Monitoring Public Safety Systems - Enjoy It While You Can!

xmo
Moderator
Posts: 2549
Joined: Fri Oct 12, 2001 4:00 pm

Post by xmo »

This will mostly be a repost of comments I made on another thread, but I think people should be aware that the more times someone comes on here asking how to program a radio to monitor such & so a system - the sooner these things will come to pass.

Let's just say you are a big company making public safety radio systems. You see all the passing around of system keys, radios sold on ebay, hacks to monitor systems without the system administrator's permission, trunk trackers sold pre-loaded with talkgroup names, etc. How do you react??

You start by changing the RSS so it won't re-enable a disabled radio (already a fact). Next you look at inexpensive software encryption (Coming soon). Then you look for more ideas to protect vital public safety systems. Now let's take this to the next level:

System keys - no copyright? - OK we'll fix that - make it bigger - put in a copyright to make Elroy happy - then we'll encrypt the key. Oh, hey - now that we have 32 bit processors and 8 MB memory in radios what else can we do? Let's put that key in the radio! While we're at it why not tweedle the OSW format and send the key over the air? Now unless the radio has the right key - no workie! Bye-bye trunk trackers! Say - we can even send out new encrypted keys whenever we feel like it with OTAR!

Oh, but what about unauthorized users programming their own radios?? Well, let's see - how about we come up with a hardware key for the programming software? Not just a dongle like an FTR key - maybe a card & a reader. Now you have to sign the license agreement (and be authorized by the system administrator) to get a card with keys to operate the programming software at all and a separate key loaded on the card for each system's radios. You want to sell the programming software on ebay? Heck - give it away! What do we care? It's worthless without the hardware key!

Now just because you have a card that lets you run the program software for customer X, you still won't be able to program radios on system Y. Not only that, since the radio has the key as well - you won't even be able to READ the radio without the right key!

You might say - hey xmo - don't give anybody ideas! Let's just say these aren't MY ideas.

Now we will hear from all those who say - Freedom of Information Act violation! Won't hold up in court! Yeah, right. Remember September 11???

Did you see what the RIAA tried to get for copy protection as part of the terrorism act? That got sniffed out and shot down, but if public safety wants privacy, they WILL get it. Look at what the cellphone companies did with ECPA, making it illegal to listen to cell calls. By itself that didn't stop anybody, but CDMA has. You know ANYBODY that makes a CDMA scanner?? Didn't think so. Technology coupled with new 'law' solved that problem. Technology and possibly more laws 'to protect us' will give privacy to public safety too.

Thanks Osama.

OX
Posts: 1321
Joined: Tue Sep 04, 2001 4:00 pm

Post by OX »

And we were already discussing the fact that M is driving up prices on hardware...go figure! How many cash starving public safety agencies are going to jump at the bit on this idea? If they don't want monitored, then there's always encryption, otherwise it's not everybody else's problem. Actually, if this stuff even made it off of the drawing board, how many agencies do you think would switch to Kenwood or Ericsson or the like?

Personally, with M's ability to produce a top of the line product nowadays (NOT!!!!), I would have a good laugh if they actually got this kind of stuff working. Everything that Motorola produces has holes and usually big holes at that. Not to mention when they piss off an employee by laying them off, the technology gets leaked out. I imagine that's how the labtools escaped the lab. I can't blame anybody else other than Motorola.

OK, create a stupid swipe card to operate RSS. ALL card technology can be copied with maybe the exception of the newer Smartcards. The specifications on ALL card technologies are public domain and there are certain standards on how each MUST operate. It would only be a matter of time...just take a look at the DSS industry--the smartcards used on DSS machines have been cracked and copied and distributed.

Just prolonging the inevitable!

My $0.0012484 worth.

Salem The Cat
Posts: 74
Joined: Mon Sep 03, 2001 4:00 pm

Post by Salem The Cat »

Most of the layoffs were in production and manufacturing. The engineering groups and R&D staffs weren't affected to any great degree.

As for dissemination of internal software, they have mechanisms in place to ensure an audit trail, hence accountability of who is in possession of what. Custom tools exist to determine the origin of any code that may "escape" from the lab. The employee who could have leaked it would be fired, and almost certainly prosecuted (certainly on a civil basis). It's a very effective deterrent to employee shenanigans. This is for all newly developed code (not legacy "labtools"). The old generation code will be unusable in the not too distant future. (The exclusion of being able to restore an inhibited radio via RSS is an example of the evolution taking place.)

