Upload
daryl-jones
View
231
Download
0
Embed Size (px)
Citation preview
8/3/2019 P25 Security Mitigation Guide-08102011
http://slidepdf.com/reader/full/p25-security-mitigation-guide-08102011 1/6
P25 Secur ity Mit iga tion Guide
/
P25 Security Mitigation Guide
Matt Blaze, Sandy Clark, Travis Goodspeed, Perry
Metzger, Zachary Wasserman, Kevin Xu
University of Pennsylvania
10 August 2011
P25 Security
Ina recent research paper [pdf], w e analyzed the security features of the A PC O Pro ject
25 (P25) digital tw o-w ay radio system P 25 radios are w idely deployed in the U nited
S tates and elsew here by state, local and federal agencies, first responders, and other
p ub lic safety o rg an iz atio ns. T he P 25 se cu rity featu res, in w hich v oic e traffic can b e
en crypted w ith a secre t key to frustrate un authorized eavesdropping, are used to protect
s en si tiv e c om rmm ic atio ns in s ur ve illa nc e a nd o th er ta ctic al law e nf or cemen t, military an d
n atio na l s ec ur ity o pe ra tio ns . B ec au se ra dio s ig na ls a re in he re ntly e as y to detect and
in tercep t, en cry ptio n is th e p rim ary m ech an ism u sed to secu re sen sitiv e P 25 traffic.
O ur an aly sis fo un d sig nifican t -- an d ex plo itab le -- secu rity d eficien cies in th e P 25standard and in the products that im plem ent it. T hese w eaknesses, w hich apply even
w hen en cry ptio n is p ro perly co nfig ured , leak d ata ab ou t th e id en tity o f tran sm ittin g
ra dio s, e na ble a ctiv e tra ck in g a nd d ire ctio n fin din g o f id le (n on -tra nsmittin g) u se rs , a llow
h i g h 1 y e ffic ie nt (low - e ne rg y) m alic io us jamm in g a nd d en ia l o f s erv ic e, a nd p erm it iI1 ie ctio n
o f u na uth en tic ate d tra ffic in to s ec ure d c ha nn els . U n fo rtu na te ly , m a ny o f th es e
v uln erab ilities resu lt fro m b asic d esig n flaw s in th e P 25 p ro to co ls an d p ro du cts, an d, until
the standard is changed and products are upgraded , cannot be effectively defended
against by end users or P25 system adm inistrators. W hile w e are unaw are of incidents of
crim in als carry in g o ut th e activ e attack s w e d isco vered , th e h ard ware reso urces req uired
to c on du ct th em a re re la tiv ely m o de st. As te ch no lo gy a dv an ce s, th es e a tta ck s will
d em an d in creasin gly few er reso urces an d less so ph isticatio n to carry o ut.
H ow ever, in addition to active attacks against P 25, w e also disco vered a serious
p ractical p ro blem th at can b e ex plo ited easily today ag ain st field ed P 25 sy stem s: a
significant fraction of sensitive traffic that users believe is encrypted is actually
b eing sent inth e c le ar. Inth e m etro po litan areas w e sam pled , w e in tercep ted litera lly
.crypto.com/p251 1/ 6
8/3/2019 P25 Security Mitigation Guide-08102011
http://slidepdf.com/reader/full/p25-security-mitigation-guide-08102011 2/6
P25 Secur ity Mit iga tion Guide
th ou sa nd s o f'u nin te nd ed c le ar tra nsm is sio ns e ac h d ay , o fte n r ev ea lin g highly sensitive
ta cti ca l, o p er at io n al, a nd in v es tig a tiv e d a ta . Ine ve ry ta ctic al s ys tem w e monito re d,
e nc ry ptio n w as a va ila ble an d e na ble d in th e ra dio s' c on fig uratio ns (a nd , in dee d, w as u se d
c orre ctly fo r th e m ajo rity o f tra ffic ). Y et a mo ng th e en cryp te d tra ffic w ere n um e ro us
s en sitiv e tr an sm is sio ns s en t in th e c le ar , w ith ou t th eir u se rs ' a pp are nt k now le dg e. V irtu ally
e ve ry ag en cy u sin g P 25 sec urity fea tu re s a pp ears to su ffe r from fre qu en t u nin te nd ed c le ar
tr an sm is sio n, in clu din g f ed er al law e nf or cem en t a nd s ec urity a ge nc ie s th at c on du ct
o p er at io n s a g ain st s oph is tic ate d a dv e rs ar ie s.
