Jump to content

Archived

This topic is now archived and is closed to further replies.

lawprojectfoundation

AES Encrypted Voice Traffic

Recommended Posts

Not quite as into the dark side as most of the tribe, but here is my tale of woe: I was an avid ham and police scanner enthusiast  . The Police Depart's have just about all gone over to the new 700 mhz AES encrypted  truncated voice transmission. 

   Anyone have any input on if it's possible to capture the transmission and try to pull some data out of the stream to reconstruct the voice pattern ? 

Share this post


Link to post
Share on other sites

Practically, no it's not possible to crack the system keys on truncated radio.

The simplest way, would simply be to get hands on a radio you know is operating within the radio group / organisation you want to monitor, or bribe someone who know what it is. Finding it with bruteforce will cost a lot of time and special / custom software. And even in situation one, most radios is locked / protected from reading and changing the encryption keys & channel info, so no luck there. 

Depending on what radio system it is, some radios also employ key / authentication services, so unkown devices will never be approved on the system, and lost systems will get locked out from the radio network, so no lock there either.

I know it sounds fun, but i should mention it's illegal in most countries to monitor police / fire department radios when they are encrypted or try to crack the encryption.

Some info on truncated radio security mechanisms.

https://www.rrmediagroup.com/Features/FeaturesDetails/FID/812

I would imagine it's impossible to recreate the transmission without the encryption / scrambler key, the same radio model, running on the same frequencies, and with the correct keys programmed into the scrambler /encryption module.

Sorry, didn't wanted to spoil your day, but from what i've found out, it's simply to costly and to much work, to bother with it ?

/Kent

Share this post


Link to post
Share on other sites

Kent: Thanks for the feedback, it would seem that end to end encryption would be a major bear to get a handle on. What I was speculating on was the possibility of analyzing the wave form in that frequency with SDR then taking that output into something (Audacity)? that would show the waveform, IF THERE IS ANY after it's been scrambled. Now I know this is wishful thinking on my part, MAYBE DELUSIONAL, but I'm not that sure what encryption  does to a sound file.

       It's not a major problem in my part of the state, S. Jersey, but up North it's SOP. This is a growing trend across  the country, it has a lot of those who would monitor the traffic bummed out, and not doing it much anymore.....John

Share this post


Link to post
Share on other sites

Hmm, there would have to be a waveform of some sort. As i see it, it would be something like

talkvoice ----> mic ---> Encryption PCB --->transmitter -------->AIR <------- Reciever ----> Decryption PCB --> speaker ---> Ear ?

As far as I understand it, in some cases, the encryption function is just a base tone, some modulator function, and the transmission of the generated signal. It should / could be possible to reconstruct the signal from the base, and figure out what kind of modulation it is, apply it to the transmitted signal, and recover the clear voice signal.

https://www.midians.com/specs/voice-scramblers-motorola-mototrbo-radios/vs-1000-mt1

Here is some encryption pcb's for Motorola truncated radios. They use, as far as i can tell, "just" some kind of filtration and modulation as encryption.
I would imagine, as least theorethically, the encrypted voice from these can be recovered through trial and error, and massive computing power maybe ?

If I understand the description of these correctly, they simply just run the base voice through some kind of known modulation filter, remove the sum, and transmit the difference in frequencies. If that's understood correctly, maybe it could be recovered by finding the base frequency, applying filters, until you have clear audio again.

Just my thoughts on this. If I'm correct or not, I cant say ?

Share this post


Link to post
Share on other sites

 

Unfortunately those inversion scramblers are a little more simplistic than today's state-of-the-art. Modern public safety radios are digital, so the signal path is more like:

voice -->a/d converter -->AES encryption -->frequency modulation of data (transmitter) -->demodulation of data (receiver) -->AES decryption --> d/a converter -->sound.

At the core of this is a data stream getting AES encryption so I suppose that part is as crackable as any other AES, but I think there is a long way to go to get there. 

 

Have a look at GNU Radio. There are a few AES plugins for it, ex https://github.com/sbmueller/gr-openssl

 

 

 

Share this post


Link to post
Share on other sites

Yes the encrypted digital signal is still going over the air so you should be able to capture it, even save it to disk I'd think.....

Share this post


Link to post
Share on other sites

I'm looking at this from two seperate viewpoints: Is the Information: Voice transmission a separate entity, or a hybrid due the Encryption process ? If you can recover the initial content from the Encryption, what due you have ? There is a civil liberties issue for me dealing with transparency  and accountability. Not sure if this part is relevant to this forum though .

Share this post


Link to post
Share on other sites

https://www.dsdplus.com/

 

Would do the trick

Hard part would be getting it to work.

Share this post


Link to post
Share on other sites

Thanks for the additional feedback. I downloaded the files, and I'll see just what happens.

     This is basically one of those projects that you never really know just what you might discover after trying all the different approaches. 

      This could just be a result that you never expected to get. 

Share this post


Link to post
Share on other sites

Well, like any camping trip to uncharted terrain, need to buy the right gear. Ordered a SDR Dongle that picks up P25 digital signals. Been doing a little research and found out that people are decoding  satellite video signals with SDR. Is this a heads up that there might be a work around for this ? Sems that you can even get the rig to work with a RaspPI, so it doesn't look like hardware issue. 

    Locating a signal strong enough looks like the first barrier, right across the the river to PA or up North, which might be an antenna challenge....On to DEFCON 2019 ?

Share this post


Link to post
Share on other sites

Hows it going. Best bet is looking for your control channel. This will get you your talk groups. Then youll need a second dongle for intercepting voice traffic

 

 

 

Share this post


Link to post
Share on other sites

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...