Signaling Vulnerabilities in Wiretapping Systems

Signaling Vulnerabilities in Wiretapping Systems

University of Pennsylvania ScholarlyCommons Departmental Papers (CIS) Department of Computer & Information Science November 2005 Signaling Vulnerabilities in Wiretapping Systems Micah Sherr University of Pennsylvania Eric Cronin University of Pennsylvania Sandy Clark University of Pennsylvania Matthew A. Blaze University of Pennsylvania, [email protected] Follow this and additional works at: https://repository.upenn.edu/cis_papers Recommended Citation Micah Sherr, Eric Cronin, Sandy Clark, and Matthew A. Blaze, "Signaling Vulnerabilities in Wiretapping Systems", . November 2005. Copyright 2005 IEEE. Reprinted from IEEE Security & Privacy, Volume 3, Issue 6, November-December 2005, pages 13-25. This material is posted here with permission of the IEEE. Such permission of the IEEE does not in any way imply IEEE endorsement of any of the University of Pennsylvania's products or services. Internal or personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution must be obtained from the IEEE by writing to [email protected]. By choosing to view this document, you agree to all provisions of the copyright laws protecting it. This paper is posted at ScholarlyCommons. https://repository.upenn.edu/cis_papers/224 For more information, please contact [email protected]. Signaling Vulnerabilities in Wiretapping Systems Abstract Many law enforcement wiretap systems are vulnerable to simple, unilateral countermeasures that exploit the unprotected in-band signals passed between the telephone network and the collection system. This article describes the problem as well as some remedies and workarounds. Comments Copyright 2005 IEEE. Reprinted from IEEE Security & