Penn researchers work to make federal agents' radios more secure

Penn doctoral candidate Sandy Clark (right) and lab director Matt Blaze with the two-way radios they found lacking security. (CLEM MURRAY / Staff Photographer)
Posted: September 19, 2011

When a team of University of Pennsylvania computer scientists set out to test the security of the encrypted two-way radios widely used by federal agents, they were in for an unnerving surprise:

For a small but significant part of the time, the radio traffic was not even encrypted.

All they had to do was turn on a store-bought receiver and they could hear agents discussing the identities of undercover agents and informants, locations of surveillance targets, and other sensitive details, the researchers reported in a study last month.

In one three-month period, the team said it picked up this kind of traffic for 23 minutes a day, on average, in several unidentified cities where listening posts were set up.

The researchers, who won an award for their paper at a national conference, are working with law enforcement agencies to alleviate problems through software tweaks and training. But they said they also identified other security flaws with the radios that may be harder to fix.

With a bit of technical know-how, they were able to jam radio transmissions using a modified toy - an instant-messaging device designed for preteens. In addition, by using a radio to send out unobtrusive "pings," they were able to track the location of all radios tuned to a given frequency, as well as the federal agency the users worked for.

"It's like Harry Potter's Marauder's Map," said lead author Sandy Clark, referring to the magical parchment that reveals the location of anyone at Hogwarts School.

The main problem - the unintended transmission of secret details in the open - appeared to be the result of using the radios incorrectly, according to the researchers, who presented their findings at the USENIX Security Symposium in San Francisco. But the study authors stressed that the true blame belonged with the needlessly complex design of the radio system, not with the federal agents.

"These people are really good at their jobs," Clark said. "They're professionals. It's not the fault of the user."

Spokesmen for both the FBI and the Department of Homeland Security declined to comment.

Federal agencies have been very receptive in learning about the shortcomings and in working together to address them, said the researchers, who were funded partly by the National Science Foundation.

To those who would carp that such research gives ideas to terrorists and other criminals, the authors say it's dangerous to assume that bad guys haven't already spotted the flaws, too.

"We may be pretty smart, but we're not that smart," said Matt Blaze, associate professor of computer science at Penn.

Ian Goldberg, who chaired the conference session at which the Penn team presented its results, agreed.

"It's better that we now know about it and can fix it," said Goldberg, associate professor of computer science at the University of Waterloo in Canada. "It's well settled in most quarters that open science is the way to get there."

Clark, a graduate student and the study's lead author, acknowledged that she entered the research world later than some, though she declined to state her age.

A few years ago, she was working as a computer systems manager at Princeton University and longed to go back to school, but was unsure of herself.

A self-described member of the hacker community, she liked going to the biennial conference called HOPE, short for Hackers on Planet Earth, whose attendees she described as the "white hats." At one such conference she met Blaze, who was impressed, and she visited his lab a few times.

"The next thing I knew, she was one of my Ph.D. students," said Blaze, a prominent computer scientist who helped design a predecessor of today's standard protocol for protecting Internet traffic.

Clark draws a line between hacking and her serious academic research at Penn on electronic security. But she remains a proud member of the hacker world.

Originally, the word hacker had a negative connotation for some, but these days it carries a certain cultural cachet. Think of Lisbeth Salander in the bestselling trilogy by the Swedish author Stieg Larsson. (Clark liked the books, though unlike Salander she is outgoing and cheerful.)

And there's a big overlap between hacking and the burgeoning "maker" movement, which is governed by the can-do ethos that a tech-savvy person can build anything from robots to bacteria in a garage.

Clark and Blaze said they first stumbled across a sensitive radio transmission by accident as they were conducting their research, and decided to look for more to see if it was an aberration. It wasn't.

They declined to reveal the agencies involved or details of their conversations, but said there was discussion of planned raids, organized crime probes, and undercover operations.

The radios are made by a variety of manufacturers, but all use a common set of digital radio standards called Project 25, or P25. The unprotected transmission of private chatter appeared to fall into several categories.

In some cases users clearly thought they were sending encrypted messages, either because they said as much or because the details of the conversations were obviously meant to be secret. In other cases users discussed trying to send these kinds of protected messages but failing because of some technological glitch.

The Penn team identified several apparent causes of the problems. One was that a radio set to transmit unencrypted messages can still receive encrypted traffic, as long as the device is programmed with the correct electronic "key." The user hears a protected call, answers it in the clear, and the recipient's radio plays the reply without indicating that it was unprotected. When the researchers picked up such traffic, they heard only one side of the conversation: the clear half.

Another flaw: On various models, the switch for encrypted mode was easy to turn off accidentally when doing other things, such as changing channels.

And the icons or lights that indicated encrypted transmission tended to be small and ambiguous, the study authors found. In one model it was a flashing light that also was used for other warning modes; in another, it was a faint gray circle with a line through it. In both cases, users could not see the symbol when holding the radio up to the ear or mouth.

One fix the computer scientists came up with was to program the radios so that a certain channel would always be encrypted and a second would always be unprotected, taking the decision away from the easily bumped switch on each handset. More user training is another solution, but ultimately, Blaze and Clark say an overall system redesign may be needed.
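The mixed-mode failure and the "always secure" channel fix described above, modeled as an added Python example. This is not code from the Penn study or from any radio vendor: the class names, the sample conversation, and the XOR stand-in for P25's real ciphers are all constructed here, and the receiving-side check that flags clear traffic arriving on a keyed channel is an assumption of this illustration, not a feature the article attributes to the radios.

```python
"""
Toy model of the P25 usability failure and the strapped-channel fix.
Added illustration only: hypothetical names, a constructed exchange, and
a SHA-256-derived XOR keystream standing in for P25's DES/AES modes so
that a listener without the key demonstrably cannot read a frame.
"""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MIXED = "mixed"              # encryption follows each radio's own toggle
STRAPPED_SECURE = "secure"   # channel always encrypts; the toggle is ignored
STRAPPED_CLEAR = "clear"     # channel never encrypts


@dataclass
class Frame:
    sender: str
    encrypted: bool
    key_id: Optional[str]
    payload: bytes            # ciphertext if encrypted, otherwise plaintext


def _keystream(key: bytes, n: int) -> bytes:
    # Stand-in keystream (not P25's cipher); fixed per key, which is enough
    # to show who can and cannot read a frame in this model.
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def _xor(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


@dataclass
class Channel:
    name: str
    policy: str = MIXED


@dataclass
class Radio:
    name: str
    key_id: Optional[str] = None
    key: Optional[bytes] = None
    secure_toggle: bool = True          # the easily bumped front-panel switch
    heard: List[Tuple[str, bool, str]] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)

    def transmit(self, chan: Channel, text: str) -> Frame:
        # Under a strapped policy the channel decides; under MIXED the
        # user's toggle decides, which is where the accidents happen.
        if chan.policy == STRAPPED_SECURE:
            encrypt = True
        elif chan.policy == STRAPPED_CLEAR:
            encrypt = False
        else:
            encrypt = self.secure_toggle
        if encrypt:
            if self.key is None:
                raise RuntimeError(f"{self.name}: no key loaded for secure channel")
            return Frame(self.name, True, self.key_id, _xor(self.key, text.encode()))
        return Frame(self.name, False, None, text.encode())

    def receive(self, chan: Channel, frame: Frame) -> Optional[str]:
        """Return what this radio plays out, or None if it cannot decrypt."""
        if frame.encrypted:
            if self.key is None or frame.key_id != self.key_id:
                return None                   # unkeyed listener hears only noise
            text = _xor(self.key, frame.payload).decode()
        else:
            text = frame.payload.decode()
            # Assumed hardening: clear traffic on a keyed, non-clear channel is
            # exactly the one-sided leak described above, so flag it.
            if self.key is not None and chan.policy != STRAPPED_CLEAR:
                self.warnings.append(f"CLEAR traffic from {frame.sender} on {chan.name}")
        self.heard.append((frame.sender, frame.encrypted, text))
        return text


def run_exchange(policy: str) -> dict:
    """Agent B answers agent A; B's secure switch was bumped off while changing channels."""
    chan = Channel("tac-1", policy)
    key = b"constructed-demo-key-not-real"
    a = Radio("A", "K1", key, secure_toggle=True)
    b = Radio("B", "K1", key, secure_toggle=False)    # the accidental clear mode
    scanner = Radio("scanner")                         # store-bought receiver, no key
    f1 = a.transmit(chan, "meet at the north entrance at 0900")
    f2 = b.transmit(chan, "copy, informant will be with me")
    for r in (a, b, scanner):
        r.receive(chan, f1)
        r.receive(chan, f2)
    return {
        "scanner_hears": [t for (_, _, t) in scanner.heard],
        "a_warnings": a.warnings,
        "b_sent_encrypted": f2.encrypted,
    }


if __name__ == "__main__":
    for policy in (MIXED, STRAPPED_SECURE):
        print(policy, run_exchange(policy))
```

On the mixed-mode channel the scanner captures B's half of the conversation verbatim, matching the one-sided traffic the researchers picked up; on the strapped channel B's reply is encrypted no matter where the switch sits, and the scanner gets nothing. The receive-side warning is the cheaper half of a fix: it does not stop the leak, but it would at least tell A that the reply just played was in the clear.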

If such a thing occurs, they hope it works. But in case it doesn't, they are sure to be listening.

"Most of us became interested in security because it's a puzzle to be solved," Clark said. "It's kind of a black box. . . . It's because you want to know how something works."


Contact staff writer Tom Avril at 215-854-2430 or tavril@phillynews.com
