Schneier on Security
A blog covering security and security technology.
« Friday Squid Blogging: Smaller Male Squid Have Bigger Sperm |
| Counterfeit Pilot IDs and Uniforms Will Now Be Sufficient to Bypass Airport Security »
August 11, 2011
Security Flaws in Encrypted Police Radios
"Why (Special Agent) Johnny (Still) Can’t Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio System," by Sandy Clark, Travis Goodspeed, Perry Metzger, Zachary Wasserman, Kevin Xu, and Matt Blaze.
Abstract: APCO Project 25a (“P25”) is a suite of wireless communications protocols used in the US and elsewhere for public safety two-way (voice) radio systems. The protocols include security options in which voice and data traffic can be cryptographically protected from eavesdropping. This paper analyzes the security of P25 systems against both passive and active adversaries. We found a number of protocol, implementation, and user interface weaknesses that routinely leak information to a passive eavesdropper or that permit highly efficient and difficult to detect active attacks. We introduce new selective subframe jamming attacks against P25, in which an active attacker with very modest resources can prevent specific kinds of traffic (such as encrypted messages) from being received, while emitting only a small fraction of the aggregate power of the legitimate transmitter. We also found that even the passive attacks represent a serious practical threat. In a study we conducted over a two year period in several US metropolitan areas, we found that a significant fraction of the “encrypted” P25 tactical radio traffic sent by federal law enforcement surveillance operatives is actually sent in the clear, in spite of their users’ belief that they are encrypted, and often reveals such sensitive data as the such sensitive data as the names of informants in criminal investigations.
I've heard Matt talk about this project several times. It's great work, and a fascinating insight into the usability problems of encryption in the real world.
Posted on August 11, 2011 at 6:19 AM
• 25 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
They should all just use "Bruce Schneier" as encryption key. The crypto won't dare to fail them. ;)
So if you want wireless security ask an actress not a policeman!
Hedy Lamarr ftw!
That's Hedley! Hedley! :-)
Unfortunately, this sad result is the consequence of a too-close relationship between large equipment manufacturers and government. Political pressure was used to sweep aside alternatives to the P25 system and mandate its use by public agencies of all kinds. Innovation was stifled by the rush to standardize around an obviously defective technology. As the article demonstrates (and in some cases, thankfully omits details), it is far too easy to exploit of defeat these systems.
Yet, even today, the promise of interoperability that the radio industry used to persuade everyone to go down the P25 road remains elusive. Agency interoperation on encrypted channels is virtually non-existent for simple practical reasons and clear-text interoperability has been limited by the sheer complexity of the radios themselves. This paper provides a glimpse of this problem in the discussion of the user interface confusion.
All-and-all, Motorola shareholders are smiling and radio users everywhere are frustrated and vulnerable.
As someone who has, at times, followed P25 closely, I want to observe that jimr is probably completely correct.
I was actually at the presentation and what I consider a huge bit of good news is that on average there was only 20 minutes a day of recordable clear traffic. Considering the barriers of getting agencies to adopt crypto in the first place I think that's a huge win. Mopping up occasional mistakes in operational usage is a lot easier than getting someone to implement all the key management and security protocols in the first place.
Of course the fact that a child's toy can be modified to jam only encrypted packets and force a reversion to cleartext is a more serious problem that needs to be addressed.
Operator error (and laziness) remains in large part one of the biggest problems with these kind of secure-systems.
I am reminded of a tidbit I read somewhere on the Internet about the Secure Telephone Unit (STU-III). I don't give it much credibility, but it seems very plausible:
Phone lines known to be used for secure telephones, such as embassies, are assumed to be monitored and often were. The cryptography of the phones has not been broken, but a wealth of information was collected from the conversations that would happen before "going secure" - as well as entire calls on the secure line where the phone's secure mode was never entered.
In recent times one of the biggest risks is the proliferation of personal use consumer products (mostly handhelds) in enterprise environments. Sensitive but unclassified (SBU) information is routinely discussed over cellphones which from personal knowledge includes official use only (U//FOUO), Law Enforcement Sensitive (LES) and personal data (PII). This exists at all levels of local, state and federal government. Of course, the practice of e-mailing work documents to personal webmail accounts is very well known.
You wouldn't believe the amount of traffic on FRS/GMRS either. Everyone from private event security to small-town municipal departments have these things.
