The FBI Communications Breach of 2010: Applications and Perspectives

by Marc J. O'Connor

This article explores the "FBI communications breach," first reported in 2019, as an application of publicly known and researched vulnerabilities of P25 communications systems, and considers those vulnerabilities in an operational and intelligence context, including the tactics possibly employed, as an exploration of open-source technologies and literature.

This article assumes the Russian Intelligence Service (RIS) targeted Federal Bureau of Investigation (FBI) land mobile radio (APCO P25) and cellular telephony (4G LTE) employed by FBI counterintelligence activities in order to develop intelligence on FBI counterintelligence operations directed against the RIS.

Overview

P25 Land Mobile Radio is the communication technology employed by law enforcement and emergency first responders in over 38 countries, including the U.S., Canada, Mexico, and Russia.  In the United States, it is the result of a decades-long transition from analog single-channel radio systems to networked digital radio systems, beginning sometime in the 1990s and reaching some degree of completion in the mid-2000s.

APCO P25 Land Mobile Radio (LMR) systems are digital radio systems that provide narrowband data, voice encryption, and addressable and trunked (like a subnet) communications.  The P25 LMR can have 9,999,999 individually addressed subscriber units organized into talk groups.  P25 can be trunked and transported over Internet Protocol (IP) networks.

The FBI maintains the largest P25 land mobile radio system in the world, providing nationwide coverage to federal law enforcement operations and, as inferred in this article, to its counterintelligence surveillance teams.  The FBI maintains this system for the Department of Justice, and the customers are the other DOJ components: DEA, BATFE, and the U.S. Marshals Service.  It is not solely an FBI resource.

Public news reporting indicates that the RIS mounted an operation in 2010 to develop intelligence from FBI telecommunications.  These telecommunications are inferred to be the nationwide Land Mobile Radio (LMR) network developed by DOJ for federal law enforcement, together with exploitation of the backup telecommunications system, described in public sources as LTE, or Long-Term Evolution, the cellular service now better known as 4G, with an additional Push-To-Talk (PTT) capability that lets a handset act as a two-way radio.

Technical Background

An individual APCO P25 radio carried by a person or installed in an automobile is a "subscriber unit."  Each subscriber unit must be programmed with a unique unit identification in order to participate in trunked or networked communication.  Each unit must also be programmed with a unique talk group identification to participate in talk groups.

Cellular telephony selectors are better known: the IMSI, or telephone number, and the IMEI, which is the electronic serial number of many cellular devices.  These two selectors, known as "the pair," are emitted constantly as the cellular device seeks an available base station to associate with the network.  It is these selectors that are collected using IMSI catchers like the popular Stingray and Do-It-Yourself (DIY) interception systems.

P25 research has been performed using Software-Defined Radio (SDR) and open-source software, notably the Ettus Research Universal Software Radio Peripheral (USRP), GNU Radio, and Wireshark.

It would appear axiomatic that a country using APCO P25, like Russia, would have first-hand knowledge of its vulnerabilities, which would come to the attention of its intelligence services, in addition to a large pool of talent and networks to develop technical exploits.

Operational-Technical Games

An actionable intelligence requirement for a clandestine intelligence officer is their surveillance status.  Intelligence officers employ surveillance detection tactics, techniques, and procedures to determine hostile surveillance status.

Based on known P25 and cellular handset vulnerabilities, it is possible to develop actionable intelligence to satisfy this requirement using only signal externals: the peculiar metadata accompanying each transmission that is necessary to implement the communications service, but does not include content, per se.

Here the presence of certain telecommunications metadata could aid in the surveillance determination.  The "fact of" peculiar metadata in the vicinity of the intelligence officer would strongly indicate hostile surveillance activity.  That peculiar metadata may be envisioned as a "tag cloud" of selectors, where each tag is a metadata element from some electronic device.

In this scenario, these metadata are the IMSI and IMEI from the PTT cellular devices, and the unit identification and talk group identification from the inferred use of P25 radios by the FBI; together they form part of the tag cloud surrounding the FBI counterintelligence activity.  These tag clouds are observable, unique, and sufficiently unchanging.

RIS surveillance detection would take the FBI surveillance from the surveillance pickup point and maneuver on foot or by vehicle to sift the collection of signal externals in order to isolate FBI-peculiar selectors.  Given that media reporting implicated RIS activities in California, New York, and Washington D.C., a better opportunity is presented for differentiating selectors: FBI tag clouds would be observable at all of these locations, while the extraneous tag clouds peculiar to each geographic area would be eliminated.

Over time, repetition of this sifting would refine the tag cloud collection: the same tag clouds in the vicinity of an intelligence officer regardless of distance, observed and integrated over a long baseline.  If one can envision that surveillance detection is a type of maneuver warfare, then the use of surveillance detection is limited by creativity, and here it is likely used to provide a sifting/filtering mechanism.

