There are some really great and valid points and recommendations made in this presentation, but it starts out as kind of a takedown of P25 standards only to say on slide 26 that there is a lot of user error at play. Everyone knew about the clear info like unit IDs long before this study though. How do you think RadioReference gets TG IDs for encrypted TGs? They sort of imply that keying failures and the reliability of the OTAR mechanism is poor, but that really requires more discussion because the statements are mixed with user-error-level failures found in their analysis. Lost radios are an issue. The radios can hold so many keys that even when a rotation occurs, you can talk on the old key for a while. Rotations and fleet success rates are well known by administrators prior to key rotation messages going out over the air. Deploying keyloaders to the field could be a great idea if limited to tactical keys and no other system-level keys, because rotating TEKs due to a lost radio is easy compared to rotating all system-level crypto keys due to a lost keyloader. In spite of my comments, this analysis is still really good. Think about it though. A standard developed in the era of 2G is alive and kicking today in 2022, and although some of these vulnerabilities will ultimately be exploited in a bad way, P25 stood the test of time.
@999happytrailstoyou · 10 years ago
The Chinese engineers already are manufacturing the civilian version of this system that will sell for about $80 on Amazon. If you kept your old ATT TDMA cell phones, you will be all set to listen in on Phase 25 communications.
@eriknelson5617 · 2 years ago
name?
@citycams-fc · 3 years ago
Are radios buffer-overflowable? :)
@officergregorystevens5765 · 7 years ago
So it's not super secure as I've found, at least not the Phase I system (P25) here in Waterbury, CT, in that I can listen in on any channel I want. I find it interesting that it's all 'encrypted' yet the encryption standards are apparently broken or just so well-known and understood that basic software with an SDR can on its own at least decode. The trick is to have a plugin if you're using, say, SDRsharp so you can have a single receiver locked in on one channel, a control channel basically, then to let the voice channels be picked up as it hops around within like a 1.5 MHz range or so of where you're locked in; otherwise you need 2 receivers, but they're only 20 bucks each. I'd imagine if someone had a full-duplex rig they could pretty easily talk over their entire city's (if not a larger area's) trunked system illegally.
@MMCgaming1 · 5 years ago
Officer Gregory Stevens, get in contact with me.
@adrianoleme · 4 years ago
Is it possible to hear encrypted APCO P25 Phase 1?
@williamcampbellpepper5186 · 8 years ago
Anyone know why I've had trouble with my RTL-SDR single radio unit (USB) using all kinds of software, including two Virtual Audio Cables, DSDPlus and DSD (either one), UniTrunker to process the frequency or frequencies, or SDR# to tune and such in WFM or NFM mode (800-900 MHz here in Waterbury, CT)? Anyway, I can't get voice to come over decrypted. Do I need another "dongle" (RTL-SDR) to receive the voice frequency, or is it really doable as long as they're within, say, 2 MHz or so? Sorry for the badly phrased question. I'm new at this stuff and interested in maybe in the future working for a company or the FCC, whatever government agencies set up and service P25 and other trunking. What kind of college major would one want to attain to work within these areas?
@jossi1661 · 3 years ago
Very good and interesting talk!
@misfitsman8051 · 3 years ago
Interesting topic. Good talk!
@Timodean1 · 3 years ago
Great video, explains a lot in detail!
@rfi-cryptolab4251 · 8 years ago
Besides the authentication and possible jamming or inhibit attacks, if you use AES-256 you're secure, but all security rests in keeping that key secret. DES-OFB will still offer moderate security and is good for protecting general non-life-critical information. ADP is best left for encrypting DPW or the road commission TGs, lol. Anyway, any security probing on a system would still require knowledgeable technical personnel with certain skills/tools to extract the needed information from the OTA P25 protocol stack. These tools or knowledge are not readily available/accessible, and the guys who did this presentation obviously have more knowledge than 99.9% of people who scan these systems.
@Steve211Ucdhihifvshi · 6 years ago
There's a lot of tools out there floating around on the web, but the easiest way of hearing what's going on is to go back to old Soviet-era-style spying: end- or start-point monitoring, before the traffic is even encrypted. People always overthink the shit out of things...
@rhcredcamofficerk456 · a year ago
Bullshit
@rhcredcamofficerk456 · a year ago
I know more about radios than any of you can wrap your heads around, you stanky retardant idiot guys
@rhcredcamofficerk456 · a year ago
Even P25 encryption radios
@kg6qzx · 7 years ago
CDMA modulation is superior in many ways.
@Steve211Ucdhihifvshi · 6 years ago
CDMA and even 3G have been decrypted using an RTL-SDR dongle. P25 isn't any massive exception to the rule.
@katiedonovanAlt · 4 years ago
The GT iM-Me retailed for $70... if you paid $15, it must have been at a thrift store...
@ugomarchiori1 · 11 years ago
Very good
@Steve211Ucdhihifvshi · 6 years ago
It's an American program; they wouldn't have released it if they didn't already have a way of decrypting the information. Also, the thing about this talk is that he's over-analysing it: if you already have a pretty good or certain idea of what the end or initiating broadcast users are saying, then it's not as hard a problem to start on a homebrew decryption system. Another fact is that it's all transmitted on an easily received, recorded and popular radio band. The main thing is that if one buys a $50 radio on eBay, programs in the captured frequency and plugs in a blank mic, you can key up your eBay radio and completely block the receiver if they are within signal of your receiver. Think of digital TV and how a short burst of lightning or a noisy electrical switch in your house can cut the transmissions. You don't need to know about subframes or other shit; you just key in enough white noise and bam, jammed. But at the end of the day, I think people are forgetting that there are a lot of other vulnerabilities for an end-point or start-point attack, rather than trying this man-in-the-middle garbage.