https://twitter.com/mattblaze/status/1173990631540236288

Thinking about the FBI CI comms / Russia story some more (and chatting with 
some folks), I think most (but not all) of both the radio compromise and the 
PTT phone app compromise can be explained by systematic exploitation of known 
vulnerabilities.

For the radio stuff, we found (and published in 2011) attacks against P25 
encrypted communication that exploit the ways the protocol aggressively leaks 
metadata. See https://www.mattblaze.org/papers/p25sec.pdf (https://t.co/1Uj6DdNnlk). 
Our paper does not explain how to recover encrypted voice traffic, however.

Key management in P25 is a mess, and I would be unsurprised if there were 
attacks against things like the key generation scheme used in, say, Motorola's 
key-loaders. But I don't know of any specific weaknesses here.

For the phone app attacks, remember that smartphone handsets leak all sorts of 
unencrypted metadata - IMSI on the cellular network, but also wifi and 
bluetooth MAC addresses. Systematically collecting this is easy and would 
identify agents following you over time.

Once identified, this metadata also provides useful information for targeting 
those handsets with more active attacks (at some risk of alerting them, but 
that's a typical tradeoff in intelligence).

Basically, systematic application of well known techniques (well within reach 
of a university, let alone a state actor) is sufficient to explain the traffic 
analysis of both the FBI's radios and its smartphone PTT app. Encrypted voice 
recovery is left as an exercise to the TLA.

BTW, a sub-scoop in the Yahoo story was the existence of the FBI PTT app, which 
I've never seen any public reference to. (It basically replaces the old Nextel 
system, which the FBI and other fed LE were heavy users of).

Anyway, the key difference between the Russians and some nerd with a scanner 
here isn't so much budget or tech ability, but willingness and motivation to be 
extremely systematic in what's collected and analyzed.

----

ED. Note: back in the late oughts I used this trick as a supercharged radar 
detector. The police in Beaverton / Hillsboro had a citywide wireless network 
set up with VPN, but you could see all the MACs (BSSIDs) associated with the 
cruisers, the photo radar vans, the surveillance teams. If a cop joined their 
phone to the police network, you could then track that phone's MAC (BSSID) as a 
known police device. You'd watch for VPN traffic (IPsec ESP or AH) to identify 
actual clients vs. just random connects by strangers. A directional antenna 
across from the police dept. sniffed 24/7/365...

Set a custom alert in Kismet by MAC, then you're good to go! Detect them before 
you see them, even if the radar is off :P

best regards,
