Feds Have a High-Speed Backdoor Into Wireless Carrier
An anonymous reader writes "An unnamed U.S. wireless carrier maintains an unfiltered, unmonitored DS-3 line from its internal network to a facility in Quantico, Virginia, according to Babak Pasdar, a computer security consultant who did work for the company in 2003. Customer voice calls, billing records, location information and data traffic are all allegedly exposed. A similar claim was leveled against Verizon Wireless in a 2006 lawsuit."
It's very likely this is to meet the realtime reporting/relay requirements of the CALEA statute which governs lawful intercept of voice and data communications.
A DS-3? With a really big check. :-) Depending on contract length I've seen them as cheap as $5,000 per month.
Learning HOW to think is more important than learning WHAT to think.
The real "Libtards" are the Libertarians!
A GSM half-rate channel is 5.6Kbps (a fullrate channel is twice that, but let's look at the most extreme case). A DS3 = 45 Mbps. 45Mbps = 45000Kbps
45000Kbps / 5.6Kbps = 8037 simultaneous calls supported on a DS3, assuming 0% overhead, protocol, encryption, and that all calls are half-rate.
VZW and ATTW have subscriber counts in the millions.
Whatever the legality or circumstance of this, a single DS3 is hardly wholesale snooping.
Need Geek Rock? Try The Franchise!
I thought about that myself, but think about this: Since it's just one-way (it's not like Big Brother is going to cut in and start talking on your calls), the excessive delay that would be caused by routing your call itself across the country and back again isn't a problem. So perhaps when the FBI decides to, they can, on demand, cause your call audio to be -reflected- to the east coast facility and from there, out to the FBI.
That wouldn't require anything more than an additional data stream just like a three-way call, to transmit both sides of the conversation to our wonderful government overlords so they can look out for our best interests.
Today no law protects Federal Whistleblowers.
If they squeak, the KGB, sorry FBI, descends on them like rocks.
Either that, or your husband is exposed as a spy, or your son is arrested for dealing in drugs.
Get real man!
We have a president who says we should thank companies for breaking the law!
And who treats the Constitution as toilet paper to wipe Cheney's a$$.
"Doing what i can, with what i have." ~ Burt Gummer
Okay, so the DS3 is a Very Bad Thing for a tonne of reasons.
BUT ... The linked .doc says that
The scope of uncontrolled "Quantico Circuit" access allowed the third party to obtain significant information about any mobile phone subscribers, including -- listening in and recording all conversations en-mass; {Note the focus on 'phone' and 'conversations'. Aside from demonstrating ignorance on the difference between 'mass' and 'masse', this statement *directly contradicts* the linked .pdf, which states that the exposed 'Data network' transports all mobile data service traffic and related business app traffic but *not* the raw traffic of the 'Cell network', which was not examined in the audit.
Anyone else read this similarly?
Which is it? This, plus the lack of detail around the location of the 'network vcrs', which presumably are traffic copy mechanisms, the location of which will determine exactly what data is exposed by this mechanism, gives me less of a warm-and-fuzzy feeling with respect to the allegation's supporting documentation.
I am in no way supporting the existence of this no-ACL, no-logging circuit into what is allegedly a major carrier's mobile support network. The devil is in the details in this dialogue, however, and there is no excuse for direct contradictions and lack of important detail.
"What law? The one passed in 1970s? That was repealed by Bush last year."
Would you mind explaining how a President can repeal a law? I think you could benefit from some education.
http://en.wikipedia.org/wiki/Whistleblower#Whistleblower_Protection_Act_of_2007
As to this
"Today no law protects Federal Whistleblowers."
That's wrong too. Both the Whistleblower Protection Act and the No FEAR Act protect federal whistleblowers.
No FEAR Act
+4 informative for being totally wrong...
No they don't. We don't. None of our peer ILECs or CLECs do. The only case in which this would ever be the norm is if you are an RBOC, very large CLEC or very large wireless carrier and regularly field CALEA requests from the same law enforcement agency. Read that again just to make sure what I'd said registered. Even then it would have to be in excess of 23 simultaneous calls to justify more than a single PRI (possible for a large carrier but that's still 23 CALEA requests to the same LEA). Any law enforcement agency can go to court to get an order for a CALEA request. This could be the CIA, the FBI, your state's BI, your local county sheriff or even small town rural 2-person police department. LEAs do not share facilities; by law they aren't permitted to. There are 10s of thousands of LEAs that could get a court ordered CALEA request on one of your subs. The law that is CALEA was written to require that the tapped service be indistinguishable from the untapped service. It also requires that LEAs not know another LEA has a trap on said line. I.e., you can't say to the 2nd LEA that wants to tap a given line that "the xBI already tapped that one; are you part of the same LEA?"
Sorry but that doesn't even pass the sniff test.