The use of surveillance detection augmented with signals monitoring provided by COTS hardware and software would provide supporting data to confirm/deny the presence of FBI personnel in the area based upon presence of selectors and traffic analysis of unit ID and talk group ID emitted from the APCO P25 handsets and IMSI/IMEI radiating from the PTT cellular handsets.

Once an RIS intelligence officer was certain they were under surveillance, this information could be correlated with the selectors (the tag cloud) observed at that point.  Similarly, the absence of that metadata would inform perspectives as to an RIS officer's surveillance status.

The use of traffic analysis and pattern observation from physical and technical surveillance is the crux of the exploit.  Operational sophistication stems from this and its fusion with tradecraft to produce military effects.

History

The use of SIGINT-enhanced surveillance detection has precedents.  In 1977, the CIA employed a specialized radio receiver to detect KGB surveillance of CIA officers stationed in Moscow.  Such a receiver was discovered with CIA officer Martha Peterson after her capture by the Soviet KGB while she was engaged in a high-risk operation in Moscow.  KGB and East Bloc officers employed similar technologies with the Kopchik surveillance receiver.  This communications breach is part of that historical and technical continuum.

Timeline of the Reported Breach in Relation to P25 Security Research and News

  • 2009 - Development of open-source P25 research platform.
  • 2010 - FBI "first breach" detected; DES research, first public P25 vulnerabilities made public.
  • 2011 - P25 papers at Ruxcon and SecureComm.
  • 2012 - FBI "full gravity" of breach realized.
  • 2016 - Russian diplomats expelled.
  • 2019 - Yahoo! breaks story.  This is the first public reporting.

Between 2010 and 2012, there was an investigation of the breach, given the publicly reported outcome was "full gravity of hack realized."

Such an investigation likely supported the expulsion of Russian diplomats and was a component of a larger counterintelligence effort.

Application in Open-Source Warfare

In this scenario, military effects (deny/degrade) were induced by one state actor upon another, but it is noteworthy that the technologies involved and the tactics needed to employ them are available as open-source information and are developable and deployable by non-state actors.

Such application further distorts the symmetrical relationships and capabilities between state and non-state actors and develops a cognitive and perceptual terrain within that distorted space.  Here, the non-state actor may develop counterintelligence that can compete with the state actor security services and use this (formerly) advanced SIGINT capability in competition with other groups, as in a fourth-generation warfare (4GW) environment.

A perspective may be taken that this exploit was successfully tested between two technically and operationally sophisticated adversaries - probably the most rigorous laboratory available for such an application.

Postface

This article focuses on a plausible scenario of communications exploitation that would produce actionable intelligence using open-source technologies.  The thesis was developed from well-known security research that was operationalized in these exploits.  It does not include specious and sensational narratives of vague "backdoors" and "broken encryption."

Bibliography

1.)  Zach Dorfman, Jenna McLaughlin and Sean D. Naylor.  Exclusive: Russia Carried Out a 'Stunning' Breach of FBI Communications System, Escalating the Spy Game on U.S. Soil, Yahoo! News, 2019.

2.)  William Jackson.  Project 25: The Long and Winding Road to Radio Interoperability, GCN, 2013.

3.)  Stephen Glass, Vallipuram Muthukkumarasamy, Marius Portmann, Matthew Robert.  Insecurity in Public-Safety Communications: APCO Project 25, 7th International ICST Conference, SecureComm 2011.

4.)  Sandy Clark, Travis Goodspeed, Perry Metzger, Zachary Wasserman, Kevin Xu, Matthew A. Blaze.  Why (Special Agent) Johnny (Still) Can't Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio System, 2011.

5.)  Matt Robert.  APCO P25 Security Revisited, RUXCON 2011.

6.)  Sandy Clark, Perry Metzger, Zachary Wasserman, Kevin Xu, Matthew A. Blaze.  Security Weaknesses in the APCO Project 25 Two-Way Radio System, 2010.

7.)  Chris Paget.  Practical Cellphone Spying (Video and Slides), DEFCON 18.

8.)  Steve Glass, Marius Portmann, Vallipuram Muthukkumarasamy.  A Software-Defined Radio Receiver for APCO Project 25 Signals, 2009.

9.)  www.cryptomuseum.com/people/peterson/

10.)  www.cryptomuseum.com/covert/radio/srr100

11.)  www.cryptomuseum.com/covert/radio/kopchik

12.)  Davey Winder.  Russian Spies Breached FBI Encrypted Communication, Forbes, 2019.

13.)  Mike Masnick.  You'd Think the FBI Would be More Sensitive to Protecting Encrypted Communications Now That We Know the Russians Cracked the FBI's Comms, Techdirt, 2019.

14.)  American Fourth-Generation Warfare with Marc J. O'Connor, YouTube.

Marc J. O'Connor is the author of "Electronic Warfare for the Fourth-Generation Practitioner."
