Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Flaws Allow Wiretaps to be Evaded

Posted by samzenpus on from the it's-coming-from-inside-the-house dept.

An anonymous reader writes "The New York Times is reporting that a team of researchers led by Matt Blaze has discovered that technology used for decades by law enforcement agents to wiretap telephones has a security flaw that allows the person being wiretapped to stop the recorder remotely. It is also possible to falsify the numbers dialed. The flaws are detailed in a paper being published by the IEEE. Someone who thinks he's being wiretapped can apparently just send a low tone down the line that turns off the recorder. The link has a demo."

47 of 191 comments (clear)

  1. Is this is a big deal? by matr0x_x · · Score: 2, Insightful

    How serious is this though - I mean, if I knew my line was tapped instead of working on getting it untapped I'd simply work on getting a second line!

    --
    LINUX ONLINE POKER: Linux Poker
    1. Re:Is this is a big deal? by ndansmith · · Score: 4, Insightful

      Likely the powers-that-be would know about your new line and tap it as well. It is better to let them think they are tapping you, when in reality you are circumventing the system.

    2. Re:Is this is a big deal? by Anonymous Coward · · Score: 3, Insightful

      Surely if sending a low frequency tone becomes a "standard", law enforcement agencies will change their methods to so that wiretaps can't be blocked by a low tone? In fact, the aticle says that only 10% of 'dated' wiretap machines can be defeated in this manner anyway, so don't rush out to buy the next phone offering compl33t an0nym1ty from the fedz!

      Where's the big deal?

    3. Re:Is this is a big deal? by tomhudson · · Score: 5, Insightful

      Do you want the truth?

      You can't handle the truth!

      " Look, our disinformation campaign is working! People who have something to hide will send the recorder activation tone down the line before each call, thinking they're keeping us from listening in. Bwhaahahaha"

      The truth is that in the current environment, you can't trust anything. Use your PC to scramble the call. If its that sensitive, anything else is foolish. Or use a one-time pad to encode it.

      Think of it, if you were the "powers that be", isn't this how you'd do it?

  2. quickest way to Cuba by RY · · Score: 5, Funny

    Try it and find out...

  3. In other news... by ThatGeek · · Score: 5, Insightful

    In other news, smart people can avoid being caught by doing stuff...

    I mean, any dolt can PGP or GnuPG encrypt a message or just hand deliver messages. Things like wiretaps are good for the duller knives in the drawer. We should still use them to "grab the low hanging fruit" and look elsewhere to capture the rest.

    If a person knows he's being wire tapped, he won't say anything incriminating anyway, and if the feds/cops don't get what they want over the phone, they'll just bug some offices instead.

    --
    What are you eating? isItVeg?.
    1. Re:In other news... by The+Snowman · · Score: 2, Informative

      Seriously, if I were planning a crime or terrorist act, you bet your ass I would encode all communication in some way -- whether it be encrypted emails or just a word code system over the phone that changes each time. This is similar to the Cold War days, when spies would leave innocent-looking messages in public places. Essentially, a non-computerized version of steganography.

      Where there is a will, there is a way. Where there is a stupid or lazy criminal, there is a prison sentence.

      --
      24 beers in a case, 24 hours in a day. Coincidence? I think not!
    2. Re:In other news... by ikkonoishi · · Score: 4, Funny

      Attn. Agent Snowman:The cows have jumped the moon. I repeat the cows have jumped the moon. It is too late to close the barn door.

    3. Re:In other news... by PlayfullyClever · · Score: 5, Insightful

      Or just use a pre paid cell phone.

      The only groups these wiretaps hurt are the law-abiding citizens. The smart (read: dangerous) criminals have it all figured out-- Prepaid cell phones.

      Pre-paid cell phones are literally disposable, one-use toys to the bad guys. You don't even need a fake ID, just cash, and not all that much at that. How can they tap your phone when you use a different phone for each call? The best they could do is tap all the pre-paid phones and listen to every conversation out there -- good luck with that! (wanna bet the NSA is big into voice recognition?)

