
Thread: New TRBO security feature: No more passive monitoring

  1. #1
    Join Date
    Dec 21, 2011
    Posts
    4,545
    Thanks
    3,879
    Thanked 6,740 Times in 1,930 Posts
    Country: Canada

    Default New TRBO security feature: No more passive monitoring

    Included in the latest firmware (for 1.0 radios) is a new feature:

    https://www.p25.ca/threads/1868-Moto...d?goto=newpost

    1) Restricted Access to System (RAS): prevents the unauthorized subscriber users from using the repeaters in the radio system and listening to repeater outbound voice/data/CSBK transmission, through the use of RAS Key authentication and Radio ID Range Check. This feature is supported on all MOTOTRBO subscriber platforms, as well as on XPR8300, XPR8400, XPR8380 and MTR3000 repeaters.

    ----

    This essentially means those who choose to do so, can LOCK OUT unauthorized listeners from a repeater/system. This is not good. No more "I got the slot, color code and call group, and that's all I need".

    Not good for those of us using TRBO portables for monitoring certain systems


  2. The Following User Says Thank You to Mars For This Useful Post:

    blcomm (Nov 24, 2016)

  3. #2
    cyrus's Avatar
    cyrus is offline Trailer Park Superintendent
    Join Date
    Jan 05, 2012
    Location
    Moonbase Alpha
    Posts
    842
    Thanks
    253
    Thanked 332 Times in 158 Posts
    Country: Japan

    Default

    I'm curious how this will work.

    Is it encrypting the signal between the repeater and users on the system or is it a key sent along with the unencrypted signal that the receiving radio won't unmute without the corresponding key?

    If it's just a key, then the receiving radio would need newer firmware in order to recognize the lack of a key and not unmute.

    If so, then this might be a good reason not to upgrade firmware.

    Hmmm.
    Cyrus

    Bubbles: I'd like to see that Red Blue Green c***sucker put one of those together, duct-tapin' it.

  4. The Following User Says Thank You to cyrus For This Useful Post:

    blcomm (Nov 24, 2016)

  5. #3
    Join Date
    Nov 25, 2012
    Location
    The Dark Side of the Moon
    Posts
    36
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default

    Back when I was a NEXEDGE TRS Administrator, we had something like this (encryption, though - think ADP...) enabled on every radio, even ones that weren't on our trunked system (conventional and/or simplex users). Kept other vendors out, and is scanner safe (well, when someone makes a scanner that can decode it, anyways).

    This information was inherent in most/all of the NXDN brochures, and every customer who saw it, wanted it, or at least as close to cell-phone security as they could get. (NXDN also supports AES256 with the purchase of an add-on board from Kenwood direct, AND loads with Motorola KVLs)

  6. #4
    Join Date
    Dec 21, 2011
    Posts
    4,545
    Thanks
    3,879
    Thanked 6,740 Times in 1,930 Posts
    Country: Canada

    Default

    AFleetingGlimpse: Thanks for the Kenwood info. I've never played with their products before.

    As for this new RAS thing, I think it's very close to "P25 Radio Authentication", in which an AES-GCM key (128 bits) is loaded into the radio and is required to affiliate, transmit, etc. on an ASTRO25 (Moto) trunking system. I don't think this is an APCO-25-supported feature. I'm not at all familiar with the complete details of P25RA, but that's kind of how it was explained to me. XPR8300 should know more.

    RAS will lock out freeloaders/pirates, too.

    TRBO already has two levels of "encryption": Basic (256 different keys), and Enhanced. Enhanced is basically 40-bit RC4. (ADP). It has a 5-byte key-length.

    Supposedly, Moto is coming out with a new level of Enhanced encryption for the TRBO 2.0 radios (7550, etc.) which will utilize AES-128. This should be in a firmware update, in the very near future.

  7. #5
    cyrus's Avatar
    cyrus is offline Trailer Park Superintendent
    Join Date
    Jan 05, 2012
    Location
    Moonbase Alpha
    Posts
    842
    Thanks
    253
    Thanked 332 Times in 158 Posts
    Country: Japan

    Default

    Could be another "you must affiliate before receiving" type thing.

    Of course, that won't keep DSD listeners out.

    I have to wonder if this is a M proprietary addition to the ETSI standard which would keep other manufacturers' radios off M systems?
    Cyrus


  8. #6
    Join Date
    Aug 06, 2012
    Location
    Ontario, Canada
    Posts
    701
    Thanks
    138
    Thanked 231 Times in 116 Posts
    Country: Canada

    Default

    Interesting... the wording in the CPS help file is a little different:

    The Restricted Access to System (RAS) feature provides the capability of preventing invalid subscriber users from using the repeater to transmit in a system. This includes all the voice, data and signaling transmissions of repeater mode in any system configurations (i.e. Conventional Single Site, IP Site Connect, Capacity Plus, and Linked Capacity Plus). Besides a password-like protection using RAS ID, the Radio ID Range Check provides additional protection for system access. It allows the CPS user to configure whether a subscriber radio can use the system's repeaters as specified in the subscriber ID ranges.
    Notice it doesn't mention anything about listening to repeater outputs. And for the RAS key itself:

    The first level of protection is via a password-like protection using RAS ID. This allows the user to add Key Alias and Key Value (i.e. RAS ID) on subscribers. Up to a maximum of 16 RAS IDs can be added. The RAS ID is 6-24 unicode characters including 0-9, A-Z, a-z, hyphen '-', underscore '_', dollar '$' and pound '#'.
    It will be interesting to see if this password is transmitted as part of a CSBK command or if the stream is 'encrypted' with the RAS key. On a positive note, this is an add-on feature to be purchased, it doesn't come enabled by default in the repeater.

  9. The Following User Says Thank You to Forts For This Useful Post:

    blcomm (Nov 24, 2016)
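
    The CPS help text quoted in post #6 gives concrete limits for a RAS configuration (up to 16 RAS IDs, 6-24 characters from a fixed set, plus a Radio ID range check). The following is an added example, not code from the thread, from Motorola or from CPS: a small audit of a planned configuration. The dictionary layout, the function names and the 40-bit comparison point (the Enhanced privacy key length mentioned in post #4) are assumptions.

```python
import math
import re

# Limits as quoted from the CPS help file in post #6.
RAS_ID_RE = re.compile(r"[0-9A-Za-z\-_$#]{6,24}")
MAX_RAS_IDS = 16
ALPHABET_SIZE = 10 + 26 + 26 + 4  # digits, A-Z, a-z, '-', '_', '$', '#'

# Constructed sample configuration (hypothetical layout, not a CPS export).
SAMPLE = {
    "ras_ids": {"ops": "Yard-7", "fleet": "k3_Tz$9q#Lm2", "bad": "has space"},
    "radio_id_ranges": [(1000, 1999), (1500, 2500)],
}


def ras_id_bits(ras_id):
    """Upper bound on entropy in bits, assuming uniformly random characters."""
    return len(ras_id) * math.log2(ALPHABET_SIZE)


def radio_id_allowed(config, radio_id):
    """Radio ID Range Check: is this subscriber ID inside a configured range?"""
    return any(lo <= radio_id <= hi for lo, hi in config.get("radio_id_ranges", []))


def audit_ras_config(config, min_bits=40):
    """Return a list of findings; min_bits is an assumed comparison point."""
    findings = []
    keys = config.get("ras_ids", {})
    if len(keys) > MAX_RAS_IDS:
        findings.append(f"{len(keys)} RAS IDs configured, maximum is {MAX_RAS_IDS}")
    for alias, value in keys.items():
        if not RAS_ID_RE.fullmatch(value):
            findings.append(f"{alias}: not 6-24 characters from the allowed set")
        elif ras_id_bits(value) < min_bits:
            bits = ras_id_bits(value)
            findings.append(f"{alias}: at most {bits:.0f} bits, below {min_bits}")
    ranges = sorted(config.get("radio_id_ranges", []))
    for lo, hi in ranges:
        if lo > hi:
            findings.append(f"Radio ID range {lo}-{hi} is reversed")
    # Overlapping ranges are not forbidden by the quoted text; flagged as hygiene.
    for a, b in zip(ranges, ranges[1:]):
        if b[0] <= a[1]:
            findings.append(f"Radio ID ranges {a} and {b} overlap")
    return findings


if __name__ == "__main__":
    for finding in audit_ras_config(SAMPLE):
        print(finding)
```

    A minimum-length (6-character) RAS ID tops out at about 36 bits under this estimate, so the audit flags it against the 40-bit comparison point.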

  10. #7
    Join Date
    Aug 06, 2012
    Location
    Ontario, Canada
    Posts
    701
    Thanks
    138
    Thanked 231 Times in 116 Posts
    Country: Canada

    Default

    It's also interesting that they jumped from firmware 1.09.10 to 1.11.02. The fact that it mentions 'listening to outbound CSBK transmissions' almost makes me think the info between the radio and repeater is encrypted with the RAS key, which would block programs like DMRDecode and DSD (I would think).

  11. #8
    syntrx No Longer Registered

    Default

    Or it could be something like ESK on EDACS, which doesn't actually protect the signalling but just instructs the radio not to follow the system.

  12. #9
    Join Date
    Aug 06, 2012
    Location
    Ontario, Canada
    Posts
    701
    Thanks
    138
    Thanked 231 Times in 116 Posts
    Country: Canada

    Default

    Yeah, that could be. I can't see many existing systems upgrading to this unless they are having issues with hijackers on the system. Plus if you are already using privacy you don't need to worry about anyone listening in. It will be interesting to see how aggressively the radio shops sell this feature to new clients though.

  13. #10
    syntrx No Longer Registered

    Default

    Quote Originally Posted by Forts View Post
    Yeah, that could be. I can't see many existing systems upgrading to this unless they are having issues with hijackers on the system. Plus if you are already using privacy you don't need to worry about anyone listening in. It will be interesting to see how aggressively the radio shops sell this feature to new clients though.
    You can bet Motorola shops with a competing Hytera dealer nearby will be all over it

  14. #11
    Join Date
    May 14, 2012
    Posts
    326
    Thanks
    78
    Thanked 199 Times in 93 Posts
    Country: Canada

    Default

    If this would block things like DSD and "cloned" radios from working on the system...there'd really be no point in using encryption on top. I suspect it is something simple that would tell a radio unless the system says "yes", it cannot play on the system. Problem now is that a system that's only using 1 time slot, there's absolutely nothing stopping others from hijacking the other timeslot. There's a couple of lids in Toronto that used to hang out on FRS that do exactly that.

  15. #12
    Join Date
    Dec 29, 2012
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default

    Quote Originally Posted by Forts View Post
    It's also interesting that they jumped from firmware 1.09.10 to 1.11.02. The fact that it mentions 'listening to outbound CSBK transmissions' almost makes me think the info between the radio and repeater is encrypted with the RAS key, which would block programs like DMRDecode and DSD (I would think).
    RAS does not prohibit passive listening!

  16. #13
    Join Date
    Apr 09, 2012
    Location
    Australia
    Posts
    910
    Thanks
    255
    Thanked 634 Times in 240 Posts
    Country: Australia

    Default

    Quote Originally Posted by Mars View Post
    As for this new RAS thing, I think it's very close to "P25 Radio Authentication", in which an AES-GCM key (128 bits) is loaded into the radio and is required to affiliate, transmit, etc. on an ASTRO25 (Moto) trunking system. I don't think this is an APCO-25-supported feature. I'm not at all familiar with the complete details of P25RA, but that's kind of how it was explained to me.
    Hi Mars,

    P25RA is compliant to the P25 TIA.102 standards. Document TIA.102.AACE is the one that describes it.

    Suffice to say, a security analysis of this protocol has been done and it's very tight indeed. No known holes that we can see. The TIA committee has clearly had a good think about what they were doing when designing it.

    Interestingly it was released in July 2003 - it had been around for yonks before a product actually came to market..

    Cheers,
    Matt

  17. #14
    Join Date
    Apr 09, 2012
    Location
    Australia
    Posts
    910
    Thanks
    255
    Thanked 634 Times in 240 Posts
    Country: Australia

    Default

    I'd be willing to bet this is the case.

    Quote Originally Posted by syntrx View Post
    Or it could be something like ESK on EDACS, which doesn't actually protect the signalling but just instructs the radio not to follow the system.

  18. #15
    Join Date
    Feb 04, 2012
    Posts
    1,874
    Thanks
    180
    Thanked 668 Times in 303 Posts

    Default

    All the data I have received so far about it is that it appears to be a header package added to the PDU. The checks are to allow access to the repeater network; so far there is nothing to indicate that the actual voice or digital voice packets are in any way modified.

    I have requested additional info on the actual packet format etc. A copy of AACE would make nice reading hint hint.

  19. #16
    Join Date
    Dec 21, 2011
    Posts
    4,545
    Thanks
    3,879
    Thanked 6,740 Times in 1,930 Posts
    Country: Canada

    Default

    But what about monitoring with an unauthorized TRBO radio? Could the squelch rules be changed? (They already took away the equivalent of digital CSQ)

  20. #17
    Join Date
    Feb 04, 2012
    Posts
    1,874
    Thanks
    180
    Thanked 668 Times in 303 Posts

    Default

    From what I have heard from my local TRBO dealer and Moto, once the upgrade is installed the radio looks for the package in the OBW. The system when upgraded also looks for the package in the ISW.

    What is said or rather not said; I suspect that a non-upgraded radio would continue to be able to receive the system fine. The only issue would be if the OSW is changed in such a manner as to make an old radio not recognise the system header/PDU. Until a system is enabled and monitored using the RAC it's up in the air. My feeling is there is no such change as it would require a complete fleet reprogram rather than a migration as the system is switched over.

  21. #18
    Join Date
    Nov 05, 2012
    Posts
    332
    Thanks
    279
    Thanked 236 Times in 146 Posts
    Country: United States

    Default

    I definitely see the additional packet header update as more likely than something that would require reprogramming an entire fleet of radios. M could be not understanding as to the challenges of managing a TRBO system but from what I've observed, they like to advertise "migration" rather than a "simultaneous switchover". On lots of their product lines they like to push the forward/backward compatible whole theme deal. The question is whether the hardware and software behind the tech back this up. Just my speculative analysis.

  22. #19
    Join Date
    Dec 12, 2012
    Location
    CA
    Posts
    8
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default

    Well, Motorola Trbo has 3 different systems, trbo conventional, capacity plus and connect plus digital trunking. Connect plus has that future already, where capacity plus is hybrid digital trunking limited to 254 TG-s. I do not see how they will be able to prevent someone from listening on regular conventional digital mode, I know you can use enhanced encryption and many different TG-s. Also DMR is open project and so whatever big M is doing is actually illegal.

  23. #20
    Join Date
    Feb 04, 2012
    Posts
    1,874
    Thanks
    180
    Thanked 668 Times in 303 Posts

    Default

    Quote Originally Posted by t95mwp View Post
    so whatever big M is doing is actually illegal.
    I disagree. Their systems are designed to support their products. There is no requirement anywhere to say that they cannot add or modify the contents of the signalling/control words to suit their wants/needs or products exclusively. The only requirement is that the overall TRBO format meet the TIA standards, and as mentioned in post 13 this addition is compliant.

  24. #21
    Join Date
    Dec 30, 2012
    Location
    8.8.8.8
    Posts
    130
    Thanks
    1,158
    Thanked 122 Times in 69 Posts
    Country: United States

    Default

    This sounds like what I have been told is built into NXDN. For conventional NXDN with the correct parameters a radio can passively listen. But with trunking when the radio recognizes the system as a "system" it will not monitor even if scanning the frequencies conventionally.

    For what it's worth.

  25. #22
    Join Date
    Aug 06, 2012
    Location
    Ontario, Canada
    Posts
    701
    Thanks
    138
    Thanked 231 Times in 116 Posts
    Country: Canada

    Default

    Yes it does sound similar.... Which is why I was surprised that Connect Plus trunking could be scanned 'conventionally'...

  26. #23
    syntrx No Longer Registered

    Default

    Quote Originally Posted by Notarola View Post
    I disagree. Their systems are designed to support their products. There is no requirement anywhere to say that they cannot add or modify the contents of the signalling/control words to suit their wants/needs or products exclusively. The only requirement is that the overall TRBO format meet the TIA standards, and as mentioned in post 13 this addition is compliant.
    Post 13 was about P25 rather than MOTOTRBO, but the same deal.

    Motorola only needs to adhere to the basic ETSI DMR specifications to be able to call their systems DMR, and to be able to license standards-essential patents owned by other companies under FRAND terms. Beyond that, they and the other manufacturers are free to extend the platform with their own features as much as they like. Nothing illegal about it.

    They've even patented their LRRP and TMS protocol implementations (which are not part of the DMR specification) specifically to prevent other companies building radios compatible with those features, and legally they're free to do so.

  27. #24
    cyrus's Avatar
    cyrus is offline Trailer Park Superintendent
    Join Date
    Jan 05, 2012
    Location
    Moonbase Alpha
    Posts
    842
    Thanks
    253
    Thanked 332 Times in 158 Posts
    Country: Japan

    Default New TRBO security feature: No more passive monitoring

    I'm sure the radio cops aren't going to come and bust down Motorola's door for doing something "illegal".

    Adding proprietary extensions to a standard is just a company's way of enhancing the standard and making sure they offer something to entice customers to their system. It also locks the customer in to the company and helps with repeat sales.

    Illegal? Nope. Just good ole capitalism.
    Cyrus


  28. #25
    Join Date
    Jan 10, 2013
    Location
    eastern side of au
    Posts
    256
    Thanks
    107
    Thanked 170 Times in 95 Posts
    Country: Australia

    Default

    Quote Originally Posted by cyrus View Post
    I'm sure the radio cops aren't going to come and bust down Motorola's door for doing something "illegal".

    Adding proprietary extensions to a standard is just a company's way of enhancing the standard and making sure they offer something to entice customers to their system. It also locks the customer in to the company and helps with repeat sales.

    Illegal? Nope. Just good ole capitalism.
    Maybe so, there is nothing really wrong with capitalism in the context it funds development of technology etc., but I have friends who are customers of Motorola and other companies asking the questions around vendor lock-in and the true TCO, and they are starting to walk to more open platforms, or should I say moving away from less proprietary providers. In the case of one friend, they have walked from moto to another provider because of lock-in and lack of interoperability between products which have all been built to an 'open standard'.

    If moto is what Microsoft is to IT software then I wonder who is going to become the Google of the digital radio market!