is the back of a, oops, back of a Secret Service agent who has a P25 radio in her evening gown with one of those little earphones. So these are used by everything from the military to the Secret Service to, you know, pretty much all of the federal law enforcement agencies, but also, you know, local police and fire and so on.

P25, by the way, can work with both trunked and conventional systems, so you can kind of drop it into a trunk system or you can just drop it into conventional repeater to analyze options; it has both. For the most part, state and local is using trunk systems more than non-military federal,
military is using chiefly trunked systems, federal law enforcement is using chiefly conventional systems, although, you know, this varies based on areas.

So how does this work? Okay, so basically you have an existing narrowband channel, and so the first question is how much bandwidth can you fit in there digitally, and they're being fairly conservative in that they're using 4800 symbols per second. Those are two-bit symbols, so that's 9600 bits per second for the encoding, which pretty comfortably fits into a 12 and a half kilohertz channel if you kind of do the Nyquist math, and it can kind of coexist relatively comfortably with analog FM in that it, you know, has a pretty similar shape of the curves and the spillover to adjacent channels.

So the vocoder for the audio is a proprietary system called IMBE. Most DMR and so on is using AMBE. This is very, very similar except it's incompatible; that's its main difference. But it's, you know, fundamentally very similar. The audio sounds very the same. It does a respectable job of replicating human voice in 9600 bits per second. Interestingly, it really, really, really wants to be implemented in hardware. If you do a software implementation you need a pretty fast computer to keep up with the audio streaming, particularly on the decoding side, so you really want hardware to be able to just do the vocoder digital-analog conversion for that.

The way they do this is they basically have a train of voice frames that are each 1728 bits long, which, if you divide this up, is 180 milliseconds of audio. So every 180 milliseconds of audio is kind of separately encoded into these two voice frames that they've got. Now, it's not quite that simple. In fact, there are two kinds of these voice frames, called a logical data unit one and a logical data unit two. They both contain 180 milliseconds of audio. The difference is that half of the metadata that's thrown along with it is in the
first one and half is in the second one, and they keep repeating, and the idea is that after two of these frames you've now got enough information to start decoding the rest of it and you have all the metadata that's associated with it.

Now, another interesting kind of design constraint, and this is no surprise to radio geeks but is a surprise to computer security and protocol design geeks, is that even though we call these things two-way radios, this is a one-way protocol, right? This is a broadcast-oriented protocol. And, you know, I'm stating the obvious kind of slowly, partly because I'm a professor and that's what I do for a living, but also because this will be important as we go forward. When you're designing a security protocol, almost all of the security protocols that we design, you know, involve two-way handshakes between the initiator and the responder, and we tend to design protocols in which I say, here's what I'm about to send you, here's my key material, send me yours back; oh yes, we're happy to communicate now, we've done our handshake and we are synced up. And almost everything that we know how to design starts with the premise that you can do round trips between the sender and the receiver. Here, even though all of the receivers have the capability to transmit, we're operating on a broadcast model in which you basically put stuff over the air and it is up to the recipient to pick out everything they need to decode it without any round trips with you, and that's partly so that you don't have to know who all the recipients are in advance and you have kind of a broad, standard broadcast model. Now, there are a few things that do involve round trips for the messaging protocols that are built on top of this, but chiefly this is basically a one-way protocol for two-way radio.

Okay, so how does security get grafted on to this? Okay, first of all, there is no public key cryptography at all, and that's unsurprising
given that this is a one-way protocol. Instead it's built entirely based on symmetric encryption. You know, it supports AES, DES and a couple of proprietary systems that you'd never want to use, most of them are 40-bit RC4, as well as an option to include Type 1 classified ciphers, or Suite A classified ciphers as they now call them, although I have never seen any evidence in the wild of anything other than AES and DES and God-awful RC4 being used out there in the field. Almost everybody on current systems is using AES, DES or RC4 in practice.