The entire issue here is not one of people monitoring systems, rather one of outside, unauthorized users having access to system resources. If you can program a radio on MY system, when I'm supposedly the only one who can permit or deny radios on a multimillion dollar infrastructure - I'm going to be damn pissed that my chain of command has been circumvented by this backdoor philandering.

This is akin to someone posting the plans to your home at the local supermarket and then providing a URL to download key imprints to access your door locks. It's an issue of who owns the rights to the resources in question, not one of intent.
jim
Posts: 2184
Joined: Sun Sep 09, 2001 4:00 pm

Post by jim »

Just remember one thing- they can "lock" it all they want, but the hackers are ALWAYS going to be just weeks behind any encryption or protection system. Just ask NASA, Direct TV or anyone else whose "new" code got broken in no time at all.
xmo
Moderator
Posts: 2549
Joined: Fri Oct 12, 2001 4:00 pm

Post by xmo »

Jim,

Don't count on it - there are 100's of thousands of Direct TV widgets out there - a ready market for the shady quick buck crowd. There are only a few radio guys, radio shops, etc. - most with better sense than to risk their job on hacking a Motorola (or for that matter EDACS) system.

Case in point - an FTR hard key will let you program all sorts of stuff with the legacy RSS - is there even one reported case of somebody busting that???? How about all those flag bits in Spectra that turn on features? Anybody come forth with a list of them?

Hacking something complicated takes time - who will spend that time for a minimal return? Just so you can say you did it (but don't say it too loud or you might get a long stay in Kansas)???

Most of the hacks discussed on Batlabs are pretty safe - changing band limits for example. Motorola might not like it, but it's a personal use thing - where is the injury to the company? What's the difference if you take a Spectra out of band or use it as a wheel chock? It's not worth their time to worry about it.

Upgrade radios to sell to customers for a profit - that will get their attention!
CHEFA2001
Banned
Posts: 744
Joined: Sat Sep 29, 2001 4:00 pm

Post by CHEFA2001 »

I must add that "they", being Motorola or GE or whomever, can develop ANYTHING they desire, want, can, etc... BUT remember this...
When a county goes to bid for a $32 million system, let that be a digital Astro system, EDACS, or whatever... the county's pennypickers WILL decide that they don't need the 32 bit encryption, but settle with the software encryption, blah, blah, blah...

My county, for example, got an EDACS system and it SUCKS bigtime: not nearly enough sites, poor re-grouping ability and training for the system administrators, the EMO does not even know how to do it, and County FD Disp. does not want to be bothered.

I know that some points made herein are faults on the county's part, such as not making sure that they know how the system should operate, and what options should be used and when, but WHAT THE H*LL happened to the co. (Motorola/GE or whomever) telling or at least recommending that they go with a certain set of specs that keeps the options open in the end?

My point: my county PD system is voted UHF Motorola Sabers and Spectras with little or NO DES use, but the county's DPW, Sheriffs, OEM and numerous others are using a piss poor system. Whose fault is it?? In the end, the fault lies on the heads of the radio execs and salespeople.

Sorry to yap.

raymond345
Posts: 268
Joined: Sat Sep 22, 2001 4:00 pm

Post by raymond345 »

Yes it is great to say that you can get privacy but at what cost to the end user and how great is radio coverage?

Big money does not mean it works. Cities are getting smarter. My two pennies.

xmo
Moderator
Posts: 2549
Joined: Fri Oct 12, 2001 4:00 pm

Post by xmo »

CHEFA2001, you couldn't be more right on. How many of these systems (regardless of vendor) go in with the same sad story: not enough sites, not enough coverage, not enough training? It's usually the fire guys (who need in-building coverage) that get the short end of the stick. (But some salesman got his numbers!)

Where's the problem? - It's in the RFP process. Too many politicians - not enough users. Many times a consultant is hired to write the RFP - too many of them have inadequate knowledge and their primary skill is in finding out what it was that some politician wanted to hear (usually relating to doing the project on the cheap) and then making that pronouncement (for a healthy fee!)

There was another thread about problems with a $5 million system in Washington DC. The fire chief said there aren't enough towers. Big surprise! We spent that much in our little county and it works well.

Why? The users (mostly fire guys) were the ones that pushed the system through. They went to other systems around the country and not only asked "how do you like it?" but also "what would you do different if you could do it over?" And they asked users, not politicians - none of them will ever admit to spending taxpayer money foolishly.

