How To DDoS a Federal Wiretap
alphadogg writes "Researchers at the University of Pennsylvania say they've discovered a way to circumvent the networking technology used by law enforcement to tap phone lines in the US. The flaws they've found 'represent a serious threat to the accuracy and completeness of wiretap records used for both criminal investigation and as evidence in trial,' the researchers say in their paper, set to be presented Thursday at a computer security conference in Chicago. Following up on earlier work on evading analog wiretap devices called loop extenders, the Penn researchers took a deep look at the newer technical standards used to enable wiretapping on telecommunication switches. They found that while these newer devices probably don't suffer from many of the bugs they'd found in the loop extender world, they do introduce new flaws. In fact, wiretaps could probably be rendered useless if the connection between the switches and law enforcement is overwhelmed with useless data, something known as a denial of service (DOS) attack."
Great news! Thank you very much!
Great minds think alike; fools seldom differ.
Of course, criminals have plenty of easier ways to dodge police surveillance. They can use cash to buy prepaid mobile phones anonymously, or reach out to their accomplices with encrypted Skype calls, said Robert Graham, CEO with Errata Security.
Duh.
I prefer rogues to imbeciles because they sometimes take a rest.
Wiretaps DDOS you!
Ok, seriously? Overwhelm the signal to noise ratio and picking out the useful information becomes harder. It's just a question of how much and how long, not to mention how long after the fact is said information useful.
Better yet, why would anyone who seriously wants to avoid a wiretap *use a phone*? It seems like discussing anything over an unencrypted medium is asking for trouble.
I put on my robe and wizard hat..
As someone who worked on a CALEA system for 18 months, implementing, testing and helping design, I can tell you one thing.
The specs of all the systems are such that they DO NOT BUFFER the actual voice, only the data. I mean the numbers punched, busy signals, etc. Buffered voice would rapidly overwhelm the system, so it is just dropped if the link from the CO (central office) to the LE (law enforcement) goes down.
Call data can be buffered for days, so that isn't dropped.
This isn't a flaw, it was a design decision. Good luck DDoSing a major telco switching office.
Learning HOW to think is more important than learning WHAT to think.
New best way to get your funding cut: publish a paper that outlines a way to use DDOS to hinder a federal investigation. Old best: come out of the closet & join the communist party.
~dijjnn
This just in, arrest warrants issued for 92% of American females between the ages of 12 and 17.
Public use of any portable music system is a virtually guaranteed indicator of sociopathic tendencies. -- Zoso
....In fact, wiretaps could probably be rendered useless if the connection between the switches and law enforcement is overwhelmed with useless data....
Is it me or does this kinda read as: "If there is nothing useful going through the line, there is nothing to tap". Well no shit. If the caller can't complete the call or communicate with the person on the other end because of system overload, guess what, you won't be able to gather anything because the conversation never happened.
...sort of off-topic, but something I mention to my geek friends out of work: the black market of crime has endless jobs available for you.
Go into any barbershop in a shadier part of town and while you're getting a fantastic $12 haircut, mention to the oldest barber that you are working on security consulting to help people avoid getting into trouble with the law, especially in regards to keeping phone calls and information private.
At $150 a pop to "consult" with a man in a nice suit, you can easily remind him that his phone and laptop aren't secure, even offer him advice on what he can do and what he can buy to keep his tracks concealed better.
In reality, though, wiretaps aren't as important as having a good crew under you. A large percentage of black market consultants find themselves in jail because of the stool pigeon, not because of the wiretap information.
Given that the US Government had AT&T put optical splitters on the network backbones a while back, isn't this CALEA stuff obsolete? It still presumes that Warrants count and stuff and that they're not already copying all voice and data communications.
Technology -- No Place For Wimps! Grateful Dead and Jerry Garcia Chatroom -- http://www.wemissjerry.org
Here's a bit of background the /. editors didn't give you.
If you take a 2-second look at the paper (the pdf link in the summary), you see Matt Blaze's name.
He's been doing other work on making law enforcement wiretapping not work. For instance, go to http://www.usenix.org/events/sec06/tech/ and search the page for "Blaze"; you should find his talk (http://www.usenix.org/events/sec06/tech/mp3/blaze.mp3) and the Q&A session.
He also gave essentially the same talk as the first (under a different title) at http://www.usenix.org/event/lisa05/tech/ (again, search the page for "Blaze" or go straight to http://www.usenix.org/event/lisa05/tech/mp3/blaze.mp3).
He also spoke at hotsec06, http://www.usenix.org/events/hotsec06/tech/, with no recorded mp3, and at an e-voting panel, http://www.usenix.org/events/sec07/tech/.
As you might infer, this isn't the first time Mr. (Dr.?) Blaze has been studying wiretapping (or other security issues). He's also quite a good, entertaining speaker. I recommend giving him a listen.
The short story (from the usenix talks): press the "C" key on your old 4x4-keypad phone. That's the in-band signal (doh!) used by law enforcement to mean "don't record now". Or, look up the tone frequency, then play it back at a much lower volume with a tone generator (your laptop might do) so it's more comfortable to talk over.
If spies/criminals/terrorists/politicians are stupid enough to use plain language over the phone to plan their dastardly deeds, then they deserve to be put into prison.
...for those who didn't RTFA:
First, this apparently applies to VoIP systems and cell phones, not analog land lines.
Second, it is not a DDoS attack, as the headline claims. It is a DoS attack, though. That extra D means "distributed" and refers to situations where you bring many computers (say, a botnet for example) to the party so that your cumulative traffic-generation ability exceeds your target's capacity. Those techniques are not in play here. I guess Internet-based distributed attacks have become so common that people don't bother knowing what the acronyms really mean anymore.
The channel you're trying to flood is a 64kbps data link between the phone company's switch and the law enforcement equipment. That is to say, the spec calls for 64kbps - so you don't really know if they have more than that in implementation. The idea is that if you program your system to rapidly make useless connections (such as text messages to random numbers) then you can flood this link and the equipment will lose track of the metadata describing an important message you send along during the flood. "Rapid" is on the order of 40 text messages per second; maybe you can program your equipment to do that.
They have not been able to test this attack in practice, and they're making assumptions - some of which I doubt - about what the result would be. Seems like a lot of trouble to go to for the chance that maybe there'll be a random probability that the call you care about doesn't get logged - and even then you won't know after the fact whether it worked. Anyone who takes communications security seriously enough to apply that much effort, will apply it to doing something more certain to work.
. . . if once you have the evidence you don't do anything with it, ala Nidal Hasan?
I know the foundations of our legal system stem from the formerly great British Empire, but there's no reason why we have to follow them into becoming a pussified police state that spends more time acting like a nanny than a great power.
Eventually, nobody will care about this because all communications will be encrypted end-to-end and wiretaps will be useless. Attempts to outlaw that would result in only criminals having encryption and honest people falling victim to wiretaps by criminals and foreign governments. Besides there are many ways to make encryption not look like encryption.
This is quite all right for law enforcement, as many new ways to breach people's privacy are emerging at the same time - RFIDs, GPS phones, new hackable devices, street cameras, voice-tracking lasers shined on one's window and so on. On the whole, it will be easier than ever to do lawful or unlawful surveillance. They just need to stop cribbing about having to abandon some old technologies and adopting new ones.
Go into any barbershop in a shadier part of town and while you're getting a fantastic $12 haircut, mention to the oldest barber that you are working on security consulting to help people avoid getting into trouble with the law, especially in regards to keeping phone calls and information private.
I don't know, there aren't a whole lot of trees here, I'm going to have a hard time identifying the "shadier" part of town.
At $150 a pop to "consult" with a man in a nice suit, you can easily remind him that his phone and laptop aren't secure, even offer him advice on what he can do and what he can buy to keep his tracks concealed better.
A cheaper suit for starters.
At $150 a pop to "consult" with a man in a nice suit, you can easily remind him that his phone and laptop aren't secure, even offer him advice on what he can do and what he can buy to keep his tracks concealed better.
I like the idea, but what happens when he gets nabbed anyways, because he fell for something that seemed so trivial you didn't even mention it. (Or any other a number of scenarios that may or may not be your fault.)
Then he (or Guido) comes looking for you, once he's out of jail? Or the police come looking for you, his accomplice ...
I imagine it's lucrative, but sounds risky.
"At $150 a pop to "consult" with a man in a nice suit, you can easily remind him that his phone and laptop aren't secure, even offer him advice on what he can do and what he can buy to keep his tracks concealed better."
You better be giving him some damn good advice, or you might end up with some broken kneecaps if you're lucky, getting fished out of the river with cement shoes if not.
-- If god wanted me to have a sig, he'd have given me a sense of humor.
The fact that these researchers worked off of the standard for delivery compliance aka CALEA, has given them the false impression that all they need to do to prevent a wiretap is to overload the connection between the agency and the DMS (the switch your call goes through).
What the J standard does not go into is the fact that at every step of the way there are checks to determine if data can be sent. If it cannot then it is stored until it is able to be sent. It is not uncommon for connections in the IP realm to come up and down so the system can buffer them both at the DMS, as well as at several points in between through the various offboard devices in the chain. Typically the data makes 2 stops between the DMS and the LEA.
This is strictly for the data portion of the call, i.e. dialed digits; in the wireless world it would include MMS/SMS, GPRS, etc.
The voice portion of the call is trunked from the DMS to the PSTN via a 3 way calling feature with 1 way audio. It basically dials the LEA's recording equipment every time the target makes a call, their equipment will record automatically when it answers the phone, like an answering machine. However the voice portion doesn't always have to go to a LEA. It can be configured to go to several phone numbers such as an agent's mobile phone, a recording device, or other 3rd party.
Now you could overload the agency's recording equipment if you knew what number to dial using a war dialer type of attack, but that would lead authorities to your door and it would not prevent other agencies and other monitoring centers from receiving that same data. Most bench warrants will have several involved agencies each receiving intercepts from a single target.
Suffice to say that if you have a tap on your phone, it's going to get to the LEA and there isn't much you can do about it.
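An added example, not code from the thread or from the paper, that puts numbers on two claims made in this thread: the RTFA post's figure that a 64 kbit/s call-data channel saturates at roughly 40 records per second, and the claim by the posters who worked on CALEA systems that call data is buffered rather than dropped when the link to the LEA cannot keep up. It is a toy queue model. Assumptions that are mine, not the thread's: every call-data record is 200 bytes (chosen so 40 records/s fill 64 kbit/s), the link drains a fixed number of records per one-second tick, the tapped party's one interesting record is produced after that tick's flood records, and the two delivery policies are tail-drop on a small bounded queue versus an unbounded store-and-forward buffer.

```python
"""
Toy model of a CALEA call-data channel (CDC) under a record flood.
Added example; the 200-byte record size and the two policies are assumptions.
"""
from collections import deque
from dataclasses import dataclass

CDC_BITS_PER_SECOND = 64_000   # J-STD-025 figure quoted in the thread
RECORD_BYTES = 200             # assumed size of one call-data record


def records_per_second_to_saturate(link_bps=CDC_BITS_PER_SECOND,
                                   record_bytes=RECORD_BYTES):
    """Record rate at which the CDC is exactly full (40.0 with the defaults)."""
    return link_bps / (8 * record_bytes)


@dataclass
class Record:
    generated_at: int   # tick in which the switch produced the record
    kind: str           # "noise" (flood) or "target" (the call that matters)


def simulate(flood_rate, duration_s, target_second, policy, buffer_limit=40):
    """
    Drive `flood_rate` noise records per second for `duration_s` seconds,
    inject one target record in tick `target_second`, and report whether
    and how late that record reached the LEA side of the link.
    policy: "drop" (bounded queue, tail-drop) or "buffer" (unbounded queue).
    """
    capacity = int(records_per_second_to_saturate())  # records drained per tick
    queue = deque()
    dropped = 0
    target_delay = None
    last_delivery = None

    def drain(now):
        nonlocal target_delay, last_delivery
        for _ in range(min(capacity, len(queue))):
            rec = queue.popleft()
            last_delivery = now
            if rec.kind == "target":
                target_delay = now - rec.generated_at

    for t in range(duration_s):
        arrivals = [Record(t, "noise") for _ in range(flood_rate)]
        if t == target_second:
            arrivals.append(Record(t, "target"))   # arrives behind the flood
        for rec in arrivals:
            if policy == "drop" and len(queue) >= buffer_limit:
                dropped += 1          # tail-drop: the newest record is lost
            else:
                queue.append(rec)
        drain(t)

    t = duration_s
    while queue:                      # flood is over; link works off the backlog
        drain(t)
        t += 1

    return {"dropped": dropped, "target_delay_s": target_delay,
            "last_delivery_s": last_delivery}


if __name__ == "__main__":
    print("saturation rate:", records_per_second_to_saturate(), "records/s")
    for policy in ("drop", "buffer"):
        print(policy, simulate(60, 10, 5, policy))
```

With a 60 record/s flood against a 40 record/s link, the tail-drop policy loses the target record outright (and a fifth of the flood), while the buffered policy delivers it a few seconds late and clears the backlog once the flood stops; under the buffered policy the attacker only buys delay, which is the point the CALEA posters are making, and whether real deployments buffer or drop is exactly what the thread disagrees about.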
Great paper. Cisco is also nice enough to write up about their "Lawful" Intercept products. For example, in Configuring Lawful Intercept Support, they kindly warn the end-user that "To maintain VXSM performance, lawful intercept is limited to no more than 60 active calls." Thanks for the suggestion!
64K bits was a limit with X.25. Most stuff is done over IP now, and doesn't have that limitation. The entire premise for this article is incorrect. It talks about VoIP having the same 64K limitation when that isn't based on anything in reality at all.
What is it lately with people using precise terms with only vague ideas about what they actually mean? Is this a side-effect of H1N1 or something?
I mean, here we have someone talking about something an individual does all by themselves with one device, calling it a "distributed denial of service attack", when there's nothing "distributed" about it and it's just a denial of service attack.
In other contexts, we have people talking about Blizzard's new selling of in-game WoW pets for $10 a pop, calling that a microtransaction, when there's nothing "micro" about this, these are just transactions. (A microtransaction is worth talking about as such only because strange things happen when the value of a transaction gets too close to the overhead of collecting that value, which does not happen up around the $10 range. I can talk about this at length, but it doesn't matter, people are still idiots and will say "microtransaction" to sound like they're more clever than they are.)
WTF? Gah! Makes me wish I could just reach through the internet to grab people and shake them.
You insensitive clod! I attack with FreeDOS.
ELOI, ELOI, LAMA SABACHTHANI!?
Chillax broham.
I believe they are talking about VOIP using the 3g side of their sprint phones, i.e. making a skype call over their wireless data. Assuming for a moment that Skype and other service providers don't have a CALEA setup (they are legally required to as they offer telecomm services and must comply with bench warrants), the fact is that any warrant on the targeted mobile would also capture all data. If one device were overloaded it would buffer until it was able to be sent.
CALEA is bombproof in the way that your billing is bombproof. Companies don't like to lose $$$ by losing billing records. Well a billing record is just a glorified CDR (call data record) which is all that CALEA is sending data wise, it's sending in bandwidth data, and out of band signalling as call data records.
Think about all the failsafes ma bell has to keep her billing streams intact and then double them for the government that wants to ensure law and order are kept.
And CALEA is just a standard that all devices must comply to for delivering voice and data. So they can interoperate with others' products. You must remember that there are dozens of ways to intercept a phone call legally, from your mobile to the base station, from the base station to the DMS, etc etc. If they want to wiretap you, it's going to happen, CALEA or not, it just makes it easier.
The only way to avoid intercepts is to make a bug proof room, have a stranger buy prepaid phones with cash, and throw them away after every call. Criminals are stupid, thankfully.
It's only assuming a maximum channel of 64 bits. While this may have been true when the J-STD was first written, it's not true now. It's definitely not the case when you're delivering VoIP calls using T1.678 or PacketCable. There is no "channel", only packets.
That's an analog landline convention. They are talking about 3G which isn't getting to the world the same way a voice call would so there are no channels like there would be for say an analog call at 64kbps trunking and SS7 sent via a signaling link.
I think if you sent so much information you saturated your available bandwidth that any messages not picked up by CALEA also would fail to be delivered. I don't know what 'device' they picked up to do this testing since CALEA is a standard not a box. But I'm guessing that they found a flaw with it, not with the CALEA standard.
If even 10% of encryption software owners use the product to kill defenseless civilians, or if accidents with a 5 year old boy finding a PGP CD-ROM in dad's drawer and accidentally killing his 3 year old system are widespread, I would certainly support strict licensing requirements and usage restrictions on encryption.
It's unlikely to reach even 0.01%, since almost every browser and email program supports encryption. Every time you conduct a transaction over https, you're using encryption. Same for email login using TLS, and possibly also for accessing your home wireless network. http://en.wikipedia.org/wiki/Https
Your proposal for restricting encryption is presumably made from ignorance. It would greatly hinder online banking, online shopping, or anything else requiring secure login or identification. Even a slashdot login...
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
I'm not sure that our average dumba$$ criminal out there would be thinking of this or, as the article says, opt for encrypted Skype.
For every mechanism the government tries to put into place to interdict in calls, there's always a way around it. In this case I'm not completely sure what the attack is, other than attack the control channel for signaling the surveillance system. Why not just capture all of the traffic and filter later, ala Echelon?
Harrison's Postulate - "For every action there is an equal and opposite criticism"
1. Criminals smart enough to even understand what this issue is about are probably smart enough to do something useful with their lives
2. Otherwise if they are that smart and still engaged in crime, they're probably involved in major organized crime, in which case they already know (or should know) that wiretaps are a possibility so this brings nothing new to the table.
3. Law enforcement is probably going to notice (at some point) that their systems are getting jacked with and the reaction will not be a mellow one.
Most criminals get caught because they're stupid or lazy. Most smart criminals get caught because they got careless and made mistakes. Neither of these two things are likely to change anytime soon so I suspect that law enforcement will continue to be able to easily catch most criminals without employing fancy CSI zoom-enhance techniques.
Natural != (nontoxic || beneficial)
To quote A Miracle of Science, "If you can't disguise the needle, make the haystack bigger."
criminals and the terrorists deserve to be put into prison
Careful, that's not always a clear cut line. For instance Bush considered only Christians to be citizens, therefore anyone trying to overthrow Christianity was trying to overthrow his country? Teaching science might not be too far from being considered a terrorist by many zealots (of which Bush often listened to). With government listening to corporate interests and considering anything harmful to corporate profits, like breaking DRM, as theft. If this criminal/terrorist net doesn't include you yet, it could encompass many of your friends/family; isn't conspiring with known criminals and terrorists a crime? (best get off of Slashdot now, to be safe...)
meant to include a link to the GWB quote: No, I don't know that atheists should be considered as citizens, nor should they be considered patriots. This is one nation under God.
each key doesn't emit one tone. It emits two tones -- one based on [each of row and column]
That is indeed correct; it's also known as DTMF---dual tone multiple frequency. I think I meant to say something about that. Now I wonder why I didn't.
Thanks for pointing this out, though! :)
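An added example, not code from the thread, the USENIX talks or the paper, illustrating the in-band signalling point made in the post above about the "C" key and the follow-up about DTMF being a pair of tones. It is a small DTMF generator plus a Goertzel detector of the kind a recorder would run on the audio: the detector keys on the row/column frequency pair and cannot tell whether the tone came from the equipment or from the tapped party's handset, and it still fires when the tone is well below the level of the talker. The frequency grid is the standard DTMF layout; the detector thresholds (a 10:1 dominance ratio and an absolute silence floor) are my choices, and the claim that "C" is the control key is the post's, not something this code verifies.

```python
"""
DTMF generation and Goertzel detection; added example with assumed thresholds.
"""
import math

SAMPLE_RATE = 8000           # telephony sampling rate, Hz
FRAME = 205                  # classic Goertzel block length for DTMF at 8 kHz
ROWS = (697.0, 770.0, 852.0, 941.0)
COLS = (1209.0, 1336.0, 1477.0, 1633.0)
KEYPAD = ("123A", "456B", "789C", "*0#D")   # row i, column j -> KEYPAD[i][j]


def dtmf_samples(key, amp=1.0, n=FRAME, fs=SAMPLE_RATE):
    """One frame of the row tone plus column tone for `key`, each at amp/2."""
    r = next(i for i, row in enumerate(KEYPAD) if key in row)
    c = KEYPAD[r].index(key)
    fr, fc = ROWS[r], COLS[c]
    return [amp / 2 * (math.sin(2 * math.pi * fr * i / fs)
                       + math.sin(2 * math.pi * fc * i / fs)) for i in range(n)]


def sine(freq, amp, n=FRAME, fs=SAMPLE_RATE):
    """A plain tone, used here as a stand-in for someone talking over the key."""
    return [amp * math.sin(2 * math.pi * freq * i / fs) for i in range(n)]


def mix(*signals):
    """Sample-wise sum of equal-length signals (tone plus talker)."""
    return [sum(vals) for vals in zip(*signals)]


def goertzel_power(samples, freq, fs=SAMPLE_RATE):
    """Energy of `samples` at one frequency via the second-order Goertzel filter."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / fs)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def _dominant(samples, freqs, floor, ratio):
    """Index of the frequency in `freqs` that clearly dominates, else None."""
    powers = [goertzel_power(samples, f) for f in freqs]
    ranked = sorted(range(len(freqs)), key=lambda i: powers[i], reverse=True)
    best, second = ranked[0], ranked[1]
    if powers[best] < floor or powers[best] < ratio * powers[second]:
        return None
    return best


def decode_key(samples, ratio=10.0):
    """Return the key whose row and column tones dominate the frame, else None."""
    n = len(samples)
    floor = 1e-3 * (n / 2) ** 2     # assumed absolute silence floor
    r = _dominant(samples, ROWS, floor, ratio)
    c = _dominant(samples, COLS, floor, ratio)
    if r is None or c is None:
        return None
    return KEYPAD[r][c]


if __name__ == "__main__":
    print(decode_key(dtmf_samples("C")))                          # C
    print(decode_key(dtmf_samples("C", amp=0.1)))                 # C, 20 dB down
    print(decode_key(mix(dtmf_samples("C"), sine(300.0, 0.5))))   # C, talker on top
    print(decode_key([0.0] * FRAME))                              # None
```

The detector is amplitude-agnostic apart from the silence floor, which is why a key played 20 dB quieter than full scale still decodes, and why a control function carried as an audible in-band tone is something any party on the line can trigger; the fix is out-of-band signalling, which the detector side cannot provide on its own.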
[Why] would that signal even exist?
Phone wiretap warrants are on people, not telephones. If you borrow my phone and the police are wiretapping me, they're not allowed to record any of your conversation (except they can listen in something like two seconds every minute to check it's still someone other than me talking).
That might serve as one motivation. The real answer is that they didn't understand the "Don't trust the client" principle. Especially don't trust your clients if you suspect them to be criminals... oh well.
I don't know, there aren't a whole lot of trees here, I'm going to have a hard time identifying the "shadier" part of town.
If your town has a large selection of restaurants instead of trees, perhaps you can find the more unsavory parts of town?
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
That was his father.
Since you're not going to get a green light that says your DOS attack is working, why not just take your chances and play Dark Side of the Moon really loud over your conversation.
So what you want to say is that he, unlike most consultants, would actually risk something if his advice isn't up to speed? Sounds like honest money to me. Unlike with most consultants...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I am amazed, sir. Simply amazed.