Encryption made for police and military radios may be easily cracked

95 mikece 42 8/7/2025, 6:30:04 PM wired.com ↗

Comments (42)

mindcrime · 58m ago
For anyone who's curious, the closest equivalent in the US is P25[1] or "Project 25". And if you're wondering, yes, P25 systems have been known to have their own share of vulnerabilities of various sorts. My favorite one[2] is the one that lets an attacker force a P25 radio to broadcast tokens "on demand", allowing you to (theoretically, with the right receiving setup and software) track the location of P25 radios more or less in real-time.

[1]: https://en.wikipedia.org/wiki/Project_25

[2]: https://www.reddit.com/r/tacticalgear/comments/1f4d5dr/psa_p...

tptacek · 3h ago
The funny thing about this is that my municipality just recently started encrypting their radios at all. And it was controversial! Residents liked being able to listen in to the scanners.
LeoPanthera · 1h ago
> Residents liked being able to listen in to the scanners.

They're a public service funded by taxpayer dollars. Knowing what they're doing seems reasonable.

beambot · 3m ago
Oversight & accountability are different from operational security.

Leaving the radios unencrypted merely lends advantage to more-sophisticated bad actors.

hypercube33 · 38m ago
Many many years ago a buddy of mine loved listening to the scanners.

One evening we are on AIM chatting and he explains what is going on: noise complaint at a house down the block (kids partying)

He looks the address up and calls them to warn them and sits back to see if they do anything.

Sounds like they managed to bail before anyone showed up to the address.

baby_souffle · 31m ago
Not all heroes wear capes. Some of them keep their ears glued to the scanners...

nonameiguess · 2h ago
I'll never forget 8 years ago someone managed to set off every tornado siren in Dallas for an entire Friday night, apparently because they're controlled by radio and the control signal was not encrypted, so the "hacker" just recorded it during a real alert and then played it back to attack the system.
andrewflnr · 1h ago
That might still work even with encryption, if they don't specifically prevent replay attacks.
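The point above about replay is that neither encryption nor a message authentication code by itself proves a command is fresh: a receiver that only checks the tag will accept a recorded frame a second time. The following added example (not code from the article or from any siren vendor) contrasts a receiver that only authenticates frames with one that also enforces a strictly increasing counter; the frame layout, the HMAC-SHA256 tag, the command values and the key are all constructed for illustration.

```python
import hmac
import hashlib
import struct

# Constructed demo key; a real system would provision keys out of band.
KEY = b"constructed-demo-key-not-for-use"
TAG_LEN = 32            # HMAC-SHA256 output length
BODY_LEN = 9            # 8-byte big-endian counter + 1-byte command
ACTIVATE, CANCEL = 1, 2 # hypothetical command codes


def build_frame(key: bytes, counter: int, command: int) -> bytes:
    """Sender side: frame = counter || command || HMAC(key, counter || command)."""
    body = struct.pack(">QB", counter, command)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def _verify_tag(key: bytes, frame: bytes):
    """Return (counter, command) if the tag verifies, else None."""
    if len(frame) != BODY_LEN + TAG_LEN:
        return None
    body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return struct.unpack(">QB", body)


class NaiveReceiver:
    """Authenticates frames but keeps no freshness state, so a recorded frame replays."""

    def __init__(self, key: bytes):
        self.key = key

    def accept(self, frame: bytes) -> str:
        return "accepted" if _verify_tag(self.key, frame) else "rejected: bad tag"


class ReplayProtectedReceiver:
    """Authenticates frames and rejects any counter not strictly greater than the last accepted one."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1  # persist this across reboots in a real device

    def accept(self, frame: bytes) -> str:
        parsed = _verify_tag(self.key, frame)
        if parsed is None:
            return "rejected: bad tag"
        counter, _command = parsed
        if counter <= self.last_counter:
            return "rejected: replay"
        self.last_counter = counter
        return "accepted"


def demo() -> dict:
    """Run the same recorded frame through both receivers and report each outcome."""
    naive = NaiveReceiver(KEY)
    strict = ReplayProtectedReceiver(KEY)
    results = {}

    recorded = build_frame(KEY, 1, ACTIVATE)       # a legitimate frame, as captured off the air
    results["naive_first"] = naive.accept(recorded)
    results["naive_replay"] = naive.accept(recorded)  # the naive receiver cannot tell
    results["strict_first"] = strict.accept(recorded)
    results["strict_replay"] = strict.accept(recorded)

    # A frame with a fresh counter but no valid key still fails authentication.
    forged = struct.pack(">QB", 2, ACTIVATE) + bytes(TAG_LEN)
    results["strict_forged"] = strict.accept(forged)

    # The legitimate sender's next frame, with the next counter, is accepted.
    results["strict_next"] = strict.accept(build_frame(KEY, 2, CANCEL))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two design points matter in practice: the counter state must survive a receiver reboot (otherwise a replay of an old frame becomes valid again), and in a multi-receiver broadcast each receiver keeps its own high-water mark, so a sender must never reuse a counter value. Adding encryption on top of this changes nothing about the freshness check; it only hides the command contents.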
lazide · 2h ago
Previously you could hear what was going on in town - a degree of transparency around police.

Now you can’t. For better or worse, eh?

tptacek · 1h ago
Yeah, it's complicated! Europe goes the other way on this, apparently, so much so that it's headline news when someone comes up with cryptographic attacks on their police radios. Here, on the other hand, people committing crimes can (or could, a few months ago) just listen on their iPhones to see if anybody is on to them.

The City of Chicago makes decrypted audio available, just on a 30 minute delay. That's a sane compromise, I think.

cptskippy · 1h ago
San Diego?
ronsor · 3h ago
And now they're going to be unencrypted again, but not by choice!
tptacek · 3h ago
No, this story is about TETRA radios, which are used in Europe; I'm in Chicago, on Motorola's STARCOM (P25), which is ostensibly AES (it wouldn't be shocking to find vulnerabilities; in fact shocking not to, but it won't be as crazy as TETRA, which freelanced its entire encryption stack).
colmmacc · 2h ago
I listened to your great podcast and the remark along the lines of "unencrypted police comms let the robbers know when the police are getting close" made me wonder if anyone has built a simple signal intensity detector for the encrypted radios. You don't need to hear the contents to know that the radios are closing in on you. I can't imagine police forces practice RF silence like special forces do.

It really would be better to hide in the noise of 5G.

mystraline · 2h ago
I have a BT scanner app for my phone. "BLE Radar".

I have a detection on there for the MAC address "00:25:DF:*". That's the MAC OUI prefix for Taser International.

I keep it on while driving, because the badgecams and hardware in cop cars spurts this out regularly. So even unmarked cars show themselves.

jasonjayr · 2h ago
https://www.krakenrf.com/

For about $700, you can get some pre-made kit to use SDR to do Radio direction finding. IIRC this device uses the same chips as a RTL-SDR, but it uses 4-5 of them, all synchronized and has a signal emitter for calibration, and a nice web ui to report the data.

(I have not used it, but I've been learning about all sorts of neat radio products as I'm dabbling and learning about SDR)

nullc · 1h ago
No current ability to track trunked radio units, though arguably that's 'just a software problem'.

I have one and have found it to be quite easy to hunt down ham repeaters that you can get to transmit more or less non-stop... but relatively hard to use for intermittent transmitters.

I need to see if I can figure out how to plug in my GNSS compass output because inferring orientation from motion requires an awful lot of moving around and is less reliable than I'd like.

buildbot · 2h ago
I’ve long wanted to do this with an SDR and maybe some simple ML, build a dataset by driving by cars/things with frequencies of interest.

Now I wonder if you can fingerprint antennas…

dumah · 2h ago
You can fingerprint transmitters.

Antennas would be much more difficult and likely moot.

https://arxiv.org/html/2402.06250v1

nullc · 1h ago
> the remark along the lines of "unencrypted police comms let the robbers know when the police are getting close"

Criminals sophisticated enough to do that are usually not going to get caught regardless, encryption or no and are generally savvy enough to not make themselves a serious threat to public comfort and order.

I don't think it's a long reach to say that the public may be better off with more ability to monitor police activity at a cost of being weaker against that kind of criminal.

tptacek · 1h ago
I think that was truer 15 years ago, but every criminal now carries a police scanner with them (in the form of a phone), and the residents in my area who most avidly follow police scanners are not the most technical people in the area.

(Having said all that, our muni voted against encrypting radios; we lost 2-1 in a vote with the 2 other munis we share dispatch with).

Unless you're talking about criminals doing traffic analytic RF attacks, in which case, I agree, who cares?

genocidicbunny · 2h ago
Huh, I was catching up on DEFCON videos recently, and just earlier this morning watched the talk about Tetra. How serendipitous.

https://www.youtube.com/watch?v=iGINoIYQwak

drewnick · 3h ago
Note this affects TETRA which is not used in North America. Most US systems use P25 which is not mentioned in the article.
LeoPanthera · 1h ago
Northern California services use P25 but with encryption turned off. They also have analogue repeaters. Presumably because that way they can still use old radios and don't have to worry about key rotation.

The audio quality on the analogue signal is a lot better than the P25 version, which is often harder to understand.

kotaKat · 3h ago
Not like there’s not enough problems with P25… until the day they can deploy LLE (link-layer encryption) across all P25 systems, there will always be a way to gather some kind of intelligence about the system and its radio traffic.

(And the fact that it’s taking so long to implement link layer authorization, barely a scratch in the security dent…)

tonetegeatinst · 2h ago
I believe TETRA was already vulnerable to being broken based on some research that a group did into the protocol. They showed a proof video but didn't release any technical info or PoC due to security fears.
anfractuosity · 2h ago
Very interesting, curious how long it would take to brute force the 56 bit key, with something like a GPU/FPGA. It looks like hashcat supports DES, which is also 56 bit.
theturtle · 2h ago
Cool! Maybe all the apps and sites intended to let you keep track of what your local kopz are doing will work again!
dokyun · 1h ago
> The flaws remained unknown publicly until their disclosure, because ETSI refused for decades to let anyone examine the proprietary algorithms.

Got what they asked for.

drumhead · 2h ago
I mean, in this day and age is it such a bad thing that police and military radio is crackable?
dist-epoch · 3h ago
Is it still illegal in Europe to buy radios with 128 bit encryption?
cluckindan · 3h ago
As in TETRA? Probably not, as SDRs are widely available anyway, as are scanners capable of decrypting TETRA traffic.

You do need authorization to buy a transmitter though, at least where I live.

dist-epoch · 3h ago
I meant like hand-held walkie talkies. But with 128 bit encryption.

Weird it's regulated, given you can use mobile phones like that (sure, you need coverage).

kevin_thibedeau · 6m ago
Mobile phones are backdoored and trackable by default.
sneak · 56m ago
I think what you may be thinking of is the export from the US of strong encryption products under ITAR. It was challenged by djb (of qmail/djbdns fame, among many other things) and the result was roughly that publishing software is protected expression like any other publishing (prior to that it was classified as munitions and required an export license).

https://en.wikipedia.org/wiki/Bernstein_v._United_States

GauntletWizard · 3h ago
It's still illegal to point out that the emperor has no clothes
mystraline · 2h ago
It's also illegal to report hospitals that post PHI (protected health information) over POCSAG or FLEX pager networks. Of course, there's no encryption or anything. The encoding is plain text.

Yes, it is also illegal to post PHI over pagers, due to HIPAA addendum in 2016.

But the 1986 ECPA law forbids decoding pager messages unless they were intended for you.

eitland · 2h ago
> You’ve read your last free article.

Haven't read a Wired article in months :-|

And thanks to the poster for adding the archive link.

robterrell · 2h ago
Wired is killing it with great reporting this year. Worth subscribing and supporting.
kstrauser · 2h ago
I've done that. It seemed like Wired got lost on the road for a while, but lately they're back with a vengeance, which I'm delighted to see (and to support).