Kevin Mitnick figured out how to get around police radio encryption in the 90's. From 'Ghost in the Wires':
"Whenever I heard any hiss of communication, I’d hold down my Transmit button. That would send
out a radio signal on the same exact frequency, which would jam the signal.
Then the second agent wouldn’t be able to hear the first agent’s transmission. After two or three tries back and forth, the agents would get
frustrated with the radio. I could imagine one of them saying something like, “Something’s wrong with the radio. Let’s go in the clear.”
They’d throw a switch on their radios to take them out of encryption mode, and I’d be able to hear both sides of the conversation! Even today
I’m amused to remember how easy it was to work around that encryption without even cracking the code."
The first P25 standards came out in 1989, so encrypted police radios were certainly starting to be deployed in the early 90s. Obviously, adoption rate depended on the department budget, with many rural departments taking until the 2010s to finally switch.
If the user can fallback to not using encryption and that solves a problem they think they have, enough annoyance will make them do so. It's the entire reason HSTS exists.
First you need to make darn triple check extra sure that when you deploy it, you won't change it. It is a one-shot switch and whoever gets to your site is stuck with the configuration for days, weeeks, months. And you cannot tell them "my bad, try again".
Then if you have a sensible setup, you would redirect immediately to HTTPS anyway.
Sure, it protects you from some marginal risks (such as you not setting your cookies to secure mode) but then you have other problems and HSTS will bite you when you prod the security settings without a good plan.
Allow me to speculate massively. Hiss sounds more like weak signal acquisition. Perhaps in this case, Mitnick was interfering but not defeating encryption.
A bit more from the book (which is a great read, and available in it's entirety on archive.org):
"To enable its agents to communicate over greater distances, the government had installed “repeaters” at high elevations to relay the signals.
The agents’ radios transmitted on one frequency and received on another; the repeaters had an input frequency to receive the agents’
transmissions, and an output frequency that the agents listened on. When I wanted to know if an agent was nearby, I simply monitored the signal
strength on the repeater’s input frequency.
That setup enabled me to play a little game. Whenever I heard any hiss of communication..."
For anyone who's curious, the closest equivalent in the US is P25[1] or "Project 25". And if you're wondering, yes, P25 systems have been known to have their own share of vulnerabilities of various sorts. My favorite one[2] is the one that lets an attacker force a P25 radio to broadcast tokens "on demand" allow you to (theoretically, with the right receiving setup and software) track the location of P25 radios more or less in real-time.
And on a related note, for anyone who is interested in listening in on any local P25 transmissions, you can do so in a fairly inexpensive manner, using an RTL-SDR dongle and the Open Source op25[3] software package. No listening to encrypted traffic, but IME, many (maybe most) public safety agencies keep most of their traffic in the clear. More so for fire/ems traffic. Law enforcement is more likely to be encrypted, but even then, I find that many jurisdictions only encrypt a small number of channels, like maybe a dedicated vice/narc squad channel, SWAT team channel, etc. General LE dispatch and tac channels are still in the clear in many areas.
It's an active attack (requires you to transmit traffic to trick the radio into sending the response beacons) so at the very least you'd almost certainly be in violation of some FCC regs. So the charge might not be "tracking law enforcement" but rather would be "illegally transmitting on a public safety frequency without a license" or something along those lines. And if somebody got caught doing this, I'm reasonably sure they'd find a way to pile on a few more charges as well.
And note that since it is an active attack that requires the attacker to transmit, it opens up the possibility of the attacker giving up their own location in turn.
My take is that it's fun to think about, but largely lacking in real world applicability in most situations.
Transmitting on spectrum you don't have a license for- especially when the government WILL cast it as "interfering with emergency services" or just Big-T- very much is.
The local PD in my area has/had the laptops in their vehicles set to ad-hoc mode, and each broadcast static MAC addresses in the open, and could simply be looked up on the Wigle database. At about 100-yards, you could pick up the broadcast on any phone, and it would be trivial for someone to deduce that you could setup an active monitor w/ alerts for when these specific MAC addresses were present in a designated area, let alone what a distributed monitoring/alert effort would be capable of...
There is this Target Blue device that works in a similar way but based, i think on detection of p2000 encrypted signals. Basically an sdr. Anyway. I also believe it is highly illegal to use. Link: https://blu-eye.eu/
There was actually a good DC31 talk called "Snoop On To Them, As They Snoop On To Us" kinda in this vein, but with Bluetooth devices that are part of a lot of cop's gear.
Some people I know are building a similar system, watching for the printers that parking attendants carry to issue tickets. When they see one of those nearby, it starts the clock so that they move their car before the time expires.
a distributed monitoring/alert effort would be capable of...
Thinking out loud... an RTL-SDR dongle costs like $35.00 or so (well maybe more now due to tariffs, I haven't bought one in a while), plenty of relevant software is open source (GNURadio etc.), drones are cheap, small solar panels are fairly inexpensive. Hmm... I almost think a motivated individual (or small group of individuals) could piece together a rather capable "distributed monitoring/alert" system.