This u nin te nd ed cle ar se nsitiv e tra ffic c an b e m o nito re d e asily b y an yo ne in ra dio ra ng e,
i nc lu d in g s ur ve il la n ce t ar ge ts a nd o th er a dve rs ar ie s, u si ng on ly r ea di ly a v ail ab le ,
i ne xp e ns iv e , u nmodif ie d o ff - th e- s he lf e qu ipment, in c lu d in g many o f t he la te st g e ne ra ti on
o f "sca nn er" ra dio s aim ed at th e h ob by m a rk et. U nin ten de d c le arte xt th ere fo re re pre se nts
a se rio us p ra ctic al th re at to c ommun ic atio ns sec urity fo r a ge ncie s th at rely o n P 25
encrypt ion
P25 Encryption Usability Deficiencies
As n oted in o ur p aper, w e fo un d tw o d istinct cau ses fo r u nin ten ded sensitiv e cleartex t infe dera l P 25 sy ste ms, e ac h ac co un tin g fo r a bo ut h alf th e c le ar tra nsm issio ns w e
intercepted:
• Ineffective feedback to the user about whether encryption is enabled.
S ub sc rib er ra dio s a re g en era lly c on fig ure d to e nab le e ncry ptio n o f th eir
t ransmiss ions via a tw o-p ositio n sw itch (lo ca te d o n th e co ntro l h ea d o fm o bile
rad io s o r n ear th e ch an nel selecto r o f p ortab le rad io s). T he sw itch co ntrols o nly
th e e nc ry ptio n o f o utb ou nd tra nsm iss io ns ; c le ar tra nsm iss io ns c an s till b e re ce iv ed
w hen th e rad io is in en cryp ted m od e, an d en cryp ted tran sm issio ns can still be
received w hen the radio is in clear m ode (as long as the correct keys are
available). This mea ns th at ifa rad io is inad vertently p laced in th e clear m od e, it
will still a pp ear to w ork n orm a lly, in tero pera tin g w ith e ncry pte d ra dio s in its
n etw o rk e ve n w h ile a ctu ally tr an sm ittin g in th e c le ar .
• Unavailable or expired key material. Man y sy ste ms ex pire o r ''re -k ey '' th eir
e nc ry ptio n k ey s a t f re qu en t in te rv als , in th e b elie f th at this make s e nc ry pte d tr af fic
mo re se cu re a ga in st a tta ck . (In fact, this is a myth; m odem ciphers such as the
A ES algo ritln n u sed in fed eral P 25 system s are d esig ned to rem ain secu re ev en ifa single key is used to pro tect m any years w orth of traffic , and , as w e discuss
b elo w, th e p ro blem o f k ey co mp ro mise in law en fo rcem ent en viro nm en ts is
n eg lig ible .) B ut th e effect o ffreq uen t rek eyin g is th at o ne o r m ore users in a g ro up
can b e left w ith ou t cu rren t k ey m aterial W h en this h ap pen s, th e en tire g ro up m ust
sw itch to clear m od e in o rd er to co mm unicate .
F ortu na tely , a lth ou gh th e d efa ult c on fig ura tio n o f m o st P 25 rad io s e xac erb ates th ese
p ro blem s, P 25 sy ste m adm in istra to rs c an co nfig ure ra dio s a nd a dju st k ey in g p ra ctice s to
m itig ate th ese p ro ble ms a nd red uc e th e in cid en ce o f'u nin te nd ed c lea r tra nsm issio n o f
.crypto.com/p251 2/6
8/3/2019 P25 Security Mitigation Guide-08102011
http://slidepdf.com/reader/full/p25-security-mitigation-guide-08102011 3/6
P25 Secur ity Mit iga tion Guide
s ens it ive t ra ff ic i n t he ir s ys tems .