Similar to the P25 traffic analysis vulnerability discussed relating to plaintext unique radio IDs, cellular telephones broadcast a unique plaintext identifier, known as the ESN, MEID, or IMEI, that can be passively captured. This identifier is not easily changed, and in fact is generally illegal to do so, though software such as QPST/QXDM and CDMA Workshop that have this feature are widely available. The data gathered from monitoring cellular spectrum at select fixed site(s) of interest could be analyzed to reveal location patterns; one possibility I imagine is to combine this with automated vehicle tag (license plate / number plate) and biometric collection to identify individuals of interest.
Whether it's a lawful surveillance operation targeting known criminal activity, foreign spies watching our State Department employees, drug cartels monitoring Federal agents or RF hackers snooping on anyone and everyone, our cellular infrastructure is sadly over ripe for exploitation.
The biggest hurdle to interoperability is not technology, it is people.
That just made me smile...thanks
So if you want wireless security ask an actress not a policeman!
Hedy Lamarr ftw!
Posted by: Christian at August 11, 2011 7:51 AM
That's Hedley! Hedley! :-)
Posted by: Ross Patterson at August 11, 2011 8:03 AM
Nice, as in epic fail nice. One of the biggest problems I see is the ease of exploiting the waveform, esp the selective jamming of subframes. Why couldn't they have gone wideband with DSSS or OFDM? Even frequency hopping would be more robust. Forget legacy narrowband FM, they could easily have put a second transceiver for fm, some cellphones do that. (well, a receiver). I know this development started a while back, but sometimes it is better to build something the size of a breadbox as a prototype and wait for moore's law.
@moo: I'd like to see Bruce's take on that one. I get the entropy, but "correct horse battery staple" is 100% based on dictionary words with only lower case characters. I would think even a simple variation based on that passphrase and a numreric pin used to determine which letter to capitalize would increase robustness. So use a numeric pin of 5231 to get "corrEct hOrse baTtery Staple". Of course, this may be naive conjecture, but simple dictionary words, even in a phrase, make me shudder.
@Gabriel: Why does it make you shudder? Sure, the 100,000-word (1e5) dictionary will make short work of a "rosebud" password, but "chooserosebudaspassword" forces a search space of 100000000000000000000 (1e20) ... not quite so quick to crack. In fact, if you were checking one million passwords per second, it would take 3.17 million years to exhaustively search that password space.
Drop the dictionary to 10k words, and you'll still take 317 years to search that space.
Actually, a four-word passphrase is starting to sound pretty good.
"Why couldn't they have gone wideband with DSSS or OFDM? Even frequency hopping would be more robust. Forget legacy narrowband FM"
That's a technical argument and as it turns out the least relevant...
In most parts of the earths (solid) surface the radio spectrum is "regulated" and this may take over 25 years to make even a very minor change. As a highly visable example of this, in Europe the "FM Broadcast Band" was supposed to have been "freed up" (ie stoped being used) and replaced with DAB by 2010, but as anyone with an FM Band receiver in Europe will tell you it's still going strong, with no real likelyhood it will go any time in the foreseeable future.
Well in the UK part of the FM band around 100MHz used to be used by the Police, as well as a chunk up near the 144MHz amature radio band. The police and other emergancy services have been forced to give these up with a hugh expense of redundant equipment.
Part of the "faustian bargin" struck at the time was that they would be allocated on a permanent basis other parts of the Radio Spectrum. Which unfortunatly was required to be NBFM with seperated TX RX frequencies to enable "relay" working through base stations.
The investment in this new infrastructure was immense and the investment could not be written off again for political reasons.
Now again for political reasons there was not a budget allocated for "switch over" there for new systems have to be phased in alongside and often using existing equipment in part.
Thus you have the constraint of existing radio systems to work within. Also in the UK we have the three basic emergancy services (Ambulance, Fire, Police) and sundry others Coast Gaurd, Port Authorities, Life boat, air sea rescue, air ambulance and some military detachments.
A series of "disasters" has shown that all of these services need not just an integrated radio system but integrated command and control system to be able to function when we have disasters such as underground railway fires (Kingscross) and trains smashing into buffers (Moorgate) and likewise surface trains (Clapham Junction et al).
Now the bureaucrats and the political masters do not want to allocate the resources, worse they see all this radio spectrum as something to be sold off for raising tax. So the emergancy services have ended up with much less radio spectrum.
Now there are a bunch of "chancers" (see the usual suspects) one of which is Motorola who have proven they realy do not understand complex radio systems in the manner required to do this sort of major task (have a look at why GSM is replacing the Motorola shambolic cell phone systems). But they know how to sell a line and then not deliver, and also have a fist full of patents...
So in Europe a decision was made to do the same as was done for mobile phones. So we now have a standard for european wide systems known as "Trans-Eropean Trunked Radio Architecture" or "TETRA" which has the potential to provide a Europe wide solution.
