
FBI, DHS radio prone to hacking with a child's toy


Security flaws in portable radios used by federal law enforcement agents allowed researchers to intercept sensitive information, a new study has bared.

Worse, the study showed the radios can be jammed using an electronic child’s toy – and allow attackers to potentially track the radio’s user.

“Our analysis found significant - and exploitable - security deficiencies in the P25 standard and in the products that implement it. These weaknesses, which apply even when encryption is properly configured, leak data about the identity of transmitting radios, enable active tracking and direction finding of idle (non-transmitting) users, allow highly efficient (low-energy) malicious jamming and denial of service, and permit injection of unauthenticated traffic into secured channels," they said in a mitigation guide published online.

The team included University of Pennsylvania Professor Matt Blaze, Sandy Clark, Travis Goodspeed, Perry Metzger, Zachary Wasserman, and Kevin Xu.

According to the team, many of these vulnerabilities result from basic design flaws in the P25 protocols and products, and may need an overhaul of the standard and products.

"While we are unaware of incidents of criminals carrying out the active attacks we discovered, the hardware resources required to conduct them are relatively modest. As technology advances, these attacks will demand increasingly fewer resources and less sophistication to carry out," it said.

On the other hand, the team discovered a serious practical problem that can be exploited easily today against fielded P25 systems: "a significant fraction of sensitive traffic that users believe is encrypted is actually being sent in the clear."

It said it intercepted literally thousands of unintended clear transmissions each day, often revealing highly sensitive tactical, operational, and investigative data.
"In every tactical system we monitored, encryption was available and enabled in the radios' configurations (and, indeed, was used correctly for the majority of traffic). Yet among the encrypted traffic were numerous sensitive transmissions sent in the clear, without their users' apparent knowledge," it said.

Such unintended clear sensitive traffic can be monitored easily by anyone in radio range, including surveillance targets and other adversaries, using only readily available, inexpensive, unmodified off-the-shelf equipment, including many of the latest generation of "scanner" radios aimed at the hobby market.

Unintended cleartext therefore represents a serious practical threat to communications security for agencies that rely on P25 encryption, it said.

Configuring P25 systems for more reliable security

The team suggested measures to configure P25 systems for more reliable security:

1. Disable the "Secure" Switch and make encryption a permanently enabled or disabled function of the selected channel. If an agency has a frequency called Tac1 in which both encrypted and clear communication take place, radios should be configured with two Tac1 channels, one with encryption always enabled and the other with encryption always disabled.
2. Prevent Mixed Encrypted/Clear Communication with Separate Network Access Codes (NACs).
3. Use Long-Term, Non-Volatile Keys.

Jammed by a child’s toy

The Wall Street Journal blog said the radios at present can be jammed with a $30 toy pager for preteens.

“We monitored sensitive transmissions about operations by agents in every Federal law enforcement agency in the Department of Justice and the Department of Homeland Security," said the researchers led by computer science professor Matt Blaze.

The WSJ blog said the researchers plan to reveal their findings Wednesday in a paper at the Usenix Security Symposium in San Francisco.
They noted the system is used by the Federal Bureau of Investigation and Homeland Security as well as state and local law enforcement. Members of the research group said they have contacted the Department of Justice, Homeland Security and other agencies. — TJD, GMA News
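
The three configuration measures listed under "Configuring P25 systems for more reliable security" can be expressed as an audit over a radio's channel table. This is an added example, not code from the researchers' guide: the channel-table fields, frequencies, NAC values and finding labels are constructed for illustration, and the NAC check assumes measure 2 means that clear and encrypted channels on one frequency must not share a NAC.

```python
from collections import defaultdict

# Constructed sample channel table (hypothetical fields, not a real codeplug
# format). "encryption" is "always", "never", or "switch" (user-selectable).
CHANNELS = [
    {"name": "Tac1 Secure", "freq_khz": 100000, "nac": 0x293,
     "encryption": "always", "key_volatile": False},
    {"name": "Tac1 Clear", "freq_khz": 100000, "nac": 0x294,
     "encryption": "never", "key_volatile": False},
    {"name": "Tac2", "freq_khz": 101000, "nac": 0x293,
     "encryption": "switch", "key_volatile": False},
    {"name": "Tac3 Secure", "freq_khz": 102000, "nac": 0x2A0,
     "encryption": "always", "key_volatile": True},
    {"name": "Tac3 Clear", "freq_khz": 102000, "nac": 0x2A0,
     "encryption": "never", "key_volatile": False},
]


def audit(channels):
    """Return (subject, finding) pairs for deviations from the three measures."""
    findings = []
    # Per frequency: NACs used by always-encrypted and by always-clear channels.
    nacs = defaultdict(lambda: {"always": set(), "never": set()})
    for ch in channels:
        mode = ch["encryption"]
        if mode == "switch":
            # Measure 1: encryption must be fixed per channel, not left to
            # the "Secure" switch.
            findings.append((ch["name"], "SWITCH"))
        else:
            nacs[ch["freq_khz"]][mode].add(ch["nac"])
        if mode != "never" and ch["key_volatile"]:
            # Measure 3: keys should be long-term and non-volatile.
            findings.append((ch["name"], "VOLATILE_KEY"))
    for freq, modes in sorted(nacs.items()):
        # Measure 2: clear and encrypted traffic on one frequency need
        # separate NACs so the two cannot mix.
        for nac in sorted(modes["always"] & modes["never"]):
            findings.append((f"{freq} kHz", f"SHARED_NAC 0x{nac:03X}"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit(CHANNELS):
        print(f"{subject}: {finding}")
```
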