Configuring P25 Systems for More Reliable
Security
T he user in terfaces of m ost P25 radios are highly c on fig ur ab le b y a n a ge nc y's r ad io
tec hn ician s, th ro ug h th e u se o f "cu stom er p ro gra mm in g" so ftw are p ro vid ed b y th e
m anu fu ctu rer. W e fo un d it to be p ossib le to co nfigu re existing P 25 radio s to have m uchm ore re lia ble se cu rity b eh av io r, w ith b etter feed ba ck to th e u ser a nd m o re in tu itiv e
o pe ratio n, th an th e d efa ult c on fig uratio n p ro vid es. W e rec orm n en d th at en cry pte d ra dio s
u sed in tac tic al la w en fo rc erren t o peratio ns b e co nfig ured ac co rd in g to th e g uid elin es in
this section.
W e use the M otorola A str025 radios (e.g ., the X TL-5000 m obile radio and the X TS-
5 00 0 p orta ble ) fo r term in olo gy a nd illu stra tio n. M ost o th er v en do rs' P 25 rad io s h av e
s im i la r c on fig u ra tio n c ap ab iliti es , b u t th ey may u se d if fe re nt te rm i no lo gy f rom Mo to ro la 's
fu r th e c on fig urab le featu re s; co nta ct yo ur rad io v en do r fo r sp ec ific in fu rm atio n o n h ow
to a cc omp li sh a p ar tic ula r c on fi gu ra tio n .
1. Disable the "Secure" Switch
T he behavio r o f the "secu re" sw itch is a sou rce o f con fusio n am on g ev en trained u sers.
A sid e from its obscure labeling (a zero fur clear m ode and a zero w ith a slash for
encryp ted m od e), it is often ou t of v iew , can chan ge p ositio n iftouched, and does not
p ro vid e d ire ct fee db ack tied to th e o bje ctiv e o f c ommun ica tin g.
Instead, w e recomm en d that en cryption b e a p erm anen tly en ab led o r d isabled fim ction of
the selected ch an nel T hat is, ifan ag en cy has a freq uen cy called Tacl in w h ic h b oth
e nc ryp te d an d c lea r c ommun ica tio n tak e p lace , ra dio s sh ou ld b e c on fig ure d w ith two
Tac1 ch an nels, o ne w ith en cry ptio n alw ay s e na ble d a nd th e o th er w ith en cryp tio n a lw ays
d isabled . T he tw o ch an nel nam es (as displayed o n th e rad io screen ) sh ou ld reflect this,
e.g., Tac1 Secure and Tac1 Clear.
O n the M otoro la A str025 rad io s, the secu re/clear sw itch can be d isabled in the 'R adio
C o nfig ura tio n" m e nu u nd er " sw itc he s" ; se t th e sw itc h's f un ctio n to ''b la nk ''. C h an ne ls c an
th en b e "stra pp ed " fu r "cle ar" o r "sec ure " m od e in th e ''P erso nality '' m en u fu r th e ch an nel
2. Prevent Mixed Encrypted/Clear Communication with Separate
NACs
C urrent P2 5 rad ios d o no t tie th e d ecryp tio n behavio r o f their receiv er to th e en cryp tio n
behav io r o f their tran sm itter. T hat is, as 10ng a s a receiving radio has th e correct k ey
lo ad ed , it will d ecry pt an d p la y all in com in g e nc ryp ted tra nsm issio ns it re ceiv es o n th e
c ur re nt c ha nn el, e ve n ifit is itse lf set to tra nsm it in clea r m od e. S im ila rly , e ven ifa radio is
set to transm it in en crypted m ode, it will s till r ec eiv e c le ar tra nsm is sio ns o n th e c urr en t
.crypto.com/p251 3/6
8/3/2019 P25 Security Mitigation Guide-08102011
http://slidepdf.com/reader/full/p25-security-mitigation-guide-08102011 4/6
P25 Secur ity Mit iga tion Guide
channel This b eh avio r run s co un ter to m an y u sers ' ex pectatio ns, an d m ean s th at ifa u serin an en cryp ted netw ork h as his o r h er e nc ry ptio n sw itc h in th e w ro ng p ositio n,
c om rmmi ca ti on s til l o c cu rs a s ifit w ere en cryp ted . T he erro r is th us u nlik ely to b e
d etected . (S om e rad ios can b e co nfig ured with a c le arte xt ''b ee p'' w arn in g, b ut w e fo un d
it to b e in ef fe ctiv e a t a ctu ally a le rtin g u se rs ).