Not that I'm encouraging anyone to do such a thing, of course.
I agree, it probably isn't really explicitly illegal. But if one put together such a thing, depending on how they decided to use it, I have a hunch that the State would find something to charge them with. I'll resist the temptation to say more, to avoid going too overtly political here.
Why EU saw fit to buy very expensive proprietary software encryption, when there are open source standards, some of them designed in the EU itself is beyond me. Of course, you still someone to build the hardware and so on.
The funny thing about this is that my municipality just recently started encrypting their radios at all. And it was controversial! Residents liked being able to listen in to the scanners.
Along with radicaldreamer suggestions it's also common to be really effective at stonewalling police while on secure wire cameras with audio recording and to have very good criminal lawyers on retainer. Also having patches and wannabes who are prepared to scapegoat themselves.
This isn't so much directly evading law enforcement but it's effective as it can easily cause police take actions that cause evidence and cases to be thrown out, raise reasonable doubt, etc.
Depleting resources and diversions are also relatively common, creating a 'fake' public threat or hate crime to investigate bleeds police resources away from ongoing investigations, etc.
The tango between gang squads and organized criminal groups is an ongoing escalating battle. The EncroPhone transcripts revealed a lot.
In europe when the police comes to a loud party, they come and tell the people to please be more silent. (And if it is just minor kids, ask for a adult) So if the party dispersed in panic before they even arrive .. problem solved fpr them?
Or does the US police busts loud parties gun blazing in general?
> Or does the US police busts loud parties gun blazing in general?
Nah, but lots of these parties have kids below than 21 (or whatever the legal drinking age is). So they get fined or arrested if caught so they leg it.
A friend attended a Chicago-suburb high school for a year (exchange student). Said he had to run from cops at private parties about a handful of times in that year, and that it was pretty normal in his group.
How does one perform oversight of a police department if the comms are encrypted? Do I FOIA all the communications? How specific does that request have to be? Are the comms even recorded? How long are they retained? What happens when the recordings are "lost"?
Much more likely is that the opacity of encryption lends advantage to the unsophisticated bad actors (ie, the 'official' ones).
I think most of us, at least in the USA, are far more ready to take our chances with these hypothetical sophisticated bad actors than to reduce the real-time transparency of verified ones.
I'll never forget 8 years ago someone managed to set off every tornado siren in Dallas for an entire Friday night, apparently because they're controlled by radio and the control signal was not encrypted, so the "hacker" just recorded it during a real alert and then played it back to attack the system.
Yeah, it's complicated! Europe goes the other way on this, apparently, so much so that it's headline news when someone comes up with cryptographic attacks on their police radios. Here, on the other hand, people committing crimes can (or could, a few months ago) just listen on their iPhones to see if anybody is on to them.
The City of Chicago makes decrypted audio available, just on a 30 minute delay. That's a sane compromise, I think.
> The City of Chicago makes decrypted audio available, just on a 30 minute delay. That's a sane compromise, I think.
It sounds sane! Though I wonder if like body cams the decrypted channel will have mysterious malfunctions every so often when anything interesting happens?
Seems reasonable on the surface. Has anyone ever audited this? Are there gaps in the recordings? If the PD fails to reproduce the recordings what are the consequences?
At some point, this needs to turn a corner into real-time resistance, and massive community presence to assist regular people in asserting their rights.
Most communities are far more victimized by property crime than they are by the police. Anti-police activists tend to premise their arguments on the idea that everybody opposes police intervention, but read transcripts of neighborhood meetings in Black neighborhoods: the more common complaint is that the police aren't responding and aren't taking their complaints seriously.
> is people committing crimes with the scanner playing waiting to see if the police are on to them
That's ridiculous. I've seen one police chief give this testimony but I've seen no evidence anywhere or charges levied anywhere showing it has actually occurred and I can't actually parse out the criminal model.
You have to assume that they _absolutely will always_ broadcast the location of burglaries on the radio. They could just not do that. Perhaps they coordinate the arrest using cellphones which is something that happens all the time already. Then your listening in has cost you a person who could otherwise be stealing things and may end up being a highly unreliable indicator of imminent capture. Then you have to be sure you leave early enough and carefully enough that no one, not even a neighbors ring camera, sees you leave the scene or tracks your travel after the crime.
That's not to say I haven't seen "criminals" use them. Street takeovers will monitor traffic to frustrate responding officers. Cannonball run players will monitor traffic to avoid speed traps. I've also used them for skip tracing when trying to find an officer who is also a debtor, ironically, they often think themselves above civil law enforcement and are notoriously hard to collect on.
Anyways, it really seems like a weak dodge from police departments that would rather not be accountable to the public. Chicago is no exception. Delays of communications put control solely in their hands. I can't imagine a worse outcome. It should be a third party non-aligned agency that performs that task and it should take a call from the governor to prevent them from doing it.
So the bad guys scope out a Hyundai or whatever and then listen to the scanner for a while until they're confident there are no cops in the area and then steal the car? Is it feasible to call in a distraction and listen for that?