      --
      Check out my website: Playfully Clever
    4. Re:In other news... by s20451 · · Score: 2, Insightful

      The corollary to your post (and the counter-argument to the grandparent) is that a person planning nefarious acts should send everything in plaintext.

      Sending encrypted e-mails, for example, when nobody else in the world is doing so, is like putting a huge sign on your front lawn saying, "INTRIGUING SECRETS ARE GOING ON IN HERE!".

      Remember that cryptography is only one link in the information security chain, and that everything has to get back to plaintext eventually. Once the feds are interested in your data, there is nothing stopping them from parking a truck across the street and harvesting your info using TEMPEST.

      --
      Toronto-area transit rider? Rate your ride.
    5. Re:In other news... by Phil+Karn · · Score: 3, Informative

      You don't understand the problem. Extremely incriminating evidence can be obtained through traffic analysis, knowing who you talk to and when, without acquiring the actual content of your communications. That's what a "pen register" is -- traffic analysis of a telephone. Encrypting your calls or your emails won't help much if, for example, they can see you're talking to known terrorists.

    6. Re:In other news... by X · · Score: 4, Interesting

      Actually, you might want to talk to a certain mafioso who used PGP to protect his communications, only to find out that the FBI didn't even need a court order to tap his keyboard. :-(

      --
      sigs are a waste of space
    7. Re:In other news... by darkmeridian · · Score: 2, Insightful

      Yep. It's not as though the exploit allows the cops to think nothing's wrong. Surely, the cops will be curious when their wiretaps go:

      Caller: Yo. It's me.
      >CARRIER LOST

      Furthermore, the FBI has insane bugging technologies. Forget wiretaps. If they really want to get you, they'll stick parabolic or laser mikes all around you. Or bug your car and office or simply follow you around and take pictures of all your friends who they then bug and wiretap. Or what they really do is catch an associate on a felony and extort^H^H^H^H^H^H convince them to turn state's witness.

      So while cool, this exploit probably does not help "bad" guys too much.

      --
      A NYC lawyer blogs. http://www.chuangblog.com/
    8. Re:In other news... by woolio · · Score: 3, Interesting
      wanna bet the NSA is big into voice recognition?

      At a recent IEEE conference, I noticed a large number of researchers' topics concerned voice recongition and voice synthesis.

      Although I'm not sure for who they were working or from where the funding came. (Plus, it was an international conference).
    9. Re:In other news... by dorkygeek · · Score: 3, Informative

      For the sake of free communication, I hope this stays like that in the UK then.

      On a sidenote, there were some interesting papers published at this years Cyber Safety conference. Especially interesting in our context: Prepaid Mobile Phones: the Anonymity Question by Gordon Gow.

      --
      Windows is like decaf - it tastes like the real thing, but it won't get you through the day.
  4. Feature, not a bug... by Anonymous Coward · · Score: 3, Insightful

    That way when the party officials want to do something underhanded, they use the red 'bat phone' that nukes any cops that are trying to listen in on them. In this way, they can have it both ways. Watch the proles without being watched themselves.

    1. Re:Feature, not a bug... by Anonymous Coward · · Score: 2, Funny

      The cops may not be able to listen in, but now you're talking directly to Batman, so you're just as busted.

  5. RTFA and all that by kebes · · Score: 5, Insightful

    Let's keep this in perspective. The article says:

    A spokeswoman for the F.B.I. said "we're aware of the possibility" that older wiretap systems may be foiled through the techniques described in the paper. Catherine Milhoan, the spokeswoman, said after consulting with bureau wiretap experts that the vulnerability existed in only about 10 percent of state and federal wiretaps today. (emphasis added)

    So basically it is a minority of antiquated equipment that is vulnerable. Moreover, the person being wiretapped probably doesn't know what system is being used. It is not going to be possible to know, with any assurance, that you have actually defeated the system.

