Report on UPenn Criticisms of the P25 Radio: Cont 3

Looking at the packet structure, the UPenn authors claim that jamming a single bit will cause the packet to be unreadable, but in reality there are multiple bits, any of which, if jammed, would cause a packet to be unreadable: the 72 bit IV (64 effective), the 8 bit algorithm ID and the 16 bit KeyID are all jammable. If a single bit in any of these is lost, the packet cannot be decrypted.
“A well known weakness of stream ciphers is that attackers who know the plaintext content of any encrypted portion of transmission may make arbitrary changes to that content at will simply by flipping appropriate bits in the data stream. For this reason, it is generally recommended that stream ciphers always be used in conjunction with MACs, but the same design decision (error tolerance) that forced the use of stream ciphers in P25 also prevents the use of MACs.”
There is a solution. An even worse weakness is repeating the usage of an IV with a single key. A simple solution to this issue is for a radio, when broadcasting to a certain AlgoID-KeyID pair, to select a random IV value for the first packet and then increment this value by one for each following transmission. In this way, receiving radios can track the last known sent IV. Any IVs lower than the last transmitted can be rejected. This prevents an attacker from replaying information. If the attacker modifies the IV for a replayed packet, the IV will not be able to decrypt the packet, and it will be rejected.
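The counter scheme described above, as an added example that is not from the original post or the P25 standard: a receiver keeps the highest IV accepted per AlgoID-KeyID pair and drops anything at or below it. The SHA-256 keystream, the class names and the sample IDs, key and messages are assumptions made for illustration; equal IVs are rejected too, since an exact replay carries the same IV.

```python
import hashlib
import secrets

IV_LIMIT = 1 << 64      # the post counts 64 effective IV bits

def keystream(key: bytes, iv: int, n: int) -> bytes:
    """Stand-in keystream (SHA-256 in counter mode); not a P25 algorithm."""
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + iv.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:n]

def xor_crypt(key: bytes, iv: int, data: bytes) -> bytes:
    """Stream-cipher encrypt/decrypt: XOR data with the keystream for (key, iv)."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, iv, len(data))))

class Sender:
    def __init__(self, alg_id: int, key_id: int, key: bytes):
        self.alg_id, self.key_id, self.key = alg_id, key_id, key
        # Random starting IV; the upper half is left as headroom before exhaustion.
        self.iv = secrets.randbelow(IV_LIMIT // 2)

    def send(self, plaintext: bytes):
        self.iv += 1                      # never reuse an IV under the same key
        if self.iv >= IV_LIMIT:
            raise OverflowError("IV space exhausted; rekey before sending")
        return (self.alg_id, self.key_id, self.iv, xor_crypt(self.key, self.iv, plaintext))

class Receiver:
    def __init__(self, keys: dict):
        self.keys = keys                  # {(alg_id, key_id): key}
        self.last_iv = {}                 # {(alg_id, key_id): highest IV accepted}

    def receive(self, packet):
        alg_id, key_id, iv, ciphertext = packet
        pair = (alg_id, key_id)
        if pair not in self.keys:
            return None                   # no key for this AlgoID-KeyID pair
        last = self.last_iv.get(pair)     # None until the first packet is heard
        if last is not None and iv <= last:
            return None                   # stale or repeated IV: treat as replay
        self.last_iv[pair] = iv           # gaps are fine: lost packets only skip IVs
        return xor_crypt(self.keys[pair], iv, ciphertext)

def demo():
    key = bytes(range(16))                # constructed sample key and IDs
    tx, rx = Sender(0x01, 0x0001, key), Receiver({(0x01, 0x0001): key})
    p1, p2, p3 = (tx.send(m) for m in (b"unit 12 on scene", b"lost in transit!", b"unit 12 clear"))
    results = {
        "first": rx.receive(p1),
        "after_gap": rx.receive(p3),      # p2 never arrived; p3 is still accepted
        "replay_p1": rx.receive(p1),      # captured packet sent again
        "late_p2": rx.receive(p2),        # arrives out of order, below the counter
    }
    # Captured ciphertext relabelled with a different IV no longer yields the plaintext.
    results["relabelled"] = xor_crypt(key, p1[2] + 10, p1[3])
    return results
```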
EEC weakness – claimed a weakness allowing easier selective jamming.
User Interface Weaknesses will not be addressed.
Clear Traffic accepted – This is not a problem. At times, it is more important to communicate than it is to be secure. This is operationally correct.
Cumbersome keying. – operational issue.
Traffic analysis
These are not tactical radios. While being able to do frequency, sending receiver identification can lead to exposure of critical information in tactical (military) networks, this becomes much less of a concern in non-tactical nets.

“Transmitting radio sources are generally susceptible to geolocation through direction finding and triangulation techniques.”
This is true for all broadcast signals. The reality is, direction finding wideband signals is not less difficult than it is for narrow band. If there is energy, it can be found, beam formed, and from multiple locations a probable location of the emitter can be found. This level of sophistication and coordination is not normally found in criminal activity but that of a nation state.

Denial of service attacks
Again, this class of attacks is more easily found for well known signals like Cell, Wifi, and GPS jammers. Thus, the freq is no more vulnerable to jamming than any other readily known signal.
The authors' analysis of the methods of jamming analog signals is … naive and incorrect. Unfortunately, I cannot say much more than that about the subject matter.

“As a practical matter, the analog jamming arms race is actually tipped slightly in favor of the defender, since the attacker generally also has to worry about being discovered (and then eliminated) with radio direction finding and other countermeasures. More power makes the jammer more effective, but also easier to locate.”
The same holds true for digital jamming, even in ultra short burst rates. Beam forming techniques can readily discern multiple/simultaneous signals and can plot these over time. Even short burst signals can be found and discerned using time differential of arrival techniques.

“Spread spectrum systems [3], and especially direct sequence spread spectrum systems, can be made robust against jamming, either by the use of a secret spreading code or by more clever techniques described in [6, 1].”
This naive claim made me laugh; no signal is robust against jamming. If there is energy, it can be found. If it can be found, it can be interrupted.
“Without special information, a jamming transmitter must increase the noise floor not just on a single frequency channel, but rather across the entire band in use, at sufficient power to prevent reception.”
Without special information, even on narrow band signals, a jammer must broadcast over a continuous interval to increase the noise floor. This applies for any signal and not just P25.

Posted in Uncategorized | Comments Off

Report on UPenn Criticisms of the P25 Radio: Cont 2

Comments Section 3 Security Analysis
This is where the authors of the paper begin to throw around terms which really start to give me concern.
Section two describes some of the encryption protocols and methods used in the P25 system. The beginning of section three starts out with the following claim.
“In the previous section, we described a highly ad hoc, constrained architecture that, we note, departs in significant ways from conservative security design, does not provide clean separation of layers, and lacks a clearly stated set of requirements against which it can be tested.”
1. “highly ad hoc” is never qualified, defined, described or justified.
2. “constrained architecture” again, this is not qualified how it is constrained. Nor is it explained how this is bad.
3. “we note, departs in significant ways from conservative security design” No place thus far have they noted the design departs in *any* way, let alone “significant.”
4. Again, a claim with no backing that the protocol does not provide a “clean separation of layers.”
5. Finally the claim “lacks a clearly stated set of requirements against which it can be tested”, which contradicts prior wording “The P25 protocols are quite complex, and the reader is urged to consult the standards themselves for a complete description of the various data formats, options, and message flows.” If they are set in a standard, which has a “complete description,” it would follow there are requirements which can be used as testable features.

“This ad hoc design by itself represents a security concern, and could be considered a basic architectural weakness. In fact, the design introduces significant certificational weaknesses in the cryptographic protection provided.”
Again the authors make more claims as to ad hoc and claim “certificational” issues with the cryptographic protection without clearly stating what these are.

“Given the overall complexity of the P25 protocol suite, and especially given the reliance of upper layers such as the OTAR subsystem on the behavior of lower layers, such deficiencies make the security of the overall system much harder for a defender to analyze.”
Now the authors claim that upper layers relying on lower layers for security makes a system harder to analyze. Layered security approaches in communication have been used for many years. IPSec is a classic example of a layer three protection protocol used by higher layers for many years. I find it interesting the authors claim IPSec makes the security of a system harder to analyze.
“The P25 implementation and user interfaces, too, suffer from an ad hoc design…”
I am reminded of a quote from the movie “The Princess Bride”, “You keep using that word. I do not think it means what you think it means.” The Cambridge American Dictionary lists the definition of ad hoc as “for a particular purpose or need, esp. for an immediate need.” So, since most user interfaces are built for a particular need, they all could be considered ad hoc. Likewise could be said about the protocol since it was built for the P25 specification needs. The authors fail to explain how this is bad.

“At the root of many of the most important practical vulnerabilities in P25 systems are a number of fundamentally weak cryptographic, security protocol, and coding design choices.”
So, let's look for where they make these two (or three, depending on how you parse the commas) separate points: “weak cryptographic”, “weak cryptographic, security protocol” and “coding design choices” (although coding design choices are not the fault of the protocol).

“Because no MACs are employed on voice and most other traffic, even in encrypted mode, it is trivial for an adversary to masquerade as a legitimate user, to inject false voice traffic, and to replay captured traffic, even when all radios in a system have encryption configured and enabled.”
It is difficult to discern what type of MAC the authors are referring to. If they mean no Media Access Control address, then depending on if the protocol broadcasts the MAC clear text as it does in many waveforms (see 802.11), it is also trivial to masquerade. If the authors are referring to a Message Authentication Code (as they did prior) and if the attacker does not have the encryption key, I would be very curious how they claim it is “trivial” to conduct a masquerading attack. (please note the use of and between the claims of masquerade and replay denotes both are “trivial.”) Without the proper key, there is no way they can (to my limited knowledge), produce a decryptable packet for false injection / masquerading. Once the false packet is received, decryption will be unsuccessful and any such injection will be thwarted.
Now, as to the authors’ claim of a replay attack; this is the more interesting claim and one they *should* have investigated. It should also be noted that replay attacks do not “inject false traffic”, merely stale traffic which is not false.

“Even when encryption is used, much of the basic metadata that identifies the systems, talk groups, sender and receiver user IDs, and message types of transmissions are sent in the clear and are directly available to a passive eavesdropper for traffic analysis and to facilitate other attacks.”
This is of concern but sensitivity of such transmission security (TranSec) issues may not be of concern given these radios are not designed to carry/process classified information.


Report on UPenn Criticisms of the P25 Radio: Cont 1

Looking into the introduction, more claims can be found:
“Practical attacks can leak information, including location information about members of a radio group, and can seriously mislead their users about the security state of their communication.”
If these attacks are so practical, it will be interesting to see the implementation because it is not good to “seriously mislead” users.

“We describe an active traffic analysis attack that permits on-demand determination of the location of all of the users of a radio network, even when they are not actively using their radios.”
How is “not using radios” defined? Are the radios off?

“We also describe very low- energy selective jamming attacks that exploit a variety of protocol weakness, with the effect that encrypted users can be forced (knowingly or unknowingly) to revert to unencrypted mode.”
Again, let's be careful with this claim. As I stated before, the “very low- energy selective jamming” can only occur under very limited operational scenarios. Also, of great interest is the claim “encrypted users can be forced (unknowingly) to revert to unencrypted mode.” This is the critical claim which needs to be examined closely.

“These attacks may also be used to entirely disable trunked mode communications for an entire radio network with strikingly low energy.” How is “strikingly low energy” defined; more sensationalistic terms?

“can prevent encrypted traffic from being received and can force the users to disable encryption” Again, a claim of forcing, as in against will, or as stated prior, without the users' knowledge, disable encryption. Multiple times this claim has been made, let's see if it stands up.


Report on UPenn Criticisms of the P25 Radio

The following few posts are related to a paper published out of UPenn titled “Security Weakness in the APCO Project 25 Two-Way Radio System.”
Let's take a look at the Abstract.
From the Abstract “We find a number of protocol, implementation, and user interface weaknesses that can leak information to a passive eavesdropper and that facilitate active attacks.”
So, found was more than one of protocol, implementation and user interface issues and at least one of each which “can leak information to a passive eavesdropper.”
Also “In particular, P25 systems are highly susceptible to active traffic analysis attacks,” How is “highly susceptible” defined?
“radio user locations are surreptitiously determined” This claim will be interesting to see how it is proven and validated.
“selective jamming attacks” Again, another claim which will be interesting to see how it is proven and validated.
“The P25 protocols make such attacks not only feasible but highly efficient” How is “highly efficient” defined?
Added “…requiring, for example, significantly less aggregate energy output from a jammer than from the legitimate transmitters.” This claim is dubious at best. If a jammer is at one extreme edge of the network from the transmitter, and the receiver at the other, the jammer will require significantly more aggregate energy to overcome the simple fading channel issues.
Right from the start, the Abstract presents questionable information in sensationalist format.


More SCADA Vulnerabilities

Recently, over ten zero day SCADA attacks and step by step instructions were published. SCADA devices are controllers used in automation of things like factories. The whole idea that there is a problem with SCADA device security is ludicrous. These devices control multi-billion dollar factories yet they do not take even the most simple security precautions.

I had one person ask me how to prevent their SCADA devices from getting hacked. The answer is very simple, air gap it. Take the entire production network and disconnect it from the internet and the rest of the company’s network. Furthermore, no USB drives can be brought into the network and any update information is verified by multiple people. Super glue USB drives to make them inoperable and prevent outside computers from being hooked into the system. This way, an infection can not get into the system in the first place. These production lines have their own isolated power and even physical access control but they connect the system into the internet?

Some limited data may need to be brought out of the production environment but it should be set up as the exception, on set times, from specific and limited computers, on specific ports, with limits on the amounts of data flowing in either direction. No, the IT guys will not be able to VNC into the system at 3am from home and they will not like this.
Is it worth the cost of your production system going down for several weeks when (not if) you get hacked?


And This is Surprising Why?

From this article titled: Rootkit infection requires Windows reinstall, says Microsoft
MS is just now acknowledging this?

“Microsoft is telling Windows users that they’ll have to reinstall the operating system if they get infected with a new rootkit that hides in the machine’s boot sector.

A new variant of a Trojan Microsoft calls “Popureb” digs so deeply into the system that the only way to eradicate it is to return Windows to its out-of-the-box configuration”

Digging into the information, the article is a bit dramatic (drama sells). It requires the user to restore the OS, not reinstall. It is mainly to rewrite/fix the master boot record. This being said…
For the last several years, the only way to make sure all traces of an infection are gone is a reinstall. I’ve had to tell several friends and relatives I have given up delousing computers; just reinstall the OS. Infections for some time have gotten to the point that the only way to make sure is to nuke it from orbit.


The Stakes just got Raised

It was only a matter of time as it has been hinted at for a while now. The Pentagon is going to officially announce that cyber attacks may be considered an act of war and the retaliation is justified. According to a Wall Street Journal article:

“One idea gaining momentum at the Pentagon is the notion of “equivalence.” If a cyber attack produces the death, damage, destruction or high-level disruption that a traditional military attack would cause, then it would be a candidate for a “use of force” consideration, which could merit retaliation.”

I am surprised it has taken this long.


And this is News, Why?

Apparently a tool has been posted which claims “iOS 4 hardware encryption cracked.” It can take the tool up to 40 minutes to crack the password from a ROM dump, allowing it to decrypt all the device information.

Why is it a surprise that a four character password can be brute forced in under an hour?


You would think Google would know better

Google built into Android an authentication mechanism to allow devices to “securely” communicate and sync with the various Google services. Yet, moronically, they forgot to protect the communication itself and as a result, the security credentials were passed in clear text. That’s right, they did not use a simple and highly standard SSL to protect the authentication protocol information.
Just goes to show, very few people have a good understanding of security.


Find your stolen camera/phone

Stolen Camera Finder allows you to upload a saved photo taken from a stolen camera to find if anyone has been using it. The site examines the information attached to the image (the camera serial number, model, etc) and runs a search against photos posted online. This way, when the new “owner” posts a picture, you have a chance of tracking them down.


NSA Recommendations: Best Practices for the Home Network

NSA published Best Practices for Keeping Your Home Network Secure. While nothing new for the security minded individual, it is a very good read for the slightly technically inclined, non-security person. It covers a range of issues such as keeping your OS secure, encrypting your information, web browser and PDF concerns, wireless network security and the home network, passwords, mobile devices, social network site concerns, email best practices and more.
I sent this out to all my friends and relatives.


Free Virtual “Cloud” Server Instance Fun

Amazon is offering, free for one year, a micro instance in their EC2 environment. I have been playing with this for a while now and use it as a personal proxy. It allows me to SSH into the server when at remote sites to tunnel all my traffic through (protect confidentiality). You can also run a small web server and with 10 gig of space, some small, remote storage (encrypt whatever you are saving). If you want to play around with virtual “cloud” servers, this is the perfect opportunity.
