This article first appeared in the June 2002 issue of Monitoring Times.
With the anticipated release of a digital scanner from Uniden in a few months the issue of encryption has taken on a much greater importance among scanner listeners. What would the point be in purchasing a digital-capable scanner if all of the voice traffic were encrypted, making it unintelligible? And what about other forms of encryption now available to radio system operators?
For those readers that missed the April column, the EDACS Security Key (ESK) is a new product that M/A-COM is promoting as an add-on to their EDACS and ProVoice trunked radio systems. ESK encrypts the messages carried on the control channel, allowing only those radios programmed with the proper decryption key to operate on the network. This would have the added side effect of preventing trunk-tracking scanners from following EDACS conversations.
EDACS systems come in several different varieties. The standard system uses analog voice transmissions, which can be overheard on almost every scanner on the market. To actually follow a conversation you would need a trunk-tracking scanner capable of understanding the EDACS control channel. Some popular EDACS-capable scanners include the Radio Shack Pro-92, Pro-93 and Pro-94 as well as the Uniden Bearcat 245XLT and 780XLT. These and other trunk-tracking scanners work well on the "normal" EDACS systems.
Instead of analog voice transmissions, EDACS systems can be upgraded to carry voice traffic in digital form. The first digital voice format for EDACS was called "Voice Guard" and was introduced in the mid-1980's. The second-generation product, initially available around 1990, was called AEGIS and provided a large improvement in voice quality over Voice Guard. The current digital voice product is called "ProVoice" and uses an IMBE (Improved Multi-Band Excitation) voice encoder/decoder. (Even though APCO Project 25 also uses the IMBE vocoder, it is not interoperable with ProVoice.)
Each of these three digital voice products can additionally be encrypted in one of two ways. The first is called "VGE" and is a homegrown encryption method developed during the Voice Guard days. The second and probably more secure method uses the Data Encryption Standard (DES) as specified by the U.S. Federal Information Processing Standard (FIPS). DES and Triple-DES, a more secure variation of DES, have recently been replaced by the Advanced Encryption Standard (AES) as the recommended commercial cryptographic standard. DES is more than 20 years old and with the tremendous increase in computing power since then it has been shown to be vulnerable to "brute force" attacks on its relatively short 56-bit key.
So, an EDACS system may have analog, AEGIS digital or ProVoice digital voice traffic. If it has digital voice traffic, that traffic might be unencrypted (so-called "in the clear"), encrypted with VGE or encrypted with DES.
VGE and DES encrypt only the voice channel traffic. The ESK product will encrypt the control channel, and can be used independently of whether the voice traffic is analog or digital, encrypted or not.
Although ESK would prevent trunk-tracking scanners from following EDACS conversations, the primary purpose of this product is to tightly control the two-way radios that can use the system. Without ESK, anyone with an EDACS two-way radio and the proper equipment can program the radio to access the system, whether authorized or not. With ESK, only those radios containing the secret security key can decrypt control channel messages from the repeater, and more importantly, transmit properly encrypted control channel messages to the repeater. ESK will prevent "rogue" radios from making use of a protected EDACS system.
Lake and Will Counties, Illinois
In northeastern Illinois, Lake and Will Counties operate EDACS radio networks but so far have not shown a great deal of interest in encryption.
Lake County, bordering Wisconsin and Lake Michigan, contracted for an eight-channel, four-site simulcast system in 1999 to replace a hodgepodge of 20-year-old conventional radio systems. Assigned frequencies are 866.2500, 866.3000, 866.6375, 866.6875, 867.1250, 867.7250, 867.8125 and 868.5625 MHz.
Will County, just south of Chicago, has been operating EDACS since 1998. It serves well over 600 users on nearly 1,000 trunked portable and mobile radios. Besides the Sheriff's Office, a number of county and municipal agencies use the system, including the Office of Emergency Management, Animal Control, County Forest Preserve, Highway Department, Adult and Juvenile Detention facilities and the State's Attorney's Office. AEGIS encryption is in use on a few talkgroups.
The system uses the following frequencies: 866.2750, 866.7625, 867.1500, 867.7000, 868.2500 and 868.6000 MHz.
Illinois State Police
Sandwiched between Lake and Will Counties is Cook County, home to two simulcast EDACS systems, each with 10 channels. The Illinois State Police, who bought the first EDACS system in 1989, operates these systems as two zones, North and South. Some talkgroups are encrypted, primarily for detectives and covert operations.
The North system uses 866.8875, 866.4625, 867.3875, 866.9625, 867.4625, 867.8875, 868.3875, 868.4625, 868.8875 and 868.9625 MHz. North transmitter sites are Chicago (top of the Sears Tower), Des Plaines, East Dundee and Elgin.