Then these users wrote the RFP and got a bond issue passed to pay for the thing. Only after all that was a consultant hired to assist in the bid evaluation.
Elroy Jetson
Posts: 1158
Joined: Mon Sep 03, 2001 4:00 pm

Post by Elroy Jetson »

Just a single comment:

Regarding the bit mapping of Spectras, etc, there is a hardcore group of super knowledgeable radio hackers that can pull stunts on radios you wouldn't believe.

They don't post here. They're very secretive. Understandably. In fact, they don't even interact much with each other.

Motorola builds a more secure mouse, and some hacker will find a way to bugger it. Every time, in time.

Build it and somebody will reverse engineer it. Believe it.


Elroy

MT2000 man
Posts: 1307
Joined: Tue Sep 04, 2001 4:00 pm
What radios do you own?: XTS5000R, Astro Saber III, I

Post by MT2000 man »

Elroy check your private messages again :smile:
Nick
Posts: 101
Joined: Tue Sep 04, 2001 4:00 pm

Post by Nick »

I wonder with the new radios using IP and WAP based protocols if they will be included in the anti-terrorist laws on hacking??

RFdude
Posts: 149
Joined: Thu Sep 13, 2001 4:00 pm

Post by RFdude »

Back to XMO's original post.... How complicated can protection / encryption get before it is too difficult to manage from the end user's perspective? Today, people have a hard time programming their VCRs.

Some forms of encryption have worked relatively well.. for instance AMPS cell phone ESN authentication... the key resides in the switch. Until you discover an older enhancer (EAC2000) that won't work with authentication... so the feature is turned off on the donor cell only ... until some unsuspecting analyst turns it back on during an audit... then customers complain they can't make calls... etc.

Regarding software keys, a lot of time is lost looking for them in the service shop! Especially when dealing with a unique piece of equipment and software that is no good to anyone else. Or how about having numerous copies of equipment (GRAYSON receivers for instance), each with the same software, but working with only one receiver Serial Number.

How many PD rotate their encryption keys? They seem to have the key loaders and the ability? Except for a few special agencies, do you guys feel that most are vigilant in this regard? And if a spare radio isn't updated when suddenly pressed into service... PITA.

Or buy radios in different phases, who updates all your old smartcard keys to universally work with the radio fleet?

So XMO, I'm with you as long as the extra protection for systems can be easily managed... by design! If it isn't practical to support (especially in an emergency for config changes) then the feature will remain off or not purchased!

Great discussion XMO! Very insightful!

[ This Message was edited by: RFdude on 2001-12-31 00:10 ]

EC-7
Posts: 139
Joined: Mon Sep 24, 2001 4:00 pm

Post by EC-7 »

If someone REALLY wants to monitor, they will find a way. My older scanners will receive the cellular bands fine with a simple mod. The new digital phones are not able to be received due to the signal (DUH) but, if someone wants to, they can go to a tower site and physically tap into the landline. Where I live the landline box is mounted outside of the fenced in areas. If public service uses landlines, the same could be done. If I really wanted to, I could break into the Michigan State Police's APCO-25 tower sites and hard-wire a FRS radio into the repeater and listen. My point, if there is a will there is a way. I DO NOT SUGGEST OR IMPLY THAT ANYONE SHOULD DO THIS. THESE ACTIONS ARE COMPLETELY ILLEGAL!

CyberSlicer
Batboard $upporter
Posts: 86
Joined: Tue Sep 04, 2001 4:00 pm

Post by CyberSlicer »

EC-7, It may be just a bit more difficult than tapping the "landline" at the cellsite. Those lines are T1s and consist of 24 timeslots capable of carrying up to 3 separate conversations each on CDMA. Unless one had the equipment to decode this raw data, he would be SOL. Even on a T-Berd it sounds like hash.

Don
jim
Posts: 2184
Joined: Sun Sep 09, 2001 4:00 pm

Post by jim »

No matter what they do, the hackers will get through it! Ask Bill Gates!

RFdude
Posts: 149
Joined: Thu Sep 13, 2001 4:00 pm

Post by RFdude »

If you ask the Chinese gov't about Bill Gates, they will point out they don't trust Windows and any potential "trap doors" in it.. they are now going LINUX and developing their own software that they feel they can trust. But there is big money in computer stuff... as well as cracking satellite dishes, etc... no money listening to public safety or cell phones...

BTW... as the previous posters pointed out, why go to the cell sites to listen in...and be limited to the site's range and what happens to go through it. Legal wire taps are done at the switch. Any calls the mark makes are automatically "three-way" calls that include big brother's tape machines. 'Covert' taps aren't even done at the switch anymore... who needs to involve the carrier, when there is SS7! The tap can be done off-premises without the carrier knowing. Hats off to big brother.