Decrypting enhanced privacy ?

Max
Posts: 599
Joined: Wed Sep 05, 2001 4:00 pm

Decrypting enhanced privacy ?

Post by Max »

So a person was able to figure out the key I was using on a MotoTrbo UHF simplex frequency. I don't know what program he used, but it was done.
As far as I know, no one has come up with a program for decrypting enhanced privacy keys, or have they?


Max
tvsjr
Posts: 4118
Joined: Fri Nov 28, 2003 9:46 am

Re: Decrypting enhanced privacy ?

Post by tvsjr »

Enhanced privacy is 40-bit RC4 (same as ADP). There are some well-known attacks that reduce the required operations for brute force to 2^32 in the worst case - but that's still 4 billion combinations. Do-able with some decent hardware. It's likely that certain government agencies can do better. But you can be fairly certain that no one's going to come out and admit to having an app to brute-force a key. That's a prescription for federal-pound-me-in-the-ass-prison.

The greater likelihood is:
1. You used an obvious key (like your 10-digit phone number)
2. Someone who has the key legitimately gave it out
3. If it works like A25/APX CPS, the key remains visible if you email someone the codeplug (but gets blanked if you read a radio) and they got it that way
4. Someone has figured out how to dump the key out of the radio

Options 1-3 are the most likely.
Max
Posts: 599
Joined: Wed Sep 05, 2001 4:00 pm

Re: Decrypting enhanced privacy ?

Post by Max »

Tvsjr
Thanks for the reply. I anticipated this type of answer because my question sounds impossible.
I can assure you that none of your options apply. The person that showed up on my simplex channel that was enhanced privacy is somewhat of a friend that likes to prove his abilities, but will never admit to anything.
This person also showed me how programming someone else's radio ID in one of your Trbo radios allows you to monitor that radio when it initiates a private call.
I can say I doubt he has the hardware to decode the key I was using. Guess I'll try and find out how he did it.


Max
Max
Posts: 599
Joined: Wed Sep 05, 2001 4:00 pm

Re: Decrypting enhanced privacy ?

Post by Max »

Is it true you cannot DMRDECODE on Trbo simplex frequencies?

Max
marcosorourke
Posts: 75
Joined: Thu Nov 13, 2008 7:07 pm
What radios do you own?: XPR7550

Re: Decrypting enhanced privacy ?

Post by marcosorourke »

Were they able to hear your encrypted traffic?

A non encrypted radio can transmit on your channel in the clear and you'll hear it, they just won't hear you unless you also transmit in the clear.
Max
Posts: 599
Joined: Wed Sep 05, 2001 4:00 pm

Re: Decrypting enhanced privacy ?

Post by Max »

When we were talking in enhanced privacy this person keyed up and it showed a closed padlock in the display. Would that still indicate he was transmitting on our channel in the clear?

Max
Forts
Posts: 91
Joined: Fri Jun 25, 2004 7:28 am

Re: Decrypting enhanced privacy ?

Post by Forts »

Yes, a closed padlock indicates he is transmitting with privacy enabled. I haven't heard anything about anyone cracking keys (not that it's likely to be advertised, mind you!). There would be quite a few steps involved to brute force a key... capturing packets, finding the data in those packets that you need to work with, etc. etc. Definitely not something for your typical hobbyist to whip up, that's for sure. And DMRDecode does not work with simplex transmissions.
Max
Posts: 599
Joined: Wed Sep 05, 2001 4:00 pm

Re: Decrypting enhanced privacy ?

Post by Max »

Thanks for all the replies.
Guess I'm gonna have to take a real good second look at this. Based on everything you guys have said there must be something I'm missing. I agree with the odds of "the person" being able to crack the keys.
Thanks again


Max
com501
Posts: 1088
Joined: Fri Nov 02, 2001 4:00 pm
What radios do you own?: Over 50 - All Motorola

Re: Decrypting enhanced privacy ?

Post by com501 »

Please keep us posted on this. If your person was able to extract the privacy key from a radio, this is a major security breach that Motorola needs to fix, and if he was able to pull it off air somehow, ditto.
Max
Posts: 599
Joined: Wed Sep 05, 2001 4:00 pm

Re: Decrypting enhanced privacy ?

Post by Max »

Well, I found out what happened, and I'm kinda surprised.

When you're using a digital simplex frequency on a MotoTrbo radio the keys (Key ID, Key Alias and Key Value) have no EFFECT, meaning it doesn't matter what key you use, you can still TX and RX on that simplex channel.

A friend and I programmed a UHF frequency in both our radios. With Enhanced Privacy ON, it did not matter which Privacy Alias we used, we could still TX and RX with each other, meaning we both used different Privacy Aliases when testing this.

I was under the impression that my conversations were private while using this method. It's no wonder my other friend is not talking to me; he obviously was able to hear certain conversations he shouldn't have. Unless I'm doing something wrong, this is really upsetting.

This explains the answer to my original question.

Was this common knowledge to everyone else?


MAX
com501
Posts: 1088
Joined: Fri Nov 02, 2001 4:00 pm
What radios do you own?: Over 50 - All Motorola

Re: Decrypting enhanced privacy ?

Post by com501 »

Hmmm....

Now you want me to try this. I'll get busy here and get back to you in a little bit.
Max
Posts: 599
Joined: Wed Sep 05, 2001 4:00 pm

Re: Decrypting enhanced privacy ?

Post by Max »

I would love someone else to try this. I'm pulling my hair out trying to think if I did anything wrong when programming.
I have been playing with Trbos for a couple of years now and know my way around Motorola radios enough to know what I'm doing. (I hope)


Max
com501
Posts: 1088
Joined: Fri Nov 02, 2001 4:00 pm
What radios do you own?: Over 50 - All Motorola

Re: Decrypting enhanced privacy ?

Post by com501 »

OK, here are the results of my tests:

XPR7550 - UHF FW Version 2.30.01 Trbo CPS 10.0 Build 510
XPR6550 - UHF FW Version 1.12.02 Trbo CPS 10.0 Build 510

Programmed simplex channel with color code and privacy checked.

Security Tab

Enhanced

Key ID = Unique 3-digit - not default
Key Value = Unique 8-digits - upper and lower case, plus numerics

Both radios same key - communication successful, padlock shows closed in display, audio decrypted.

Program ONE radio with a mismatch in either the Key ID field or the Key Value field and the opposing radio shows that the opposite radio is transmitting, shows its ID and a locked padlock, but no audio is decrypted.

The same applies for basic privacy with one exception: the radio does NOT mute the audio, you get strange wispy digital noise like snakes talking but nothing intelligible. When keys match you get good audio and a locked padlock.

With one radio programmed with NO encryption, the opposing radio will decode the transmission if the key exists in the target radio, even if encryption is turned OFF. THIS IS IMPORTANT. This behaves exactly like AES and DES encryption. If the operator has a VALID KEY, even if encryption is TURNED OFF for the channel the operator has selected for reception, the radio WILL decrypt the transmission.

With one radio programmed with NO encryption and with NO KEY loaded in the target radio, it WILL NOT unmute on enhanced privacy but flashes a padlock signal indicating it is receiving an encrypted signal. With BASIC privacy, gibberish is heard.

Sounds like you may have something not programmed correctly.
Max
Posts: 599
Joined: Wed Sep 05, 2001 4:00 pm

Re: Decrypting enhanced privacy ?

Post by Max »

First I just want to thank com501 for his help.

This is what I have discovered.

If you have a few different keys listed on the Privacy menu but use the "Privacy Alias" drop down menu on any of your digital simplex frequency menus to change the "Privacy Alias", it will not work.

Meaning it has no effect. We tried changing to different Privacy Aliases from the drop down menu on both radios and they still communicated successfully, padlock shows closed in display.

I assumed this would have worked since there was a drop down menu.

Com501 talked about changing the Key ID field or the Key Value field, which has to be done in the Privacy Menu. This got me thinking, and I left whatever Privacy Alias was on the frequency menu and just changed it from the privacy menu; it would then work correctly.

Hope this makes sense.

Max
com501
Posts: 1088
Joined: Fri Nov 02, 2001 4:00 pm
What radios do you own?: Over 50 - All Motorola

Re: Decrypting enhanced privacy ?

Post by com501 »

Max,

As long as BOTH keys exist in BOTH radios, no matter what you have selected for a key, the radio will find the correct key and decrypt the speech. It will TRANSMIT the key you have selected, but will decrypt ANY key that is valid in your radio.

This is so that if you have a supervisor with MANY keys, and several employees with only one key apiece (all different) they cannot talk to each other, but the SUPERVISOR can hear all keys, and select which one to talk to (based on which channel is programmed with what key in the drop down.)

If you REMOVE all the keys in a target radio EXCEPT the only key you want, it WILL NOT decrypt any other keys. IF a radio transmits to YOU in the clear, and your radio is programmed for privacy, you WILL hear the clear text radio. If the person transmitting in the clear DOES NOT have the correct key in his radio (selected on a channel or not) he will NOT be able to decrypt your transmissions. If he DOES have the correct key, even if no privacy is selected on the channel he is on, if YOU transmit in private mode, the other party WILL be able to hear you with the correct key.
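The key-store behaviour com501 describes above (transmit with the selected key, decrypt anything whose Key ID is held in the radio, clear traffic always heard) reproduces every result in this thread, including Max's "changing the alias had no effect" observation. The following is an added simulation written for this page, not Motorola firmware or CPS code; the radio and key names are constructed, and comparing key values directly stands in for the real decrypt-and-check step.

```python
"""Model of the MotoTRBO privacy rules described in this thread (hypothetical)."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class PrivacyKey:
    key_id: int   # Key ID field (com501 used a unique 3-digit value)
    value: str    # Key Value field
    kind: str     # "enhanced" or "basic"

@dataclass
class Radio:
    name: str
    key_store: dict[int, PrivacyKey] = field(default_factory=dict)
    selected: Optional[int] = None  # Key ID picked on the channel; None = clear

@dataclass(frozen=True)
class Burst:
    key_id: Optional[int]  # None means the burst was sent in the clear
    value: Optional[str]
    kind: Optional[str]

def transmit(radio: Radio) -> Burst:
    """A radio always transmits with the key selected on its channel."""
    if radio.selected is None:
        return Burst(None, None, None)
    k = radio.key_store[radio.selected]
    return Burst(k.key_id, k.value, k.kind)

def receive(radio: Radio, burst: Burst) -> str:
    """Look the incoming Key ID up in the whole key store, not the selected alias."""
    if burst.key_id is None:
        return "clear"          # clear traffic is heard whether or not privacy is on
    k = radio.key_store.get(burst.key_id)
    if k is not None and k.value == burst.value:
        return "audio"          # padlock closed, speech decrypted
    return "muted" if burst.kind == "enhanced" else "gibberish"

# Constructed keys: A and B are enhanced privacy, C is basic privacy.
A, B, C = PrivacyKey(101, "aB3d9Xz1", "enhanced"), PrivacyKey(202, "Qw8rT5yU", "enhanced"), PrivacyKey(303, "basic001", "basic")

def run_scenarios() -> dict[str, str]:
    both = Radio("max", {101: A, 202: B}, selected=101)      # holds A and B, talks on A
    friend = Radio("friend", {101: A, 202: B}, selected=202) # holds A and B, talks on B
    only_b = Radio("only_b", {202: B}, selected=202)         # A removed, as com501 advises
    clear_with_a = Radio("clear", {101: A}, selected=None)   # privacy off, but key A loaded
    bad_value = Radio("bad", {101: PrivacyKey(101, "wrong000", "enhanced")}, selected=101)
    basic_rx = Radio("basic", {303: PrivacyKey(303, "other999", "basic")}, selected=303)
    return {
        "aliases_differ_both_hold_keys": receive(friend, transmit(both)),   # Max's surprise
        "key_removed_from_listener": receive(only_b, transmit(both)),
        "clear_radio_holding_key": receive(clear_with_a, transmit(both)),
        "key_value_mismatch": receive(bad_value, transmit(both)),
        "basic_privacy_mismatch": receive(basic_rx, transmit(Radio("c", {303: C}, 303))),
        "clear_tx_into_private_channel": receive(both, transmit(clear_with_a)),
    }
```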
Max
Posts: 599
Joined: Wed Sep 05, 2001 4:00 pm

Re: Decrypting enhanced privacy ?

Post by Max »

Com501

I just wanted to thank you for all your input and help with my post.

It's a privilege to be a Batlabs member and it's members like you that make Batlabs the best forum for learning.

I love my Motorolas.

Once again, thank you for the learning curve.

Max