Skip to: [ search ] [ menus ] [ content ] Select style [ Aqua ] [ Citrus ] [ Fire ] [ Orange ] [ show/hide more content ]

Jammin’ the Feds’ radios with the $30 “GirlTech IMME!”

Today, University of Pennsylvania associate professor Matt Blaze presented, at the Usenix Security Conference in San Francisco, a paper on using a $30 child’s toy, the GirlTech IMME (a pink instant-messaging device by Mattel that is marketed to pre-teen girls) to disrupt radio communications used by every federal law enforcement agency, from the FBI to the Secret Service to Homeland Security. The wireless standard used in the expensive radios of the Feds is known as Project 25 or P25 and has been widely adopted across federal agencies over the last decade to promote interoperability with secure, digital, encrypted communications. A number of state and local police associations have also adopted P25. A handheld Midland P25 Digital costs $3,295 and scanners are almost $450.

Blaze has contacted the Justice Department and the Defense Department, which ALSO use P25, and now both are aware of the problems and are trying to mitigate against them.

The reason that P25 is so easy to jam is that the standard DOES NOT USE SPREAD SPECTRUM, which would put the jammer at a disadvantage. Project 25 relies on the transmission of metadata, instead, and the metadata must be transmitted PERFECTLY. It turns out that a pulse that lasts just 1/100 of a second is enough to disrupt the transmission of the metadata.

The researchers are expecting the general release of a Project 25 jamming kit, over the Net, sometime soon.

“It’s going to be someone somewhere creating the Project 25 jamming kit and it’ll be something that you download from the Net,” Blaze said. “We’re not there right now, but we’re pretty close.”

The title of the paper is “Why (Special Agent) Johnny (Still) Can’t Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio System,” (PDF) and the other authors are Sandy Clark, Travis Goodspeed, Perry Metzger, Zachary Wasserman, and Kevin Xu.

From the title, you might guess that a second security vulnerability falls under the title: “human error.” Although the researchers found no problems with the encryption that is used in P25, the ALSO found that that federal agents FREQUENTLY do not turn encryption ON! The researcher were kind enough not to publicly announce which groups are the worst offenders. To intercept the federal P25 communications, the Pennsylvania researchers used a $1000 receiver that can be purchased off the shelf, but they say that they could have gotten by with hobbyist-grade inexpensive equipment from Radio Shack.

CNET presented an excerpt from the research paper:

“The traffic we monitored routinely disclosed some of the most sensitive law enforcement information that the government holds, including: Names and locations of criminal investigative targets, including those involved in organized crime… Information relayed by Title III wiretap plants…Plans for forthcoming arrests, raids and other confidential operations…

On some days, particularly weekends and holidays, we would capture less than one minute, while on others, we captured several hours. We monitored sensitive transmissions about operations by agents in every Federal law enforcement agency in the Department of Justice and the Department of Homeland Security. Most traffic was apparently related to criminal law enforcement, but some of the traffic was clearly related to other sensitive operations, including counter- terrorism investigations and executive protection of high ranking officials…”

Yet a third vulnerability is that P25 transmits a unique identifier from each radio, which is broadcast in unencrypted form. This fact allows eavesdroppers to do “traffic analysis” (something routinely done in corporations,with cell phones) to find out who is talking to whom.

Last November, many of the same authors published a security analysis of Project 25 in which they state:

“In particular, P25 systems are highly susceptible to active traffic analysis attacks, in which radio user locations are surreptitiously determined, and selective jamming attacks, in which an attacker can jam specific kinds of traffic (such as encrypted messages or key management traffic). The P25 protocols make such attacks not only feasible but highly efficient, requiring, for example, significantly less aggregate energy output from a jammer than from the legitimate transmitters.”

-Bill at

Cheshire Cat Photo™ – “Your Guide to California’s Wonderland™”

You can view higher-resolution photos at the Cheshire Cat Photo™ Pro Gallery on Shutterfly™, where you can also order prints and gifts decorated with the photos of your choice from the gallery. The Cheshire Cat Photo Store on Zazzle® contains a wide variety of apparel and gifts decorated with our images of California. All locations are accessible from hereBe a “Facebook Fan” of Cheshire Cat Photo here! If you don’t see what you want or would be on our email list for updates, send us an email at

No Comments to “Jammin’ the Feds’ radios with the $30 “GirlTech IMME!””

  (RSS feed for these comments)

InspectorWordpress has prevented 52153 attacks.
Get Adobe Flash player