However that is not how it's turned out (yet). As normal those in charge don't step back far enough from the problem to get a real grip on it so we end up with a dogs breakfast of a system which will in many peoples opinons not work under ordinary situations let alone disasters, and so far that appears to be how the replacment systems are panning out...
The big problem realy is that there is not enough bandwidth and authorities buy the lowest spec equipment for budget reasons. Thus unlike GSM there has not been the "customer driven" improvment in equipment or spectrum.
Now... If we look at the likes of many of the utility companies, they have gone not with expensive trunked radio systems with problems of limited bandwidth and expensive radio equipment. No they have gone with systems based on GSM cell phones. It has it's problems but it works way way better than the boondongle of the trunked radio system foisted onto the emergancy services.
And if we go and look at what the Military are doing on the ground in the current war zones we find iPhones in use as they are more reliable for command and control at anything above basic tactical level....
Thus the solution to all of these LEO and other services is infact to use commercial grade kit.
Which brings us onto the subject area that Nick P gets most upset about. That is the various Governments want "high security" for their comms and "zero security" for everyboody else. Well you just cannot do that if you want to leverage the commercial channel to get your systems for bureaucracies...
Nice to know the Feds commo can be messed up and intercepted...
As Dick Marcinko's instructors used to say, "Pay attention. You will see this material again."
So I'm saving that PDF and the article. Could come in real handy some day.
The more I look at systems like this, the more I wonder why the relevant authorities don't just take their frequency allocation and run a complete set of cellular gear off of it. Add a secure phone conferencing system on the back-end (like a private instance of InterCall - I'm sure they'd happily license the tech for a reasonable amount of gov't money) and you've got the broadcast radio that people are looking for.
If done right, all of the authorities would then be able to use the latest and greatest cellular technology, get compatible technology upgrades and still be able to talk to each other as needed.
An offer to buy a bunch of base-stations and 100ks of handsets will also get some input into the wireless spec for required security, too, so it would be a diffuse cost.
"Thus the solution to all of these LEO and other services is infact to use commercial grade kit"
It's interesting to watch the commercial kit evolve, a couple of years ago a cell phone chip company figured out a way to improve throughput and connection stability in poorly planned GSM phone systems. The chips even maintained the link better in the presence of jammers.
Well they took the product to a big phone maker in a northern European country and got slammed over spec incompatibility issues. Even though nobody could ever find a network where the improvements failed.
OK so march forward a few years and that same Northern European company is quickly loosing market share in India and China. When they investigate they're told that the competitions phones work better. In true European style they send an engineering team to lecture the cell phone operator on correct frequency planning procedures. Oh course that lecture feel on death ears because the operators already had a chip solution that tolerated their sloppy frequency planning.
So even in a product area as regulated as GSM there is an invisible hand that guides the product towards the best possible solution, for real world usage. I think most military solutions look better on paper than in reality, because they lack this "invisible hand" that maximizes the useability even if the spec definition needs to take a little beating in the process.
I'm one of the authors of the paper in question.
You might also be interested in our mitigation guide: http://www.crypto.com/p25
@Clive: that was insightful. I know spectrum is a royal pain, but the politics is a royal pain around it, with all due respect to her majesty. Gsm is a good workaround, especially if regulations can require carriers to keep a certain percentage open for public safety, with the ability to take more during a mass catastrophe.
@Brian: I would still rather add some type of character variation, such as caps. Also, should three/four word passwords become the norm, then the attack algorithm would probably be changed to death in that space first, with parallelism probably employed. Add fpgas in the mix to accelerate, especially the hashing. I wonder if a random walk would have the best average case or would an intelligent algorithm work better, one capable of learning (would eat memory). Just saying the four caps would greatly expand the search space. Especially if based off a seemingly random offset for each letter. So, I overall agree with the approach vs something that looks like corrupted leet speak. Just don't like the all lower case, since they are dictionary words.
It's a long time since I was involved in anything like this, but about 15 years ago I was a technical contractor to a police department that was implementing a secure trunked radio system.
I was only very peripherally involved in that project (as in "discussed some of the issues over a beer", and helped test one base station.) However I clearly recall that confidentiality security was quite a long way down the list of requirements.
In fact quite to the contrary, there was a requirement that outside groups with a "legitimate interest" be able to listen in. This included police beat reporters, because there was a major requirement that the department not be seen as concealing operations from public scrutiny.
