For the paranoid: Manager Mode security with DTR radios

As an engineer and radio hobbyist, one of the things I do occasionally is advise folks who are looking for a roll-your-own communications solution. These are usually folks who won’t be going the commercial land-mobile route for one reason or another, so the toolkit is limited to Amateur Radio, GMRS, and the various un-licensed services.

The 900 MHz frequency-hopping radios like the Motorola DTRs and TriSquare TSX series appeal to some because they are a lot harder to interfere with or eavesdrop on than the typical FM handhelds popular in other services. The DTRs in particular hop frequencies quickly enough that you practically need state-level surveillance equipment to follow them, and then on top of that you have to be able to decode the digital voice. They’re about as secure as you can get without encryption, as long as you don’t use Public groups.

The DTRs come out of the box set up to use Public groups, which any other DTR will receive if it’s set to the same group and channel. I actually changed the default on my 550s to a different Public group and channel, and still found I was hearing other DTR users at a downtown public event. (Didn’t know they were that popular.)

The security issue here, if you’re concerned that someone with a little skill might want to mess with your comms for whatever reason, is that anyone who happens to receive your transmissions on a Public group will also see the ID of your radios. Knowing that ID and nothing else, a person with a DTR650 and the ability to program it can send Manager Mode commands to your radios, and there doesn’t appear to be any way to prevent it.

(Does anybody here know differently? OTAAll Allow: Off prevents wholesale cloning, but not the Manager Mode commands.)

The three Manager Mode commands are Remote Time, Remote Monitor, and Remote Disable. Of the three, Remote Time is not much of a threat. Remote Monitor will cause your DTR to open its mic and transmit, but it doesn’t do so quietly. You’d notice if it happened. Remote Disable, though, will shut your DTR down by the time you realize what’s happening. And once a DTR is Remote Disabled, it won’t do much of anything, including talk to the CPS software, until it’s Remote Enabled again by a Manager Mode-capable DTR. (So hopefully, you have one.)

I suppose it’s possible that re-flashing the DTR might re-enable it, but I don’t have a flash cable yet with which to try.

I expected to find, in the CPS software, a way of programming which radios in a system are authorized to send Manager Mode commands, so that all the radios in that system would only listen to those commands if they came from a radio on the “whitelist.” It doesn’t appear, however, that such is the case. (Please correct me if you know differently.)

The key to such an attack is the ability for an outsider to “sniff” your radio IDs by listening on Public groups, so the simple workaround is to use Private groups only.

Granted, most users are probably not concerned about this level of security. Just consider this an experience I had that I’m tossing out as my two-cent contribution to the DTR knowledge base on this forum.


OK, what does this feature do???

It’s supposed to block Over-The-Air Cloning.

I’ve found a defense against the “Remote Monitor” attack, or rather a retaliatory measure:

  1. Find the attacking radio ID: Menu Button > Recent Calls > Select > View > scroll up/down until you find it.
  2. Add that ID to your codeplug.
  3. Remote Disable the attacking radio.

You’ll need a DTR410 or DTR650 or better in your fleet, because the DTR550 doesn’t have the ability to remote disable another radio, according to the user manual.

The DTR600/700 models have the same Manager Mode features that the legacy DTRs have. I have played around with them and can confirm that Manager Mode in a DTR700 can control a DTR650 and a 410 for that matter, and vice versa. Manager Mode in the DTR600/700 is fully compatible with Manager Mode in the legacy DTRs.

The DLR series models (DLR1020 and DLR1060) do not have Manager Mode features. Since I have had a fleet of DLRs and a fleet of DTRs working with each other in Public and Private groups, I can confirm that the DLRs cannot be controlled by Manager Mode in the legacy DTRs or DTR600/700. The DLRs will not respond to Manager Mode commands from a DTR in Manager Mode.

This is really good to know, Josh. I just ordered a used pair of DTR650s; never seen one in the flesh before. I’m interested in the range and level of security one can achieve without going the AES route on a regular pair of two-way radios, which I’ve recently done.

Are you aware of anyone opening up a DTR and finding jumpers, unused features, ways to talk directly with the silicon handling the hopping logic?

