“Transmitting radio sources are is generally susceptible to geolocation through direction finding and triangulation techniques.”
This is true for all broadcast signals. The reality is, direction finding wideband signals is not less difficult then it is for narrow band. If there is energy, it can be found, beam formed and form multiple locations, a probable location of the emitter can be found. This level of sophistication and coordination is not normally found in criminal activity but that of nation state.

Denial of service attacks
Again, this class of attacks are more easily found for well known signals like Cell, Wifi, and GPS jammers. Thus, the freq is nor more vulnerable to jamming then any other readily known signal.
The authors analysis of the methods of jamming analog signals are … naive and incorrect. Unfortunately, I cannot say much more then that about the subject matter.

“As a practical matter, the analog jamming arms race is actually tipped slightly in favor of the defender, since the attacker generally also has to worry about being discovered (and then eliminated) with radio direction finding and other countermeasures. More power makes the jammer more effective, but also easier to locate.”
The same holds true for digital jamming, even in ultra short burst rates. Beam forming techniques can readily discern multiple /simultaneous signals and can plot these over time. Even short burst signals can be found and discerned using time differential of arrival techniques.

“Spread spectrum systems [3], and especially direct sequence spread spectrum systems, can be made robust against jamming, either by the use of a secret spreading code or by more clever techniques described in [6, 1].”
This naive claim made me laugh; no signal is robust against jamming. If there is energy, it can be found. If it can be found, it can be interrupted.
“Without special information, a jamming transmitter must increase the noise floor not just on a single frequency channel, but rather across the entire band in use, at sufficient power to prevent reception. ”
Without special information, even on narrow band signals, a jammer must broadcast over a continuous interval to increase the noise floor. This applies for any signal and not just P25.

“This ad hoc design by itself represents a security concern, and could be considered a basic architectural weakness. In fact, the design introduces significant certificational weaknesses in the cryptographic protection provided.”
Again the authors make more claims as to ad hoc and claims “certificational” issues with the cryptographic protection without clearly stating what these are.

“Given the overall complexity of the P25 protocol suite, and especially given the reliance of upper layers such as the OTAR subsystem on the behavior of lower layers, such deficiencies make the security of the overall system much harder for a defender to analyze.”
Now the authors claim that upper layers relying on lower layers for security makes a system harder to analyze. Layered security approaches in communication have been used for many years. IPSec is a classic example of a layer three protection protocol used by higher layers for many years. I find it interesting the authors claim IPSec makes the security of a system harder to analyze.
“The P25 implementation and user interfaces, too, suffer from an ad hoc design…”
I am reminded of a quote from the move “The Princes Bride”, “You keep using that word. I do not think it means what you think it means.” The Cambridge American Dictionary lists the definition of ad hoc as “for a particular purpose or need, esp. for an immediate need.” So, since most user interfaces are built for a particular need, they all could be considered ad hoc. Likewise could be said abotu the protocol since it was built for the P25 specification needs. The authors fail to explain how this is bad.

“At the root of many of the most important practical vulnerabilities in P25 systems are a number of fundamentally weak cryptographic, security protocol, and coding design choices.”
So, lets look for where they make these two (or three, depending on how you parse the commas), separate points “weak cryptographic”, “weak cryptographic, security protocol” and “coding design choices”. (although coding design choices are not the fault of the protocol)

“Because no MACs are employed on voice and most other traffic, even in encrypted mode, it is trivial for an adversary to masquerade as a legitimate user, to inject false voice traffic, and to replay captured traffic, even when all radios in a system have encryption configured and enabled.”
It is difficult to discern what type of MAC the authors are referring to. If they mean no Media Access Control address, then depending on if the protocol broadcasts the MAC clear text as it does in many waveforms (see 802.11), it is also trivial to masquerade. If the authors are referring to a Message Authentication Code (as they did prior) and if the attacker does not have the encryption key, I would be very curious how they claim it is “trivial” to conduct a masquerading attack. (please note the use of and between the claims of masquerade and replay denotes both are “trivial.”) Without the proper key, there is no way they can (to my limited knowledge), produce a decryptable packet for false injection / masquerading. Once the false packet is received, decryption will be unsuccessful and any such injection will be thwarted.
Now, as to the author’s claim of a replay attack; this is the more interesting claim and one they *should* have investigated. It should also be noted that reply attacks do not “inject false traffic”, merely stale traffic which is not false.

“Even when encryption is used, much of the basic metadata that identifies the systems, talk groups, sender and receiver user IDs, and message types of transmissions are sent in the clear and are directly available to a passive eavesdropper for traffic analysis and to facilitate other attacks.”
This is of concern but sensitivity of such transmission security (TranSec) issues may not be of concern given these radios are not designed to carry/process classified information.

“We describe an active traffic analysis attack that permits on-demand determination of the location of all of the users of a radio network, even when they are not actively using their radios.”
How is “not using radios” defined. Are the radios off?