The keys need to be loaded into the radio in advance, you know, before being able to be using them, and the sender and recipient have to share keys because it's, you know, symmetric key encryption. Now, keys can get into these radios in one of two ways. One way is to use a key loading device. So if you were to look at these radios, if you have very good eyesight you can look at mine, if you don't have good eyesight buy one and look at it, you can see there are a whole bunch of pins on here. So a couple of them are serial ports that go directly into the encryption module, so there's a kind of direct path into the encryption module to the key loader that can blast key material into the radio. Another way to do it is through an over-the-air protocol called OTAR, over-the-air rekeying, in which the radio has an initial key set up dedicated to it. It can communicate with a base station to get the current traffic keys to be used over the air, and essentially it's up to the radio to have the correct keys that are being used by whatever group they're communicating with, and if you don't have the correct keys you're out of luck, and if you do, then great. Now again, there are no sessions in a communication because this is a one-way protocol. You just transmit, you encrypt, and you now can be received by people who have the key material who are tuned to the correct channel.

Okay, so that's the kind of security model. Now, that
security model means the sender makes all the security decisions. The recipient has no role in negotiating with the sender. The sender basically has to select encryption to be turned on, and it's up to the receiver to receive. Now, this design is intended for public safety users, that is, the people who they were thinking of when they designed this were cops and firefighters and paramedics out there in the field, and the model for them is you want to err on the side of ability to communicate. And so they made a design decision that actually makes a lot of sense for that category of users, which is that receivers try aggressively to receive. If you send something with a key and the receiver has that key loaded in their radio, they will demodulate it. If you send something in the clear and the recipient is set to encryption mode, they'll demodulate it. So we err on the side of demodulation, and that kind of makes sense because, you know, you're saying, help, someone shooting at me, I hope my mic wasn't peed, help, someone shooting at me, you really want people to be able to receive it if your crypto switch was in the wrong place. Okay, so there's no authentication, and there's no protection against things like replay or anything like that, because those all require the concept of a communication session that doesn't exist.

Okay, so we looked at this protocol and we discovered a number of weaknesses of the design. First of all, it's pretty ad hoc. The security stuff was clearly grafted on at the end, but interestingly, all of the bearer channel encryption stuff does not make a lot of the mistakes that you could make. For example, you know, if you XOR the first frame with the second frame the key doesn't fall out, right, or anything like that. So they seem to have done the actual AES/DES encryption reasonably competently, with the exception that there's no authentication built in, but in terms of actually successfully
encrypting when the encryption is turned on, it seems to actually do that without any embarrassing cryptographic mistakes that we've found yet. You know, I have to add that. But it does have some significant protocol weaknesses that can be exploited in practice. Some of them are consequences of the lack of authentication. Some of them are consequences of the enormous susceptibility to traffic analysis, which I'll talk about in a second. In particular, there seems to have been a simple mistake made, that there's metadata sent that includes a unique unit identifier for every radio. So your radio has a unique serial number that it sends over the air with each packet. If you turn encryption on, that stays in the clear, so even if you're encrypting, somebody doing intercept can kind of keep track of what units are in the area, when they're on, when they're off, what channels they're on, and who they're working for. And that appears to have simply been a design error in the way it was constructed; it doesn't appear to be necessary for anything about how the system operates.

The second is we found that it was vulnerable because of the way they're doing forward error correction. Radio systems really need some sort of error correction going on. They do something very aggressive in that they error correct every metadata field separately. So we send things like the unit ID, and that has its own error correction, and then we send the what-kind-of-a-packet-is-this, and that's error corrected separately, and then we have the bulk voice, and that's sent separately. And that turned out to allow for a uniquely favorable-to-the-attacker denial of service attack, where this is the only system I've seen that requires less energy to jam than it does to legitimately use. So usually you want to design a system where you need more energy to jam; this actually requires less, and I'll describe how you'd actually do that. So here's some, sort of, here's the smart stuff we found.
Okay, first is that voice traffic is not authenticated, and one of the things that that means is that you can replay encrypted traffic at will. So you might not be able to demodulate it, but you can just grab the RF off of it and play it back and it will happily do that in the voice of whatever they said, and if you can figure out what's going on, you might be able to use that to your advantage as an active attacker.

