Jailbreak Turns Cheap Walkie-Talkie Into DMR Police Scanner

An anonymous reader writes: Last Shmoocon, famous reverse engineer Travis Goodspeed presented his jailbreak of the Chinese MD380 digital handheld radio. The hack has since been published at GitHub with all needed source code to turn a cheap digital radio into the first hardware scanner for DMR digital mobile radio: a firmware patch for promiscuous mode that puts all talk groups through the speaker, including private calling. In the U.S. the competing APCO-25 is a suite of standards for digital radio communications for federal users, but a lot of state/county and local public safety organizations, including city police dispatch channels, are using the Mototrbo Motorola DMR digital standard.

22 of 82 comments

  1. Cool, but not the first by rfengr · · Score: 3, Informative

    Very cool, but not the first hardware scanner: http://www.aorusa.com/receiver...

    1. Re:Cool, but not the first by Holi · · Score: 2

      Or get an RTL dongle and use DSD. You can even do trunked radio, though it is easier with 2 RTL dongles.

      --
      Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
    2. Re:Cool, but not the first by rfengr · · Score: 4, Informative

      Yep, been doing that for a while with GNU Radio, gr-dsd with USRP. I may get an Airspy just so I can use Unitrunker on Windows (without using the RTL dongles). Still really isn't a good digital scanning solution for SDR, although I wrote one for NBFM and AM: https://github.com/madengr/ham...

  2. Why is Police band unencrypted? by gmack · · Score: 4, Insightful

    If you can monitor things you shouldn't, the problem is with the insecure communications system not with the hacked walkie talkie.

    1. Re:Why is Police band unencrypted? by Holi · · Score: 4, Informative

      "If you can monitor things you shouldn't" who says you shouldn't? Many people have and do get scanners for that very reason. Nothing wrong or illegal about it.

      --
      Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
    2. Re:Why is Police band unencrypted? by rfengr · · Score: 4, Informative

      It's not. Many P25 talkgroups are encrypted, specifically the police tactical ones. Sometimes they just use a cell phone.

    3. Re:Why is Police band unencrypted? by Anonymous Coward · · Score: 5, Funny

      Ahahahahahh here we are in 2016, and someone is concerned about the morality of monitoring public government channels.

    4. Re:Why is Police band unencrypted? by gstoddart · · Score: 3, Informative

      If you can monitor things you shouldn't

      It's broadcast over public radio waves in the clear ... where does "shouldn't" come into play?

      If our cell phones have no expectation of privacy, WTF should the police expect any for?

      It's not like it hasn't been perfectly legal to have police scanners for decades. This is just more of the same thing.

      --
      Lost at C:>. Found at C.
    5. Re:Why is Police band unencrypted? by Anonymous Coward · · Score: 5, Insightful

      Do we really need to know every car that the police pull over?

      Yes, I don't think the police should be able to pull people over secretly. Do you not understand why public oversight of the police is so important?

    6. Re:Why is Police band unencrypted? by Obfuscant · · Score: 2, Informative

      Don't you think that keeping the conversation about movements and roadblocks secret might help in catching the suspects?

      While many police agencies use this as an excuse for encrypting their radio traffic, it is very very rare for armed robbers to use police scanners to aid their escape.

      I've had a police-capable radio in my car for many years, and I can count on the fingers of no hands the number of times it has allowed me to know ahead of time where the state police have set up radar on the interstate, for example. I have been able to hear about traffic problems before I get stuck in the middle of them, however. Just a couple of weeks ago, I was able to learn what the source of a series of explosions near my house was without having to call 911, and even more recently, that one of our town's major roads was shut down because of an event.

      Do we really need to know every car that the police pull over?

      Another common excuse used by the police to hide their radio traffic.

      Most agencies these days have digital data systems for communicating private stuff, so there is no need to encrypt voice traffic. Not encrypting avoids the issues of key management and the inability of neighboring agencies to assist directly just because they are not "keyed" properly.

    7. Re:Why is Police band unencrypted? by Coren22 · · Score: 4, Interesting

      The funny thing about that ruling you reference is that cell phone communications are encrypted by default. The Stingray devices have to trick the cell phones into connecting to them because passive monitoring doesn't work for capture of the information, they actually have to tell the cell phone to turn off encryption to even work.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    8. Re:Why is Police band unencrypted? by ScentCone · · Score: 2

      Where do you live that the police are elected?

      Every police department, in every jurisdiction (municipal, county, state, federal) reports to officials in the executive branches of government. The executive branch IS the law enforcement branch, and the executive branch is run by regularly elected people. If a county executive, a mayor, or a governor (or even the president) is doing such a bad job in telling their subordinate LEOs which policies to use in directing their actions, then that's an issue to bring up when those executives are next up for election (or, if it's bad enough, for impeachment).

      No, police aren't elected (except for, in many places, sheriffs), but their bosses are - and the police, especially at the management/policy level, work for those elected bosses.

      How is it that you don't actually know this?

      --
      Don't disappoint your bird dog. Go to the range.
    9. Re:Why is Police band unencrypted? by Obfuscant · · Score: 2

      Where do you live that the police are elected?

      The chief of police in this city is hired by the elected city council. The county Sheriff is directly elected by the public.

    10. Re:Why is Police band unencrypted? by Anonymous Coward · · Score: 2, Informative

      This may shock you, but many people are not Libertarian children, and actually support their own elected government. Don't mistake loud Internet reactionaries for people in general.

      Libertarians know this. Our founding fathers knew this. Tyranny of the majority is exactly why we have so many limits on our government. It's why the population must be allowed to monitor what government officials do. I know most people wouldn't mind having a secret police force and it scares me greatly.