    What this probably means is that the FBI will phase out these older systems a little faster than they intended to (mostly due to the publicity-- they were probably already aware of this vulnerability, but didn't care much because "the bad guys" were not aware of it).

    1. Re:RTFA and all that by bhsx · · Score: 3, Informative

      RTWFA... The tried to force the Calea networks to keep the C-tone timeout. Congress didn't allow the force, but most Calea networks keep it anyway. Those that keep the C-tone are vulnerable to the same exploit.
      In other words: Most of the time, in current conditions, this will work.

      --
      put the what in the where?
  6. Is this like a default password... by PurifyYourMind · · Score: 4, Interesting

    ...on a router/etc.? Like a programmer's backdoor that they forgot to shut off after they sold the units? I guess it's security through obscurity... relying on the subject not knowing they're even being tapped, and thus having no reason to try to stop the tap.

  7. In other news... by Psionicist · · Score: 4, Insightful

    In other news: A team of researchers belived to be linked to an unknown group of terrorists was charged under the DMCA and PATRIOT act as a threat to national security. They are now being held for an unknown period if time, awaiting trial...

  8. Let me get this straight... by dada21 · · Score: 5, Funny



    High frequency tones turn off teenagers.

    Low frequency tones turn of the NSA.

    Slashdotter vocal tones turn off women.

    Did I miss anything?

  9. Bad news for voice over IP by MillionthMonkey · · Score: 2, Funny

    The FBI is going to want voIP providers to duplicate this remote recorder stopping flaw so that it works just like the POTS network that they're used to tapping!

  10. Wanna get rid of a wiretap on your phone? by kcbrown · · Score: 5, Funny
    Seems to me there's a, um, more permanent solution:

    1. connect disposable phone to phone line
    2. call some unimportant number
    3. connect 50,000 volt source to the phone line
    4. ZAAAAAP!!!!
    5. Watch feds exit the van across the street. You know, the one with the smoke billowing out of it.

    Oh, yeah, guess I forgot a step: flee the country, because they'll be after your ass now!

    --
    Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
    1. Re:Wanna get rid of a wiretap on your phone? by mOdQuArK! · · Score: 3, Funny

      Just need more voltage to arc across the blown fuse terminals, right?

      Why yes, I do enjoy playing with Tesla coils. Why do you ask?

    2. Re:Wanna get rid of a wiretap on your phone? by Mattintosh · · Score: 2, Funny

      Sounds like a good time to test out those new BOFH-Brand(tm) "fuses" found in the nail aisle of your local hardware store.

  11. I, for one, welcome security flaws by PlayfullyClever · · Score: 5, Interesting

    Remember that we're all presumed innocent. To take an example of encryption, just because I'm using encryption does not mean that I am plotting nefarious schemes against my fellow citizens. I may be discussing confidential business things, for example. Y'know, dare I say it, I might actually work from home in an effort to not drive my car around and burn gas, hurt the environment, etc., etc.

    These sorts of mistakes can be dangerous. Imagine the above example--I'm some bigshot business-guy. I own a publicly traded company. The FBI inadvertently taps my phone and learns that someone at the company I work for has just invented something that will make the company a ton of money. Do you really think those agents aren't going to call up their stock-brokers and say, "BUY! BUY! BUY!" (Or, assume the other direction, if you prefer)

    Frankly, yes. I want to make it difficult for the government to wiretap it's citizens. I want somebody to look at the evidence that has been accumulated and act as my representative to say, "Hey, wait. Just because he encrypts his phone calls doesn't mean he's a terrorist." I want somebody to second-guess these guys.

    The story of the gutsy cop who goes against procedure to nab the bad guys before they enact their evil deeds is a great movie. But it's not real life--remember, in most cases we get the see the bad guys planning their acts in the movies so we know who the bad guy is. Reality is not that cut-and-dried.

    In short, I'm more worried about the government abusing it's power than of the terrorists blowing up a building. That happens alot more often.