Another issue is the susceptibility to both passive and active traffic analysis. So passive traffic analysis is easy because even when encryption is on, the 24-bit unit ID is sent in the clear, but that only works when they choose to transmit. So we also found an active attack that allows you to ping radios to basically induce them to transmit, and the interesting thing about this is that it takes advantage of the one area of the data service that does actually do authentication, except this system includes both ACKs and NAKs. So if I send you a text message over this and you have the correct key material to decrypt it, you'll send back an "I got your text message." If I don't have the correct key material to decrypt it, it will send me back a "get lost, you don't have the right key material," with the unit ID helpfully included. And so what that means is that you can create kind of Harry Potter's Marauder's Map of all of the local law enforcement agencies by simply going down the list and pinging and setting up a little system to direction find and triangulate where they're located, and you can do that, you know, with kind of SDR equipment and three or four base stations at regular intervals and do it infrequently enough, occupy little enough bandwidth, that nobody is ever going to notice.

Okay, so that is probably more of a threat for the military users than it is for the local public safety, because police cars have, like,
markings that say police on the side and lights and sirens, so, you know, where they're located isn't all that secret, but military operations are often kind of concerned with this sort of stuff.

Okay, so denial of service was kind of the most fun of the active attacks that we saw. So here's basically the idea. So there's this aggressive error correction going on, and what that means is every field of the 1728-bit, 180-millisecond frames, every subfield of that, is separately error corrected. One of those subfields identifies what kind of packet this is. One of the types of packets is "this is a voice frame," and basically there's four bits encoded over 64 bits that say, you know, this is a voice frame, this is a text message, this is something else. If the recipient isn't able to decode that frame, they ignore the rest of it, because it basically tells you what the meaning of the rest of the frame is, sent toward the beginning. Now, helpfully, this frame is sent immediately after a synchronization frame that tells you, I'm about to send you this all-important 64-bit error corrected field that you very definitely want to be able to receive. So you could in principle, you know, jam 32 symbols out of 864 symbols and render the entire 864 bit symbol packet unusable by the recipient, just by selectively, at the right time, transmitting more energy than the recipient for that brief instant of time. And, you know, if you do a calculation, that means the energy that you're using compared with the legitimate user is 14 dB less than you're required to communicate. So this is phenomenally awful in terms of traffic analysis resistant, and it helpfully provides a synchronization symbol built in for you to use.

So we really wanted to kind of implement this attack, and, you know, we were thinking about, well, how do we implement this? Well, we're going to have to build some sort of SDR, and we're going to have to load some custom FPGA in there in
order to be able to get the timing right to decode this synchronization frame. This is going to be really expensive. We better ask the NSF for more money so we can buy, you know, big racks of equipment. And then Travis came along and said, oh, I can do that. And so what Travis did is he took this little device called a Girl Tech IM-Me instant messenger, which he observed has a chip in it that does an over-the-air C4FM protocol similar enough to P25 that it can be abused into decoding it in real time, and then he loaded some firmware, this is the same device that he also built a spectrum analyzer out of, he loaded some firmware into it to recognize the synchronization train and transmit well above its designed maximum power for the few milliseconds required to jam those 32 symbols at just the right time.

Now, these devices are kind of interesting. They were marked, first of all, the chip that you want is called a TI CC1110, but the chip costs more than these devices do on the surplus market. So you can buy these for about 10 bucks a pair on eBay, although after we give this talk the price goes up a little bit, so, you know, wait a little while. You can buy these things on eBay. The development kit with a sample chip costs about 40, but you can get two of them for about 10 in these, and this hopefully comes with a power supply and a nice purple case. And so we call it the My First Jammer, and basically it will look for the synchronization train on a given channel and transmit. Now, that's sort of interesting because this also gives you about a 20 dB price advantage, assuming that power is money, over the legitimate user as well. The jamming equipment is both low energy and phenomenally cheaper than this stuff, and you can imagine sprinkling these around a metropolitan area. Ideally you'd want to put them near the receivers of repeaters so that they just
jam the equipment, so that you can get the maximum energy advantage that you have, and this would be a fairly economical thing to do. Don't do this, by the way.

