Expensive high-tech digital radios used by the FBI, Secret Service, and Homeland Security are designed so poorly that they can be jammed by a $30 children's toy, CNET has learned.

A GirlTech IMME, Mattel's pink instant-messaging device with a miniature keyboard that's marketed to pre-teen girls, can be used to disrupt sensitive radio communications used by every major federal law enforcement agency, a team of security researchers from the University of Pennsylvania is planning to announce tomorrow.

Converting the GirlTech gadget into a jammer may be beyond the ability of a street criminal for now, but that won't last, says associate professor Matt Blaze, who co-authored the paper that will be presented tomorrow at the Usenix Security symposium in San Francisco. CNET obtained a copy of the paper, which will be made publicly available in the afternoon.

"It's going to be someone somewhere creating the Project 25 jamming kit and it'll be something that you download from the Net," Blaze said. "We're not there right now, but we're pretty close."

Project 25, sometimes abbreviated as P25, is the name of the wireless standard used in the radios, which have been widely adopted across the federal government and many state and local police agencies over the last decade. The plan was to boost interoperability, so different agencies would be able to talk to one another, while providing secure encrypted communications.

The radios aren't cheap. A handheld Midland P25 Digital sells for $3,295, and scanners are closer to $450.

But federal agents frequently don't turn encryption on, the researchers found. (Their paper is titled "A Security Analysis of the APCO Project 25 Two-Way Radio System," and the other authors are Sandy Clark, Travis Goodspeed, Perry Metzger, Zachary Wasserman, and Kevin Xu.)

Here's an excerpt:

The traffic we monitored routinely disclosed some of the most sensitive law enforcement information that the government holds, including: Names and locations of criminal investigative targets, including those involved in organized crime... Information relayed by Title III wiretap plants...Plans for forthcoming arrests, raids and other confidential operations... On some days, particularly weekends and holidays, we would capture less than one minute, while on others, we captured several hours. We monitored sensitive transmissions about operations by agents in every Federal law enforcement agency in the Department of Justice and the Department of Homeland Security. Most traffic was apparently related to criminal law enforcement, but some of the traffic was clearly related to other sensitive operations, including counter- terrorism investigations and executive protection of high ranking officials...

To intercept the Project 25 radio communications, the researchers used a high-quality receiver that cost about $1,000 and can be purchased off-the-shelf. But, Blaze said, it's possible to do it on the cheap: "You can do everything you need with equipment you can buy at Radio Shack... hobbyist-grade equipment."

University of Pennsylvania

Blaze said he has contacted the Justice Department and the Defense Department, which also uses Project 25 digital radios. "They are now aware of the problem and are trying to mitigate against it," he said.

Representatives of the Association of Public-Safety Communications Officials (APCO), which has championed the Project 25 standard, did not respond to a request for comment this afternoon. Neither did the Telecommunications Industry Association, which maintains the standard.

The University of Pennsylvania researchers did not discover any vulnerabilities in the actual encryption algorithms used in the radios. They also chose not to disclose which agencies were the worst offenders, what cities the monitoring took place in, or what frequencies they found each agency used.

A third vulnerability they found was that each radio contains a unique identifier, akin to a phone number, that is broadcast in unencrypted form. So is the unique ID of the destination radio. That allows an eavesdropper to perform what's known as traffic analysis, meaning tracking who's talking to whom.

The reason jamming is relatively easy is that the Project 25 doesn't use spread spectrum, which puts the would-be jammer at a disadvantage. By contrast, P25 relies on metadata that must be transmitted perfectly for the receiver to make sense of the rest of the communication. A pulse lasting just 1/100th of a second, it turns out, is enough to disrupt the transmission of the metadata.

This isn't the first time that University of Pennsylvania researchers have taken a critical look at Project 25. Many of the same authors published a security analysis last November, which concluded that it's "strikingly vulnerable to a range of attacks."