Researchers at the University of Pennsylvania recently published a report on the security vulnerabilities of the P25 digital radio protocol. Everyone who is responsible for management or procurement of digital public-safety radio should be aware of the issues identified in this study.
This is scary stuff. According to the report, the entire radio system can be disabled with little effort, and individual units can be tracked and targeted, dramatically compromising officer safety. The passage below, on tracking, is taken from the report:
An eavesdropper familiar with the frequencies used by a given agency may readily listen to that frequency set and determine which group IDs are regularly in use, and may employ direction finding equipment to locate the radios corresponding to a particular group. Group IDs are always sent in the clear.

For most traffic a passive eavesdropper can track individual radios simply by noting the senders' Unit Link ID numbers sent in the clear in various metadata fields during transmissions.

In encrypted mode, Unit Link ID numbers can be optionally protected in voice frames (but not for data frames). However, as noted in the previous section, this feature is apparently not implemented in many vendors' equipment, even when encryption is used to protect content. And for packet data messages (for example, when the OTAR protocol is used for key management), the protocol specifies that Unit Link IDs are always transmitted in the clear in the data frame's header block even when the packet data itself is encrypted.

If only voice frames are sent on a given encrypted link, Unit Link ID numbers may not be visible in the clear if the radios correctly implement the "protected" flag in the LCW (which, we note, is often not implemented). However, even without knowing the link IDs, valuable information may be easily obtained. For example, an entirely passive eavesdropper could use direction finding to discover whether the movements of members of a surveillance team correlate well with his own movements in public places.

An active adversary has even richer traffic analysis options.
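The passage above describes exactly which metadata a passive listener gets to see: group IDs always, Unit Link IDs in data-frame headers always, and Unit Link IDs in voice frames unless the call is encrypted and the radio honours the LCW "protected" flag. The script below is an added illustration of the resulting traffic analysis; it is not code from the report, the university researchers, or any P25 vendor. It does not decode P25 air-interface bits at all: it starts from already-decoded metadata records, and the capture, the talkgroup numbers (101 and 202) and the unit IDs (1001 to 1003) are constructed for the example. The "which radios honour the protected flag" behaviour is likewise an assumption chosen to match the report's observation that many radios do not.

```python
"""Passive traffic analysis over P25 call metadata (constructed example).

Visibility rules are the ones stated in the quoted passage:
  * group IDs are always in the clear;
  * Unit Link IDs in data-frame headers (e.g. OTAR) are always in the clear;
  * Unit Link IDs in voice frames are hidden only when the call is encrypted
    AND the sending radio honours the LCW "protected" flag.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Transmission:
    """What the radio actually put on the air (ground truth)."""
    t: float          # seconds since start of capture
    kind: str         # "voice" or "data"
    group_id: int     # talkgroup (always clear)
    unit_id: int      # sender's Unit Link ID
    encrypted: bool   # content encrypted
    protected: bool   # sending radio honours the LCW "protected" flag (voice only)


@dataclass(frozen=True)
class Observation:
    """What a passive listener on the frequency set can recover."""
    t: float
    kind: str
    group_id: int
    unit_id: Optional[int]   # None when the ID was actually protected
    encrypted: bool


def unit_id_visible(tx: Transmission) -> bool:
    """Apply the visibility rules from the report to one transmission."""
    if tx.kind == "data":
        return True                       # header block is never encrypted
    return not (tx.encrypted and tx.protected)


def observe(capture: List[Transmission]) -> List[Observation]:
    return [Observation(tx.t, tx.kind, tx.group_id,
                        tx.unit_id if unit_id_visible(tx) else None,
                        tx.encrypted)
            for tx in capture]


def active_groups(obs: List[Observation]) -> Counter:
    """Which group IDs are regularly in use (always recoverable)."""
    return Counter(o.group_id for o in obs)


def unit_tracks(obs: List[Observation]) -> Dict[int, List[Tuple[float, int]]]:
    """Per-radio timeline of (time, group) built from clear Unit Link IDs."""
    tracks: Dict[int, List[Tuple[float, int]]] = defaultdict(list)
    for o in obs:
        if o.unit_id is not None:
            tracks[o.unit_id].append((o.t, o.group_id))
    return dict(tracks)


def leaked_despite_encryption(obs: List[Observation]) -> List[int]:
    """Unit IDs readable even though the content was encrypted."""
    return sorted({o.unit_id for o in obs if o.encrypted and o.unit_id is not None})


# Constructed capture: talkgroup 101 is clear dispatch traffic, talkgroup 202 is
# an encrypted surveillance team. Radio 1002 is assumed not to implement the
# protected flag; radio 1003 sends an OTAR data frame.
CAPTURE = [
    Transmission(0.0,  "voice", 101, 1001, encrypted=False, protected=False),
    Transmission(4.5,  "voice", 101, 1002, encrypted=False, protected=False),
    Transmission(9.0,  "voice", 101, 1001, encrypted=False, protected=False),
    Transmission(20.0, "voice", 202, 1001, encrypted=True,  protected=True),   # ID hidden
    Transmission(25.0, "voice", 202, 1002, encrypted=True,  protected=False),  # ID leaks
    Transmission(31.0, "voice", 202, 1001, encrypted=True,  protected=True),   # ID hidden
    Transmission(40.0, "data",  202, 1003, encrypted=True,  protected=True),   # header leaks
]


def analyze(capture: List[Transmission] = CAPTURE) -> dict:
    obs = observe(capture)
    return {
        "groups": active_groups(obs),
        "tracks": unit_tracks(obs),
        "leaks": leaked_despite_encryption(obs),
    }


if __name__ == "__main__":
    result = analyze()
    print("group activity :", dict(result["groups"]))
    for unit, track in sorted(result["tracks"].items()):
        print(f"unit {unit} seen on:", track)
    print("IDs visible despite encryption:", result["leaks"])
```

On the constructed capture the listener learns that talkgroup 202 carries four encrypted transmissions, that radio 1002 appears on both the clear dispatch group and the encrypted surveillance group (so an identity observed in the clear can be linked to the protected team), and that radio 1003 is a member of 202 purely from an OTAR data frame header. Radio 1001, whose equipment honours the protected flag, is only ever tied to talkgroup 101; its presence on 202 is hidden from the listener.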