Okay, so that was one thing you could do, but okay, that just causes havoc. You know, turning off your local FBI surveillance or whatever is one thing, but another more interesting use of this might be to train your local law enforcement agency that encryption doesn't work. And so rather than just looking for the synchronization train, what we looked for was the synchronization train followed by the packet type that says this is encrypted, and only jammed encrypted traffic. And so you can selectively jam only certain kinds of signals to train users in various kinds of behavior that you'd like.

Now, when we published this paper, kind of an interesting side note, at the same time our paper came out, Kevin Mitnick's memoir of his life on the run came out, and apparently he was, back in the old analog days, monitoring the FBI people who were looking for him, and they had some encrypted radios as well at the time, although this was before P25, and he was really annoyed when they would switch to encrypted mode, and so he apparently got a walkie-talkie and anytime he saw encrypted traffic he would jam it, and eventually he would hear them in the clear say, "Is it working now?" "I don't know, there was something wrong with the switch." So it turns out we had a sort of parallel discovery of the same attack, except that we didn't actually go on the run and field this, I will point out.

Okay, so how does this work in practice? Okay, so this symbol is the symbol on the encryption switch. As you can see, it's very obvious what it is. So, you know, there are some potential usability problems with these systems. One is that there's poor feedback about whether you're
encrypted when you're using the radio. So basically the recipient does nothing about this. The transmitter makes all the decisions, and whether it is in encrypted mode or not depends entirely on the toggle switch on the radio, and I'll show you what that looks like in a bit. The second problem is that the over-the-air rekeying protocol is used to very frequently rekey sensitive agencies, because we all know that you're supposed to change your passwords more frequently to make them more secure, and that is also federal practice for crypto keys for sensitive agencies as well, and the more sensitive the operation, the more frequently they're expected to rekey. Unfortunately, the over-the-air rekeying is itself... oh, you are the best person on earth, thank you, sir. This is not vodka, right? Okay. So unfortunately the over-the-air rekeying protocol itself is an unreliable protocol, and what often happens is some users rekey to the new key while other users are left with the old key. There's no mass synchronization that causes everybody to switch over at the same instant, and so if some users have old key material and some users have new key material, they can't interoperate with each other.

Now, there was a famous paper by Alma Whitten and Doug Tygar from 1999 called Why Johnny Can't Encrypt, and the interesting thing is that this paper made almost exactly the same observations that we made about P25 radio usability about PGP email usability, and, you know, it is almost as if the designers of the system looked at that paper and said, well, we can't give them a monopoly on these mistakes, you know, we're going to do this ourselves.

So here's the Motorola XTS 5000 radio, and this is how it is set up in clear mode, and this is what it looks like when you're using it in the clear mode, and, you know, that's what the display looks like and that's what the radio looks like. And on the other hand, when it's in secure mode,
that's how you configure it. Now, what's the difference between those two things? Well, there are two differences, for those of you who are very sharp-eyed and pedantic. One is that there's this little circle with a slash through it that shows up on the display, and there's a toggle switch there with a circle versus a circle with a slash through it. Now, the interesting thing is that there appears to be great disagreement among the users about which one of these means encrypted and which one of these means clear, or what it does at all. The only precedent I can find for these exact symbols being used is car air conditioner vents, for open and close. So the metaphor appears to be open versus closed, but on the one hand the circle with the slash through it might mean don't, versus the open one meaning okay, go ahead and do, and a lot of people have really said, you know, that's obviously what it means, whereas other people think, well, obviously the circle and the slash through it means do. And so there's great disagreement about which is which, but it doesn't really matter, because you're talking into a different part of the radio and can't see any of these things when you're actually transmitting.

So what happens? Well, it becomes very easy for users of this system to inadvertently mix clear mode and encryption mode, and, you know, it's very easy for one user to be in the clear while other users are encrypted, and if they all have the same key material they're communicating quite successfully when they're doing this, just with more people than they think they are. And that happens, as we will see in a moment, fairly frequently.

The next problem is this cumbersome rekeying. The over-the-air rekeying protocol is unreliable, users tend not to have current key material, and there's no real way to do ad hoc rekeying in the field. And so this is the Motorola key loader. It's kind of larger than the
radio, and they're really expensive and cumbersome and they erase keys on their own fairly often, and you kind of plug it into the radio to load keys into it. So that's one way; the other's with this over-the-air protocol.

