[IP] more on Phreaking the Wiretappers
Begin forwarded message:
From: Matt Blaze <blaze@xxxxxxxxxxxxx>
Date: April 18, 2006 1:22:03 PM EDT
To: dave@xxxxxxxxxx
Subject: Re: [IP] Phreaking the Wiretappers
The talks I gave yesterday in Reston and last month at Stanford (mostly)
described our December 2005 IEEE Security and Privacy paper (with
Micah Sherr, Eric Cronin, and Sandy Clark), the full version of which
is here:
http://www.crypto.com/papers/wiretapping/
Now that most wireline switches implement the CALEA interfaces, loop
extenders are no longer the dominant law enforcement wiretap technology
(at least for better-funded federal agencies). But because of the
backward compatibility features implemented by some CALEA
equipment, certain vulnerabilities -- particularly the ability to
disable call recording -- may remain.
High-fidelity, high-accuracy passive wiretapping, it turns out,
can also be hard to do reliably in digital networks. We found
it to be easy to fool most conventional Internet tools, at least under
many configurations:
http://www.crypto.com/papers/internet-tap.pdf
I'm often surprised at how uncritical the courts are in accepting
electronic evidence, especially wiretap evidence. It may be less
reliable than we assume it to be.
-matt
On Apr 18, 2006, at 12:44, David Farber wrote:
Begin forwarded message:
From: Ross Stapleton-Gray <ross@xxxxxxxxxxxxxxxxxx>
Date: April 18, 2006 12:20:36 PM EDT
To: Dave <dave@xxxxxxxxxx>
Subject: Phreaking the Wiretappers
Matt Blaze et al. on research on methods to compromise wiretaps.
The article in Govt Computer News (appended below):
http://www.gcn.com/online/vol1_no1/40428-1.html
The NSF grant abstract:
http://www.nsf.gov/awardsearch/showAward.do?AwardNumber=0524047
Wiretaps vulnerable to phreaking
04/17/06 -- 04:04 PM
By William Jackson,
You can’t always believe what you hear
Researchers at the University of Pennsylvania have found that it is
not at all difficult for bad guys to outwit law enforcement
wiretaps on their phone lines.
A team of graduate students working with a National Science
Foundation grant set out to determine just how trustworthy the most
common types of telephone wiretaps used by police and intelligence
agencies are, said Professor Matt Blaze.
The results of these taps are accepted uncritically by courts,
Blaze said at the 2006 International Conference on Network Security
being held in Reston, Va.
“It turns out, it can fail in all sorts of unexpected ways,” he
said. “Either party can disrupt a wire tap or introduce misleading
information into the legal record.”
The techniques exploit vulnerabilities in the single signaling and
audio channel used in analog telephone systems.
Blaze said the project was an attempt to establish some baselines
for network security by assessing how easy it is to conduct
reliable eavesdropping on the century-old protocols used in analog
voice phone systems. End-to-end cryptography often is seen as the
most certain way to secure a communications channel. But almost
nobody uses that for voice conversations because of the complexity.
And, as it turns out, it is not necessary.
The most common technology for tapping a phone line is a loop
extender, which is a one-way bridge from the target subject’s local
loop to the phone line of the listening station. The great majority
of wiretaps are pen register taps, which record only the telephone
numbers dialed by the target and when the calls are made. Only
about 10 percent of taps actually record the content of calls. Both
types use the same equipment.
But the caller can game the police equipment by using a notebook
computer to fine-tune the pulse tones generated to dial a number.
By tuning them properly, the correct numbers will be accepted by
switching equipment at the caller’s central telephone office, but
tones often will be misinterpreted on the police equipment,
producing meaningless numbers.
Techniques similar to the old phreaking tricks used to steal long
distance service can be used to turn off a wiretap recorder
remotely. A signaling tone can be sent on the line that will fool
police equipment into thinking the phone is back on the hook,
causing the recorder to shut off. Blaze played a demonstration tape
in which the participants were able to continue a conversation
after the police equipment had “hung up.” The same technique can be
used to block police equipment from recording the number being
dialed and to inject a phony number later.
The 1996 Communications Assistance for Law Enforcement Act required
vendors to include a wiretap interface in telephone switching
equipment, which would theoretically thwart these tricks. But most
vendors made their switches backward compatible to work with legacy
loop extender equipment that police continue to use. This
reintroduced the same vulnerabilities when using a CALEA interface.
This is an object lesson for software developers, Blaze said.
“We have to [be] careful about how backward compatibility can mean
compatibility with old bugs,” he said.
Blaze said there is no concrete evidence that these techniques have
been used to thwart legitimate wiretaps. But he said court records
show that anomalies in recorded conversations often are accepted as
inevitable by police and the courts, leaving open the question of
how trustworthy those recordings are.
© 1996-2006 Post-Newsweek Media, Inc. All Rights Reserved.
-------------------------------------
You are subscribed as matt+ip@xxxxxxxxxx
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/
-------------------------------------