“We also describe very low- energy selective jamming attacks that exploit a variety of protocol weakness, with the effect that encrypted users can be forced (knowingly or unknowingly) to revert to unencrypted mode.”
Again, lets be careful with this claim. As I stated before, the “very low- energy selective jamming” can only occur under very limited operational scenarios. Also, of great interest is the claim “encrypted users can be forced (unknowingly) to revert to unencrypted mode.” This is the critical claim which needs to be examined closely.

“These attacks may also be used to entirely disable trunked mode communications for an entire radio network with strikingly low energy.” How is “strikingly low energy” defined; more sensationalistic terms?

“can prevent encrypted traffic from being received and can force the users to disable encryption” Again, a claim of forcing, as is against will, or as stated prior, without the users knowledge, disable encryption. Multiple times this claim has been made, lets see if it stands up.

I had one person ask me how to prevent their SCADA devices from getting hacked. The answer is very simple, air gap it. Take the entire production network and disconnect it from the internet and the rest of the company’s network. Furthermore, no USB drives can be brought into the network and any update information is verified by multiple people. Super glue USB drives to make them inoperable and prevent outside computers from being hooked into the system. This way, an infection can not get into the system in the first place. These production lines have their own isolated power and even physical access control but they connect the system into the internet?

Some limited data may need to be brought out of the production environment but it should be set up as the exception, on set times, from specific and limited computers specific ports with limits on the amounts of data flowing in either direction. No, the IT guys will not be able to VNC into the system at 3am from home and they will not like this.
Is it worth the cost of your production system going down for several weeks when (not if) you get hacked?

Microsoft is telling Windows users that they’ll have to reinstall the operating system if they get infected with a new rootkit that hides in the machine’s boot sector.

A new variant of a Trojan Microsoft calls “Popureb” digs so deeply into the system that the only way to eradicate it is to return Windows to its out-of-the-box configuration

Digging into the information, the article is a bit dramatic (drama sells). It requires the user to restore the OS, not reinstall. It is mainly to rewrite/fix the master boot record. This being said…
For the last several years, the only way to make sure all traces of an infection are gone is a reinstall. I’ve had to tell several friends and relatives I have given up delousing computers; just reinstall the OS. Infections for some time have gotten to the point that the only way to make sure is to nuke it from orbit.

One idea gaining momentum at the Pentagon is the notion of “equivalence.” If a cyber attack produces the death, damage, destruction or high-level disruption that a traditional military attack would cause, then it would be a candidate for a “use of force” consideration, which could merit retaliation.

I am surprised it has taken this long.

Why is it a surprise that a four character password can be brute forced in under an hour?

Now I don’t know what all this shit is worth or who would pay for it, but I’m bettin’ someone will. Hell, if I can’t move the prescription data at the very least I can find a buyer for the personal data (name,age,address,social security #, driver’s license #).

1. Why were the backups left online?
2. Why was the data left unencrypted so anyone on the system could get to it?

But most importantly, this should serve as a remind why trusting online medical records is a VERY bad idea.

It is said that complexity is the chief enemy of security… Modern operating systems and computer networks are chock-a-block with bloat, but they also bristle with invasive security programs vying to pre-empt each other. The resulting complexity of those interactions does not scale with the n^2 of Metcalfe’s Law (the number of potential 2-way interactions), but the 2^n of Reed’s Law (the number of potential multi-way interactions). This is the heart of complexity’s enmity against security: security’s task list is all multi-way interactions, all the time. (emphasis mine) We make it worse by adding too many security products that are mere symptomatic relief for the problem du jour.
We can’t prove security products work, but we can prove that complexity matters, and that we are ourselves contributing to complexity by deploying too many security products.

I am a huge fan of simplicity and the monolithic kernel is anything but…

Ford’s technology works over a dedicated short-range WiFi system on a secure channel allocated by the FCC. … Scenarios where this could benefit safety or traffic? Predicting collision courses with unseen vehicles, seeing sudden stops before they’re visible, and spotting traffic pattern changes on a busy highway.

I love that line “a secure channel allocated by the FCC.” *sigh*
Another benefit being touted is the ability to warn drivers of traffic congestion so they can take a different route. Sounds nice?

What happens when someone hacks their car so the chip gets an incorrect data feed from the GPS showing a different position, say traveling in the other lane. All other cars now passing by will get a collision warning. If the warning is tied into vehicle control, it could cause those cars to erroneously hit the breaks.
Want a better commute to work? Again, feed information into the system so it thinks there is heavy traffic. The car will report bad traffic on the roads and others will avoid it.
This has failure written all over it.

Weinmann’s attack would allow him to take advantage of iPhones lured into his rogue base station to “enable and disable auto-answer on the iPhone” he said, or with an attack payload to record the audio on the iPhone, store it in RAM and then transmit the data that was sniffed.

Looks like the cat is out of the bag. This is but one of the reasons cell phones are not allowed in secure areas and should be turned off when discussing “sensitive” information.