The number one requirement was that reliability of reception be as good as the existing system, in difficult reception areas such as underground parking garages. All the digital systems being evaluated had extreme difficulty meeting this requirement. In fact in the end I think none of them actually passed with the recommended number of base stations and the installer had to agree to put in nearly twice as many as they wanted.
This might be a bit of a road block for advanced modulation systems that are more susceptible to edge fading and multi-path interference, such as some spectrum spreading systems. (OTOH, CDMA is a widely deployed SS system that manages MPI very well.)
Regarding confidentiality, there was some concern about drug labs using scanners for advance warning of a raid, but it was easily dealt with by ad hoc codewords. There was also a concern about ram-raiders using scanners to detect and evade police response. This was largely obviated by the police developing more sophisticated tactics than "get to the scene and chase them."
Genuinely confidential matters, such as criminal intelligence on organised crime gangs, has always been forbidden from over-the-air discussion --- by radio, cellphone, or any other means.
So if 20 minutes a day are decryptable, or even if 20% is decryptable, I expect there will be no interest whatsoever.
The possibility of jamming is of much greater concern. Many police dispatchers are retired military radio operators, and there has always been a concern about the potential for jamming. So far as I am aware, it has never happened, but they do have plans in place, just in case. However it would be a cause for concern if protocol flaws enable jamming to be effective at low transmission power.
The only thing the authors of this paper demonstrated was there lack of understanding of the subject. There bias and ignorant abounds throughout the paper (and the presentation from the authors that is online). They did not illustrate a single flaw in the APCO 25 (from the point of view of the goals of APCO 25) system. The authors used terms like type 1 or type 3 encryption but it is obvious they don’t know the different or the significance what the terms mean. They use computer terms to describe radio problems. The threat from unintended interception of police/fire radio system has existed from the first use of radios but is consisted such a low threat as to barely be a concern to the users of the radios system. It is so low the if adding encryption had added significantly to the cost or subtracted from the performance (i.e. reduced range)it would have been dropped from the standard. In fact the use of encryption is optional by intent for the controllers of the radio systems. As for the MEJI issues the authors were so proud to point out it doesn’t even make the list.
When police/fire are struggling (to the point of almost collapsing) trying to get enough radios for their personal and spectrum to use them on the last thing that is needed is some know nothing academics clouding the issues as these originations try to convincing the public/politicians of the need to spend 10s on millions (billions nationwide) for new radio systems with nonexistent problems.
@Matt Blaze: Matt, I'm interested in hearing your response to Dean Zierman's claim that the vulnerabilities you have identified are, in the bigger picture, "such a low threat as to barely be a concern to the users of the radios system"?
Also, regarding non-encryption of the LCW field: Since this field will typically contain non-varying plaintext, about half of which is constant across all traffic and systems, would encrypting it make the keystream itself more vulnerable to attack - which could be considered a greater risk than traffic analysis using the clear LCW?
It's hard to comment on Mr. Zierman's accusations because I don't actually understand them (which, admittedly, probably demonstrates our ignorance even more). But there are a wide range of P25 users. Many of them don't use (or want or need) encryption, and for those users, obviously, encryption usability is not an issue. But for others, such as tactical operations against sophisticated targets, it is very much an issue.
As for known plaintext in the LCW, that's true, but modern ciphers, including the AES-256 algorithm used in P25, are designed with the assumption that the adversary has access to large volumes of known plaintext. So encrypting the LCW would not represent a security risk, done properly.
I blog a bit about the implications of our paper at http://www.crypto.com/blog/p25/
I will try to clear up some assumptions about P25 and encryption.
Form the start of the use of radios in the public safety it has been possible (and widely accomplished) to monitor the radios. The threat from all MEJI type issues has always been present but has been shown to be historically low. Nothing about the threat has really changed.
Type 3 encryption became available to the public safety in the 80s. For the most part it was not used because of radio range issues, cost and complexity. There have been a small group inside of the public safety that have a need for type 3 encryption (and a slightly larger group that would like to have it but can't justify the cost) but this is in the single digit number by percentage.
Type 3 encryption is like your school locker with the 3 spin lock on it. Type 2 is like a bank vault in comparison. Type 3 is for voice privacy and is not considered safe for real secrets. It is a compromise for security to cost and is assumed that it can leak or be broken with enough effort.
In the late 80s the public safety organizations were going to the FCC asking for more spectrum as they needed to get more radios into the hands of more public safety people. The FCC told them they could have some but the the well was running dry and the public safety organizations would need to be more efficient in the use of spectrum. This was the start of the APCO project 25. APCO is a group of public safety organizations and some of the companies that support them.
