DEFCON 20: SIGINT and traffic analysis for the rest of us

At last summer's DEFCON 20 conference, Sandy Clark and Matt Blaze from the University of Pennsylvania discussed their research into the security of the P25 (APCO Project 25) digital radio protocol. Here they explain the basics of the P25 protocol and examine some of the problems and flaws they uncovered in its security. They highlight passive attacks, where all the attacker needs to do is listen, exploiting usability and key management errors when they occur. They also describe the multi-city networked P25 interception infrastructure they built to investigate how the P25 security protocols are used in practice.

FYI, at first glance this Project 25 (P25 or APCO-25) scheme is FDMA-TDMA, with various symbol rates and various authentication and state-keeping codes. At my post time, some of what I've seen about hand-held radios that comply with this scheme indicates that there is really no range advantage with this scheme in terms of coverage range (unlike false claims by some of the radio vendors). But it does allow crowded channel connections to be established between sender/receiver where this would be a problem with analog radios (even those that separate connections via analog differentiated transmit-on-talk audible tones or non-continuous/continuous sub-audible tones). Keep in mind though, you can't get something for nothing. With this FDMA-TDMA scheme, as the available channels get more crowded, the required signal-to-noise ratio for a connection increases. Like any simple digital-radio mode, when you get to the fringe of communication range the link just drops out and will not reconnect for some time (depending on the error-correction/coding overhead plus time needed to re-authenticate). Then there are state-maintenance issues with loss of connection vs. re-establishment of connection due to whether the radios buffer information or not. With this FDMA-TDMA scheme there is also the issue of processing delay. Unlike an analog radio, there is human-perceptible delay due to processing in the radio. So for example two hand-held radios operating next to each other, where the two operators can see each other, will have a delay that is rather strange to experience. I remember seeing some hand-held radios using this FDMA-TDMA scheme that operate in analog FM for voice but are also capable of digital at the same time. There are also repeaters that can support both analog and the FDMA-TDMA modes simultaneously on 12.5 kHz channel spacing (6.5 kHz too?).

That allows migration to the digital mode only for legacy systems which are FM only or dual mode, which may be preferred by the network operator for voice (graceful loss of signal in voice). IIRC there are a few variants of this scheme in similar standards like TETRA, NXDN, D-Star (Ham radio). Check Wikipedia. I think in the U.S. there is allowance for this scheme/mode on the Family Radio System (FRS)? I see some cheap hand-held radios that can use this FDMA-TDMA mode, and many vendors claim increased range and security. Increased range: I doubt it. Increased security: yes, but at a cost.

This is a complex topic and I'm working from memory. Actually I'm blathering... Sorry folks :-)