    11. Re:Why is Police band unencrypted? by Obfuscant · · Score: 2

      This statement shows poor thought processes. Calling 911 to get information about an event is a misuse of 911.

      And this statement shows a lack of reading comprehension. I didn't say I would call 911 to get information. I would call 911 to report a series of explosions -- except I found out what they were and that I didn't need to call by listening to unencrypted police radio traffic.

      If you don't need immediate help don't call 911.

      I think reporting explosions of unknown origin is a valid use of 911. You don't seem to think so. The large number of people who did call to report them disagree. The manager of the PSAP also disagrees with you. Nobody said that nobody should have reported them; they said that the fire department should have been proactive in informing the public they were going to happen. YMMV.

      Not what I am talking about. The issue is suspects getting away because they can avoid police by knowing where the police are.

      Yes, it is what you are talking about. If I, in a calm, quiet environment, cannot determine where just one state police car is waiting with radar, why would you expect a robber, in the heat of pursuit, to be able to monitor and decipher the police communications better? But it's moot -- they don't do it anyway. Maybe because they understand that it isn't as valuable a source of data as you seem to think it is?

      If it happens once a year it is a justification for encrypting year round.

      Well, that's one opinion. Being able to monitor the activities of the police is a better justification for not encrypting at all.

      Which means that there are some agencies who do not use digital systems and need encrypted communications.

      No, it means that there are some agencies that use digital data terminals instead of transmitting everything via unencrypted voice signals. In other words, there is a solution to the "privacy" problem that doesn't require encryption of voice traffic. And "do not use digital systems" is irrelevant. Analog, digital, voice is voice.

      True but that issue has been worked out long ago.

      Textbook solutions are great, in theory, but do not always make it into practice, in practice. The issue of key management is much more complex than the issue of which subaudible tone or NAC (digital "tone") is used on a channel, and the latter is sometimes wrong. For example, a neighboring county changed a CTCSS tone on one of their channels and didn't tell anyone -- and it was only discovered when a local agency went to render mutual aid and couldn't communicate.

      they just switch to an unencrypted channel.

      So in the middle of an emergency event where you've called in outside assistance, everyone has to change channels, assuming that it becomes obvious that someone who cannot communicate with you cannot communicate with you.

      The few times this happens does not make encryption useless.

      Straw man. I didn't say it was useless.

  3. The "Read More" link... by Anonymous Coward · · Score: 2, Insightful

    A nice simple way for the new owners to demonstrate their good intentions:

    Please can we have the "Read more..." link back for all stories and not just on the polls ?

    Thanks.

  4. Déjà Vu by U2xhc2hkb3QgU3Vja3M · · Score: 2

    Anyone else read that as "Jailbreak Turns Cheap Walkie-Talkie Into DRM Police Scanner"?

    1. Re:Déjà Vu by Quirkz · · Score: 2

      No, but I had to read "Last Shmoocon famous reverse engineer" about eight times to parse it. That's a very unlikely set of five words to begin a sentence.

  5. Re:Interoperability be damned by Anonymous Coward · · Score: 2, Informative

    You do realize, of course, that Motorola has the only system that works well with a lot of users in urban canyons, but that 700 MHz doesn't work for shit in large open spaces where the locals can't afford half a dozen repeaters. In much of Colorado, the high ground makes it even worse, as it's an amazingly shitty place to put repeaters (no power, 150 kt winds, and no road access), so they tend towards VHF systems in the mountain counties. There are actual reasons different municipalities chose different systems, and it's not that they're being bribed by the vendors. Oh, and the radios I have used had something like "inter-agency A" and "inter-agency B" programmed in. Not too hard for your average cop (who doesn't do much inter-agency anyway) to figure out.

  6. DMR is not a Motorola standard by Anonymous Coward · · Score: 4, Informative

    "Mototrbo Motorola DMR digital standard"

    Is a complete misnomer. DMR is not a Motorola standard, it's a European standard (ETSI) and effectively a digital radio replacement for the MPT1327 standard (a British standard from the Ministry of Post and Telecommunications). Having said that many radio manufacturers would have had input to the standard, including Motorola. The one I worked for did.

    DMR/P25 are similar, in that if you don't want people to listen in on what you're broadcasting, encrypt it! As far as I can remember, AES256 was the best encryption option available to P25... I can't remember the details for DMR, or even if it supported it.

    DMR standard had/has some weirdness: for instance the vocoder wasn't specified. Everyone seems to have defaulted to the AMBE half rate vocoder from DVSI, the same as what is being used for P25 phase 2.

  7. You can do this today with a $10 dongle by hey! · · Score: 3, Informative

    and open source software like Gnu Radio. No need to spend $150 bucks and then void your warranty.

    The thing is, GNU Radio is just a bunch of software routines. People have cobbled things together that will allow you to listen to AM, FM, and SSB, but the UI is crude and it's not something an average person would find usable. On top of that, the digital voice decoding is a separate piece of software which (except on Windows) you have to compile from source and figure out how to bolt on.

    It'd be nice if more people were putting their hacking energies into SDR, because then maybe someone would come up with a nice, slick plug-and-play solution anyone could download from a distro repository. It's happened in other somewhat technical areas, like GIS (e.g., Quantum GIS) or computer algebra.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  8. Re:Interoperability be damned by Lumpy · · Score: 2

    Yet the old 50 MHz police band works better than ANYTHING that can be bought today in the urban canyons as well as the states that are spread out for thousands of miles.

    All this digital shit is only there to make a profit selling new gear. The old analog stuff works great and still does.

    --
    Do not look at laser with remaining good eye.