    --
    Check out my website: Playfully Clever
    1. Re:I, for one, welcome security flaws by Cecil · · Score: 3, Informative

      The FBI inadvertently taps my phone and learns that someone at the company I work for has just invented something that will make the company a ton of money. Do you really think those agents aren't going to call up their stock-brokers and say, "BUY! BUY! BUY!"

      Listen, I hate the concept of a police state and wiretapping as much as the next guy, but this is a dumb defense. The SEC investigates transactions like that for a reason. "Gee, these two FBI agents who've never bothered to invest more than $10,000 in any single company, suddenly bought $400,000 worth of shares of this company at the perfect time and made $15,000,000. They might've been ridiculously lucky. Or more likely they might've had insider information. Let's look a little closer, shall we?"

      The stock market is like the world's biggest casino, and the SEC is certainly no less watchful and no less hesitant to break your legs if you try to cheat them.

      --
      Random and weird software I've written.
    2. Re:I, for one, welcome security flaws by harryseldon · · Score: 2, Insightful

      I own a publicly traded company.

      You here demonstrate you have no idea what a publicly traded company actually is.

  12. Don't use in-band signalling/control by AcidPenguin9873 · · Score: 2, Insightful

    Engineers figured this out a long time ago. TFA says it's only 10% of current systems anyway.

  13. I wonder if .... by jesusfingchrist · · Score: 5, Interesting

    The OP has anything to do with this :

    http://www.newsmax.com/archives/articles/2001/12/1 8/224826.shtml

    U.S. Police and Intelligence Hit by Spy Network

            Charles R. Smith
            Wednesday, Dec. 19, 2001

    Spies Tap Police and Government Phones

    In the wake of the Sept. 11 terrorist attack, the FBI has stumbled on the largest espionage ring ever discovered inside the United States. The U.S. Justice Department is now holding nearly 100 Israeli citizens with direct ties to foreign military, criminal and intelligence services.

    The spy ring reportedly includes employees of two Israeli-owned companies that currently perform almost all the official wiretaps for U.S. local, state and federal law enforcement.

    The U.S. law enforcement wiretaps, authorized by the Communications Assistance for Law Enforcement Act (CALEA), appear to have been breached by organized crime units working inside Israel and the Israeli intelligence service, Mossad.

    Both Attorney General John Ashcroft and FBI Director Robert Mueller were warned on Oct. 18 in a hand-delivered letter from local, state and federal law enforcement officials. The warning stated, "Law enforcement's current electronic surveillance capabilities are less effective today than they were at the time CALEA was enacted."

    --
    "Freedom and Justice for All" is a registered trademark of The United States Govt Inc. Not available in all areas.
  14. It's a trap! by Jeremi · · Score: 4, Funny
    1. Make up fake story about how to disable phone tapping via special tone
    2. Get story published on Slashdot (etc)
    3. If the people you are wiretapping start sending the tone, you now know they suspect they are being monitored
    4. Better yet, having used the tone, they now think they can talk freely
    5. gather evidence!
    --


    I don't care if it's 90,000 hectares. That lake was not my doing.
  15. Double-edged sword by jemenake · · Score: 3, Insightful
    Someone who thinks he's being wiretapped can apparently just send a low tone down the line that turns off the recorder
    Of course nobody would actually play that tone over the phone unless they were trying to foil wiretaps, right? How long do you think it'll be before the feds try to ammend the Patriot Act to allow them to listen just for that tone even on lines that they don't have a wiretap warrant for? Imagine picking up any phone in the U.S., playing the tone into it, and immediately getting your conversation recorded.... simply by virtue that you've already demonstrated your "guilty mind".

    I feel safer already....
    1. Re:Double-edged sword by PlusFiveTroll · · Score: 2, Insightful

      Actually that sounds like a good idea, now the feds will have 30,000 hours of geeks talking about upgrading linux on there new athlon. The .gov will spend millions trying to go through all the tapes, most calls will never be listened to. All of the sudden the 'real' terrorist they should have been listening to in the first place will blow something up.

