Project 25
=== University of Pennsylvania research ===
In 2011, the ''[[Wall Street Journal]]'' published an article describing research into security flaws of the system, including a user interface that makes it difficult for users to recognize when transceivers are operating in secure mode.<ref name="WSJ Security Flaws">{{cite web |url=https://blogs.wsj.com/digits/2011/08/10/security-flaws-in-feds-radios-make-for-easy-eavesdropping/ |title=Security Flaws in Feds' Radios Make for Easy Eavesdropping |publisher=Wall Street Journal |first=Jennifer |last=Valentino-DeVries |date=2011-08-10 |access-date=2011-08-10}}</ref> According to the article, "(R)esearchers from the [[University of Pennsylvania]] overheard conversations that included descriptions of [[undercover agents]] and [[Informant|confidential informants]], plans for forthcoming arrests and information on the technology used in surveillance operations." The researchers found that the messages sent over the radios are sent in segments, and blocking just a portion of these segments can result in the entire message being jammed. "Their research also shows that the radios can be effectively jammed (single radio, short range) using a highly modified pink electronic child's toy and that the standard used by the radios 'provides a convenient means for an attacker' to continuously track the location of a radio's user. With other systems, jammers have to expend a lot of power to block communications, but the P25 radios allow jamming at relatively low power, enabling the researchers to prevent reception using a $30 toy pager designed for pre-teens." The report was presented at the 20th [[USENIX]] Security Symposium in [[San Francisco]] in August 2011.<ref name="autogenerated1">[https://online.wsj.com/public/resources/documents/p25sec08102011.pdf "Why (Special Agent) Johnny (Still) Can't Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio system,"] S. Clark, T. Goodspeed, P. Metzger, Z. Wasserman, K. Xu, M. Blaze, Proceedings of the 20th [[Usenix]] Security Symposium, 2011</ref> The report noted a number of security flaws in the Project 25 system, some specific to the way it has been implemented and some inherent in the security design.

====Encryption lapses====
The report did not find any breaks in the P25 encryption; however, the authors observed large amounts of sensitive traffic being sent in the clear due to implementation problems. They found switch markings for secure and clear modes difficult to distinguish (β vs. o). This is exacerbated by the fact that P25 radios set to secure mode continue to operate without issuing a warning if another party switches to clear mode. In addition, the report authors said many P25 systems change keys too often, increasing the risk that an individual radio on a net may not be properly keyed, forcing all users on the net to transmit in the clear to maintain communications with that radio.

====Jamming vulnerability====
One design choice was to use lower levels of error correction for portions of the encoded voice data that are deemed less critical for intelligibility. As a result, bit errors may be expected in typical transmissions, and while harmless for voice communication, the presence of such errors forces the use of [[stream cipher]]s, which can tolerate bit errors, and prevents the use of a standard technique, [[message authentication code]]s (MACs), to protect message integrity from [[stream cipher attack]]s. The varying levels of error correction are implemented by breaking P25 message frames into subframes. This allows an attacker to jam entire messages by transmitting only during certain short subframes that are critical to reception of the entire frame. As a result, an attacker can effectively jam Project 25 signals with average power levels much lower than the power levels used for communication. Such attacks can be targeted at encrypted transmissions only, forcing users to transmit in the clear.
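The bit-error argument above, worked through as an added example (not code from the paper or from any P25 implementation): a single channel bit error passes through a stream cipher as a single plaintext bit error, which voice decoding tolerates, while a MAC over the same frame rejects it outright, which is why a MAC cannot be used on a channel where such errors are expected. The SHA-256 counter-mode keystream and HMAC-SHA256 are stand-ins chosen for illustration, not the P25 cipher, and the voice frame is constructed.

```python
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode (stand-in for a real stream cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation): XOR the data with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate one channel bit error at the given bit position."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def bit_errors(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def demo(bit_index: int = 37) -> dict:
    """Encrypt a constructed voice frame, inject one bit error, and compare the
    stream cipher's behaviour (error stays local) with a MAC's (frame rejected)."""
    key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(8)
    frame = b"constructed voice frame: unit 7 to dispatch, 10-8"  # constructed sample
    ciphertext = stream_xor(key, nonce, frame)
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    corrupted = flip_bit(ciphertext, bit_index)  # the channel error
    recovered = stream_xor(key, nonce, corrupted)
    recomputed = hmac.new(mac_key, corrupted, hashlib.sha256).digest()
    return {
        "plaintext_bit_errors": bit_errors(frame, recovered),   # exactly 1
        "mac_accepts_frame": hmac.compare_digest(tag, recomputed),  # False
    }


if __name__ == "__main__":
    print(demo())
```

The same locality that keeps a channel error harmless also means a deliberately flipped ciphertext bit flips the matching plaintext bit undetected, which is the integrity gap a MAC would normally close.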
Because Project 25 radios are designed to work in existing two-way radio frequency channels, they cannot use [[spread spectrum]] modulation, which is inherently jam-resistant. An optimal spread spectrum system can require an effective jammer to use 1,000 times as much power (30 dB more) as the individual communicators. According to the report, a P25 jammer could effectively operate at 1/25th of the power (14 dB less) of the communicating radios. The authors developed a proof-of-concept jammer using a Texas Instruments CC1110 single chip radio, found in an inexpensive toy.<ref name="autogenerated1"/>

====Traffic analysis and active tracking====
Certain metadata fields in the Project 25 protocol are not encrypted, allowing an attacker to perform [[traffic analysis]] to identify users. Because Project 25 radios respond to bad data packets addressed to them with a retransmission request, an attacker can deliberately send bad packets, forcing a specific radio to transmit even if the user is attempting to maintain [[radio silence]]. Such tracking by authorized users is considered a feature of P25, referred to as "presence".<ref>{{Cite web |url=http://www.nationalinterop.com/solutions_p25.html |title=Design Issues for P25 Digital{{!}} National Interop<!-- Bot generated title --> |access-date=2011-08-15 |archive-url=https://web.archive.org/web/20110714160000/http://www.nationalinterop.com/solutions_p25.html |archive-date=2011-07-14 |url-status=dead }}</ref> The report's authors concluded by saying "It is reasonable to wonder why this protocol, which was developed over many years and is used for sensitive and critical applications, is so difficult to use and so vulnerable to attack." The authors separately issued a set of recommendations for P25 users to mitigate some of the problems found.<ref>[http://www.net-security.org/article.php?id=1617 P25 security mitigation guide], M. Blaze, et al.</ref> These include disabling the secure/clear switch, using Network Access Codes to segregate clear and encrypted traffic, and compensating for the unreliability of P25 over-the-air rekeying by extending key life.