Slashdot Mirror


Feds Have a High-Speed Backdoor Into Wireless Carrier

An anonymous reader writes "An unnamed U.S. wireless carrier maintains an unfiltered, unmonitored DS-3 line from its internal network to a facility in Quantico, Virginia, according to Babak Pasdar, a computer security consultant who did work for the company in 2003. Customer voice calls, billing records, location information and data traffic are all allegedly exposed. A similar claim was leveled against Verizon Wireless in a 2006 lawsuit."

5 of 229 comments

  1. CALEA by jaredmauch · Score: 4, Informative

    It's very likely this is to meet the realtime reporting/relay requirements of the CALEA statute which governs lawful intercept of voice and data communications.

    1. Re:CALEA by chill · Score: 5, Informative

      CALEA taps are on a per-warrant basis. They are explicitly ONE WAY. The LEA can NOT establish a connection back to the carrier. It must initiate the tap from the carrier side. The LEA can not input requests directly. They must pass them to the carrier to enter.

      While a DS-3 might not be out of the question to the FBI, depending on the volume of traffic, I have yet to see an "unmonitored" line. Everything I've seen (and set up -- I do this for a living) is an IPSec tunnel from the carrier to the LEA with BER encoded ASN.1 for data and packetized native (to the carrier) encoded voice. And the line works one way only. Carrier --> LEA. The only packets flowing back are stateful connection packets.

      In short, I think this story is B.S.

      Yes, the FBI probably has a big line with no firewall. That is because the firewall(s) is/are on the carrier end. The carriers do extensive logging as well, so it doesn't surprise me that the FBI-end of the circuit isn't heavily logged. They log their REQUESTS and the carrier logs the connections.

      --
      Learning HOW to think is more important than learning WHAT to think.
    2. Re:CALEA by faedle · Score: 5, Informative

      While it is true that the connection is "one way", many large carriers do it with a conventional high-cap circuit, like a T-1 or DS-3, because it is easy.

      It may appear to be unfiltered to the person making the connection. However, if it is anything like the T1 I hooked up where I worked, only the calls with active warrants are passed down the T1. That being said, the T1 hooks directly into the switch just like any other T1, and is configured to be a CALEA port in the switch itself. A wire-frame guy who isn't doing the programming/translations wouldn't know any better, so I think that's where this "idea" comes from.

    3. Re:CALEA by Adambomb · Score: 4, Informative

      Well, the reason that's in CALEA is that a legal wiretap must be reporting the details in real time to avoid the possibility of modifying the results of a wiretap from any side (i.e., no '3 second broadcast delay' or situations like that).

      Still horsepucky, but it IS part of CALEA as the above posters are mentioning.

      --
      Ice Cream has no bones.
  2. Do the math by thegameiam · Score: 3, Informative

    A GSM half-rate channel is 5.6Kbps (a full-rate channel is twice that, but let's look at the most extreme case). A DS3 = 45 Mbps. 45Mbps = 45000Kbps

    45000Kbps / 5.6Kbps = 8037 simultaneous calls supported on a DS3, assuming 0% overhead, protocol, encryption, and that all calls are half-rate.

    VZW and ATTW have subscriber counts in the millions.

    Whatever the legality or circumstance of this, a single DS3 is hardly wholesale snooping.

    --
    Need Geek Rock? Try The Franchise!