      Moral of the story, dont waste your time with a person just because they want a little privacy.

    2. Re:Double-edged sword by fatmal · · Score: 2, Funny

      Of course nobody would actually play that tone over the phone

      What if Barry White makes a call - does that count as a low tone?

  16. But sometimes... by Savage-Rabbit · · Score: 4, Interesting

    ... the powers-that-be add insult to injury. A few years ago German police woke up to the fact that a large portion of their wiretapping operation had gone sour. Apparently they used some sort of a digital voice-message like scheme to implement the surveillance and somebody, presumably a beancounter at one of the telecoms, decided to bill the customers in question for this 'service'.

    --
    Only to idiots, are orders laws.
    -- Henning von Tresckow
    1. Re:But sometimes... by Anonymous Coward · · Score: 2, Insightful

      somebody, presumably a beancounter at one of the telecoms, decided to bill the customers in question for this 'service'.

      Smart move if you can get away with it.

      LI (lawful intercept) costs many millions every year. The general trend (amongst the larger police states at least) has been to "mitigate" this cost by simply legislating that the carriers must provide these services and must provide them at no cost to the requestor. This leaves the carriers eating a great whacking cost for the privilege being thrown between the government and the rest of the criminals. In most countries I expect this charge is part of the "system access fee" or hidden in the 911 charge. Perhaps Germany neglected to do this and was none-too-gently reminded that somebody has to pay the piper.

  17. Limited Value by digitalchinky · · Score: 3, Insightful

    *Ahem* From the 'wire tapping' I know of it's all man in the middle, digitised, and stored on hard disk - with the cooperation of the telecoms or without. I haven't seen a 'tape recorder' in a good 10 years now. Still have them, just not needed any longer. I should imagine, given the hardware used in Australia, that US police would do a similar thing and if not - identical. The likelyhood these days of a machine that could be switched off remotely I would suggest is improbable at best.

    They did use "publicly available information" - what is made (or leaked to the) public is often years out of date, inaccurate, or simply not even true - rarely does it describe the technology in actual use, so don't go and loosen the straps on the tin foil just yet :-)

  18. Yeah, right... by garyok · · Score: 5, Funny

    Is this some sort of darwinian IQ test for terrorists? You can just imagine the gleeful delight on their simple, child-like faces and the unrestrained joy they will experience with unfettered access to telecommunicaions this will allow.

    [low hum down a phone line]

    "Hello. Is that you Omar?"

    "Why, yes it is Osama. How are you today? And what's the weather like like in your donkey burrow in Yemen? The weather's great here in Florida. My view from the Delano Hotel's room window is fabulous - I am also ordering martinis like James Bond."

    "Yes, yes... quit your bragging. Just because you weren't born with the most recognisable stripey beard in the world... Now can we please start planning our next atrocity?"

    "Ah yes. It is pleasing that we can freely discuss our locations and plans now that the engineers of the American military-industrial complex have told us how to easily counteract their most sophisticated surveillance. Their foolishness in revealing this technique to the entire world, via the internet, has allowed us to dispense with our counter-surveillance training, techniques, and equipment. It is truly a golden age for violent reactionaries wishing to impose a totalitarian pseudotheocracy on the idol-worshipping, hemp-smoking, fornicating, soulless infidels!"

    "Wait! Who THE FUCK did you say told you this would work?!"

    "Yes, the Americans. They said we'd be safe if we did this. How typically naive of them. Their destruction is assured!"

    --
    One of the penalties for refusing to participate in politics is that you end up being governed by your inferiors - Plato
  19. ThinkGeek by Leroy_Brown242 · · Score: 2, Funny

    So, how long until http://www.thinkgeek.com has phones that do this automaticly? :)

    --
    Pretty Pictures!
  20. quick fix by Anonymous Coward · · Score: 2, Funny

    just have everyone start phone conversations with "president bomb alquada" and /. the wire taps, they can't record, or at least filter everything.

