On December 26, 2012, The Cardinal featured an OP-ED entitled Police Radio Encryption: Not Secure, A Transparency Failure, A Public Safety Nightmare. Yesterday, a reader posted a comment criticizing the article with some very good points about why police radios should be encrypted. The Cardinal’s position is that general law enforcement radio dispatch should NOT be encrypted, but should be augmented by police onboard computer messages, cellphones, cellphone text messages, and encrypted tactical side channels. The entire comment is presented immediately below. Then specific points that The Cardinal believes deserve responses are excerpted with the accompanying response from The Cardinal.
COMMENT (Thursday, January 17, 2013 at 12:45 pm)
A couple of quick notes: First of all the white paper citing potential vulnerabilities of the encryption implementation of P25 radios with encryption turned on is a practically unusable tactic. Even a cursory examination of that paper will show you that the “vulnerabilities” are not really actual vulnerabilities.
As for the “transparency” aspect, the fact that news organizations could ever listen to police transmissions at all was an incidental occurrence that was based on the architecture of the radio system and the inherent nature of radio waves, not some God given right to reporters. Encryption was not used in the radio systems because it simply wasn’t available in a widely deployable, reliable format. The notion that some sinister cabal of cops is using the radio waves monitored by their supervisors, the dispatchers and other cops, not to mention which is being recorded for future use, to commit heinous atrocities, is absurd. I can’t point to a single case where some intrepid reporter unraveled a major scandal in a police department from monitoring routine radio traffic. I CAN, however, point to very specific instances of first responders being placed in grave danger due to the use of scanners or scanner apps on smart phones.
The notion addressed at the beginning of the article, that encryption is not secure, therefore it should be not used, is asinine. All police transmissions should be encrypted to prevent eavesdropping for the simple fact that just about any police call for service has the potential for violence toward the officer. What may be dispatched as a “routine” disturbance reported by a passerby could be a violent armed robbery or burglary in progress. Many, many, many calls are reported as one type of incident, only to be discovered as something completely different once officers arrive. Police personnel don’t have the luxury of knowing what’s happening beforehand, there’s no reason that criminals should be forewarned that A) Officers are en route and B) How the officers are treating the call (i.e. a loud noise call instead of the robbery it actually is). Because there is no such thing as a “routine” car stop or call in law enforcement (and any cop who’s worked even a day on the beat can tell you that), likewise there is no such thing as a routine radio transmission.
— CRYPTO COP
REBUTTAL TO SPECIFIC STATEMENTS BY CRYPTO COP:
RADIO VULNERABILITIES
CRYPTO COP:
First of all the white paper citing potential vulnerabilities of the encryption implementation of P25 radios with encryption turned on is a practically unusable tactic. Even a cursory examination of that paper will show you that the “vulnerabilities” are not really actual vulnerabilities.
THE CARDINAL:
I think what you are trying to say is that the “actual vulnerabilities” are not something that the average prankster could attack. I think if you really read the article carefully you would understand that the P25 radios really do have actual vulnerabilities. Additionally, CRYPTO COP, you fail to mention that the white paper outlines vulnerabilities that have more to do with the user than with high-tech hacking. As for the high-tech hacker techniques, there are certainly capable hackers out there who could program their “trouble” for application by less-sophisticated individuals. Here are the vulnerabilities noted by the white paper, which THE CARDINAL has classified as HIGH TECH or LOW TECH.
Vulnerability 1 (HIGH TECH): A high tech hacker can take advantage of the P25 protocols which “are vulnerable to highly efficient jamming attacks that exploit not only the narrowband modulation scheme, but also the structure of the transmitted messages. It is sufficient for an attacker to prevent the reception merely of those portions of a frame that are needed for the receiver to make sense of the rest of the frame. Unfortunately, the P25 frame encoding makes it PARTICULARLY EASY (emphasis added) and efficient for a jammer to attack these subfields in isolation.”
Furthermore a jammer can use a synchronized pulse that lasts only about 1/100th of a second to jam the P25 system. Old style radio systems (narrowband FM voice systems) would require the jammer to leave their jamming signal on. The prolonged jamming required in older systems would make it easier for the FCC and other technical investigators to find the jammer’s signal.
Properly synchronized, a P25 jamming system can operate at a very low duty cycle that not only saves energy at the jammer and makes its equipment smaller and less expensive, but also makes the existence of the attack difficult to diagnose and detect, and, if detected, require the use of specialized equipment to locate it. (Note that the length of the jamming transmission is only about 10ms long … Such a jamming system need only be relatively inexpensive, requires only a modest power supply, and is trivial to deploy in a portable configuration that carries little risk to the attacker … We note that there is no analogous low-duty cycle jamming attack possible against the narrowband FM voice systems that P25 replaces.
— Technical Whitepaper: Why (Special Agent) Johnny (Still) Can’t Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio System
In other words a hostile jammer or group could create a number of these low priced, low-powered, battery-powered devices somewhere near a 9-1-1 dispatch center (in an unused third-party vehicle, a dumpster, taped to a tree branch, buried an inch under sod in a park, etc.). Eventually the device would be found or its battery would go dead, and the offenders could then deploy another inexpensive device.
… an attacker could choose to deploy multiple battery operated jamming devices in a metropolitan area, placing them in public locations to make tracing of the devices harder, or even surreptitiously attaching them to the vehicles of third parties such as taxis or delivery trucks to cause confusion, and to make the jammers harder to locate. Such devices may be made arbitrarily programmable, changing which of a group of devices is active at any one time or even taking commands over the air.
— Technical Whitepaper: Why (Special Agent) Johnny (Still) Can’t Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio System
Vulnerability 2 (HIGH TECH): According to the technical paper, a sophisticated hacker can track each radio’s Unit Link ID and perform radio traffic analysis and active location tracking. P25 radios provide “a convenient means for an attacker to induce otherwise silent radios to transmit, permitting active continuous tracking of a radio’s user.” In other words, older radio systems could only be tracked while a police officer was talking on the radio. With P25, a hacker can create their own “iPhone Locator-like” active location tracking of each police radio. A hacker can effectively turn P25 “radios into location tracking beacons.” According to the authors of the white paper, issues related to Unit IDs can be fixed without a major redesign of the P25 system, but again, P25 users can do little to defend themselves here except to wait for the vendors to address these errors and deficiencies.
Vulnerability 3 (LOW TECH): Here’s a scenario that involves talking in the clear while a radio user thinks he or she is talking encrypted. P25’s “cleartext acceptance policy” invites a practical scenario for cleartext to be sent without detection for extended periods. If some encrypted users accidentally set their radios for clear mode (by accidentally hitting the off position on the encryption switch), the other users will still hear them. And as long as the (mistakenly) clear users have the correct keys, they will still hear their cohorts’ encrypted transmissions, even while their own radios continue transmitting in the clear. The paper reports that with some radios it is easy to accidentally turn off the encryption mode while changing radio channels. The authors of the white paper recommend that the public safety radios be configured without the use of the “secure” switch. Instead, encryption should be configured (“strapped”) to be always on (or always off) for each channel. Then certain channels would always be encrypted and certain channels would always be in the clear. Displayed channel names should be chosen to reflect whether encryption is strapped on or off, e.g., channel “TAC1” might be renamed instead to “TAC1 Secure” or “TAC1 Clear.”
On the XTS portable radios, a flashing LED indicates the reception of encrypted traffic. However, the same LED serves multiple purposes. It glows steady to indicate transmit mode, “slow” flashes to indicate received cleartext traffic, a busy channel, or low battery, and “fast” flashes to indicate received encrypted traffic. We found it to be very difficult to distinguish reliably between received encrypted traffic and received unencrypted traffic. Also, the LED and the “secure” display icon are likely out of the operator’s field of view when an earphone or speaker/microphone is used or if the radio is held up to the user’s ear while listening (or mouth when talking).
— Technical Whitepaper: Why (Special Agent) Johnny (Still) Can’t Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio System
Vulnerability 4 (LOW TECH): There are times when new radios need to be keyed for encryption, or radios get out of sync, resulting in some users having updated encryption keys and others having outdated encryption keys. Encryption keys are loaded either with an electronic device known as “external keyloader hardware” or through automatic over-the-air keyloading at intervals (which might occur daily). Motorola touts the over-the-air keyloading as a superior method, but the OTA method can get out of sync. Users with the latest encryption key hear the radio voice communications, but users that haven’t been updated yet (because they were in some basement when OTA re-keying occurred, for example) can’t hear the radio communications. So what do radio users do? They turn off the encryption, and communicate with their radios in the clear. You can imagine a police administrator running around with the added task of having a face-to-face meeting with a police officer to key in their new encryption key, or having a police officer leave their beat to come in to the police station to get it done.
In systems that use automatic over-the-air keying at regular intervals, this can be especially problematic. If common keys get “out of sync” after some users have updated keys before others have, all users must revert to clear mode for the group to be able to communicate … a common scenario in practice. In other words, police officers would all turn off their encryption to get their jobs done, and worry about syncing up their encryption keys later.
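The two LOW TECH problems above (Vulnerability 3 and Vulnerability 4) can be checked for in a fleet's programming records before radios reach the street. The following is an added example, not code from the white paper or from any radio vendor; the field names ("mode", key version numbers) and all sample data are constructed assumptions. It flags channels that leave encryption to the operator's switch, channels whose display name contradicts the strapped setting, and radios holding an older key than their peers.

```python
from collections import defaultdict

# Constructed channel plan. "mode" is a hypothetical field:
#   strapped_secure / strapped_clear = fixed per channel,
#   selectable = the operator's "secure" switch decides.
CHANNEL_PLAN = [
    {"name": "DISPATCH Clear", "mode": "strapped_clear"},
    {"name": "TAC1 Secure", "mode": "strapped_secure"},
    {"name": "TAC2", "mode": "selectable"},
    {"name": "TAC3 Secure", "mode": "strapped_clear"},
]

# Constructed key inventory: radio -> {channel: key version loaded}.
RADIO_KEYS = {
    "unit-101": {"TAC1 Secure": 7},
    "unit-102": {"TAC1 Secure": 7},
    "unit-103": {"TAC1 Secure": 6},  # missed the last over-the-air rekey
}

SUFFIX = {"strapped_secure": " Secure", "strapped_clear": " Clear"}


def audit_channels(plan):
    """Return (channel name, finding) pairs for Vulnerability 3 issues."""
    findings = []
    for channel in plan:
        name, mode = channel["name"], channel["mode"]
        if mode == "selectable":
            findings.append((name, "encryption depends on operator switch; "
                                   "strap it on or off"))
        elif mode not in SUFFIX:
            findings.append((name, f"unknown mode {mode!r}"))
        elif not name.endswith(SUFFIX[mode]):
            findings.append((name, "display name should end with "
                                   f"'{SUFFIX[mode].strip()}'"))
    return findings


def stale_key_radios(radio_keys):
    """Return {channel: [radios behind the newest key version seen]}."""
    newest = defaultdict(int)
    for keys in radio_keys.values():
        for channel, version in keys.items():
            newest[channel] = max(newest[channel], version)
    stale = defaultdict(list)
    for radio, keys in sorted(radio_keys.items()):
        for channel, version in keys.items():
            if version < newest[channel]:
                stale[channel].append(radio)
    return dict(stale)


if __name__ == "__main__":
    for name, finding in audit_channels(CHANNEL_PLAN):
        print(f"[channel] {name}: {finding}")
    for channel, radios in stale_key_radios(RADIO_KEYS).items():
        print(f"[keys] {channel}: rekey needed for {', '.join(radios)}")
```

Radios listed by the key check are the ones most likely to push a whole group back into clear mode, so they are the ones to rekey first.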
TRANSPARENCY AND THE “FOURTH BRANCH OF GOVERNMENT” — THE MEDIA
CRYPTO COP
“As for the “transparency” aspect, the fact that news organizations could ever listen to police transmissions at all was an incidental occurrence that was based on the architecture of the radio system and the inherent nature of radio waves, not some God given right to reporters. Encryption was not used in the radio systems because it simply wasn’t available in a widely deployable, reliable format.”
THE CARDINAL
One really can’t blame police officers for viewing the press or the public in the manner in which you have expressed yourself. Media often acts irresponsibly by spinning certain topics, and the public, with video cameras in a majority of cell phones, can be ready to turn into cop-hating citizen journalists on any street corner. How many times do we hear in the background of a YouTube video, “Oh this is going to be on YouTube tonight!” There are plenty of citizens that are eager to capture police behaving badly, or to attempt to induce them by antagonizing them, or spinning the edits of their videos to make the police look bad. Sometimes, but rarely, they catch legitimate police brutality. A course coordinated with adjusting to new technology must respect the First Amendment, and as difficult as it might be, police must be dedicated to upholding the First Amendment and the Freedom of the Press. Frankly, in many geographic locations, the police and the media have a long way to go to develop mutual understanding of each other, and to coordinate public safety information that the public has a right to know, and the necessity to comprehend. For every criminal that can take advantage of public safety communications, there are many more people that can comprehend and gain awareness about their community in a positive manner — sometimes providing helpful information back to the police.
As mentioned in the original Arlingtoncardinal.com encryption article, “in the successful democracy of the American political system, the fourth branch of government refers to a group that influences the three branches of government defined in the American Constitution (legislative, judicial, and executive).”
Your sarcastic remark, “God given right to reporters” is perhaps a legitimate reaction to bad actors in the journalism departments of television stations, newspapers, and news blog sites; but it shows a troublesome disregard for the higher principles of Democracy and the function of the media to effect checks and balances between citizen rights and government power. Furthermore, citizens entrust police officers to uphold the law, and use proper force to protect and to serve; and those citizens generally show restraint, by not taking the law into their own hands. It is understandable that with all the derelicts police officers are required to work with day after day, that the police might view the public as some adversary that needs to be controlled. But a police officer needs to remember that there are a lot of people that they do not see, that are staying out of trouble, and want to keep it that way. There are many citizens that believe that it IS our God-given right to make sure that public safety radio channels stay open in the clear as a check and balance that provides assurance that force is properly used, and that safety issues are detected and mitigated properly. Without that trust between police and the public, society in general is likely to have many bigger problems down the road.
CRYPTO COP:
“The notion that some sinister cabal of cops is using the radio waves monitored by their supervisors, the dispatchers and other cops, not to mention which is being recorded for future use, to commit heinous atrocities, is absurd. I can’t point to a single case where some intrepid reporter unraveled a major scandal in a police department from monitoring routine radio traffic. I CAN, however, point to very specific instances of first responders being placed in grave danger due to the use of scanners or scanner apps on smart phones.”
THE CARDINAL
CRYPTO COP brings up a very good point about first responders being in danger when the public has scanners and smart phone apps to listen to police communications. There are pluses and minuses to encryption and clear radio traffic. As pointed out in the Arlingtoncardinal.com encryption article, “Why do some police departments encourage listening to their communications?” Are those departments disregarding the risks posed by apps and scanners? Probably those open police departments think that scanners and apps don’t pose that much of a risk. So CRYPTO COP is adding a lot of drama here. Also mentioned in THE CARDINAL article: Smart police departments will use telephones, mobile computer messaging, or dedicated encrypted tactical channels to communicate sting operation messages or raid operation messages. How unsafe is it to dispatch a gang raid on an all-points radio, even if it is encrypted, when one of the police recipients just happens to be standing near a gang banger, and the gang banger overhears the communication? The point is, police should not be dispatching raids and sting information on a multi-point law dispatch channel. The communication should be very limited on a small audience encrypted channel, text message or phone call. Beat officers should be notified to stay away from the exact area via text message or phone call, or told to switch to an encrypted channel to receive an important message, so they don’t spoil the raid, for example.
As for an intrepid reporter unraveling some major scandal, there is no expectation that a reporter would hear a police officer saying over the radio, “keep two cocaine bricks for evidence, and take the rest home.” However, there is the slippery slope of white lies, and general corruption that could be detected by a summary of circumstances gathered from monitoring police radio frequencies. Also, with police dispatches encrypted, there is just too much that would go undetected, or would be delayed, or deliberately hidden. Without active participation of media and the public monitoring police frequencies, the door is open for police corruption or bad behavior — there are too many temptations, and too many opportunities for bad politics to influence the equation into corrupt behavior. Sunshine is the best disinfectant. Open radio channels serve as a safety check, which outweighs the negatives of criminals taking advantage of hearing police dispatches. With aggressive understanding of all the channels police have available to them (including telephones and computer messaging), police could even actively confuse criminals, catch them off guard, and execute more controlled arrests by manipulating what criminals hear.
BUSTED TRANSCRIPT
The following transcript has not been confirmed to be the same transmission as the alleged transmission involving police officer Dion Anthony, but a radio transmission that sounds like a sexual encounter is on record at about 8:41 p.m. Monday, March 12, 2012. Subsequently, Memphis Police Officer Dion Anthony was alleged to have had sex in his squad car while on duty … and there was a recording since every radio communication is recorded. The recording became part of an internal investigation by the police department. The recording was also available to the public on RadioReference.com — a website that stores public safety communications for a short time. Anyone listening to a scanner in the Memphis area at the time would have heard the communication. How many police departments would hide this if they had encrypted radios — assuming the public did not overhear the transmission?
[HEAVY BREATHING AND FEMALE MOAN WITH RHYTHMIC BACKGROUND NOISE]
Male voice: “Is that the biggest d*#@ you ever had in your life?”
[NO ANSWER]
Male voice: “mmmmmm” [SYNCHED WITH RHYTHMIC BACKGROUND NOISE].
Male voice: “You know what they say (female’s name), you are for’n to learn, right?”
Male voice: “Isn’t this the best you ever had?”
[FEMALE MUMBLED AFFIRMATIVE]
Male voice: “I could a bet on it … I could a bet on it.”
CRYPTO COP
“… there’s no reason that criminals should be forewarned that A) Officers are en route and B) How the officers are treating the call”
THE CARDINAL
There are definite instances when criminals hearing police communication could help prevent property loss or stop crime, if police are smart enough to use the communications against the offenders. First, police could use the radio to stop a crime. Police know they’re not going to catch every car burglar in every case. Suppose police suspect a crime ring of teen burglars is using an Apple iPhone app to listen for police dispatches. After a few nights of crimes, the police methodically work a plan. A call comes in from a neighbor at 1:10 a.m. that five teens are checking door handles — looking for unlocked vehicles. One police response could be to dispatch the call on a clear channel, and cause the youths to scatter and stop their crime. Police know they will catch them another day. At least the property loss would be stopped. If they decide to resume their criminal activity after seeing no immediate response by police, the police dispatcher, still in touch with the caller, could update police with the location of the youths by computer message. Then the police could slide quietly into the neighborhood and make the arrest. They could even use their intercepted radio communications to cause the offenders to flee in an expected pattern out in the open, so the police aren’t chasing them through backyards in an uncontrolled response. The whole idea is that with open communications, police are in control and can therefore manipulate criminals with what they allow them to hear, and what they don’t allow them to hear.
The Cardinal is always right!!! :)