Site icon Sophos News

Police bust their own radio shop manager for dodgy software updates

The manager in charge of Winnipeg’s police radios was arrested last Thursday for allegedly using fraudulent licenses to update the encrypted Motorola radios that police use to keep their conversations private, CBC News reports.

According to court documents, an employee tipped authorities off about the alleged actions of Ed Richardson, who was the manager of the radio shop for the City of Winnipeg. The radio shop is in charge of repairing and maintaining radios used by the Winnipeg Police Service and Winnipeg Fire Paramedic Service.

Richardson allegedly got his hands on millions of dollars’ worth of illegal licenses for the radios, which require frequent updates. Each of those software updates should have cost the city $94, but the informant said that Richardson didn’t like paying those fees to Motorola.

From the affidavit:

[The employee] does not believe his actions were for personal gain; he believes that Richardson likes the idea of not giving more money to Motorola.

According to what the employee told police, in 2011, Richardson gave him a device known as an iButton that was preloaded with more than 65,000 refresh keys, and told him…

You don’t want to know where these came from.

The employee said those keys “clearly” didn’t come from Motorola, according to the court document.

Police say that the bogus refresh keys would have cost the city millions if they’d been legitimately purchased. They estimate that the keys were used over 200 times, causing Motorola to lose nearly $19,000.

A ham radio enthusiast piqued the interest of US Feds

Police suspect that Richardson got the unauthorized keys from a Winnipeg ham radio enthusiast who was under investigation by the US Department of Homeland Security (DHS).

Court documents say that a DHS agent traveled to Winnipeg in 2016 to brief local police about the investigation. The agent told Winnipeg police that the man whom DHS was investigating reprogrammed Motorola radios for a roster of international clients. Such clients are of the criminal ilk, as in, people who have an interest in hiding their chats on encrypted radio. That includes drug lords. From the court documents:

[Encrypting radios] allows the criminal element to communicate without fear of interception by government or law enforcement. A significant number of these encrypted radios have been seized from the Mexican drug cartel members.

Police say that experts at Motorola checked out some of the encrypted radios seized by law enforcement and found that the techniques used to hack them were consistent with how they allege that the Winnipeg man went about it.

DHS detained the ham radio enthusiast in May 2016, when he was returning from a radio convention in Dayton, Ohio. Agents seized his electronics, including a laptop, tools used to encrypt Motorola radios, and an iButton that police believe he got from Richardson.

An iButton is a microchip similar to those used in a smart card but housed in a little, round, stainless steel button, or “can.” The iButton is incredibly tough and, among other uses, serves as a data logger for applications in harsh and demanding environments – for example, picking up temperature readings in agriculture.

iButtons are empty. You have to program them to do whatever it is you want them to do. In this case, that would be to store a whole lot of keys to encrypt Motorola radios that Motorola itself didn’t put into one of those little button cans. Police believe that Richardson gave the ham radio guy the iButton that police found in his possession when they detained him.

Prior to 2010, anybody could eavesdrop on police by buying a police scanner. Then, Winnipeg started using the fully encrypted Motorola radios, which require one of the encryption keys to use.

The radio shop employee was motivated to come forward with information about Richardson in 2017, when the city’s agencies were in the process of launching a new emergency radio system for first responders. Richardson was leading that project, and the employee feared that his allegedly corrupt boss could compromise it, according to the affidavit:

[The employee] is concerned that Richardson’s lack of integrity may put the security of this new radio system in jeopardy.

CBC News contacted Richardson earlier this month. He was reportedly surprised to hear he was under investigation, though he said he did know that the radio enthusiast was a person of interest to police. Richardson was put on leave a few days later.

A Winnipeg police spokesperson told CBC News that its investigation is now complete and that Richardson is expected to be formally charged during a court appearance next month. He’ll be looking at charges including fraud over $5,000, unauthorized use of a computer, possession of a device to obtain unauthorized use of a computer, and possession of a device to obtain telecommunication service.

Exit mobile version