  21. demo link by BushCheney08 · · Score: 3, Funny

    The link has a demo.

    Hey, it works! I tried the demo and a few minutes later the big black van parked out front drove away...

    --
    Be a real patriot: Question authority. Think for yourself. Formulate your own conclusions.
  22. Off-Hook detectors and DTMF variability by billstewart · · Score: 3, Interesting
    It's not a backdoor, it's a design feature that's being phreaked. Analog Wiretaps can't use the phone switch standard signalling method to detect whether a phone's on-hook or off-hook, because they're patched around the switch, so the equipment transmits a tone whenever the phone's on-hook to tell the recorder not to bother recording. And because it's running on phone-quality wire, it's an in-band tone, usually one of the extra four Touch-Tone tones, which means that the phone's user can send the tone themselves to tell the wiretapper's recorder that they're not there. The recorder _could_ have been built to do voice detection, but it's an old design and this is a cheaper and dumber way to implement it.

    But wiretappers don't just record voice, they record dialed numbers and caller-id. The other set of flaws, which you can read about in the longer PDF paper, depend on the fact that DTMF detectors are usually analog devices with a certain amount of sensitivity, and in general the phone switch and the wiretapper's equipment won't be the same. So you can find out how far off to bend your touchtones and have the phone switch still listen to you, and then you can send touchtones in-spec or out-of-spec to confuse the wiretapper's equipment, which can't tell whether the phone switch is or is not listening to the numbers you can dial. If it's more sensitive than the phone switch, you can send bogus digits that the wiretapper will record and the phone switch will ignore - but if it's less sensitive, and you're sending your digits just at the edge of the phone switch's range, the wiretapper won't see them.

    You can play similar games with CallerID, giving the wiretapper lots of entertaining stuff to listen to when you're not on the phone.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  23. URLs for the REAL papers say lots more. by billstewart · · Score: 4, Informative
    The shorter HTML version mainly talks about attacks on the voice eavesdropping parts, while the Longer PDF paper for IEEE has even more technical detail and talks about attacks on dialed-number-recording Pen Registers and CallerID, which the Feds and Local Police are able to wiretap without the same level of court order that a voice wiretap requires. (I've done the NYUD-automatic-caching versions of the URLs, rather than the raw URL, to protect against Slashdotting.)

    Basically, there's a fairly high proportion of the wiretapping gear that's actually deployed is vulnerable, in spite of what the police PR folks say, and it's much easier to hack the pen-register technology (though probably impossible to prevent the phone company from giving a direct billing database feed to the Feds, which you probably can't hack.)

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  24. Who ya gonna call? by Chris+Tyler · · Score: 2, Insightful

    Sure, prepaid cellphones can be counted as "disposable, one-use toys", but you have to have someone to call! If both parties are going through prepaids like candy - one or two calls then on to the next phone - managing the constantly-changing phone numbers becomes more than a small chore, and it becomes a nightmare to keep a half-dozen parties in touch with each other. It's not going to happen on both ends of the connection.

    You don't need to tap the prepaids, you just need to tap the numbers that the prepaids are calling.

  25. Clever plan by heikkile · · Score: 2, Funny

    Problem: Too much wiretapping, not enough time to shift through them all. Solution: Get the suspect to mark the interesting discussions with a special tone. Give highest priority to the taps that have used this magic tone. Pretty clever, if you ask me.

    --

    In Murphy We Turst

  26. Wiretapping is mostly done by Verisign by Animats · · Score: 3, Informative
    It's not well known, but most wiretapping in the US is actually done by Verisign. It's a commercial service they sell. Verisign runs most of the SS7 signalling network used to control the phone system. So they put in a back door that lets them route calls to or from specific phones to their wiretapping center in Northern Virginia. From there, the wiretapping is fed out to law enforcement, the intelligence community, and other interception customers, using T1 lines.

    Since this works through SS7, and full call-control information is available, it's immune to any in-band tones.

    See this old Slashdot article with more links.