Wiretaps can easily be defeated
p2p news / p2pnet: Wiretaps can be defeated by people with no special skills, and using ordinary equipment, say University of Pennsylvania researchers Micah Sherr, Eric Cronin, Sandy Clark and Matt Blaze.
Led by Blaze, the team analyzed publicly available information and materials to evaluate the reliability of the telephone wiretapping technologies used by US law enforcement agencies.
They found vulnerabilities in widely fielded interception technologies used for both “pen register” and “full audio” (Title III / FISA) taps, they say in “Signaling Vulnerabilities in Wiretapping Systems”, published in the November/December 2005 issue of IEEE Security and Privacy.
“The vulnerabilities allow a party to a wiretapped call to disable content recording and call monitoring and to manipulate the logs of dialed digits and call activity,” they say.
Nor do countermeasures call for cooperation with the called party, elaborate equipment, or special skills, they state.
“We found exploitable vulnerabilities present in virtually all analog ‘loop extender’ or ‘dialup slave’ wiretap systems and in at least some systems based on the newer J-STD-025A CALEA interfaces,” say Blaze, et al. “These systems depend on unsecured ‘in-band’ signals that can be spoofed or manipulated by an interception target via his or her own telephone line.
“In the most serious countermeasures we discovered, a wiretap subject superimposes a continuous low-amplitude ‘C-tone’ audio signal over normal call audio on the monitored line. The tone is misinterpreted by the wiretap system as an ‘on-hook’ signal, which mutes monitored call audio and suspends audio recording. Most loop extender systems, as well as at least some CALEA systems, appear to be vulnerable to this countermeasure. Audio examples (in MP3 format) of this countermeasure can be found below.”
But it doesn’t end there, say the researchers. Loop extender systems are susceptible to other countermeasures as well. In particular, a subject can employ a simple computer-aided dialing procedure Blaze & Co have dubbed “confusion/evasion dialing” that prevents dialed outgoing telephone numbers from being recorded accurately by the tap.
“Wiretap subjects can also falsely indicate the ending times for calls they make and receive and can inject false records of outgoing and incoming calls (appearing to be to or from any numbers they choose) into pen register logs,” they say, going on:
“Our analysis was based entirely on information obtained from published sources and equipment purchased openly in the retail and surplus markets. It is therefore possible (and perhaps even likely) that similar countermeasures have already been discovered and actively employed by motivated wiretap targets, e.g., in organized crime. Currently fielded telephone interception systems should be evaluated with respect to these vulnerabilities and re-configured or modified where possible to reduce their susceptibility. In addition, the possibility of these or similar countermeasures should be considered in analyzing previously collected wiretap evidence and intelligence.”
Read a detailed technical analysis of the vulnerabilities and their implications in the full paper here. Just in case, we’ve also stored a copy here.
Meanwhile, the researchers themselves offer the following recommendations and audio examples:
Recommendations
There is unfortunately little room to make conventional loop extender interception systems more robust against these countermeasures within their design constraints; the vulnerabilities arise from inherent properties of their architecture and design.
Some CALEA systems, on the other hand, may be able to be made more robust against these countermeasures with relatively modest configuration changes. In particular, CALEA equipment that processes call audio may have features that control recording via in-band C-tone (sometimes called “continuity tone”) signals on “Call Content Channel” (CCC) audio streams. These features should be disabled. Instead, these systems should be configured to rely exclusively on “Call Data Channel” (CDC) messages to determine when recording commences and stops. Telephone companies and law enforcement agencies should confirm the configuration and behavior of their CALEA delivery and collection systems with their vendors.
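To make the configuration point concrete, here is an added Python model (not code from the researchers or from any CALEA vendor) of a collection function run under the two control policies: recording driven by an in-band tone detector on the CCC audio, and recording driven exclusively by CDC messages. The message names `Answer` and `Release`, the per-frame tone-detector verdict and the frame stream are constructed stand-ins; the real J-STD-025A message set is not reproduced.

```python
"""Added model of recording control in a CALEA-style collection function.

Constructed example, not the researchers' or any vendor's code. CDC message
names ("Answer", "Release"), the per-frame tone-detector verdict and the frame
stream are simplified stand-ins for the real Call Data Channel (CDC) and Call
Content Channel (CCC); the J-STD-025A message set is not reproduced.
"""
from dataclasses import dataclass
from typing import Dict, List, Union


@dataclass
class CdcMessage:
    """Out-of-band call-data event delivered on the CDC (assumed names)."""
    kind: str  # "Answer" or "Release"


@dataclass
class CccFrame:
    """One audio frame from the CCC plus the collector's tone-detector verdict."""
    seq: int
    ctone_detected: bool  # True when a C-tone is heard in the call audio


Event = Union[CdcMessage, CccFrame]


def record(events: List[Event], control: str) -> List[int]:
    """Return the sequence numbers of the frames that end up in the recording.

    control="inband": start on Answer, stop as soon as the audio detector reports
                      a C-tone (the weak setting: in-band audio controls recording).
    control="cdc":    start on Answer, stop only on Release; whatever is heard in
                      the audio is ignored (the recommended setting).
    """
    if control not in ("inband", "cdc"):
        raise ValueError("control must be 'inband' or 'cdc'")
    recording = False
    captured: List[int] = []
    for ev in events:
        if isinstance(ev, CdcMessage):
            # CDC messages drive recording under both policies.
            if ev.kind == "Answer":
                recording = True
            elif ev.kind == "Release":
                recording = False
        elif recording:
            if control == "inband" and ev.ctone_detected:
                # The in-band policy takes the tone as on-hook: audio is muted and
                # recording stays suspended until the next CDC Answer.
                recording = False
            else:
                captured.append(ev.seq)
    return captured


def build_call(n_frames: int, tone_from: int) -> List[Event]:
    """Constructed call: Answer, n_frames audio frames, Release. The subject
    superimposes a continuous C-tone on the audio from frame tone_from onward
    (tone_from >= n_frames means no tone at all)."""
    events: List[Event] = [CdcMessage("Answer")]
    events += [CccFrame(i, ctone_detected=i >= tone_from) for i in range(n_frames)]
    events.append(CdcMessage("Release"))
    return events


def compare_policies(n_frames: int = 10, tone_from: int = 4) -> Dict[str, List[int]]:
    """Run the same call through both policies and return what each captured."""
    events = build_call(n_frames, tone_from)
    return {policy: record(events, policy) for policy in ("inband", "cdc")}


if __name__ == "__main__":
    for policy, frames in compare_policies().items():
        print(f"{policy:>6}: captured frames {frames}")
```

With the default call, the in-band policy captures only frames 0 to 3 and then stops, which is exactly the "normal recording of a brief call" the audio example below describes, while the CDC-driven policy captures all ten frames because the Release message, not the audio, ends the recording. The model deliberately ignores what the tone sounds like; the point is which channel is trusted to control recording.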
Wiretap evidence, whether collected by loop extender or CALEA systems, should be evaluated for signs of signaling countermeasures. In particular, records of dialed numbers and call times should be examined for discrepancies against telephone company call detail records. This reconciliation should be performed routinely and as soon as possible after the records become available.
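The reconciliation this recommendation calls for, written out as an added Python example (not code from the researchers or from any telephone company): a pen-register log from the tap is compared against the carrier's call detail records, and the discrepancies the paper names (wrongly recorded dialed digits, falsely signaled end times, injected call records) are flagged, along with calls the carrier saw but the tap did not log. Both record sets are constructed sample data in an invented four-field format; real pen-register and CDR formats differ.

```python
"""Added example: reconcile pen-register output against telco call detail records.

Constructed example, not code from the researchers or any carrier. The record
format (start, direction, number, end) and the sample data are invented for
illustration; real pen-register and CDR formats differ.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed pen-register log produced by the tap (one call per line).
PEN_REGISTER_LOG = """\
# start(UTC)          dir number     end(UTC)
2005-11-30T14:02:10Z OUT 2125550134 2005-11-30T14:06:40Z
2005-11-30T14:20:00Z IN  2155550199 2005-11-30T14:21:05Z
2005-11-30T15:01:30Z OUT 3105550100 2005-11-30T15:02:00Z
2005-11-30T15:30:00Z OUT 4155550123 2005-11-30T15:33:00Z
"""

# Constructed call detail records from the carrier for the same line and day.
TELCO_CDR = """\
2005-11-30T14:02:11Z OUT 2125550134 2005-11-30T14:12:55Z
2005-11-30T14:20:00Z IN  2155550199 2005-11-30T14:21:05Z
2005-11-30T15:01:30Z OUT 3105550177 2005-11-30T15:02:00Z
2005-11-30T16:10:00Z OUT 2125550134 2005-11-30T16:11:00Z
"""


@dataclass
class CallRecord:
    start: datetime
    direction: str  # "OUT" (dialed by the subject) or "IN"
    number: str
    end: datetime


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_records(text: str) -> List[CallRecord]:
    """Parse the whitespace-separated four-field format; '#' lines are comments."""
    records: List[CallRecord] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, direction, number, end = line.split()
        records.append(CallRecord(_ts(start), direction, number, _ts(end)))
    return records


def reconcile(tap: List[CallRecord], cdr: List[CallRecord],
              tolerance: timedelta = timedelta(seconds=5)) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs for every discrepancy between the two sets.

    A tap record is matched to the first unmatched CDR record with the same
    direction whose start time lies within `tolerance` (clocks rarely agree to
    the second). Findings correspond to the countermeasures the paper describes:
      number_mismatch   - dialed digits recorded wrongly by the tap
      end_time_mismatch - call end falsely signaled to the tap
      no_telco_record   - tap logged a call the carrier never switched
      missing_from_tap  - carrier saw a call the tap did not log
    """
    unmatched = list(cdr)
    findings: List[Tuple[str, str]] = []
    for t in sorted(tap, key=lambda r: r.start):
        match: Optional[CallRecord] = None
        for c in unmatched:
            if c.direction == t.direction and abs(c.start - t.start) <= tolerance:
                match = c
                break
        where = f"{t.direction} {t.number} at {t.start:%Y-%m-%d %H:%M:%S}"
        if match is None:
            findings.append(("no_telco_record", where))
            continue
        unmatched.remove(match)
        if t.number != match.number:
            findings.append(("number_mismatch", f"{where}: carrier has {match.number}"))
        if t.end != match.end:
            findings.append(("end_time_mismatch",
                             f"{where}: tap end {t.end:%H:%M:%S}, carrier end {match.end:%H:%M:%S}"))
    for c in sorted(unmatched, key=lambda r: r.start):
        findings.append(("missing_from_tap",
                         f"{c.direction} {c.number} at {c.start:%Y-%m-%d %H:%M:%S}"))
    return findings


def run_reconciliation() -> List[Tuple[str, str]]:
    """Reconcile the constructed sample sets and return the findings."""
    return reconcile(parse_records(PEN_REGISTER_LOG), parse_records(TELCO_CDR))


if __name__ == "__main__":
    for finding, detail in run_reconciliation():
        print(f"{finding:<18} {detail}")
```

On the constructed data the first call is flagged for an end time six minutes earlier than the carrier's, the third for a different dialed number, the fourth as a call the carrier never switched, and the carrier's 16:10 call as missing from the tap. Each finding is a lead for a closer look at the tap evidence rather than proof of a countermeasure, which is why the carrier record set, not the tap, is treated as the reference.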
We strongly urge that J-STD-025A and other interception standards and practices be evaluated critically against countermeasures such as those described in our paper and, more generally, against a broad threat model. Our analysis was by design limited in scope, with no attempt made to be comprehensive or exhaustive, and yet easily exploitable weaknesses were quickly found. It appears that a systematic search for vulnerabilities under a threat model that includes subject-initiated countermeasures was not a part of the development process for either the J-STD-025A standard or many of the systems that implement it. We suggest that the law enforcement community develop and articulate security and assurance requirements for interception systems, against which existing and future standards and technologies can be measured.
Audio example
In these MP3 audio captures, Alice and Bob are suspected of illegal activity and are the subjects of a full audio Title III wiretap interception on Alice’s line. Alice uses C-tone spoofing to selectively suppress recording of part of the conversation. The recordings were created in our laboratory on a simulated telephone network with various wiretapping products.
* The first clip gives the audio stream as captured and recorded by a Recall Technologies NGNR-2000 law enforcement loop extender wiretap system connected to Alice’s line. Note the C-tone burst at the end of the recording (which ordinarily indicates that the tapped party has hung up and which causes recording to terminate). To the law enforcement agency, this appears to be a normal recording of a brief call.
* The second clip gives the full conversation between Alice and Bob, as captured by an inexpensive, consumer-grade telephone recorder interface (sold by Radio Shack) connected to Alice’s line.
Also read:
IEEE Security and Privacy – Security, Wiretapping, and the Internet, November/December, 2005
November 30th, 2005 at 4:19 pm
CALEA sucks. It is good that people are coming up with countermeasures such as these. I personally am considering writing a midlet (cellphone Java application) that allows encrypted messages to be passed between users of cellphones via a computer with a static IP. A version would also be written for computers as well. People need to be more proactive in defending their rights.