Authenticated Radio Disable - closes security vulnerability from 2014

[motoapx]

Haven't seen this mentioned much on the forums outside of the bit where Motorola accidentally bricked radios with the feature release... but I thought it deserved to have some additional attention drawn to it given a previous thread about TRBO subscriber security. The link below describes the feature in EMEA R2.6, but I believe this was pushed with R2.5.x in NA firmware (R2.6 for "e" series radios, apparently).

http://cwh050.blogspot.com/2016/05/new-in-r26-authenticated-radio-disable.html

It looks like Motorola has gotten around to "fixing" the radio inhibit security vulnerability that Mars and company had reported back to the company back in 2014, by way of the Authenticated Radio Disable feature. It seems that with ARD, when an inhibit command is sent to a subscriber, either knowledge of the device's EP / AES key, or a user passphrase is required to assert the inhibit function, which would keep unauthorized parties from disabling the radio as Mars originally reported.

Of course, "fixed" is in quotes here, because it looks like the ARD option may be a paid EID. Anyone know if ARD comes for free with the new firmware, or is this a paid option?

 

[DJ0WH]

This is a paid feature (EID).


Sent from my iPad using Tapatalk

 

[Mars]

This is a paid feature (EID).


Sent from my iPad using Tapatalk

Respectfully, why? Security enhancements/fixes shouldn't be paid features/upgrades.

 

[DJ0WH]

Because MOTOTRBO is not seen as "mission critical".... :-/


Sent from my iPad using Tapatalk

 

[Mars]

Because MOTOTRBO is not seen as "mission critical".... :-/

First, I'm not blaming you, or trying to make you the guy in the hot-seat here by asking these questions. You're a valued member of the forum, a very intelligent and helpful resource to everyone in the industry and seem like a sincere, genuine person.

What do "Mission Critical" and "Operations Critical" actually mean, in Motorola lingo? "Luxury and shit"?

Motorola has had some major difficulty in the last 4-5 years. Things are not looking good. I believe one of the reasons (among many) things are looking bleak, is because they've lost touch with the customers' needs. In North America, they are FIXATED on up-selling APX gear to those whom do not need it. Want AES-256 so you can satisfy your credit card merchant account security prerequisites for processing payment in the field? TRBO with 40-bit garbage isn't good enough...APX ONLY. But in the EMEA, AS or LA markets, AES seems to be available.

(On a sidenote, the fact AES is readily available for purchase through Motorola in the EMEA, AS and LA markets seems to contradict with the recent DHS ICE concerns of AES being exported to other countries -- which I've had no part of.)

Somehow, I don't think Greg cares about the direction of Motorola Solutions' two-way offerings at the moment.

 

[DJ0WH]

What can I say.....


Sent from my iPad using Tapatalk

 

[DJ0WH]

First, I'm not blaming you, or trying to make you the guy in the hot-seat here by asking these questions. You're a valued member of the forum, a very intelligent and helpful resource to everyone in the industry and seem like a sincere, genuine person.

What do "Mission Critical" and "Operations Critical" actually mean, in Motorola lingo? "Luxury and shit"?

Motorola has had some major difficulty in the last 4-5 years. Things are not looking good. I believe one of the reasons (among many) things are looking bleak, is because they've lost touch with the customers' needs. In North America, they are FIXATED on up-selling APX gear to those whom do not need it.

Somehow, I don't think Greg cares about the direction of Motorola Solutions' two-way offerings at the moment.

That's a discussion to have over several Molsons...


Sent from my iPad using Tapatalk

 

[Magnus]

Here is what Motorola says Mission Critical is.


https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&cad=rja&uact=8&ved=0ahUKEwjA6pu9oJTNAhUI7WMKHfKrAg8QFggiMAE&url=https%3A%2F%2Fwww.motorolasolutions.com%2Fcontent%2Fdam%2Fmsi%2Fdocs%2Fen-xw%2Fstatic_files%2FMission_Critical_Communications_Tougher_White_Paper.pdf&usg=AFQjCNHtE6gDqydcO_42rz-H90FyQCs9SQ&sig2=-o7yFJEp8v8-7n-iLws94A&bvm=bv.123664746,d.cGc

 

[cyrus]

What do "Mission Critical" and "Operations Critical" actually mean, in Motorola lingo? "Luxury and shit"?

At one point, Motorola referred to TRBO as Business Critical.

I have a feeling they were having a tough time selling Business Critical to smaller public safety agencies so they changed the name to Operations Critical.

 

[mss-dave]

Might just have to call the entire brand "Future Proof" here shortly.

Sent from Samsung G4 on Tapatalk