P25
Project 25 (P25) is a suite of standards for digital radio communications for use by federal, state/province and local public safety agencies in North America, to enable them to communicate with other agencies and mutual aid response teams in emergencies. In this regard, P25 fills the same role as the European Terrestrial Trunked Radio (TETRA) protocol, although it is not interoperable with it.
History
Public safety radios have been upgraded from analog to digital since the 1990s because of the limitations of analog transmission, and also because of the technological advances and expanded capabilities of digital radio.

Varying user protocols and different public safety radio spectrum allocations made it difficult for public safety to achieve interoperability and widespread acceptance among the public safety agencies. However, the lessons learned during the disasters that the United States faced in the past decade have forced agencies to assess their requirements during a disaster when the basic infrastructure is in a state of failure. To meet the growing demands of public safety digital radio communications, the United States Federal Communications Commission (FCC), at the directive of the United States Congress, initiated an inquiry in 1988 to receive recommendations from users and manufacturers to improve the communication systems in existence. Based on the recommendations, in October 1989 APCO Project 25 came into existence in a coalition with the Association of Public-Safety Communications Officials-International (APCO), the National Association of State Telecommunications Directors (NASTD), the National Telecommunications and Information Administration (NTIA), the National Communications System (NCS), the National Security Agency (NSA) and the Department of Defense (DoD), to find solutions that best serve the needs of public safety management. In addition, a steering committee consisting of representatives from the above-mentioned agencies, along with the FPIC (Department of Homeland Security Federal Partnership for Interoperable Communication), the Coast Guard and the Department of Commerce's National Institute of Standards and Technology (NIST) Office of Law Enforcement Standards, was established to decide the priorities and scope of technical development of P25.
Introduction
Interoperable emergency communication is integral to initial response, public health, safety of communities, national security and economic stability. Of all the problems experienced during disaster events, one of the most serious is communication, due to a lack of appropriate and efficient means to collect, process and transmit important and timely information. In some cases, radio communication systems are incompatible and inoperable not just within a jurisdiction but between departments or agencies within the same community. Non-operability occurs due to the use of outdated equipment, limited availability of radio frequencies, isolated or independent planning, lack of coordination and cooperation between agencies, community priorities competing for resources, funding, and ownership and control of communications systems [www.ncjrs.gov/pdffiles1/nij/204348.pdf]. Recognizing and understanding this need, Project 25 (P25) was initiated collaboratively by public safety agencies and manufacturers to address the issue with emergency communication systems. P25 is a collaborative project to ensure that two-way radios are interoperable. The goal of P25 is to enable public safety responders to communicate with each other and, thus, achieve enhanced coordination, timely response, and efficient and effective use of communications equipment.
P25 was established to address the need for common digital public safety radio communications standards for first responders and Homeland Security/emergency response professionals. The Telecommunications Industry Association's TR-8 engineering committee facilitates such work through its role as an ANSI-accredited standards development organization (SDO) and has published the P25 suite of standards as the TIA-102 series of documents, which now includes forty-nine separate parts on Land Mobile Radio and TDMA implementations of the technology for public safety.
P25 equipment has also been selected for a railroad system, including rolling stock, personnel, and transportation vehicles.
P25-compliant systems are being increasingly adopted and deployed. Radios can communicate in analog mode with legacy radios, and in either digital or analog mode with other P25 radios. Additionally, the deployment of P25-compliant systems will allow for a high degree of equipment interoperability and compatibility.
P25 standards use the Improved Multi-Band Excitation (IMBE) vocoder, designed by DVSI, to encode and decode the analog audio signals.
P25 may be used in "talk around" mode without any intervening equipment between two radios, in conventional mode where two radios communicate through a repeater or base station without trunking, or in a trunked mode where traffic is automatically assigned to one or more voice channels by a repeater or base station.
The protocol supports the use of Data Encryption Standard (DES) encryption (56-bit), 2-key Triple-DES encryption, 3-key Triple-DES encryption, Advanced Encryption Standard (AES) encryption at key lengths up to 256 bits, RC4 (40-bit, sold by Motorola as Advanced Digital Privacy), or no encryption.
The protocol also supports the ACCORDION 1.3, BATON, Firefly, MAYFLY and SAVILLE Type 1 ciphers.
P25 open interfaces
P25's suite of standards specifies eight open interfaces between the various components of a land mobile radio system. These interfaces are:
- Common Air Interface (CAI) - standard specifies the type and content of signals transmitted by compliant radios. One radio using CAI should be able to communicate with any other CAI radio, regardless of manufacturer
- Subscriber Data Peripheral Interface - standard specifies the port through which mobiles and portables can connect to laptops or data networks
- Fixed Station Interface - standard specifies a set of mandatory messages supporting digital voice, data, encryption and telephone interconnect necessary for communication between a Fixed Station and P25 RF Subsystem
- Console Subsystem Interface - standard specifies the basic messaging to interface a console subsystem to a P25 RF Subsystem
- Network Management Interface - standard specifies a single network management scheme which will allow all network elements of the RF subsystem to be managed
- Data Network Interface - standard specifies the RF Subsystem's connections to computers, data networks, or external data sources
- Telephone Interconnect Interface - standard specifies the interface to the Public Switched Telephone Network (PSTN), supporting both analog and ISDN telephone interfaces
- Inter RF Subsystem Interface (ISSI) - standard specifies the interface between RF subsystems which will allow them to be connected into wide area networks
P25 phases
P25-compliant technology is being deployed in several phases:
- Phase 1
Phase 1 radio systems operate in 12.5 kHz analog, digital or mixed mode. Phase 1 radios use Continuous 4 level FM (C4FM) modulation for digital transmissions at 4800 baud and 2 bits per symbol, yielding 9600 bits per second total channel throughput. Receivers designed for the C4FM standard can also demodulate the "Compatible quadrature phase shift keying" (CQPSK) standard, as the parameters of the CQPSK signal were chosen to yield the same signal deviation at symbol time as C4FM while using only 6.25 kHz of bandwidth.
Vendors are currently shipping Phase 1 P25-compliant systems. These systems involve standardized service and facility specifications, ensuring that any manufacturer's compliant subscriber radio has access to the services described in such specifications. Abilities include backward compatibility and interoperability with other systems, across system boundaries, and regardless of system infrastructure. In addition, the P25 suite of standards provides an open interface to the radio frequency (RF) subsystem to facilitate interlinking of different vendors' systems.
- Phase 2
To improve spectrum utilization, Phase 2 has been developed using a 2-slot TDMA (time division multiple access) scheme. Phase 2 uses the AMBE+2 vocoder to reduce the needed bitrate so that one voice channel will only require 6000 bits per second (including error correction and signalling).
Significant attention is also paid to interoperability with legacy equipment, interfacing between repeaters and other subsystems, roaming capacity and spectral efficiency/channel reuse. In addition, Phase 2 work involves console interfacing between repeaters and other subsystems.
Conventional implementation
P25 systems do not support Continuous Tone-Coded Squelch System (CTCSS) tones or Digital-Coded Squelch (DCS) codes for access control. Instead they use what is called a Network Access Code (NAC). This is a 12-bit code that prefixes every packet of data sent (including voice packets). The NAC is a feature similar to CTCSS or DCS for analog radios: radios can be programmed to only pass audio when receiving the correct NAC. NACs are programmed as a three-digit hexadecimal code that is transmitted along with the digital signal.
Since the NAC is a three-digit hexadecimal number (12 bits), there are 4096 possible NACs for programming, far more than all analog methods combined.
Three of the possible NACs have special functions:
- 0x293 ($293) - the default NAC
- 0xf7e ($F7E) - a receiver set for this NAC will pass audio on any decoded signal received
- 0xf7f ($F7F) - a repeater receiver set for this NAC will allow all incoming decoded signals and the repeater transmitter will retransmit the received NAC.
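As an added example (not from the page, and not any radio vendor's firmware), the following Python models the receiver-side squelch decision that the NAC provides, including the two wildcard values listed above. The function names, the accepted "$"/"0x" spellings and the sample calls are this example's own; the repeater case covers only the $F7F wildcard and an exact match, since the page describes no other repeater configuration.

```python
"""Network Access Code (NAC) handling for a conventional P25 channel.

Added example: not from the page or any radio vendor. Only the three special
values and the 12-bit width are page facts; the function names, the accepted
text formats and the sample calls are this example's own.
"""
from typing import Optional

NAC_BITS = 12
NAC_MAX = (1 << NAC_BITS) - 1   # 0xFFF, so 4096 possible codes
NAC_DEFAULT = 0x293             # $293: the default NAC
NAC_RX_ANY = 0xF7E              # $F7E: receiver passes audio on any decoded signal
NAC_REPEAT_ANY = 0xF7F          # $F7F: repeater accepts any NAC and retransmits it


def parse_nac(text: str) -> int:
    """Accept the '$293', '0x293' or '293' spellings and return the 12-bit value."""
    s = text.strip().lower()
    for prefix in ("$", "0x"):
        if s.startswith(prefix):
            s = s[len(prefix):]
            break
    # NACs are exactly three hex digits; reject anything longer, shorter or non-hex.
    if len(s) != 3 or any(c not in "0123456789abcdef" for c in s):
        raise ValueError(f"NAC must be exactly three hex digits: {text!r}")
    return int(s, 16)


def _check_range(nac: int) -> None:
    if not 0 <= nac <= NAC_MAX:
        raise ValueError(f"NAC out of 12-bit range: {nac:#x}")


def receiver_passes_audio(configured_nac: int, received_nac: int) -> bool:
    """Squelch decision of a subscriber radio, the digital analogue of CTCSS/DCS:
    audio is passed only when the received NAC matches, unless $F7E is programmed."""
    _check_range(configured_nac)
    _check_range(received_nac)
    if configured_nac == NAC_RX_ANY:
        return True
    return configured_nac == received_nac


def repeater_output_nac(configured_nac: int, received_nac: int) -> Optional[int]:
    """NAC the repeater transmits for a received signal, or None if it does not repeat it.

    With $F7F the repeater accepts every NAC and retransmits the one it received;
    otherwise (an assumption of this example) it repeats only matching traffic, so
    the output NAC equals its own.
    """
    _check_range(configured_nac)
    _check_range(received_nac)
    if configured_nac == NAC_REPEAT_ANY:
        return received_nac
    if configured_nac == received_nac:
        return configured_nac
    return None


if __name__ == "__main__":
    # Constructed sample: a radio on the default NAC hears three transmissions.
    mine = parse_nac("$293")
    for heard in ("$293", "$3AB", "$F7E"):
        print(f"rx {heard}: pass={receiver_passes_audio(mine, parse_nac(heard))}")
    print(f"repeater $F7F on $3AB -> {repeater_output_nac(NAC_REPEAT_ANY, 0x3AB):#05x}")
```

Note that $F7E is a receiver setting, not a magic value on the air: a radio programmed with $293 that hears a transmission carrying NAC $F7E stays squelched, because the match is made against what the receiver is configured for.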
Adoption
Adoption of these standards has been slowed by budget problems in the US; however, funding for communications upgrades from the Department of Homeland Security usually requires migrating to APCO-25. It is also being used in other countries worldwide, including Australia, New Zealand, Brazil, Canada, India, Singapore and Russia. As of mid-2004 there were 660 networks with P25 deployed in 54 countries. At the same time, in 2005, the European Terrestrial Trunked Radio (TETRA) was deployed in 60 countries, and it is the preferred choice in Europe, China and other countries. This is largely because TETRA systems are many times cheaper than P25 systems ($900 vs $6000 for a radio). As a result, almost all P25 networks are based in North America, where a P25 system has the advantage of the same coverage and frequency bandwidth as the earlier analogue systems that were in use, so that channels can be easily upgraded one by one. Both P25 and TETRA can offer varying degrees of functionality, depending on available radio spectrum, terrain and project budget.
While interoperability is a major goal of P25, many P25 features present interoperability challenges. In theory, all P25 compliant equipment is interoperable. In practice, interoperable communications isn't achievable without effective governance, standardized operating procedures, effective training and exercises, and inter-jurisdictional coordination. The difficulties inherent in developing P25 networks using features such as digital voice, encryption, or trunking sometimes result in feature-backlash and organizational retreat to minimal "feature-free" P25 implementations which fulfill the letter of any APCO-25 migration requirement without realizing the benefits thereof. Additionally, while not a technical issue per se, frictions often result from the unwieldy bureaucratic inter-agency processes that tend to develop to coordinate interoperability decisions.
Security flaws
In 2011, the Wall Street Journal published an article describing research into security flaws of the system, including a user interface that makes it difficult for users to recognize when transceivers are operating in secure mode. According to the article, "(R)esearchers from the University of Pennsylvania overheard conversations that included descriptions of undercover agents and confidential informants, plans for forthcoming arrests and information on the technology used in surveillance operations." The researchers found that messages sent over the radios are transmitted in segments, and that blocking only a portion of those segments can cause the entire message to be lost. "Their research also shows that the radios can be effectively jammed (single radio, short range) using a highly modified pink electronic child's toy and that the standard used by the radios 'provides a convenient means for an attacker' to continuously track the location of a radio's user. With other systems, jammers have to expend a lot of power to block communications, but the P25 radios allow jamming at relatively low power, enabling the researchers to prevent reception using a $30 toy pager designed for pre-teens."
The report was presented at the 20th USENIX Security Symposium in San Francisco in August 2011. It noted a number of security flaws in the Project 25 system, some specific to the way it has been implemented and some inherent in the security design.
Encryption lapses
The report did not find any breaks in the P25 encryption; however, the authors observed large amounts of sensitive traffic being sent in the clear because of implementation problems. They found the switch markings for secure and clear modes difficult to distinguish (∅ vs. o). This is made worse by the fact that a P25 radio set to secure mode continues to operate without issuing a warning if another party switches to clear mode. In addition, the authors said many P25 systems change keys too often, increasing the risk that an individual radio on a net is not properly keyed, which forces all users on the net to transmit in the clear in order to keep communicating with that radio.
Jamming vulnerability
One design choice was to use lower levels of error correction for portions of the encoded voice data deemed less critical for intelligibility. As a result, bit errors are expected in typical transmissions. While harmless for voice, the presence of such errors forces the use of stream ciphers, which tolerate bit errors (a corrupted ciphertext bit corrupts only the corresponding plaintext bit), and prevents the use of the standard technique for protecting message integrity, message authentication codes (MACs), since a MAC would reject every frame containing a channel error. Without a MAC the traffic is exposed to the usual stream cipher attacks, in which an attacker who knows part of the plaintext flips ciphertext bits to make predictable changes to it. The varying levels of error correction are implemented by breaking P25 message frames into subframes. This allows an attacker to jam entire messages by transmitting only during certain short subframes that are critical to reception of the whole frame, so an attacker can effectively jam Project 25 signals with average power levels much lower than those used for communication. Such attacks can be targeted at encrypted transmissions only, forcing users to transmit in the clear.
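The two cryptographic properties the paragraph above relies on, shown as an added example that is not code from the report or from any P25 implementation. P25 runs a block cipher in OFB mode, which behaves as a stream cipher; the keystream here is a constructed stand-in (SHA-256 in counter mode) so the block runs with the standard library alone, and the key, nonce and message are constructed. It shows that one corrupted ciphertext bit damages exactly one plaintext bit, that an HMAC over the same frame would reject that harmless error, and that without a MAC an attacker who knows part of the plaintext can rewrite it.

```python
import hashlib
import hmac

# Added example, not from the USENIX paper or any P25 implementation.
# Constructed keystream: SHA-256 in counter mode stands in for the OFB keystream.
# The properties demonstrated hold for any XOR stream cipher; the cipher is not the point.


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


stream_decrypt = stream_encrypt  # XOR is its own inverse


def flip_bit(data: bytes, bit: int) -> bytes:
    """Corrupt a single bit, as a channel error (or an attacker) would."""
    buf = bytearray(data)
    buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


def hamming_distance(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def channel_error_effect(key: bytes, nonce: bytes, plaintext: bytes, bit: int) -> int:
    """Plaintext bits damaged when one ciphertext bit is corrupted on the air.
    For a stream cipher this is exactly 1: no error propagation, so voice survives."""
    ct = stream_encrypt(key, nonce, plaintext)
    return hamming_distance(plaintext, stream_decrypt(key, nonce, flip_bit(ct, bit)))


def mac_accepts_after_channel_error(mac_key: bytes, key: bytes, nonce: bytes,
                                    plaintext: bytes, bit: int) -> bool:
    """Whether a sender-computed HMAC still verifies after one bit error in transit.
    It never does, which is why a MAC cannot be used on a link that expects errors."""
    ct = stream_encrypt(key, nonce, plaintext)
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    damaged_tag = hmac.new(mac_key, flip_bit(ct, bit), hashlib.sha256).digest()
    return hmac.compare_digest(damaged_tag, tag)


def bit_flip_forgery(key: bytes, nonce: bytes, plaintext: bytes, offset: int,
                     known: bytes, wanted: bytes) -> bytes:
    """Attacker knows `known` sits at `offset` in the plaintext. Without a MAC the
    receiver decrypts the modified ciphertext to `wanted` in its place."""
    ct = stream_encrypt(key, nonce, plaintext)
    delta = xor_bytes(known, wanted)
    forged = bytearray(ct)
    for i, d in enumerate(delta):
        forged[offset + i] ^= d          # attacker never needs the key
    return stream_decrypt(key, nonce, bytes(forged))


if __name__ == "__main__":
    key, nonce, mac_key = b"k" * 32, b"n" * 8, b"m" * 32       # constructed
    msg = b"UNIT 12 HOLD POSITION"                               # constructed
    print(channel_error_effect(key, nonce, msg, 9))
    print(mac_accepts_after_channel_error(mac_key, key, nonce, msg, 9))
    print(bit_flip_forgery(key, nonce, msg, 8, b"HOLD", b"MOVE"))
```

The forgery function is the reason the absence of a MAC matters: the attacker needs only the ciphertext and a guess at the plaintext layout, never the key.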
Because Project 25 radios are designed to work in existing two-way radio frequency channels, they cannot use spread spectrum
Spread spectrum
Spread-spectrum techniques are methods by which a signal generated in a particular bandwidth is deliberately spread in the frequency domain, resulting in a signal with a wider bandwidth...
modulation, which is inherently jam-resistant. An optimal spread spectrum system can require an effective jammer to use 1000 times as much power (30 dB more) as the individual communicators. According to the report, a P25 jammer could operate effectively at 1/25th of the power (14 dB less) of the communicating radios. The authors developed a proof-of-concept jammer using a Texas Instruments CC1110 single-chip radio, found in an inexpensive toy.
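Why a selective jammer gets away with a fraction of the average power, as an added example that is not code from the report. The frame layout (one short critical subframe followed by eight larger voice subframes), the per-subframe correctable-error budgets and the bit error rates are all constructed assumptions; real P25 frames use specific Golay, Hamming and BCH codes whose parameters are not reproduced here. The model keeps only the mechanism: the receiver loses the whole frame if the critical subframe fails, so a jammer keyed up only during that subframe achieves the same loss rate as an always-on jammer at a duty cycle, and therefore an average power, set by the subframe's share of the frame.

```python
import math
import random
from typing import List, Tuple

# Added example, not from the USENIX paper or any P25 implementation.
# Constructed model: a frame is a list of (n_bits, t) subframes, where a subframe
# decodes if it has at most t bit errors. The frame is usable only if every
# critical subframe decodes. All numbers below are assumptions for illustration.

LAYOUT: List[Tuple[int, int]] = [(64, 3)] + [(144, 7)] * 8   # critical header + 8 voice subframes
CRITICAL = [0]                                                # frame dies if subframe 0 fails
SELECTIVE = [True] + [False] * 8                              # jammer keyed only on subframe 0
ALWAYS_ON = [True] * 9                                        # brute-force jammer
SILENT = [False] * 9                                          # no jammer


def subframe_decodes(n_bits: int, t: int, ber: float, rng: random.Random) -> bool:
    errors = sum(1 for _ in range(n_bits) if rng.random() < ber)
    return errors <= t


def frame_survives(layout, critical, jam_mask, ber_clean, ber_jammed, rng) -> bool:
    """True if every critical subframe decodes under the jammer's on/off mask."""
    for i in critical:
        n_bits, t = layout[i]
        ber = ber_jammed if jam_mask[i] else ber_clean
        if not subframe_decodes(n_bits, t, ber, rng):
            return False
    return True


def loss_rate(layout, critical, jam_mask, trials: int = 500, seed: int = 1,
              ber_clean: float = 1e-3, ber_jammed: float = 0.25) -> float:
    """Fraction of frames lost; deterministic for a given seed."""
    rng = random.Random(seed)
    lost = sum(not frame_survives(layout, critical, jam_mask, ber_clean, ber_jammed, rng)
               for _ in range(trials))
    return lost / trials


def average_power_ratio_db(layout, jam_mask) -> float:
    """Average jammer power relative to an always-on jammer of the same peak power.
    The duty cycle is the jammed share of the frame's bits (equal symbol rate assumed)."""
    total = sum(n for n, _ in layout)
    on = sum(n for (n, _), j in zip(layout, jam_mask) if j)
    if on == 0:
        return float("-inf")
    return 10 * math.log10(on / total)


if __name__ == "__main__":
    for name, mask in (("always on", ALWAYS_ON), ("selective", SELECTIVE), ("silent", SILENT)):
        print(f"{name:10s} loss={loss_rate(LAYOUT, CRITICAL, mask):.2f} "
              f"avg power={average_power_ratio_db(LAYOUT, mask):.1f} dB")
```

Targeting only encrypted traffic, as the report describes, is the same mask gated on the clear-text header field that announces the encryption algorithm; the jammer reads that field exactly as a legitimate receiver would.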
Traffic analysis and active tracking
Certain metadata fields in the Project 25 protocol are not encrypted, allowing an attacker to perform traffic analysis to identify users even when the voice payload is encrypted. Because Project 25 radios respond to bad data packets addressed to them with a retransmission request, an attacker can deliberately send bad packets, forcing a specific radio to transmit even if the user is attempting to maintain radio silence. Such tracking by authorized users is considered a feature of P25, referred to as "presence".
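What the clear metadata gives an observer, and what a defender can pull from the same fields, as an added example that is not code from the report. It serves both the traffic analysis point above and the encryption lapses described earlier: the call records, field names and unit numbers are constructed for this example rather than taken from a real capture, and the only assumption is that the source unit ID, talkgroup and an encrypted/clear indicator are observable per call.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

# Added example, not from the USENIX paper. Operates on per-call metadata that
# P25 carries in the clear regardless of voice encryption. Records are constructed.


class Call(NamedTuple):
    t: float          # seconds since capture start
    src_unit: int     # transmitting radio's unit ID (sent in the clear)
    talkgroup: int
    encrypted: bool   # derived from the clear-text encryption indicator


CALLS: List[Call] = [  # constructed sample capture
    Call(0.0, 1101, 10, True),
    Call(3.5, 1102, 10, True),
    Call(7.0, 1101, 10, True),
    Call(40.0, 1103, 10, False),   # clear call on a talkgroup that is otherwise encrypted
    Call(42.0, 1101, 10, True),
    Call(120.0, 2201, 20, False),
    Call(123.0, 2202, 20, False),
    Call(300.0, 1101, 10, True),
]


def units_per_talkgroup(calls: List[Call]) -> Dict[int, Set[int]]:
    """Who belongs to which net: readable without any key material."""
    groups: Dict[int, Set[int]] = defaultdict(set)
    for c in calls:
        groups[c.talkgroup].add(c.src_unit)
    return dict(groups)


def reply_edges(calls: List[Call], window: float = 10.0) -> Dict[Tuple[int, int], int]:
    """Count 'B answered A': consecutive calls on one talkgroup by different units
    within `window` seconds. Timing alone exposes who talks to whom."""
    last: Dict[int, Call] = {}
    edges: Dict[Tuple[int, int], int] = defaultdict(int)
    for c in sorted(calls, key=lambda c: c.t):
        prev = last.get(c.talkgroup)
        if prev is not None and prev.src_unit != c.src_unit and c.t - prev.t <= window:
            edges[(prev.src_unit, c.src_unit)] += 1
        last[c.talkgroup] = c
    return dict(edges)


def encryption_lapses(calls: List[Call], min_ratio: float = 0.5) -> List[Call]:
    """Defender's view of the same data: clear calls on talkgroups where at least
    `min_ratio` of calls are encrypted, i.e. a net that is supposed to be secure but
    where some radio (mis-set switch, missing key) is transmitting in the clear."""
    by_tg: Dict[int, List[Call]] = defaultdict(list)
    for c in calls:
        by_tg[c.talkgroup].append(c)
    lapses: List[Call] = []
    for cs in by_tg.values():
        if sum(c.encrypted for c in cs) / len(cs) >= min_ratio:
            lapses.extend(c for c in cs if not c.encrypted)
    return sorted(lapses, key=lambda c: c.t)


if __name__ == "__main__":
    print(units_per_talkgroup(CALLS))
    print(reply_edges(CALLS))
    print(encryption_lapses(CALLS))
```

The same feed that lets an attacker build a call graph lets a dispatcher alarm on the first clear transmission on a secure net, which is the operational check the report's authors were effectively asking for.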
The report's authors concluded: "It is reasonable to wonder why this protocol, which was developed over many years and is used for sensitive and critical applications, is so difficult to use and so vulnerable to attack." The authors separately issued a set of recommendations for P25 users to mitigate some of the problems found. These include disabling the secure/clear switch, using Network Access Codes to segregate clear and encrypted traffic, and extending key life.
See also
- APCO-16, another standard that was not as widely accepted, dealing with trunking formats
- NXDN, a two-way digital radio standard with similar characteristics
External links
- http://www.project25.org/ Project 25 Technology Interest Group (PTIG) home page
- P25 Overview TIA Standards Development Activities for Public Safety
- http://www.apco911.org/frequency/project25.php APCO International Project 25 page
- http://www.p25.com/resources/P25TrainingGuide.pdf Daniels' P25 Radio System Training Guide
- http://urgentcomm.com/mag/radio_oil_water/ Some ways of avoiding P25 interoperability challenges
- http://www.valid8.com/sip_issi_conformance_test_pro.html P25 Compliance Test Tools for ISSI
- http://www.etherstack.com/networks.htm#1 P25 Protocol Stack Software
- http://www.dvsinc.com/prj25.htm DVSI P25 Vocoder Software and Hardware
- Sandy Clark et al., Security Weaknesses in the Apco Project 25 Two-Way Radio System University of Pennsylvania, 2010, retrieved 2011 Aug 12