Thinking about the FBI CI comms / Russia story some more (and chatting
with some folks), I think most (but not all) of both the radio
compromise and the PTT phone app compromise can be explained by
systematic exploitation of known vulnerabilities.

For the radio stuff, we found (and published in 2011) attacks against
P25 encrypted communication that exploit the ways the protocol
aggressively leaks metadata. See
https://www.mattblaze.org/papers/p25sec.pdf
Our paper does not explain how to recover encrypted voice traffic, however.

Key management in P25 is a mess, and I would be unsurprised if there
were attacks against things like the key generation scheme used in, say,
Motorola's key-loaders. But I don't know of any specific weaknesses
here.

For the phone app attacks, remember that smartphone handsets leak all
sorts of unencrypted metadata - IMSI on the cellular network, but also
Wi-Fi and Bluetooth MAC addresses. Systematically collecting this is easy
and would identify agents following you over time.

Once identified, this metadata also provides useful information for
targeting those handsets with more active attacks (at some risk of
alerting them, but that's a typical tradeoff in intelligence).

Basically, systematic application of well known techniques (well within
reach of a university, let alone a state actor) is sufficient to explain
the traffic analysis of both the FBI's radios and its smartphone PTT
app. Encrypted voice recovery is left as an exercise to the TLA.

BTW, a sub-scoop in the Yahoo story was the existence of the FBI PTT
app, which I've never seen any public reference to. (It basically
replaces the old Nextel system, which the FBI and other fed LE were
heavy users of.)

Anyway, the key difference between the Russians and some nerd with a
scanner here isn't so much budget or tech ability, but willingness and
motivation to be extremely systematic in what's collected and analyzed.
----
ED. Note: Back in the late aughts I used this trick as a supercharged radar detector. The police in Beaverton / Hillsboro had a citywide wireless network set up with VPN, but you could see all the MACs (BSSIDs) associated with the cruisers, the photo radar vans, the surveillance teams. If a cop joined their phone to the police network, you could then track that phone's MAC (BSSID) as a known police device. You'd watch for VPN traffic (IPsec ESP or AH) to identify actual clients vs. just random connections by strangers. A directional antenna across from the police dept. sniffed 24/7/365...
Set a custom alert in Kismet by MAC, then you're good to go! Detect them before you see them, even if the radar is off :P
best regards,