So one of the questions we wanted to ask is, we discovered a whole bunch of active attacks and a whole bunch of passive attacks. We discovered ways to jam these systems, we discovered ways to see who is where by pinging radios, and we discovered a number of ways in which encryption potentially could be turned off. Now, I'm old enough to have been at the Crypto '95 conference in Santa Barbara, and Crypto '95 was particularly notable. Crypto's the conference where crypto geeks, they meet in Santa Barbara, not Las Vegas, they're smarter than we are, every year in August and have a big beach barbecue and give talks. They invited as their keynote speaker a fellow by the name of Bob Morris, used to work at Bell Labs and then went to work for the National Security Agency, so it was a kind of big coup to get him to come and give a public talk at the Crypto conference, and he said he would. And what he talked about was, he got up on stage and he said, I'm going to tell you NSA's first rule of cryptanalysis, and I got out my pen and everybody said, oh, NSA's first rule of cryptanalysis, this is going to be good. NSA's first rule of cryptanalysis, according to Bob Morris, is: first, look for clear text. And so we decided to take that to heart and see how successful a SIGINT operation is if it simply looks out there for SIGINT, that is to say, we decided to build the Wall of Sheep at a large scale. So, you know, how much unintended sensitive P25 clear text is there in the field?

So, you know, we don't quite have the resources of NSA, and this was about 2010 that we kind of started to do this, so we were looking at kind of 2010 technology for our model. So one
question is how would you build such a thing? So first of all you'd need to get some locations to put sensors, to put receivers, and, you know, if you were a national government you might put them in your embassies in different places or rent spaces on towers or what have you. You know, we just used all of our friends in as many cities as we could find, and that basically means we could find sites in Philadelphia, which is where we are, and we had one up in New York and one in central New Jersey, and we had one in Boston for a while and Chicago for a while and Berkeley for a while and so on. So we just ad hoc picked some of the metropolitan areas that we had friends who were good enough friends to say, we're going to put this box with an antenna in your apartment, don't ask any questions, and hook it up to your network, and, you know, who said yes. And so, you know, we basically built a little sensor monitoring network in these various cities.

