Naked Security

Police bust their own radio shop manager for dodgy software updates

Police allege that he updated radios with fraudulent software from a radio enthusiast who allegedly hacked encrypted radios for drug cartels.

The manager in charge of Winnipeg’s police radios was arrested last Thursday for allegedly using fraudulent licenses to update the encrypted Motorola radios that police use to keep their conversations private, CBC News reports.

According to court documents, an employee tipped authorities off about the alleged actions of Ed Richardson, who was the manager of the radio shop for the City of Winnipeg. The radio shop is in charge of repairing and maintaining radios used by the Winnipeg Police Service and Winnipeg Fire Paramedic Service.

Richardson allegedly got his hands on millions of dollars’ worth of illegal licenses for the radios, which require frequent updates. Each of those software updates should have cost the city $94, but the informant said that Richardson didn’t like paying those fees to Motorola.

From the affidavit:

[The employee] does not believe his actions were for personal gain; he believes that Richardson likes the idea of not giving more money to Motorola.

According to what the employee told police, in 2011, Richardson gave him a device known as an iButton that was preloaded with more than 65,000 refresh keys, and told him…

You don’t want to know where these came from.

The employee said those keys “clearly” didn’t come from Motorola, according to the court document.

Police say that the bogus refresh keys would have cost the city millions if they’d been legitimately purchased. They estimate that the keys were used over 200 times, causing Motorola to lose nearly $19,000.

A ham radio enthusiast piqued the interest of US Feds

Police suspect that Richardson got the unauthorized keys from a Winnipeg ham radio enthusiast who was under investigation by the US Department of Homeland Security (DHS).

Court documents say that a DHS agent traveled to Winnipeg in 2016 to brief local police about the investigation. The agent told Winnipeg police that the man whom DHS was investigating reprogrammed Motorola radios for a roster of international clients. Such clients are of the criminal ilk, as in, people who have an interest in hiding their chats on encrypted radio. That includes drug lords. From the court documents:

[Encrypting radios] allows the criminal element to communicate without fear of interception by government or law enforcement. A significant number of these encrypted radios have been seized from the Mexican drug cartel members.

Police say that experts at Motorola checked out some of the encrypted radios seized by law enforcement and found that the techniques used to hack them were consistent with how they allege that the Winnipeg man went about it.

DHS detained the ham radio enthusiast in May 2016, when he was returning from a radio convention in Dayton, Ohio. Agents seized his electronics, including a laptop, tools used to encrypt Motorola radios, and an iButton that police believe he got from Richardson.

An iButton is a microchip similar to those used in a smart card but housed in a little, round, stainless steel button, or “can.” The iButton is incredibly tough and, among other uses, serves as a data logger for applications in harsh and demanding environments – for example, picking up temperature readings in agriculture.

iButtons are empty. You have to program them to do whatever it is you want them to do. In this case, that would be to store a whole lot of keys to encrypt Motorola radios that Motorola itself didn’t put into one of those little button cans. Police believe that Richardson gave the ham radio guy the iButton that police found in his possession when they detained him.

Prior to 2010, anybody could eavesdrop on police by buying a police scanner. Then, Winnipeg started using the fully encrypted Motorola radios, which require one of the encryption keys to use.

The radio shop employee was motivated to come forward with information about Richardson in 2017, when the city’s agencies were in the process of launching a new emergency radio system for first responders. Richardson was leading that project, and the employee feared that his allegedly corrupt boss could compromise it, according to the affidavit:

[The employee] is concerned that Richardson’s lack of integrity may put the security of this new radio system in jeopardy.

CBC News contacted Richardson earlier this month. He was reportedly surprised to hear he was under investigation, though he said he did know that the radio enthusiast was a person of interest to police. Richardson was put on leave a few days later.

A Winnipeg police spokesperson told CBC News that its investigation is now complete and that Richardson is expected to be formally charged during a court appearance next month. He’ll be looking at charges including fraud over $5,000, unauthorized use of a computer, possession of a device to obtain unauthorized use of a computer, and possession of a device to obtain telecommunication service.

7 Comments

Managing one’s own encryption keys (as opposed to buying one from a vendor) would seem to be a better key management strategy.

I’m not sure that a vendor should be charging for this. Licensing encryption keys seems more criminal to me, especially since there’s no guarantee that the vendor is creating unique keys, or providing the keys to third parties.

The iButton contains a counter and a code to activate software updates in the radios. In the past, a Motorola customer was ENCOURAGED to buy a software subscription service. They would receive an iButton to activate a certain number of radios. This has nothing to do with encrypting the radio communications, which is usually a DES 56 or AES 256 code that is loaded with a crypto loading device or over the air from a secure server.

Derp. These are firmware upgrade (aka fix the stupid bugs that Motorola leaves in its radio firmware) authorizations. They have NOTHING to do with encryption, yet the authorities and every media report conflates the two.

They also toss out the “millions of dollars” quote simply because the iButton has a 16 bit counter that was maxed out to 65535 and 64k x $94 = $6m. If the iButton had a 32 bit counter, they’d be claiming that Richardson was sitting on $400b. The fact that the techs could only ever make use of a tiny fraction of those upgrade authorizations is conveniently ignored. Next up, someone downloads a movie with a theater price of $10, but since they could potentially share it with every human on the planet, it’s a trillion dollar crime.

Also, IMO, this article says that encryption capabilities were given to criminals, but does the source material (the court documents) *actually* allege that? Or just that “Encryption was given to others (typically ham radio operators), but criminals also like encryption, so he’s bad and on our radar”. Personally, I use AES256 for radio traffic and data transfer, so I must be a criminal/terrorist type myself. Where do I turn myself in?

Police want to run around in secret, talking in code on encrypted radios, without citizen oversight. They don’t want their errors revealed to anyone with the time to listen on scanners.

And then they complain that citizens use encryption.

Hypocrites.

Anyway, these radios update their encryption keys over the air by server. Something in this story is inaccurate.

This story isn’t actually about encryption or encryption keys. As far as I can see, it’s about fraud – circumventing licensing fees that were never paid because the technician who was trusted with the job got hold of pirated licence codes. He used the phoney codes on police radios… and the police busted him. (Seems like more of a Darwin Award-type story to me.)

Looking at the case reports and the charges, yes, Richardson violated trust and license agreements with Motorola. Using unauthorized codes to update radios is like the hacking of cellular phones to gain free telephone calls on a carrier’s network.
About encryption, I can’t see where he is guilty of any charge on this front, as it did not involve selling the encryption codes.
Here is a Ham radio guy who trolls many of the forums claiming to have full access to Motorola source codes and also claims to enable AES encryption for end users of Motorola equipment via access to the users’ personal computer. This is the guy the police and DHS should seek.
Yes, Richardson committed Fraud, but that’s as far as his case should go.
Target the source, not the end user if the law really wants to put an end to the illegal sale of software keys and hacks.