The South frequencies are 866.4125, 866.4375, 866.9375, 867.4125, 867.9375, 867.9125, 868.4375, 868.4125, 868.9375 and 868.9125 MHz. Transmitter sites are Chicago (also at the top of the Sears Tower), Argonne and Chicago Heights.
The city of Midland, Texas operates a two-site EDACS system from downtown and out at the airport. Frequencies are 856.7125, 857.7125, 858.7125, 859.7125, 860.7125, 856.2625, 857.2625, 858.2625, 859.2625 and 860.2625 MHz. Police, Fire, Water, Parks and the Emergency Operations Center are all on the system, as well as Airport Operations and the Airport Police. The Midland Fire and Police Department vehicles also have mobile data terminals (MDT) that communicate with the computer aided dispatch (CAD) system using the EDACS system.
Camden, New Jersey
Just outside Philadelphia, the city of Camden, New Jersey runs a five-channel EDACS system on 856.9875, 857.9875, 858.9875, 859.9875 and 860.9875 MHz. So far monitors have reported police transmissions with some AEGIS digital activity.
Toronto, Ontario, Canada
Pearson International Airport (identifier CYYZ) in Toronto, Ontario, has an EDACS system operating on 857.6375, 857.8875, 859.3875 and 859.6375 MHz. While you're listening, you can hear the north control tower on 118.7 MHz and the south tower on 118.35 MHz (remember that aircraft transmissions are in AM mode).
One of the earliest applications was for the ICOM PCR-1000, a very capable computer-control-only radio that initially could be controlled only via ICOM software running under Windows on a PC. Unfortunately, ICOM stuck to their shortsighted policy of not releasing the specification for the control commands that the radio understood, insisting that their "official" software was the only way to use the radio. This situation resulted in a number of individuals "reverse-engineering" the commands by eavesdropping on data cable between the radio and the computer. Unofficial command lists soon circulated on the Internet and a number of third-party control programs were developed.
One problem that a handful of early users experienced was the corruption
of the internal calibration data stored in an EEPROM (Electrically
Erasable Programmable Read-Only Memory) inside the PCR-1000. Apparently
it is possible to corrupt this data with some series of commands, causing
the radio to "go deaf" and no longer operate correctly. It would be a
prudent idea to back-up the contents of this EEPROM prior to experimenting
with third party control software. I have used a program called BackPCR,
with good results, although I've never had an EEPROM corruption problem.
For controlling the PCR-1000, one popular choice is Geoff Wicks' PCR Pilot software, available on his website at http://www.users.bigpond.com/geoffwicks/PCRPilot.htm
Control software on the Palm for the Uniden Bearcat BC245XLT can be found at
This is a smaller version of the commercial ScanPro software. You can download the Palm program for free, but registration will cost $10. I have not tried this software, but the description indicates that you can "edit frequencies, set trunking channels, and trunking system type here. Click on the Status display to show the scanner mode and squelch status anytime. Page through the entire bank to edit any frequency." There are also selections for priority, data skip and attenuation.
Similarly, a scaled-down version of ScanPro for the Uniden Bearcat
BC780XLT is advertised at
where you can order it for $14.95. The 780XLT does have more features on the front panel than the 245XLT but is not nearly as portable.
The OptoCom is a nifty computer-control-only receiver that was the
result of collaboration between Florida-based Optoelectronics and scanner
manufacturer GRE. There is a small demonstration control program at
which will load OptoCom frequencies into the Palm and then instruct the radio to scan them, allowing lockout and skip. It's pretty rudimentary, but the OptoCom instruction set is well documented and available for download on the Optoelectronics website.
This is not directly related to trunk tracking, but if you have the TenTec
RX-320 shortwave receiver you can use a Palm program written by Michael
Newell, WB4HUC, to control your radio. The software can be found at
Other radio-related software for the Palm can be found on Peter
K. Hodgson's website at
You'll find a variety of things, from DXing aids to satellite tracking.
Radio Monitoring Software
Mike Agner, KA3JJZ, maintains a very comprehensive list of computer
software for radio monitoring and control at
His list includes numerous DOS, Windows, Mac and UNIX software programs.
That's all for this month. Get out and enjoy the summertime (here in the Northern Hemisphere), if you can, and let me know what you're monitoring via electronic mail at firstname.lastname@example.org. As always, my website at http://www.signalharbor.com has additional information and links. Until next month, happy monitoring!
Click here for the index page.
Click here for the main page.