Insecurity in Public-Safety Communications: APCO Project 25

  • Stephen Glass
  • Vallipuram Muthukkumarasamy
  • Marius Portmann
  • Matthew Robert
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 96)


APCO Project 25 (P25) radio networks are perhaps the most widely-deployed digital radio technology currently in use by emergency first-responders across the world. This paper presents the results of an investigation into the security aspects of the P25 communication protocol. The investigation uses a new software-defined radio approach to expose the vulnerabilities of the lowest layers of the protocol stack. We identify a number of serious security flaws which lead to practical attacks that can compromise the confidentiality, integrity and availability of P25 networks.


communications networks, wireless network security, security analysis





Copyright information

© ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering 2012

Authors and Affiliations

  • Stephen Glass (1)
  • Vallipuram Muthukkumarasamy (2)
  • Marius Portmann (1)
  • Matthew Robert (2)
  1. Queensland Research Laboratory, NICTA, Brisbane, Australia
  2. Griffith University, Gold Coast, Australia
