How To DDoS a Federal Wiretap
alphadogg writes "Researchers at the University of Pennsylvania say they've discovered a way to circumvent the networking technology used by law enforcement to tap phone lines in the US. The flaws they've found 'represent a serious threat to the accuracy and completeness of wiretap records used for both criminal investigation and as evidence in trial,' the researchers say in their paper, set to be presented Thursday at a computer security conference in Chicago. Following up on earlier work on evading analog wiretap devices called loop extenders, the Penn researchers took a deep look at the newer technical standards used to enable wiretapping on telecommunication switches. They found that while these newer devices probably don't suffer from many of the bugs they'd found in the loop extender world, they do introduce new flaws. In fact, wiretaps could probably be rendered useless if the connection between the switches and law enforcement are overwhelmed with useless data, something known as a denial of service (DOS) attack."
Wiretaps DDOS you!
Ok, seriously? Overwhelm the signal to noise ratio and picking out the useful information becomes harder. It's just a question of how much and how long, not to mention how long after the fact is said information useful.
Better yet, why would anyone who seriously wants to avoid a wiretap *use a phone*? It seems like discussing anything over an unencrypted medium is asking for trouble.
I put on my robe and wizard hat..
As someone who worked on a CALEA system for 18 months, implementing, testing and helping design, I can tell you one thing.
The specs of all the systems are such that they DO NOT BUFFER the actual voice, only the data. I mean the numbers punched, busy signals, etc. Buffered voice would rapidly overwhelm the system, so it is just dropped if the link from the CO (central office) to the LE (law enforcement) goes down.
Call data can be buffered for days, so that isn't dropped.
This isn't a flaw, it was a design decision. Good luck DDoSing a major telco switching office.
Learning HOW to think is more important than learning WHAT to think.
New best way to get your funding cut: publish a paper that outlines a way to use DDOS to hinder a federal investigation. Old best: come out of the closet & join the communist party.
~dijjnn
This just in, arrest warrants issued for 92% of American females between the ages of 12 and 17.
Public use of any portable music system is a virtually guaranteed indicator of sociopathic tendencies. -- Zoso
...sort of off-topic, but something I mention to my geek friends out of work: the black market of crime has endless jobs available for you.
Go into any barbershop in a shadier part of town and while you're getting a fantastic $12 haircut, mention to the oldest barber that you are working on security consulting to help people avoid getting into trouble with the law, especially in regards to keeping phone calls and information private.
At $150 a pop to "consult" with a man in a nice suit, you can easily remind him that his phone and laptop aren't secure, even offer him advice on what he can do and what he can buy to keep his tracks concealed better.
In reality, though, wiretaps aren't as important as having a good crew under you. A large percentage of black market consultants find themselves in jail because of the stool pigeon, not because of the wiretap information.
Given that the US Government had AT&T put optical splitters on the network backbones a while back, isn't this CALEA stuff obsolete? It still presumes that warrants count and stuff and that they're not already copying all voice and data communications.
Technology -- No Place For Wimps! Grateful Dead and Jerry Garcia Chatroom -- http://www.wemissjerry.org
Here's a bit of background the /. editors didn't give you.
If you take a 2-second look at the paper (the pdf link in the summary), you see Matt Blaze's name.
He's been doing other work on making law enforcement wiretapping not work. For instance, go to http://www.usenix.org/events/sec06/tech/ and search the page for "Blaze"; you should find his talk (http://www.usenix.org/events/sec06/tech/mp3/blaze.mp3) and the Q&A session.
He also gave essentially the same talk as the first (under a different title) at http://www.usenix.org/event/lisa05/tech/ (again, search the page for "Blaze" or go straight to http://www.usenix.org/event/lisa05/tech/mp3/blaze.mp3).
He also spoke at hotsec06, http://www.usenix.org/events/hotsec06/tech/, with no recorded mp3, and at an e-voting panel, http://www.usenix.org/events/sec07/tech/.
As you might infer, this isn't the first time Mr. (Dr.?) Blaze has been studying wiretapping (or other security issues). He's also quite a good, entertaining speaker. I recommend giving him a listen.
The short story (from the usenix talks): press the "C" key on your old 4x4-keypad phone. That's the in-band signal (doh!) used by law enforcement to mean "don't record now". Or, look up the tone frequency, then play it back at a much lower volume with a tone generator (your laptop might do) so it's more comfortable to talk over.
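The in-band tone the post above refers to, as an added example (not code from the thread, from Blaze's talks, or from any wiretap product): on the standard DTMF grid the "C" key is the 852 Hz row combined with the 1633 Hz column, the fourth column that consumer 3x4 keypads leave out. The block synthesizes any DTMF key at an arbitrary amplitude and detects it with a Goertzel filter. The 8 kHz sample rate, the 100 ms burst length and the 0.1 energy-ratio floor are assumptions of this toy detector, not properties of any real loop extender or recorder.

```python
import math
import struct
import wave

SAMPLE_RATE = 8000  # assumed: telephone-band audio sampled at 8 kHz

# Standard DTMF frequency grid (Hz). Keys A-D sit in the 1633 Hz column.
DTMF_ROWS = (697, 770, 852, 941)
DTMF_COLS = (1209, 1336, 1477, 1633)
DTMF_KEYS = (
    ("1", "2", "3", "A"),
    ("4", "5", "6", "B"),
    ("7", "8", "9", "C"),
    ("*", "0", "#", "D"),
)


def dtmf_freqs(key):
    """Return the (row, column) frequency pair in Hz for a DTMF key."""
    for r, row in enumerate(DTMF_KEYS):
        if key in row:
            return DTMF_ROWS[r], DTMF_COLS[row.index(key)]
    raise ValueError("not a DTMF key: %r" % (key,))


def synth_dtmf(key, duration=0.1, amplitude=0.5, rate=SAMPLE_RATE):
    """Synthesize the two-tone burst for `key` as float samples in [-1, 1]."""
    lo, hi = dtmf_freqs(key)
    n = int(duration * rate)
    return [
        amplitude * 0.5 * (math.sin(2 * math.pi * lo * i / rate)
                           + math.sin(2 * math.pi * hi * i / rate))
        for i in range(n)
    ]


def goertzel_power(samples, freq, rate=SAMPLE_RATE):
    """Power of `samples` at `freq` via the Goertzel recurrence.

    The target frequency is used directly, so it need not fall on a DFT bin.
    """
    w = 2 * math.pi * freq / rate
    coeff = 2 * math.cos(w)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2


def detect_dtmf(samples, rate=SAMPLE_RATE, min_ratio=0.1):
    """Return the DTMF key present in `samples`, or None if no key dominates.

    Each candidate tone's Goertzel power is normalized by N * total energy,
    so a clean DTMF burst scores about 0.25 per component regardless of how
    loud it is; the 0.1 floor is an assumption of this toy detector.
    """
    n = len(samples)
    energy = sum(x * x for x in samples)
    if n == 0 or energy == 0.0:
        return None
    norm = 1.0 / (n * energy)
    row_p = [goertzel_power(samples, f, rate) * norm for f in DTMF_ROWS]
    col_p = [goertzel_power(samples, f, rate) * norm for f in DTMF_COLS]
    r = max(range(4), key=row_p.__getitem__)
    c = max(range(4), key=col_p.__getitem__)
    if row_p[r] < min_ratio or col_p[c] < min_ratio:
        return None
    return DTMF_KEYS[r][c]


def write_wav(path, samples, rate=SAMPLE_RATE):
    """Write float samples as 16-bit mono PCM so the burst can be played back."""
    frames = b"".join(
        struct.pack("<h", int(max(-1.0, min(1.0, x)) * 32767)) for x in samples
    )
    with wave.open(path, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(frames)


if __name__ == "__main__":
    tone = synth_dtmf("C", amplitude=0.05)  # quiet C: 852 Hz + 1633 Hz
    print(dtmf_freqs("C"), detect_dtmf(tone))
    write_wav("dtmf_c.wav", tone)
```

Because the detector normalizes by signal energy, a burst at amplitude 0.02 classifies the same as one at 0.5; whether a particular piece of field equipment behaves that way is not something this example can tell you.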
If spies/criminals/terrorists/politicians are stupid enough to use plain language over the phone to plan their dastardly deeds, then they deserve to be put into prison.
...for those who didn't RTFA:
First, this apparently applies to VoIP systems and cell phones, not analog land lines.
Second, it is not a DDoS attack, as the headline claims. It is a DoS attack, though. That extra D means "distributed" and refers to situations where you bring many computers (say, a botnet for example) to the party so that your cumulative traffic-generation ability exceeds your target's capacity. Those techniques are not in play here. I guess Internet-based distributed attacks have become so common that people don't bother knowing what the acronyms really mean anymore.
The channel you're trying to flood is a 64kbps data link between the phone company's switch and the law enforcement equipment. That is to say, the spec calls for 64kbps - so you don't really know if they have more than that in implementation. The idea is that if you program your system to rapidly make useless connections (such as text messages to random numbers) then you can flood this link and the equipment will lose track of the metadata describing an important message you send along during the flood. "Rapid" is on the order of 40 text messages per second; maybe you can program your equipment to do that.
They have not been able to test this attack in practice, and they're making assumptions - some of which I doubt - about what the result would be. Seems like a lot of trouble to go to for the chance that maybe there'll be a random probability that the call you care about doesn't get logged - and even then you won't know after the fact whether it worked. Anyone who takes communications security seriously enough to apply that much effort, will apply it to doing something more certain to work.
The fact that these researchers worked off of the standard for delivery compliance, aka CALEA, has given them the false impression that all they need to do to prevent a wiretap is to overload the connection between the agency and the DMS (the switch your call goes through).
What the J standard does not go into is the fact that at every step of the way there are checks to determine if data can be sent. If it cannot, then it is stored until it is able to be sent. It is not uncommon for connections in the IP realm to come up and down, so the system can buffer them both at the DMS, as well as at several points in between through the various offboard devices in the chain. Typically the data makes 2 stops between the DMS and the LEA.
This is strictly for the data portion of the call, i.e. dialed digits; in the wireless world it would include MMS/SMS, GPRS, etc.
The voice portion of the call is trunked from the DMS to the PSTN via a 3-way calling feature with 1-way audio. It basically dials the LEA's recording equipment every time the target makes a call; their equipment will record automatically when it answers the phone, like an answering machine. However, the voice portion doesn't always have to go to an LEA. It can be configured to go to several phone numbers, such as an agent's mobile phone, a recording device, or another 3rd party.
Now you could overload the agency's recording equipment if you knew what number to dial, using a war-dialer type of attack, but that would lead authorities to your door and it would not prevent other agencies and other monitoring centers from receiving that same data. Most bench warrants will have several involved agencies, each receiving intercepts from a single target.
Suffice to say that if you have a tap on your phone, it's going to get to the LEA and there isn't much you can do about it.
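To put numbers on the disagreement between the two posts above (the 64 kbps call data channel and the roughly 40 messages per second cited earlier, versus the store-and-forward buffering at each hop described just above), here is an added simulation that is not the researchers' code or any vendor's. It models one delivery link as a 1 ms-tick queue with a configurable record buffer and reports what an offered load does to delivery. The 200-byte call-data record is an assumption chosen so the saturating rate works out to the 40 records per second the thread mentions; actual J-STD-025 message sizes and buffer depths differ.

```python
from collections import deque

LINK_BPS = 64_000  # call data channel rate cited in the thread


def saturating_rate(record_bytes, link_bps=LINK_BPS):
    """Records per second that exactly fill the link (40.0 for 200-byte records)."""
    return link_bps / (8 * record_bytes)


def simulate_cdc(records_per_sec, record_bytes, duration_s, buffer_records,
                 link_bps=LINK_BPS):
    """Tick-based (1 ms) model of a single delivery link.

    records_per_sec, duration_s: integers; record i arrives at
    i*1000//records_per_sec ms. buffer_records is the queue capacity
    including the record currently being serialized; 1 means no
    store-and-forward at all. Records that find the buffer full are dropped.
    """
    total = records_per_sec * duration_s
    arrival_ms = [i * 1000 // records_per_sec for i in range(total)]
    bytes_per_ms = link_bps / 8 / 1000.0  # 8.0 bytes per tick at 64 kbps
    queue = deque()  # entries are [arrival_ms, bytes_remaining]
    credit = 0.0     # link capacity available in the current tick
    nxt = 0
    delivered = dropped = 0
    max_delay = 0

    for now in range(duration_s * 1000):
        # Enqueue every record due by this tick, dropping on overflow.
        while nxt < total and arrival_ms[nxt] <= now:
            nxt += 1
            if len(queue) < buffer_records:
                queue.append([now, float(record_bytes)])
            else:
                dropped += 1
        # Serialize from the head of the queue with this tick's capacity.
        credit += bytes_per_ms
        while queue and credit > 0:
            rec = queue[0]
            take = min(credit, rec[1])
            rec[1] -= take
            credit -= take
            if rec[1] <= 0:
                queue.popleft()
                delivered += 1
                max_delay = max(max_delay, now - rec[0])
        if not queue:
            credit = 0.0  # an idle link cannot bank capacity for later

    return {
        "offered": total,
        "delivered": delivered,
        "dropped": dropped,
        "still_queued": len(queue),
        "max_delay_ms": max_delay,
    }


if __name__ == "__main__":
    print("saturating rate for 200-byte records:", saturating_rate(200))
    for rate, buf in ((30, 1), (60, 1), (60, 10_000)):
        print(rate, "rec/s, buffer", buf, "->", simulate_cdc(rate, 200, 10, buf))
```

With buffer_records=1 an offered load above the saturating rate drops records, which is the outcome the researchers' argument needs; with a deep buffer nothing is lost, but the delivery delay grows for as long as the flood continues, which is the behaviour the buffering post describes. Either way the interesting question is what the equipment on each hop actually does, which is exactly what neither side of the thread can verify from the standard alone.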
criminals and the terrorists deserve to be put into prison
Careful, that's not always a clear-cut line. For instance, Bush considered only Christians to be citizens; therefore anyone trying to overthrow Christianity was trying to overthrow his country? Teaching science might not be too far from being considered a terrorist by many zealots (to whom Bush often listened). With government listening to corporate interests and considering anything harmful to corporate profits, like breaking DRM, as theft... If this criminal/terrorist net doesn't include you yet, it could encompass many of your friends/family; isn't conspiring with known criminals and terrorists a crime? (Best get off of Slashdot now, to be safe...)