A ccep tan ce o f receiv ed clear traffic in encryp ted m od e an d receiv ed encryp ted traffic in
clear m od e is a b asic featu re o f th e P 25 arch itectu re; it can no t b e d isab led th ro ug h m ost
ra dio s' co nfig uratio n so ftw are . H ow ev er, it is p ossib le to u se P 25 's Network AccessCode (NAC) m ech an ism to seg reg ate en crypted and clear traffic and ach iev e close to
the sam e the sam e result, (N AC s are the P25 equivalent of the sub-audib le C TC SS
tones used in analog FM system s.) P25 signals alw ays include a 12-bit N AC code; P25
receiv ers can be co nfigu red to m ute receiv ed tran sm issio ns th at d o n ot carry th e co rrect
code .
T o p rev en t e nc ry pted u sers from rec eiv in g cle ar tra ffic (an d v ic e-v ersa ), sim p ly c on fig ure
different N A Cs on the clear and encrypted versions of each channel T hat is, T acl
Clear might use a N AC code of"A Ol ", w hile the Tac1 Secure version of the channel
could use N A C code "A 02 ". Even though both channels use the sam e frequency, users
set to th e en cryp ted versio n o f th e ch an nel will n ot h ear th e tran sm issio ns o f tho se o n th e
c le ar v er sio n, n or will u se rs o n th e cle ar ch an nel h ea r th e e ncry pte d tra nsm issio ns, e ve n ifth ey h av e th e co rrect k eys.
This c on fig ur atio n p re ve nts th e ( common ) s ce na rio w h ere a s in gle u se r a cc id en ta lly
re pe ate dly tra nsm its in th e c lea r a s p art o f an o th erw ise en cry pte d g ro up . C on nn un ica tio n
sim ply cann ot o ccu r u ntil an u sers are set to eith er en crypted o r clear m od e. (N ote th at
this c on fig ura tio n p re ve nts o nly a cc id en t, n ot m a lic e. A n a tta ck er c an s till t ra nsm it c le ar
traffic with th e "e nc ry pte d"NAC to in je ct fa lse m essa ge s).
T he d isad van tag e o f seg reg atin g clear an d encryp ted traffic o n sep arate N A C s is th at, in
an em erg en cy, it m ay b e m ore d ifficu lt fo r an u nk eyed user to co nn nu nicate with
en cryp ted rad io s. B ut th e b eh av io r o f rad io s co nfig ured in this wa y is u ltim a te ly mu ch
m o re in tu itiv e, m ak in g th e "e nc ry pte d" o r " cle ar" m o de a m o re relia ble in dic ato r o f th e
state o f th e receiv er as w en as of th e tran sm itter.
O n conventional M otorola A str025 radios, the transm it and receive N AC codes are set
in th e "Z on e C han nel A ssign ment" m en u A ny rep eaters m ust also b e con fig ured to
accept both N AC s (or to operate in transparent m ode). N ote that the m uhiple N AC
approach will n ot w ork in tru nk ed P 25 system s; th ese system s can seg regate en cryp ted
a nd c le ar tra ffic b y p la cin g th em in d if fe re nt ''ta lk g ro up s" .
3. Use Long-Term, Non-Volatile Keys
M any federal system s use the P25 "O TA R" protocol to m anage and distribute keys. For
a v arie ty o f re as on s, this p ro to co l is u nre lia ble in p ra ctic e. T he resu lt is th at u se rs
freq uen tly d o no t h av e cu rren t k eys, an d are u nab le to su ccessfu 1ly rek ey. W h en u sers
.crypto.com/p251 4/6
8/3/2019 P25 Security Mitigation Guide-08102011
http://slidepdf.com/reader/full/p25-security-mitigation-guide-08102011 5/6
P25 Secur ity Mit iga tion Guide
w ith ou t k ey m aterial m ust co mrmm icate w ith a g ro up , th e o nly op tio n is fo r th e entire
o pe ratio n to sw itc h to th e cle ar. T hat is, a ttem p tin g to c en tra lly m an ag e k ey s vi a OTAR
h as th e effect o ffu rcin g m an y sensitiv e o peratio ns to u se clear m od e.