Public safety organizations have next to no pull when it comes to this kind of thing. As an example a well known cell company was using a type of high power narrow band cell system adjacent to some public safety organizations. This was making the public safety channel useless. The rules on this are very clear that the transmitting station is not allowed to interfere with receiving stations out side there bands. The FCC can close down the transmitting station and seizure the equipment if they need to to stop it. The FCC has never (as far as I know) lost in court doing this. The complaints went to the FCC and the cell company and it went around and around for more then 10 years but the public safety organizations could never get it to stopped. Final the cell company offered 10 cents on the dollar (cost for the public safety organizations to move) to make it go away. Some took the money because it was better then no money and that was all they were going to get.
The main goals of P25 was more efficient on the use of spectrum to get more radios into the public safety at a cost effective means that the companies supporting public safety organizations could provide. DSSS was looked at and rejected as there is no contiguous bandwidth available. TDMA was also looked at but except for a special case that I will get into later was also rejected as there was not enough spectrum to give any real process gain so no improvement in spectrum efficiency. In the end because of the way the spectrum is all chopped up the only options was technology’s for better narrow banding looked to be workable. Cell companies have large chunks of spectrum they can move around so the can use these more efficient systems. Some of this may change as a chunk of 700MHz has opened up to public safety but that is in the future.
Using software controlled radios (not software defined) and better digital modulation systems was detriment to be the way to go. In phase 1 the space needed would be half as much as the old FM system would need. But to use a digital system it had to have a range about the same as the old FM system or it would take more repeaters and that would not only mean more cost (less radios) but require more spectrum defeating the purpose. As this new system would be digital if there was not a stranded then the different companies would have incompatibly system increasing cost and making interoperability much harder. Also as this new system would be digital some new things could be added at little to no cost increase like encryption. If the public safety organizations had been told that they could have encryption but it would cost more and get no more spectrum then encryption would not be in the standard. Only because encryption was getting in cheap was it in for the most part. Just using digital gave most of the users something like type 4 encryption and that was better then they had before. Of course that goes away with the introduction of digital scanners.
Because of the need to have a system that was somewhat robust for range and be usable/maintainable some things need to be out in the open like the radio ID. As MEJI is not a consideration and this encryption is only type 3 this is more then acceptable.
Part of the P25 is the use of trunking systems. This was used in the old FM systems but was propriety to the company making the system. A trunking system uses multiple channels that are given to the users as there are needed and pulled back for reuse when not. It is a kind of FDMA on demand system. This increases spectrum efficiency and reduce overall cost as the cost is shared over more users. As this is a major improver of spectrum it was imperative that this be in the standard. Trunking systems are much harder (but not impossible) to monitor as the channel is usually different every time the PTT is used. In phase 2 of P25 the channel spacing will be ¼ of the FM system and the trunking will use TDMA. Most of what was monitored was probably local (not trunking) on small tactical teams. As the MEJI threat is so low most police are not well trained on radio security. Even less on OPSEC. So that they can get sloppy is not a surprise. If the threat does increase this will change to meet the new threat and as this was the only real issue from the report (understanding that this is a type 3 system) then the P25 system is more then good for the encryption that is needed.
Most of the companies that support public safety organizations can't even make a ECCM radio. There is a new company in the market that can but as this is not a issues to public safety organizations TRANSEC is not going to be in any new P25 system even from them. The key loader that was talked about in the report from Motorola is (As far as I know) the only key loader you can get because the market is so small that no other company wants to spend the money to make one. As for its size some type 1 key loaders are smaller and simpler to use but NSA is phasing them out as small is a security issue as it is easier to sneak one out of building.
As P25 is a standard about the only ways for the companies to compete is in the packaging (user interface) and the cost. As the P25 people are smart enough to realize they can't think of every thing and the user interface is not needed as part of the standard it is left to the companies. What was displayed in the report was an older radio but it is adequate for the job. Some radios don't even have displays. The newest radios have much better displays to show many more things.
As for a type 1 system like a STE the key management for a type 1 system is draconian. This is the difference between a type 1 and a type 2 is the key management. You can still have the same mistakes on a type 1 system as on the P25 but the users are a little more careful as you can be fired/jailed for those mistakes. When they put STEs on the state governors desks you should have heard how some of them cred about being treated like children because they had to obey standard rules for type 1 equipment. Type 1 or 2 is just not a option for public safety organizations and the weakest part of the type 3 system is probably the key management. If the soviets could turn and pay someone like Walker for the keys to the kingdom what do you think some drug lords money would buy some under payed radio tec with no key management tracking.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.