Vitanuova for 2006 March 9 (entry 0)


Chris Palmer and I went to the talk at Stanford that Matt Blaze gave on his work with Micah Sherr, Eric Cronin, and Sandy Clark on wiretapping vulnerabilities.

Here are my notes on what he said.

Wiretapping has become exciting because of reports on the NSA Program, but it's also interesting technically. We can examine how people (with or without legal authority) actually tap telephones in the real world.

"Once we know how it works, our next question as security people is always: how does it fail?"

This also raises the question of how trustworthy wiretap evidence is.

We are working on studying eavesdropping through a research program: what is required to build an eavesdropping-friendly or eavesdropping-resistant network? How does eavesdropping work and what kinds of noncryptographic countermeasures to it may exist? What are the limitations of wiretapping devices?

Law enforcement telephone wiretapping is an old technology and supposedly well-understood. It could be studied as an example of a mature, reliable wiretapping system.

Traditional wiretap threat model: the risks are detection of the tap, and obfuscation of content of communication. (The content could potentially be encrypted, but it isn't conceptually possible to encrypt the routing information end-to-end. The routing intermediaries need to be able to access it. So you can get transactional or routing information even in the presence of end-to-end cryptography.) [Note: you could in theory encrypt phone numbers en route to the phone company; the phone company would know whom you're calling, but an eavesdropper in between you and the phone company wouldn't know without the phone company's co-operation.]

There is an industry called the TSCM industry that purports to be able to detect wiretaps in some ways, for example via time-domain reflectometry. Blaze doesn't have a high regard for the TSCM industry. It's expensive and inconclusive. In his view, the best that a wiretap detection consultant can say is that no wiretap has been found and that the customer is invited to spend more money to pay for more sophisticated tests. [It's possible to imagine tapping equipment in a modern digital network that has absolutely no effect on the signal or on the electrical properties of the local loop. So even if there were perhaps good tests for wiretapping in the past, those might be getting less useful over time.]

However, there is a question of whether wiretapping evidence is reliable.

POTS is basically the same as it was 100 years ago -- with central offices and circuit-switching. A phone from 100 years ago will pretty much still work today. "Telephones are a remarkable example of engineering optimization" because they were built to work with very minimal requirements: just two wires between the CO and the end subscriber, don't assume that the subscriber has power, don't assume that the subscriber has anything else. The CO feeds the loop with nominally 48 V DC; whether loop current flows signals the hook switch state. In-band audio carries signalling from phone to CO, from CO to phone, and the voice itself; which is which depends on context, and all of it, hook state included, is multiplexed over the same two wires.

If you wanted to tap this, you could do it in three different places: at the subscriber's local loop, at the central office, or on a trunk between switches.

How do LEAs do it? Almost always at local loop or CO. (By contrast, intelligence agencies are more likely to try to tap trunks.)

Under U.S. law, wiretapping in general is illegal, with particular exceptions. These include pen registers (traffic analysis data) and full-content wiretaps (Title III and FISA). About ten times as many pen registers as full content wiretaps occur. It's harder legally, and also more expensive and labor-intensive, to do full-content wiretaps.

Wiretap technologies:

Q. What about cell phone location tracking?

A. There is an interface in CALEA for cell phone wireline interfaces.

Q. But does that include location?

A. No, not yet as a matter of the standards.

[Cf. EFF's page on cell phone location tracking which makes clear that law enforcement agencies have been routinely tracking cell phone users' movements. I'm not sure whether Blaze understood the question from the audience as related to this phenomenon.]

Loop extenders connect the target line to a designated "friendly" line. The part at the telco is the loop extender; the part attached to the friendly line back at the LEA is called a dialed number recorder (DNR) or collection device. The loop extender must provide some kind of electrical isolation to prevent detection. Interestingly, all of the audio is always sent over the friendly line; the only difference between a pen register and a full-audio collection is the configuration of the collection device at the LEA's premises. The phone company can't directly control what LEAs see.

It's inconvenient to get this equipment in order to study it because normally only authorized agencies are allowed to possess it. 18 USC 2512 may make it a felony to own the equipment. Vendors also won't necessarily sell it to just anyone.

"So, we had to shop on eBay."

LEAs, like everyone else, sell their used equipment on eBay. Within about a month, you'll have a lab full of wiretap equipment bought at bargain-basement prices. (Also, sellers often accidentally ship you recordings of old taps!) And it even looks like wiretapping equipment.

We were legal because we had an NSF grant, which is a contract with the Federal government. There is an exception that allows government contractors to acquire wiretap equipment. [18 USC 2512(2)(b)]

Loop extenders are owned by LEAs but are made to look like regular telco equipment -- it doesn't look particularly suspicious. No overt markings are preprinted. If you saw one on a utility pole or in a telco rack, you would probably consider it totally unremarkable; it's a small plastic piece of telecommunications equipment with a pair going in and two pairs coming out. A loop extender costs about $200 new from the manufacturer. Blaze "never spent more than about $10 for a slightly used one".

At the LEA you have a DNR ("dialed number recorder") which has an RJ11 input and then has an audio output and a tape recorder controller. It also has a "minimize" or mute button. The LEA is supposed to have a human being involved who will attempt to prevent recordings of people or conversations that are outside the scope of the warrant. It's very dull to sit there and have to keep pressing the minimize button when the wrong thing comes on the phone.

Q. Do LEAs actually use the minimize button?

A. Yes. These systems are designed for legal wiretaps to create evidence that you can use in court. If you want to play by the rules, then you use this. If you wanted to do an illegal or rogue wiretap, there are simpler, cheaper ways with other equipment.

We found three countermeasures that let subjects manipulate the recording process.

Countermeasure #1: manipulating captured digits. The dialed digits are sent via in-band audio signalling as DTMF tones. There is a tone decoder at the telco, and also a separate tone decoder in the DNR at the LEA. The DNR tone decoder tries to mimic the actions of the telco's tone decoder.

The DTMF standards specify many aspects of DTMF: the frequencies for the rows and columns, the amplitudes, the durations, and so on. In general, the standards for encoders are tighter than the standards for decoders. [Like Jon Postel's rule.]

What this means is that the standards don't specify single frequencies or amplitude levels but ranges: the sender is conservative and the receiver is liberal. DTMF encoding and decoding have the same basic shape as Postel's rule.

The analog eavesdropper's dilemma: "Whether a tone is accepted as a valid DTMF digit depends on several parameters", and there is no right answer to what happens when you're on the edge between accepting and rejecting a tone. The eavesdropper has the harder job: it isn't enough to comply with the standard; the eavesdropper has to mimic the precise behavior of the equipment at the telco CO, and this is true for each and every parameter the standard specifies. Every analog decoder is necessarily going to be a little bit wrong, too conservative or too liberal in some way.

You can use your phone switch as an oracle to figure out where its accept/reject edges are -- based on whether call completion occurs. It will be pretty consistent and accurate. You can do this for each of the tone and amplitude and duration parameters. It takes about 30-120 minutes to do an exhaustive test with respect to all parameters. Based on this information, you can produce "marginal" DTMF encodings. Some of these are just outside or just inside what your local phone switch will accept. We can call these "confusion" and "evasion" digits. The former will be ignored by the switch but may be accepted by the eavesdropper and the latter will be accepted by the switch and may be ignored by the eavesdropper.

You can then practice confusion/evasion dialing. You can dial a large number of digits and the eavesdropper will get, in practice, totally wrong information. "You would just never get the same answer on two different devices, but you could cause the calls to still go through to the desired number." You'd have to recalibrate every few days.
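As an added illustration of the calibration and confusion/evasion dialing described above (this is not code from Blaze's talk or paper), here is a toy model in Python. The acceptance windows of the switch and the DNR, the digit "5" used for probing, the bisection step count, and the real and decoy numbers are all made up for the example; the only thing the example relies on is that the two decoders disagree somewhere, which is the point of the talk.

```python
from dataclasses import dataclass

# Standard DTMF keypad: row frequencies x column frequencies (Hz).
ROWS = (697, 770, 852, 941)
COLS = (1209, 1336, 1477, 1633)
KEYPAD = ("123A", "456B", "789C", "*0#D")


@dataclass(frozen=True)
class Tone:
    """One dialled digit as sent down the line, with the knobs a caller controls."""
    digit: str
    freq_dev: float      # fractional deviation applied to both of the digit's frequencies
    duration_ms: float
    level_dbm: float


@dataclass(frozen=True)
class Decoder:
    """Acceptance window of one DTMF decoder. The limits are hypothetical;
    real switches and DNRs differ from each other, which is what the attack relies on."""
    max_freq_dev: float
    min_duration_ms: float
    min_level_dbm: float

    def accepts(self, t: Tone) -> bool:
        if t.digit not in "".join(KEYPAD):
            return False
        return (abs(t.freq_dev) <= self.max_freq_dev
                and t.duration_ms >= self.min_duration_ms
                and t.level_dbm >= self.min_level_dbm)


# The CO switch that completes the call, and the DNR at the LEA that tries to
# mimic it but is "a little bit wrong": looser on frequency, stricter on duration.
SWITCH = Decoder(max_freq_dev=0.015, min_duration_ms=40.0, min_level_dbm=-25.0)
DNR = Decoder(max_freq_dev=0.025, min_duration_ms=50.0, min_level_dbm=-25.0)

NOMINAL = dict(freq_dev=0.0, duration_ms=100.0, level_dbm=-10.0)


def find_edge(oracle, accepted, rejected, steps=24):
    """Bisect between a parameter value the oracle accepts and one it rejects.
    Each probe is one dialling attempt; 'accepted' means the call completed.
    Returns (inside, outside): the closest values found on each side of the edge."""
    for _ in range(steps):
        mid = (accepted + rejected) / 2.0
        if oracle(mid):
            accepted = mid
        else:
            rejected = mid
    return accepted, rejected


def calibrate(switch):
    """Locate the switch's accept/reject edge for each parameter, using call
    completion as the oracle. Recalibrate every few days: switches drift."""
    def probe(**override):
        return switch.accepts(Tone("5", **{**NOMINAL, **override}))
    return {
        "freq_dev": find_edge(lambda d: probe(freq_dev=d), 0.0, 0.10),
        "duration_ms": find_edge(lambda ms: probe(duration_ms=ms), 200.0, 0.0),
        "level_dbm": find_edge(lambda db: probe(level_dbm=db), 0.0, -60.0),
    }


def confusion_digit(digit, cal):
    """Just outside the switch's frequency window: the switch ignores it,
    a decoder that is looser on frequency (the DNR here) accepts it."""
    return Tone(digit, **{**NOMINAL, "freq_dev": cal["freq_dev"][1]})


def evasion_digit(digit, cal):
    """Just inside the switch's duration window: the switch accepts it,
    a decoder that is stricter on duration (the DNR here) drops it."""
    return Tone(digit, **{**NOMINAL, "duration_ms": cal["duration_ms"][0]})


def decode(decoder, tones):
    """What one decoder believes was dialled."""
    return "".join(t.digit for t in tones if decoder.accepts(t))


def confusion_evasion_dial(real_number, decoy_number, cal):
    """Interleave evasion digits of the real number with confusion digits of a decoy."""
    assert len(real_number) == len(decoy_number)
    tones = []
    for real, fake in zip(real_number, decoy_number):
        tones.append(confusion_digit(fake, cal))
        tones.append(evasion_digit(real, cal))
    return tones


def demo(real="5551212", decoy="8675309"):
    """Returns (number the switch completed the call to, number the DNR logged)."""
    cal = calibrate(SWITCH)
    tones = confusion_evasion_dial(real, decoy, cal)
    return decode(SWITCH, tones), decode(DNR, tones)


if __name__ == "__main__":
    switch_saw, dnr_saw = demo()
    print("switch completed call to:", switch_saw)
    print("DNR recorded dialled number:", dnr_saw)
```

The 24 bisection steps per parameter are far more precision than a real line needs; the point is that each probe is a dialling attempt, so the whole calibration is a few dozen calls, in line with the 30-120 minutes quoted above. Which direction each parameter works in (confusion vs. evasion) depends on which way the particular DNR is wrong, so in practice both kinds of marginal digit would be tried on each parameter.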

Countermeasure #2: false call records. The target's line status (on-hook, off-hook) can't be relayed to the LEA by the loop's DC state, because if the loop extender went on-hook the friendly line would hang up too. So loop extenders signal line status in-band, as audio, and the convention for loop extenders is to transmit the DTMF C tone continuously to indicate that the target line is idle (on-hook).

Therefore, the DNR will deactivate itself when it hears a C tone and activate itself when it no longer hears a C tone.

Q. Why does the friendly line hang up when you hang up?

A. It's hard to get the phone company to provision a "dry" circuit (which is unaffected by DC on-hook/off-hook signals).

This is actually a lot like the blue box problem with regard to 2600 Hz tones. The telephone system used to use in-band signalling, in which tones played within the communication channel itself controlled the switching equipment; this allowed phone phreaks to make free calls by playing the right tone. (If someone you don't trust is using your equipment, letting tones they play control how your equipment behaves is a bit of a security risk.) But wiretappers apparently didn't learn this lesson: "If in-band signalling was good enough for AT&T, it should be good enough for the FBI." There is a close analogy between the blue box vulnerability and the wiretap equipment's vulnerability. Sure enough, sending a C tone down your target line doesn't cause your call to hang up, but it does cause the DNR at the LEA to ignore the communications coming in over the friendly line: it indicates that the call has ended and turns off the recording equipment.

You can therefore fake a lot of different events and cause the evidence collected by the LEA to be wrong.

Countermeasure #3: disabling audio recording. You don't have to send a full-volume C tone. You can send a very quiet C tone in the background to suppress recording. This is sufficient. Either the wiretap subject or the other party can do this. The automatic gain control in the DNR will cause the DNR to detect the quiet C tone.
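As an added example covering countermeasures #2 and #3 together (not code from the talk, and not a model of any particular vendor's DNR), here is a toy in-band idle detector in Python: a Goertzel filter on the two C-tone frequencies, fed through a simple automatic gain control. The sample rate, frame length, AGC set point and gain limit, and the detection threshold are all hypothetical, and the three test frames are constructed inline. It shows why a C tone far too quiet to pass the detector's threshold on its own still mutes the recorder once the AGC has brought the line up to its working level.

```python
import math

FS = 8000                      # sample rate of a PCM phone channel, Hz
FRAME = 400                    # 50 ms analysis frames
C_TONE = (852.0, 1633.0)       # DTMF "C": row 3 (852 Hz) + column 4 (1633 Hz)
DETECT_THRESHOLD = 0.01        # per-component power after AGC (amplitude^2); hypothetical
AGC_TARGET_RMS = 0.25          # hypothetical AGC set point, full scale = 1.0
AGC_MAX_GAIN = 100.0           # 40 dB; a real AGC cannot amplify without limit


def synth(components, n=FRAME):
    """Constructed test signal: a sum of (frequency_hz, amplitude) sinusoids."""
    return [sum(a * math.sin(2 * math.pi * f * i / FS) for f, a in components)
            for i in range(n)]


def goertzel_power(frame, freq):
    """Approximate squared amplitude of a sinusoid at `freq` in `frame`
    (Goertzel recurrence evaluated at an arbitrary, non-bin frequency)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / FS)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    n = len(frame)
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (n * n / 4.0)


def agc(frame, target_rms=AGC_TARGET_RMS, max_gain=AGC_MAX_GAIN):
    """Automatic gain control: scale the frame toward a constant loudness."""
    rms = math.sqrt(sum(x * x for x in frame) / len(frame))
    gain = max_gain if rms == 0 else min(target_rms / rms, max_gain)
    return [x * gain for x in frame]


def c_tone_present(frame, use_agc=True):
    """The DNR's idle-line detector: both C-tone components above threshold."""
    samples = agc(frame) if use_agc else frame
    return all(goertzel_power(samples, f) > DETECT_THRESHOLD for f in C_TONE)


def dnr_records(frame):
    """The loop-extender convention: C tone means 'line idle', so the DNR mutes.
    Not modelled: AGC time constants and hysteresis, which decide how the
    detector behaves while loud speech is masking a quiet tone."""
    return not c_tone_present(frame, use_agc=True)


# Constructed frames; amplitudes are fractions of full scale.
QUIET_C_FRAME = synth([(60.0, 0.002), (852.0, 0.005), (1633.0, 0.005)])  # C tone ~ -46 dBFS under hum
LOUD_C_FRAME = synth([(852.0, 0.3), (1633.0, 0.3)])                        # what a loop extender sends
DIGIT_5_FRAME = synth([(770.0, 0.3), (1336.0, 0.3)])                       # an ordinary dialled digit

if __name__ == "__main__":
    for name, frame in [("quiet C", QUIET_C_FRAME), ("loud C", LOUD_C_FRAME), ("digit 5", DIGIT_5_FRAME)]:
        print(f"{name:8s} raw detect={c_tone_present(frame, False)!s:5s} "
              f"AGC detect={c_tone_present(frame)!s:5s} records={dnr_records(frame)}")
```

The quiet frame is the interesting one: without gain control the C-tone components sit two orders of magnitude below the threshold, but the AGC sees a nearly silent line, applies roughly 48x gain, and the detector fires. A recorder that simply captures audio and has no notion of an idle tone, like the cheap one in Blaze's demo, has no such detector to trip.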

Demo (same as on Blaze's web site) -- cheaper recorder (that wasn't vulnerable to the C tone) could record the call but the professional loop extender equipment couldn't.

Now, what about CALEA? Loop extenders are largely being replaced by CALEA-compliant systems. Theoretically, these signals are decoded at the switch and therefore most of these countermeasures could be neutralized. "In principle, this should mean that this is the end of the talk." The CALEA design has the potential to be immune because of the way it separates content from signal.

However, law enforcement asked for backwards compatibility (with loop-extender-style C tone signalling) in CALEA equipment. The FCC refused to make this mandatory (correctly, from the point of view of making wiretapping more reliable and effective). But it turned out that many vendors implemented it anyway in response to LEA requests. Therefore, by default, a large amount of CALEA-compliant equipment honours the C tone, and the countermeasure works even here.

Consequently, in many systems it's possible both to disrupt interception and to confuse the eavesdropper by introducing inaccurate call records; someone who's being wiretapped can even falsely incriminate other parties. To make wiretap evidence more reliable, LEAs should obtain the phone company's call detail records and compare them with what the wiretap collected.

Q. Can you play a C tone into your own phone line?

A. Sure, there's no law against it. It's easy to generate a C tone on a computer. The law disfavors wiretapping by default and therefore there is nothing illegal about a wiretap subject trying to prevent wiretapping.

Q. Has this problem come up in court?

A. We looked at trial transcripts to try to find out. Trial transcripts actually show many strange malfunctions of wiretap equipment -- but defense attorneys have never tried to challenge wiretap evidence. It would be a fool's errand.

Q. Or has it just not come up?

A. Wiretap evidence is often just one piece of evidence that's corroborated by other evidence. Therefore, even if the wiretap equipment malfunctioned or were untrustworthy, it would be rare that proving this would, by itself, lead to an acquittal.

Q. What percentage of switches implement the J-standard?

A. Almost all, but we don't know for sure.

Q. Couldn't you disable the equipment's response to the C tone?

A. Some vendors are able to do this in response to our research and others are not.

Q. Are the backwards compatibility features turned on by default?

A. Yes, usually, and many of them can't even be turned off by the end user.

Q. What about the other industry of outsourced wiretapping, e.g. via VeriSign? They will act as the LEA on the LEA's behalf so the LEA doesn't have to buy the equipment.

A. If the C tone processing is present on any one of those interfaces then it will be vulnerable, but we don't know for sure.

Q. Could your answering machine play the C tone as part of your outgoing message, e.g. as your answering machine beep?

A. Yes.

We were curious how the wiretapper finds out the phone numbers of incoming callers. The answer is that they use traditional caller ID. If the target doesn't subscribe to caller ID, their standard practice has been to call the phone company, impersonate the wiretap subject, and order it for them. "So if caller ID appears on your phone, don't necessarily regard it as a nice gift!"



Contact: Seth David Schoen