But now the question is, well, what actually should we monitor? So it turns out there are two frequency bands used by the federal government. We decided to focus specifically on federal law enforcement users who are doing sensitive stuff that is not ever supposed to be in the clear. And so, you know, there are a lot of different federal users. A lot of them are completely unsensitive, right? The post office trucks have radios in them and they use those frequency bands, but those same frequency bands are also used by, you know, Homeland Security Investigations and the Secret Service and the FBI and the Postal Inspector and Customs and all of these other various agencies. So the first task is to figure out what channels they're using. There are about 2,000 discrete channels allocated exclusively in VHF and UHF to the federal government, in the 162 to 174 band and in the 406 to 420 band, and, you know, 12 and a half kilohertz spacing between them. A lot of them
are are not in use uh in any given area uh a lot of them are used by nonsensitive agencies but mixed in there are some that are used by sensitive agencies so today if we were doing this what i would do is go and buy a sort of medium end sdr something along the lines of a lime sdr get one for each band uh conceptually that has enough um output uh throughput to be able to record all of the spectrum uh for later offline analysis within all of the federal frequency bands uh so in 2010 that wasn't quite true um in 2010 that would require you know in the north of a hundred thousand dollar level sdr equipment today it's the south of a thousand dollar uh levels would allow you to just record all of that uh we record all of that spectrum and pick out the p25 uh signals later for offline analysis this was not practical on our limited budget uh because actually by the time we started doing this all our money had run out um so we um uh found that the best price performance p25 receiver was a consumer grade um icom software controlled radio uh called an r2500 uh sold to the hobbyist market and it has a p25 board uh in it so it's not an sdr but it is a software controllable uh radio that has remarkably a remarkably good rf front end um for our purposes in our free and so the first thing we did was we configured this to um identify every channel with encrypted traffic on it why did we want encrypted traffic because those are the channels that have the sensitive operations on them and then we so we actually put two of these in each location one scanning looking for encrypted traffic on frequencies we don't know about and another recording all traffic and metadata on every channel that we did know about and that would allow us to not miss very much so this two receiver configuration although a bit clunky and suboptimal by modern standards effectively would allow us within a few weeks to discover a large fraction of the channels used for sensitive things and then record basically 
all the metadata and unencrypted voice traffic uh that appears uh the that appears on them um okay so what did we discover um so basically what we discovered was that with the exception of one agency um and i'll leave you to wonder what agency that was uh every federal law enforcement agency engaged in sensitive operations has um uh some unintentionally clear traffic um every day and sometimes it's entirely clear um and sometimes it's clear mixed in with um encrypted um and invariably the clear guy would be the one who has the transmissions along the lines of okay everyone hears the plan um and so um okay everyone hears the plan was one of the most common things that we would record along with all right i'm in encrypted mode now um so um uh we would actually hear that and you know if if i were less discreet than i am i would have brought a greatest hits tape of uh of uh of those things see me later um okay we we would get an average of about 30 minutes a day per agency for um metropolitan area of just unintentionally clear traffic so how sensitive is sensitive um what did we discover well we actually found kind of some of the most sensitive stuff you could imagine so we would get um the names um and other identifying features not only of the targets of surveillance but also of things like confidential informants um so you know we would you know we would hear i've got jose with me right now he's going to go and talk to the target you'll know him because he's going to be the guy wearing the white hat and uh you know and and that sort of thing so you know that's kind of useful information if you're the target um and not so great for jose if somebody picks that up um we would frequently get um and we were you know it's kind of like having your own private version of the tv show the wire which was still on uh that time we would get uh the wire tap plant that was set up to look at a target would often set up a radio base station and then it broadcasts out a summary of 
what's going on on the wire tap of the target so we would hear you know the target has just gotten a phone call from uh my favorite was an operation in which um uh there was a the target of the attack was named you know some name like we'll call him bobby but uh he was fencing um stuff that he was buying with stolen credit cards and this was a large carding operation and his fence was named louis the fence which is like the worst criminal name ever but um the um um so uh you know we would hear the ongoing uh narrative of what was going on on the target's wire tap quite frequently body wires were often uh so when they would wire up an informant the audio from an audio body wire would often be sent over a local tactical repeater more often than not in clear mode as well as traffic for um things like protective details of uh dignitaries going all the way up to the president so secret service uh and state department protective operations so you know we would you know one of the interesting things is that during the uh uh presidential conventions we would know the code names of the of the uh candidates before they would be get leaked to the news media so you know we would get a couple the secret service would start using them a few days after a few days before they got made public so uh that was uh you know that was sort of entertaining but we would also learn like where they were moving to and what the plan was and and so forth um so we would really hear a lot uh kind of some of the most sensitive stuff ever the interesting thing is we would uh and it was easy to identify what agency was what because we could uh direction find to where it was and also different agencies would be assigned different blocks of user IDs so we could use the um metadata to determine what agency was operating on a different channel because that's coordinated across the entire federal government um and um interestingly there was one agency that we have never collected a single clear 
