CTA Radio System Hack Exposes Weakness

17 Aug

A 20 year-old Chicago hacker by the name of Marcel Carter was arrested for repeatedly hacking into the Chicago Transit Authority’s radio system for more than a year.  Don’t be overly scared by the mainstream media’s portrayal of this kid as a dangerous genius who spent hours nightly hacking into CTA ‘super-servers’.

Carter either stole or found a CTA two-way radio that was already programmed with the frequencies and codes he needed, and he used it to harass transit employees for over a year.  Getting onto a system like this, however, is much easier than you might want to imagine, even without a pre-programmed radio.

Many two-way radio systems in this country are built on old legacy technology, and the “security” imposed on them is so weak that a half-skilled 14 year-old could jam them.  Many of the systems in use today are still analog and rely on CTCSS tones, which Motorola brands as PL (Private Line) tones, to keep unwanted jammers and other users off the system.  The problem is that PL tones were never designed to keep a system secure.  They exist to lessen interference: a large radio tower is home to many high-powered radio systems, and with all that RF in such a small area, interference is commonplace.  A PL tone is one of a pre-defined set of sub-audible tones (all below the 300 Hz voice passband) that is encoded along with an RF transmission, and the repeater (the radio system) only opens for signals carrying the right tone.  The tone list is by no means secret, and it is short: the standard EIA list has 38 CTCSS tones, and the extended lists used by most radios top out around 50.  Today’s radio equipment can scan a transmission and identify the tone in use in less than 60 seconds.  Once the tone is found on the system’s output frequency (the one you listen to), it is just a matter of finding the input frequency, which again takes minutes to an hour at most.  Most of these systems’ inputs and outputs are published on scanner enthusiast websites anyway.
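
As an added example (this is not code from the original post, nor anything from the CTA or a radio vendor), the following Python shows how short that tone scan is in practice: a Goertzel filter tuned to each of the 38 standard tones picks the sub-audible tone out of a couple of seconds of repeater audio.  The audio clip is constructed inside the script as a stand-in for a real recording, and the detection threshold (`min_ratio`) is an assumed value, not a standard.

```python
"""Added example: scan a captured repeater audio clip for its CTCSS (PL) tone.

Standard library only. The audio is constructed in make_repeater_audio() to
stand in for a recording of a repeater output; the post describes the
technique but ships no samples.
"""
import math
import random
import statistics

# The 38 tones of the standard EIA CTCSS list (Hz). Extended lists add about
# a dozen more; either way the search space is tiny.
CTCSS_TONES = [
    67.0, 71.9, 74.4, 77.0, 79.7, 82.5, 85.4, 88.5, 91.5, 94.8, 97.4, 100.0,
    103.5, 107.2, 110.9, 114.8, 118.8, 123.0, 127.3, 131.8, 136.5, 141.3,
    146.2, 151.4, 156.7, 162.2, 167.9, 173.8, 179.9, 186.2, 192.8, 203.5,
    210.7, 218.1, 225.7, 233.6, 241.8, 250.3,
]


def goertzel_power(samples, fs, freq):
    """Energy of `samples` at one frequency (Goertzel algorithm).

    Cheaper than an FFT when only a few dozen bins matter, which is exactly
    the CTCSS case; DSP-based tone decoders typically work the same way.
    """
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / fs)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2


def scan_ctcss(samples, fs):
    """Return [(tone_hz, power), ...] for every candidate tone, strongest first."""
    powers = [(tone, goertzel_power(samples, fs, tone)) for tone in CTCSS_TONES]
    return sorted(powers, key=lambda tp: tp[1], reverse=True)


def detect_ctcss(samples, fs, min_ratio=20.0):
    """Identify the tone on the channel, or None if no tone stands out.

    A tone is reported only when its energy dominates the median energy of
    the other candidates (min_ratio is an assumed threshold), so noise or
    voice leakage on a carrier-squelch system is not mistaken for a tone.
    """
    ranked = scan_ctcss(samples, fs)
    best_tone, best_power = ranked[0]
    background = statistics.median(p for _, p in ranked[1:])
    if background > 0 and best_power / background >= min_ratio:
        return best_tone
    return None


def make_repeater_audio(fs=8000, seconds=2.0, ctcss_tone=None, seed=1):
    """Constructed stand-in for a repeater-output recording (not real CTA audio).

    Three voice-band tones play the role of speech (kept above 300 Hz, where
    a real decoder would low-pass the audio before tone detection), a
    sub-audible CTCSS tone is mixed in at low level when requested, and
    Gaussian noise is added with a fixed seed so results are reproducible.
    """
    rng = random.Random(seed)
    samples = []
    for n in range(int(fs * seconds)):
        t = n / fs
        x = (0.5 * math.sin(2 * math.pi * 440 * t)
             + 0.3 * math.sin(2 * math.pi * 880 * t)
             + 0.2 * math.sin(2 * math.pi * 1320 * t))
        if ctcss_tone is not None:
            x += 0.15 * math.sin(2 * math.pi * ctcss_tone * t)
        x += rng.gauss(0.0, 0.05)
        samples.append(x)
    return samples


if __name__ == "__main__":
    fs = 8000
    clip = make_repeater_audio(fs, ctcss_tone=103.5)
    print("top candidates:", [(t, round(p)) for t, p in scan_ctcss(clip, fs)[:3]])
    print("detected tone:", detect_ctcss(clip, fs))
    print("no-tone clip: ", detect_ctcss(make_repeater_audio(fs), fs))
```

Run as-is it reports the tone of the constructed clip and `None` for a clip with no tone.  Against a real system you would feed the receiver’s demodulated audio into the same scan after low-passing it below 300 Hz; the scan itself is never the obstacle, which is the whole point about PL tones buying no secrecy.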

The equipment needed to transmit on public safety frequencies, or on the ones used by the CTA, is relatively inexpensive and very easy to obtain.  Have $300-$400 burning a hole in your pocket?  You could purchase a perfectly legal amateur radio transceiver and make a simple modification that opens up transmit outside the amateur bands, or surf eBay for the proper equipment.  Either way you do it, it is very easy and quite cheap (though transmitting on those frequencies without authorization is, of course, illegal).

Once a person can access the radio system, he could begin jamming the frequencies, hindering communications in an emergency, or even impersonate public safety officers or dispatchers.

So why doesn’t jamming happen more often?  Well, it happens more than you think.  The city I grew up in (Wausau, WI) is in the largest county in the state.  The radio systems there are large and span a very wide area.  Jamming is a nuisance that is a monthly problem for public safety dispatchers.  It is nearly impossible to trace as long as the jammer/hacker isn’t stupid in his methods.  The main tool for tracing radio signals is triangulation, whether from radio towers around the county or from radio techs in the field moving around and homing in on the signal being transmitted by the jammer.

Police and fire systems are easy to break into and interfere with.  Most people don’t do it because it could endanger lives and would bring the attention of law enforcement quite quickly.  The story of Marcel Carter should be a wake-up call to our government.  It is time to drop old legacy analog systems and upgrade this country’s network infrastructure.  The new digital systems aren’t unbreakable, but they are far tougher to get into; a jammer/hacker would really have to want in for a malicious reason to spend the time and money on the equipment needed.  One caveat: the extra protection comes from the encryption and authentication features those systems support, not from digital modulation by itself, so those features actually have to be turned on.  The Obama administration has dedicated billions of dollars to upgrading network infrastructure, and I hope it is put to good use wiping out these old systems and the old problems that people like Marcel can cause.
