Jump to content

AES Encrypted Voice Traffic


Recommended Posts

Not quite as into the dark side as most of the tribe, but here is my tale of woe: I was an avid ham and police scanner enthusiast  . The Police Depart's have just about all gone over to the new 700 mhz AES encrypted  truncated voice transmission. 

   Anyone have any input on if it's possible to capture the transmission and try to pull some data out of the stream to reconstruct the voice pattern ? 

Link to comment
Share on other sites

Practically, no it's not possible to crack the system keys on truncated radio.

The simplest way, would simply be to get hands on a radio you know is operating within the radio group / organisation you want to monitor, or bribe someone who know what it is. Finding it with bruteforce will cost a lot of time and special / custom software. And even in situation one, most radios is locked / protected from reading and changing the encryption keys & channel info, so no luck there. 

Depending on what radio system it is, some radios also employ key / authentication services, so unkown devices will never be approved on the system, and lost systems will get locked out from the radio network, so no lock there either.

I know it sounds fun, but i should mention it's illegal in most countries to monitor police / fire department radios when they are encrypted or try to crack the encryption.

Some info on truncated radio security mechanisms.


I would imagine it's impossible to recreate the transmission without the encryption / scrambler key, the same radio model, running on the same frequencies, and with the correct keys programmed into the scrambler /encryption module.

Sorry, didn't wanted to spoil your day, but from what i've found out, it's simply to costly and to much work, to bother with it ?


Link to comment
Share on other sites

Kent: Thanks for the feedback, it would seem that end to end encryption would be a major bear to get a handle on. What I was speculating on was the possibility of analyzing the wave form in that frequency with SDR then taking that output into something (Audacity)? that would show the waveform, IF THERE IS ANY after it's been scrambled. Now I know this is wishful thinking on my part, MAYBE DELUSIONAL, but I'm not that sure what encryption  does to a sound file.

       It's not a major problem in my part of the state, S. Jersey, but up North it's SOP. This is a growing trend across  the country, it has a lot of those who would monitor the traffic bummed out, and not doing it much anymore.....John

Link to comment
Share on other sites

Hmm, there would have to be a waveform of some sort. As i see it, it would be something like

talkvoice ----> mic ---> Encryption PCB --->transmitter -------->AIR <------- Reciever ----> Decryption PCB --> speaker ---> Ear ?

As far as I understand it, in some cases, the encryption function is just a base tone, some modulator function, and the transmission of the generated signal. It should / could be possible to reconstruct the signal from the base, and figure out what kind of modulation it is, apply it to the transmitted signal, and recover the clear voice signal.


Here is some encryption pcb's for Motorola truncated radios. They use, as far as i can tell, "just" some kind of filtration and modulation as encryption.
I would imagine, as least theorethically, the encrypted voice from these can be recovered through trial and error, and massive computing power maybe ?

If I understand the description of these correctly, they simply just run the base voice through some kind of known modulation filter, remove the sum, and transmit the difference in frequencies. If that's understood correctly, maybe it could be recovered by finding the base frequency, applying filters, until you have clear audio again.

Just my thoughts on this. If I'm correct or not, I cant say ?

Link to comment
Share on other sites


Unfortunately those inversion scramblers are a little more simplistic than today's state-of-the-art. Modern public safety radios are digital, so the signal path is more like:

voice -->a/d converter -->AES encryption -->frequency modulation of data (transmitter) -->demodulation of data (receiver) -->AES decryption --> d/a converter -->sound.

At the core of this is a data stream getting AES encryption so I suppose that part is as crackable as any other AES, but I think there is a long way to go to get there. 


Have a look at GNU Radio. There are a few AES plugins for it, ex https://github.com/sbmueller/gr-openssl




Link to comment
Share on other sites

I'm looking at this from two seperate viewpoints: Is the Information: Voice transmission a separate entity, or a hybrid due the Encryption process ? If you can recover the initial content from the Encryption, what due you have ? There is a civil liberties issue for me dealing with transparency  and accountability. Not sure if this part is relevant to this forum though .

Link to comment
Share on other sites

Well, like any camping trip to uncharted terrain, need to buy the right gear. Ordered a SDR Dongle that picks up P25 digital signals. Been doing a little research and found out that people are decoding  satellite video signals with SDR. Is this a heads up that there might be a work around for this ? Sems that you can even get the rig to work with a RaspPI, so it doesn't look like hardware issue. 

    Locating a signal strong enough looks like the first barrier, right across the the river to PA or up North, which might be an antenna challenge....On to DEFCON 2019 ?

Link to comment
Share on other sites

  • 1 month later...

Hows it going. Best bet is looking for your control channel. This will get you your talk groups. Then youll need a second dongle for intercepting voice traffic




Link to comment
Share on other sites

  • 2 years later...
  • 4 months later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...