transmission from any I guess I've told some people this but any idea uh no actually the CIA um well the CIA doesn't operate covertly within the United States but the security guards at CIA headquarters do and interestingly if you um if your car runs out of battery in the CIA parking lot they will help the security guards will helpfully um uh jump your car for you but they'll also read your license plate uh out over their unencrypted channel so no not the CIA um yeah ATF is um very entertaining um the um um the postal inspector don't mess with the postal inspector um they know what they're doing uh on encrypted radios and I actually was wondering about this and I found out and I asked a friend of mine who runs the radio system for police department he said uh and he said oh yeah I met the radio guy for the postal inspector and he was just this encryption fanatic and he basically anytime they would get a radio he would take some super glue and glue the encryption switch into the encrypted position and apparently that um uh continues uh to this day and that's why the uh the postal inspector's office don't mess with them they're uh they're they're they're serious okay so we've found you know basically what's going on we found basically there are kind of three classes of uh of mistakes going on here one is the kind of single user error where the switch is just in the wrong position for one user in a group and invariably it's the okay here's the plan guy um but um um uh somebody is transmitting part of the operation there's also kind of the group error where you have this incorrect information about what the encryption switch means and what it doesn't um and um you know no or nobody notices that they weren't and then finally you have the keying failure problem where a bunch of users in a group have one key a bunch have another key and the only way they can all interoperate is to switch to the clear because they're out of sync on their on their key material and we found 
that these three categories of um you know when we would sample what was going on it was roughly a 30 of uh of these um uh of each of these things and uh what's interesting is that if you go back to the standards people and say you know here's what we discovered about this they'd say well great it's all working properly right because the standard um is working according to spec if you go to the radio vendor they say we built radios according to the standard um and if you go to the user community you know they say well you know these are the radios that we're able to buy um and if they have usability problems you know this is what we're stuck with we have no real control over what the the standard is so this effectively ends up being nobody's fault which is familiar in many security uh problems okay so um um the you know a couple of uh you know kind of observation this was a great example of things a security being grafted on later with compromises from the beginning with very predictable consequences um the um we're seeing actually to this day our sensors are still in most of our cities the sensors are still running and what we've seen is that I've gone to every federal agency that we're seeing sensitive clear traffic to I've spoken to some senior person in charge of their communication system which by the way those are meetings which are really fun to set up um you know when when you call a federal law enforcement agency with lots of body armor and machine guns and handcuffs and you try to tell them that there's a mistake that they're making it's helpful to have friends introduce you um but uh so you know I go to those meetings with some trepidation but they're actually very receptive to that um but what I found is that every time you know when I meet with an agency and discuss what their real problems are and you know playing the audio is very helpful in driving home um uh some of some of these things um and in fact I remember one conversation in which I was 
talking to an agent and you know I was able to tell her how she likes her coffee um because I've heard one of somebody getting coffee for her during a surveillance operation um the you know the those those you know that that gets driven home and what we found is that we would see clear text go way down for about two weeks uh after um we would talk to them and then interestingly it would go up to a higher level than we had seen before why is that well as far as I can tell it's that you know the message goes out of exactly what to do and then um that message gets a little bit garbled over time and what people remember is pay extra attention to the position of that mysterious switch but they don't remember which position it's supposed to be in um and or they rekey more frequently which has the effect of taking making people go out of sync more frequently um and so um you know these are really fundamental problems that are easy to blame on the user but um aren't actually you know but that would be a terrible mistake um you know that would be a cop out on the part of the technology design of these that they've made a system that's so much easier to use or to misuse than to uh than to use um so you know we've developed some mitigation strategies uh for uh for them you know which which you know a kind of some set of better practices if not best practices but really the protocol itself needs to be and the usability needs to be redesigned from scratch so I also spent some time working with the P25 standards people and you know as receptive as the federal agencies were um this was a remarkably different experience so I had you know I'd gone to a number of federal law enforcement agencies spoke to them about you know what some of our findings were um and you know everybody was very interested and you know at least trying to fix the problem and then I took a trip down to uh uh to uh Charleston to the meeting of the P25 security working group um which consisted basically of
