Hackers pose rare, but serious, threat
Prosecution remains an important weapon against malicious unauthorized radio users
August 1, 2004
It’s not what you’d call an epidemic — yet. But from time to time, a prankster with the know-how and the right equipment manages to invade a public-safety radio system. Whether the hacker transmits strange noises, spreads false information or blocks communications altogether, these break-ins pose a troubling, and potentially dangerous, challenge to emergency responders.
“Even a prank, in the wrong hands, is terrorism,” said Diane Lind, communications supervisor at the Burnsville (Minn.) Police Department, which arrested a man who had intruded on its radio system with giggles, belches and misleading statements.
When an unauthorized user sent racial epithets across its radio network early this year (see MRT, May 2004, page 10), the Chicago Fire Department joined the fraternity of public-safety agencies that have wrestled with hackers. Another recent addition to that club was the City of Madison, Wis. In March, a federal jury convicted a 25-year-old man who disrupted emergency communications in that city on several occasions throughout 2003.
In Minnesota, the Burnsville hacker also interfered with emergency radio systems in Minneapolis and several other communities in 2001. That same year, Denver police arrested a 16-year-old boy who had impersonated an officer and sent false reports over that city’s police radio system. In California, emergency radio systems in Berkeley, Los Angeles and Orange County endured hacker attacks in 2000.
“It caused confusion and was really a dangerous situation for police and fire ambulances, and for the citizens,” said Madison police detective Cindy Murphy, recalling the interference on her city’s radio network during Halloween festivities last year.
Madison endured three distinct kinds of attacks. From January through August, officers working on a certain city block intermittently found they could not send or receive messages for 20 minutes at a time.
On Halloween night, as police and paramedics worked a crowd of some 60,000 revelers downtown, a steady tone blocked communications on the city’s 800 MHz Motorola trunked network. On Nov. 11, during a period of two and a half hours, some officers heard sexually explicit sound files tacked onto the ends of legitimate voice communications.
Radio engineers who drove around Madison with detection equipment on Halloween night narrowed the source of interference to a specific block. Murphy started working the case the next day. Soon after the Nov. 11 incident, police arrested Rajib Mitra, a former graduate student, and confiscated radio and computer equipment from his apartment. He was convicted in March.
Murphy would not explain how police think Mitra broke into the radio system for fear that the details might inspire copycats. Mitra was exploiting “a fundamental flaw” in trunked radio systems, and other hackers could easily duplicate his methods, she said. “We were able to re-create it with very basic equipment that you can purchase on eBay. With less than $200 worth of equipment, and with a little bit of technical knowledge, you can take out every $2000 handheld Motorola radio out there.”
It’s not clear what agencies can do to protect their radio networks against attacks of this kind, Murphy said. “It’s a question of whether you can fix something that really isn’t broken.”
Madison’s system uses a combination of analog and digital technology, said Chuck Jackson, vice president and director of systems operations at Motorola. On an all-digital trunking system, an unauthorized user would find it much harder to transmit voice messages or tones; encryption would provide an additional layer of protection, he said.
But if someone uses a high-powered transmitter to simply block the signals on a radio network, “well, that’s physics,” Jackson said. “Any radio system in that local area would have a vulnerability to that. But with wide-area systems, that’s a very localized thing, right around where the jamming transmitter is.”
And with a trunking system, this kind of jamming won’t last long, he added. “Once it sees an interfering carrier like that, it rolls over after a certain period of time to another channel.”
Jackson also declined to divulge details about how Mitra broke into the emergency frequencies.
Denver’s teenage hacker bought a surplus radio that was once used at the city’s airport and reprogrammed it to duplicate a valid police radio ID using software possibly purchased on eBay, said Gary Pasicznyk, electronic technician supervisor with the Denver Police Department.
The boy used the radio to chat with a police helicopter pilot and to call in false accident reports. At least once, police sent cars to assist an officer in distress, only to find there was no such officer, Pasicznyk said. The boy would also “drive around his neighborhood and attempt to call in license plates,” he said.
Police located the hacker by letting him continue to transmit on the stolen ID, moving the legitimate radio off that ID to avoid confusion. “We were able to partition that ID and put him on one select frequency,” Pasicznyk said. “That way, we were able to use direction-finding equipment to locate the suspect and, further, arrest him and find his programming software.”
Denver’s 800 MHz trunked system employs M/A-COM’s Enhanced Digital Access Communications System (EDACS) technology. To avert future attacks and gain other security advantages, the police are phasing in M/A-COM’s EDACS Security Key technology, Pasicznyk said.
The Burnsville police got help from the Federal Communications Commission in tracking down Aaron Goldberg, a 31-year-old licensed amateur radio operator. Goldberg’s alleged attacks escalated from giggles to noises to disturbing comments. In one instance, officers responding to a domestic disturbance received orders on the radio to fire their guns, said Lind. “Luckily, everyone is very well trained and very well disciplined, and they knew this was not a call from anybody on the scene.”
The FCC “helped us with some tracking mechanisms that we ended up installing in one of our unmarked squad cars to try to localize where the calls were coming from,” Lind said. But ultimately “it was just luck more than anything” that led to the hacker’s arrest. “They got a visual eyesight of him transmitting.” Goldberg was using the sort of programmable radio that anyone can buy in a store such as RadioShack or Best Buy, she said.
When the FCC’s Enforcement Bureau receives a complaint from a public-safety agency that some person is jamming its radio network, “that gets put at the front of the queue,” ahead of interference that might be caused by faulty equipment, an FCC spokesperson said. The FCC’s direction-finding equipment can pinpoint the particular antenna responsible for rogue transmissions, he said.
Burnsville and the other cities where Goldberg interfered use analog UHF systems from a variety of manufacturers, said Lind. Minnesota plans to implement a statewide 800 MHz digital radio network that local agencies can join as well. A shift to that technology could provide better protection, she said.
Enforcement is another important weapon against malicious interference. Burnsville, for example, has not had a problem with hackers since Goldberg’s arrest.
“I think part of what keeps them off is that we have had a conviction, and we made it very public that there was someone on our radio, that they were caught and that they were convicted,” Lind said.
“These cases are very rare. When they do occur, Motorola does, and will continue to, work with law-enforcement agencies to go after the people doing this — the counterfeiters — and prosecute them,” said Steve Gorecki, a Motorola spokesperson. “And, as in Madison, we testify if necessary.”
“We treat this as something very serious because it is,” Jackson said.