SIGINT and Traffic Analysis for the Rest of Us presented at DEF CON 20

by Sandy Clark, Matt Blaze

Summary: Last year, we discovered practical protocol
weaknesses in P25, a secure two-way radio
system used by, among others, the federal
government to manage surveillance and other
sensitive law enforcement and intelligence
operations. Although some of the problems are
quite serious (efficient jamming, cryptographic
failures, vulnerability to active tracking of idle
radios, etc.), many of these vulnerabilities
require an active attacker who is able and
willing to risk transmitting. So we also examined
passive attacks, where all the attacker needs
to do is listen, exploiting usability and key
management errors when they occur. And we
built a multi-city networked P25 interception
infrastructure to see how badly the P25 security
protocols do in practice (spoiler: badly).
This talk will describe the P25 protocols and how
they failed, but will focus on the architecture
and implementation of our interception network.
We used off-the-shelf receivers with some
custom software deployed around various US
cities, capturing virtually every sensitive, but
unintentionally clear transmission (and associated
metadata) sent by federal agents in those cities.
And by systematically analyzing the captured
data, we often found that the whole was much
more revealing than the sum of the parts. Come
learn how to set up your own listening post.