Aug 11, 2011 08:17 GMT

Researchers from the University of Pennsylvania warn that certain radios and other communication devices currently used by law enforcement agencies can be attacked using a variety of methods.

This is the conclusion of a two-year study into the security of the wireless communication protocols developed under APCO Project 25, more commonly referred to as P25.

These protocols are at the heart of many two-way communication systems used by the FBI and local law enforcement agencies.

"We found a number of protocol, implementation, and user interface weaknesses that routinely leak information to a passive eavesdropper or that permit highly efficient and difficult to detect active attacks," the researchers write.

Their findings are laid out in a paper entitled "Why (Special Agent) Johnny (Still) Can't Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio System", which they plan to present at the 20th USENIX Security Symposium this week.

The research team deployed off-the-shelf radio receivers costing about $1,000 in two undisclosed metropolitan areas and analyzed the P25 traffic they captured. They found that a surprising amount of sensitive traffic was sent in the clear, even though its users believed it to be encrypted.

"We monitored sensitive transmissions about operations by agents in every Federal law enforcement agency in the Department of Justice and the Department of Homeland Security," the researchers reveal in their paper.

The information they were able to capture during the surveillance included names and locations of individuals targeted in ongoing criminal investigations, names and identifying features of confidential informants, descriptions of undercover agents, locations of surveillance vehicles, and plans for forthcoming arrests or raids.

The researchers attribute the encryption failures to three causes: individual error, where a single user thought he was transmitting on an encrypted channel but was not; group error, where several users on the same channel shared the same mistaken belief; and keying failure, where some users lacked the current encryption keys and everyone agreed to talk in the clear so that they could be included.

The researchers also describe several active attacks in which an adversary can inject voice traffic into a conversation even when encryption is configured properly, because P25 does not authenticate transmissions, as well as an easy-to-perform denial-of-service attack that jams communications.