I'm not saying there's no concern. I'm just not sure if this 30 min delay is as effective as it sounds at first glance. My gut reaction has been wrong enough times in my life that I have gotten in the habit of challenging my own assumptions.
No, this story is about TETRA radios, which are used in Europe; I'm in Chicago, on Motorola's STARCOM (P25), which is ostensibly AES (it wouldn't be shocking to find vulnerabilities; in fact shocking not to, but it won't be as crazy as TETRA, which freelanced its entire encryption stack).
I listened to your great podcast and the remark along the lines of "unencrypted police comms let the robbers know when the police are getting close" made me wonder if anyone has built a simple signal intensity detector for the encrypted radios. You don't need to hear the contents to know that the radios are closing in on you. I can't imagine police forces practice RF silence like special forces do.
It really would be better to hide in the noise of 5G.
For about $700, you can get some pre-made kit to use SDR to do Radio direction finding. IIRC this device uses the same chips as a RTL-SDR, but it uses 4-5 of them, all synchronized and has a signal emitter for calibration, and a nice web ui to report the data.
(I have not used it, but I've been learning about all sorts of neat radio products as I'm dabling and learning about SDR)
No current ability to track trunked radio units, though arguably thats 'just a software problem'.
I have one and have found it to be quite easy to hunt down ham repeaters that you can get to transmit more or less non-stop... but relatively hard to use for intermittent transmitters.
I need to see if I can figure out how to plub in my GNSS compass output because inferring orientation from motion requires an awful lot of moving around and is less reliable than I'd like.
Some transmitters have such a distinct sound that you can identify them with just your unassisted human hearing. Back in my firefighting days, I remember that certain trucks or stations had transmitters where you could identify them from the half second or so of "hum" between the time somebody keyed up the mic and the time they started talking. Using ML / signal processing stuff on a computer, yeah, you can probably get pretty fine grained at discriminating these things.
> the remark along the lines of "unencrypted police comms let the robbers know when the police are getting close"
Criminals sophisticated enough to do that are usually not going to get caught regardless, encryption or no and are generally savvy enough to not make themselves a serious threat to public comfort and order.
I don't think its a long reach to say that the public may be better off with more ability to monitor police activity at a cost of being weaker against that kind of criminal.
I think that was truer 15 years ago, but every criminal now carries a police scanner with them (in the form a phone), and the residents in my area who most avidly follow police scanners are not the most technical people in the area.
(Having said all that, our muni voted against encrypting radios; we lost 2-1 in a vote with the 2 other munis we share dispatch with).
Unless you're talking about criminals doing traffic analytic RF attacks, in which case, I agree, who cares?
"which is ostensibly AES" in the 5% or less of deployments that turn that on
Both of the systems are crap, when we were evaluating them for nationwide purchase we chose TETRA because of systemic safety features (like local DMO handover modes for public safety use in noisy environments), but when I read their crypto choices I made screwy faces constantly, I wasn't in the slightest bit surprised when this research came out.
I remember at the time some ex signals military folks trying to tell me that the encryption barely matters as the channel selection rate is so high you'd need multi-site intercepts to even make heads of tails of it, sadly they didn't really seem to understand how far SDR and compute has come. The whole experience to this day flavors a lot how I think about military and telco thinking around the whole space, everything touching that boundary feels infected with oldthink.
> everything touching that boundary feels infected with oldthink.
I'd guess that's due to the expense of the equipment and all the regulations coupled with the lack of immediate usefulness to a casual hobbyist. Without the sort of vibrant wild west ecosystem that FOSS provides innovation happens much more slowly and most of the participants will be entrenched.
Northern California services use P25 but with encryption turned off. They also have analogue repeaters. Presumably because that way they can still use old radios and don't have to worry about key rotation.
The audio quality on the analogue signal is a lot better than the P25 version, which is often harder to understand.
Not like there’s not enough problems with P25… until the day they can deploy LLE (link-layer encryption) across all P25 systems, there will always be a way to gather some kind of intelligence about the system and its radio traffic.
(And the fact that it’s taking so long to implement link layer authorization, barely a scratch in the security dent…)
I believe TETRA was already vulnerable to being broken based of some research that a group did into the protocol. They showed a proof video but didn't release any technical info or poc due to security fear.
Very interesting, curious how long it would take to brute force the 56 bit key, with something like a GPU/FPGA. It looks like hashcat supports DES, which is also 56 bit.
I think what you may be thinking of is the export from the US of strong encryption products under ITAR. It was challenged by djb (of qmail/djbdns fame, among many other things) and the result was roughly that publishing software is protected expression like any other publishing (prior to that it was classified as munitions and required an export license).
Its also illegal to report hospitals that post PHI (protected health information) over POCSAG or FLEX - pager networks. Of course, theres no encryption or anything. The encoding is plain text.
Yes, it is also illegal to post PHI over pagers, due to HIPAA addendum in 2016.
But 1986 ECPA law forbids decoding pager messages unless they were intended for you.
I've done that. It seemed like Wired got lost on the road for a while, but lately they're back with a vengeance, which I'm delighted to see (and to support).