vendors and a few assorted others and um the um first thing is I spoke to some of the federal representatives and I I said you know these protocols when I looked at them it kind of looked as if there was somebody from the NSA in the room for the first two meetings and then they stopped showing up because all of the language of the standard has words that kind of look like good crypto speak they talk about key material and they talk about initialization vectors and it's all it's got all the right Greek letters and everything is looks pretty good but then everything is just being used a little bit wrong and they said oh yeah that's actually exactly what happened he died um and um you know I mean that's very sad um but it's also very sad for the design of the protocol itself um and basically was never replaced so they were kind of left going on their own the standards group itself consists chiefly of vendors and mostly the meeting that I had with them uh consisted of the first hour and a half of them taking turns introducing themselves and telling me how utterly stupid and off base I was and how none of this is a problem and by the way you don't understand decibels um and um it was incredibly so they would go one after the other and and just tell me how utterly terrible it was and how awful it was and oh and by the way you know you're immoral because you're making us look stupid um and uh and and so on so it was a very very unproductive start and then of course we retreat to the bar and that's where all the kind of interesting uh work got done and so there's there's some hope of maybe the next generation it won't be called P26 because they apparently don't go by ones so you know when when they come up with P45 there's a chance that there'll be a clean slate but it looks as if this particular standard is kind of set in stone okay so what are the overall lessons learned the first is Bob Morris's first look for clear text which I thought was this trite joke turns out to
work really well right looking for clear text uh in a sea of cipher text with the practical things that exist right now is a remarkably productive strategy um and in fact from the standpoint of the interceptor um in the old days when encryption wasn't available you um users of these things doing sensitive stuff had to be pretty circumspect in what they would say over the radio um because they knew that anybody could listen um now they have what they believe to be reliably secure communication and are much much more open in um what they talk about at the same time intercept technology um you know an SDR you know an under a thousand dollar SDR setup is sufficient to capture um in real time all of the I and Q from all of the raw spectrum in the entire federal um frequency band and can um then offline pick out all the clear sensitive traffic um at your leisure or in real time depending on what your application is this is pretty much the you know a budget equivalent of precisely the sort of package NSA is installing in agencies around the world and the FSB is installing in uh in uh embassies in the US except that you can do it on kind of a hacker budget and um so now we have people who are very confident in the security of their communication and an intercept environment that allows uh passive intercept uh to happen very cheaply and really quite comprehensively um and so um you know arguably the situation is actually far worse than it was back in the days when when uh encryption uh wasn't available um you know the um uh you know I joke that uh you know this uh you know I'm looking into whether you know bank robbery is more lucrative than being a professor because this could really kind of give you a leg up um I don't make that joke in the talks with the federal agencies though um the uh so that's kind of the the first lesson look for clear text works and it's a lot cheaper to look for clear text the second is the sort of crypto lesson which is that grafting um
encryption and security standards onto a legacy system has a long and distinguished history of failure that is unbroken by our experience with uh P25 this this really doesn't work and right now I'm just upgrading our sensor network to capture all of the uh traffic for offline uh analysis later and that seems to be working fairly um straightforwardly so we've got plenty of time if you want to ask any questions or throw anything or tell me why I don't understand decibels I'm happy to but try to use the mic for though yell at us yeah just come to the mic because it's just is there any is there any audio feedback if the received voice frames are not encrypted so you can you can configure the radio so that it'll beep on encrypted received or beep on encrypted on unencrypted received and there's disagreement about what the beep means unfortunately the same beep on the Motorola radios exactly the same beep is used to indicate low battery um so um it you can't win um and uh the other question is um can you have multiple keys inside the radio or is it one key for one group um you uh depending on how the radio is option yeah you can um you can load I think up to 64 keys on the radio thank you very cool um in a in a case of using AES if we wanted to mitigate like constant rekeying and all the traffic goes to that what sort of interval might you recommend you know so I I mean I think the that's sort of funny that federal guidelines basically have them rekeying about once a month for most agencies and the model appears to be kind of based on this middle military model in which you know some of your agents are being captured by the enemy right um which you know mostly doesn't happen to FBI agents um you know as far as we know they do lose radios uh from time to time but you know you know it's about as frequent as losing guns you know it happens but just not that often um you know and the problem is that if you rekey you're guaranteeing that lots of stuff is going to go out in the clear
because the rekeying protocol isn't atomic across everybody um if you don't rekey you're guaranteed that any of your lost radios will be able to uh receive stuff you know that's less bad than guaranteeing that everybody is going to be able to receive so so you know I advocate very long-lived keys and um but getting that practice out in the in the field is is an uphill battle changing federal stand security standards is a non-trivial process yeah so uh is the over-the-air rekeying protocol secure as far as you can tell like not subject to replays no it's it's horrible um the uh so it's um it is vulnerable to a large number of active attacks and and manipulations um it does not appear to be possible to load selected selected chosen key material but you can do other kinds of mischief that are just as effective in practice in practice okay so thanks I'll uh see you next time oh and and I sure I would be remiss in saying come to the Voting Village