AES Encrypted Voice Traffic

[lawprojectfoundation]

Not quite as into the dark side as most of the tribe, but here is my tale of woe: I was an avid ham and police scanner enthusiast  . The Police Depart's have just about all gone over to the new 700 mhz AES encrypted  truncated voice transmission. 

   Anyone have any input on if it's possible to capture the transmission and try to pull some data out of the stream to reconstruct the voice pattern ? 

[NoExecute]

Practically, no it's not possible to crack the system keys on truncated radio.

The simplest way, would simply be to get hands on a radio you know is operating within the radio group / organisation you want to monitor, or bribe someone who know what it is. Finding it with bruteforce will cost a lot of time and special / custom software. And even in situation one, most radios is locked / protected from reading and changing the encryption keys & channel info, so no luck there. 

Depending on what radio system it is, some radios also employ key / authentication services, so unkown devices will never be approved on the system, and lost systems will get locked out from the radio network, so no lock there either.

I know it sounds fun, but i should mention it's illegal in most countries to monitor police / fire department radios when they are encrypted or try to crack the encryption.

Some info on truncated radio security mechanisms.

https://www.rrmediagroup.com/Features/FeaturesDetails/FID/812

I would imagine it's impossible to recreate the transmission without the encryption / scrambler key, the same radio model, running on the same frequencies, and with the correct keys programmed into the scrambler /encryption module.

Sorry, didn't wanted to spoil your day, but from what i've found out, it's simply to costly and to much work, to bother with it ?

/Kent

[lawprojectfoundation]

Kent: Thanks for the feedback, it would seem that end to end encryption would be a major bear to get a handle on. What I was speculating on was the possibility of analyzing the wave form in that frequency with SDR then taking that output into something (Audacity)? that would show the waveform, IF THERE IS ANY after it's been scrambled. Now I know this is wishful thinking on my part, MAYBE DELUSIONAL, but I'm not that sure what encryption  does to a sound file.

       It's not a major problem in my part of the state, S. Jersey, but up North it's SOP. This is a growing trend across  the country, it has a lot of those who would monitor the traffic bummed out, and not doing it much anymore.....John

[NoExecute]

Hmm, there would have to be a waveform of some sort. As i see it, it would be something like

talkvoice ----> mic ---> Encryption PCB --->transmitter -------->AIR <------- Reciever ----> Decryption PCB --> speaker ---> Ear ?

As far as I understand it, in some cases, the encryption function is just a base tone, some modulator function, and the transmission of the generated signal. It should / could be possible to reconstruct the signal from the base, and figure out what kind of modulation it is, apply it to the transmitted signal, and recover the clear voice signal.

https://www.midians.com/specs/voice-scramblers-motorola-mototrbo-radios/vs-1000-mt1

Here is some encryption pcb's for Motorola truncated radios. They use, as far as i can tell, "just" some kind of filtration and modulation as encryption.
I would imagine, as least theorethically, the encrypted voice from these can be recovered through trial and error, and massive computing power maybe ?

If I understand the description of these correctly, they simply just run the base voice through some kind of known modulation filter, remove the sum, and transmit the difference in frequencies. If that's understood correctly, maybe it could be recovered by finding the base frequency, applying filters, until you have clear audio again.

Just my thoughts on this. If I'm correct or not, I cant say ?

[noncenz]

 

Unfortunately those inversion scramblers are a little more simplistic than today's state-of-the-art. Modern public safety radios are digital, so the signal path is more like:

voice -->a/d converter -->AES encryption -->frequency modulation of data (transmitter) -->demodulation of data (receiver) -->AES decryption --> d/a converter -->sound.

At the core of this is a data stream getting AES encryption so I suppose that part is as crackable as any other AES, but I think there is a long way to go to get there. 

 

Have a look at GNU Radio. There are a few AES plugins for it, ex https://github.com/sbmueller/gr-openssl

 

 

 

[lawprojectfoundation]

What if your NOT cracking the Encryption ? Is there a distinction ? It's still going over the air, subject to capture .....

[noncenz]

Yes the encrypted digital signal is still going over the air so you should be able to capture it, even save it to disk I'd think.....

[lawprojectfoundation]

Hey Folks: A lot of great feedback. I'll look into the GNU radio angle. SDR sounds like a better alternative than a P25 Scanner if you can get one...

WHY do this ? Because I can....?

[lawprojectfoundation]

I'm looking at this from two seperate viewpoints: Is the Information: Voice transmission a separate entity, or a hybrid due the Encryption process ? If you can recover the initial content from the Encryption, what due you have ? There is a civil liberties issue for me dealing with transparency  and accountability. Not sure if this part is relevant to this forum though .

[Bigbiz]

https://www.dsdplus.com/

 

Would do the trick

Hard part would be getting it to work.

[lawprojectfoundation]

Thanks for the additional feedback. I downloaded the files, and I'll see just what happens.

     This is basically one of those projects that you never really know just what you might discover after trying all the different approaches. 

      This could just be a result that you never expected to get. 

[lawprojectfoundation]

Well, like any camping trip to uncharted terrain, need to buy the right gear. Ordered a SDR Dongle that picks up P25 digital signals. Been doing a little research and found out that people are decoding  satellite video signals with SDR. Is this a heads up that there might be a work around for this ? Sems that you can even get the rig to work with a RaspPI, so it doesn't look like hardware issue. 

    Locating a signal strong enough looks like the first barrier, right across the the river to PA or up North, which might be an antenna challenge....On to DEFCON 2019 ?

[Bigbiz]

Hows it going. Best bet is looking for your control channel. This will get you your talk groups. Then youll need a second dongle for intercepting voice traffic

 

 

 

[Scanner man]

Is it possible to transmit on the encrypted frequency and cause the encryption to be removed and the rest of the transmission to be sent in the clear at least temporarily? 

[IDNeon]

I'm pretty sure encrypted police radios will be deemed illegal soon enough. Police are not protected by national security acts that are the only thing that allows public property to be hidden from the public.