E xa ce rb atin g th e s itu atio n is th e p ra ctic e o f u sin g s ho rt-liv ed , v ola tile k ey s th at a re
c ha ng ed fr eq ue ntly (mon th ly o r e ve n w e ek ly ). This p ra ctic e h as it s o r ig i n i n military
o peratio ns, w here k eyed rad io s are o ccasio nally cap tu red b y en em y fu rces. (O nce th e
netw ork re- keys, captured radios becom e useless). B ut captured radios are not a
sig nific an t th re at in th e law en fu rc em en t ta ctic al e nv iro nm en t. H ere , th e p ra ctic e o f re -
k ey in g re su lts in less se cu rity , n ot m o re , esp ecia lly g iv en th e u nre lia bility o fP 25 O TAR
systems.
R ath er th an s ho rt-liv ed k ey s re fre sh ed vi a OTAR, w e stron gly reco mm en d th at ag en cies
sim p ly lo ad a sm all se t o f se mi- p erm an en t k ey s in to a ll ra dio s u se d fo r se nsitiv e
co mrmm icatio n T hese k eys sh ou ld b e ch an ged (an d rad io s re- k eyed ) o nly in th e (rare)
event that a radio is d iscovered to be lost or sto len (Even in the unlikely case that a radio
is sto len an d n ot d etected, a system w ith lon g-liv ed k eys is still m ore secu re w ith a sm all
n um b er o f c om p rom ise d rad io s than a sy stem u sin g a n u nre liab le k ey in g sc hem e th at
freq ue ntly fu rc es u sers to o pera te in th e cle ar).
N o te th at ra dio s c on fig ur ed f ur ''v ola tile '' k ey in g c an lo se th eir k ey ma te ria l if th eir b atte ry
is d isc on nec ted a nd u nd er c erta in o th er c on ditio ns. W h en this h ap pen s, rad io s can o nly
o perate in th e clear u ntil th ey are re-k eyed. T o p rev en t accid en tal k ey erasure, w e
reco mm en d th at M oto ro la A str02 5 rad io s b e co nfigu red fur ' 'Infinite K ey R ete ntio n" in
th e "S ecu rity" m en u o f th e p ro gramm in g softw are. W e also su gg est th at p ro vision s b e
m ad e fu r d ep lo yin g k eylo ad in g d ev ices in th e field to q uick ly re- k ey rad io s ifk eys are
acc idental ly de let ed .
Summary
F o r fu rth er in fu rm a tio n, se e o ur p ap er [p df].
T he co nfig uratio n chan ges h ere are in ten ded to ad dress o nly o ne (alb eit p erh ap s th e m ost
imm ed iate an d serio us) o f the P 25 secu rity v ulnerabilities th at w e d isco vered -- th at o f
u nin te ntio na l tra nsm is sio n o f se ns itiv e c le arte xt. H ow ev er , w e emph as iz e th at c on fig ur in g
radios as w e recommend does not prevent o ther attacks w e discovered (such as low -
e ne rg y ja mm in g o r a ctiv e tra ck in g). U ntil th ese p ro ble ms a re a dd re sse d in th e sta nd ard
an d n ew p ro du cts im plem en ted , w e u rg e ag en cies th at u se P 25 fu r sen sitiv e traffic , in
ad ditio n to con fig urin g rad io s as w e reco nnn en d h ere, to n ot reg ard P 25 co mrmm icatio n
a s r el ia b ly s ec ur e a g ain st modes tl y s oph is ti ca te d a dve rs ar ie s.
W e h av e m ad e the fed eral tactical an d p ub lic safety rad io com rmm ity aw are o f th e
attack s w e d isco vered an d o f th e pro blem o f un in ten ded cleartext, b ut it is p ossib le th at
so me sen sitive P 25 u sers are n ot yet aw are o f th e risk s an d m itig atio ns th at are p ossib le .
While w e ca nn ot p ro vid e e xte nsiv e co nsu ltin g se rv ice s, w e are h ap py to d isc uss sp ec ific
issu es a nd m itig atio n stra te gie s w ith a ge nc ie s w ho se c om rmm ic atio n m ay b e a t risk .
.crypto.com/p251 5/6
8/3/2019 P25 Security Mitigation Guide-08102011
http://slidepdf.com/reader/full/p25-security-mitigation-guide-08102011 6/6
P25 Secur ity Mit iga tion Guide
Contact the University of Pennsylvania P25 Security Research Group vi a email, blaze
(atsign) cis.upenn.edu.
Partial support for this work was provided by a grant from the National Science
Foundation, CNS-0905434. All views are those of the authors.
The current version of this guide is available on th e web at http://www.cooto.com.p25/.
.crypto.com/p251 6/6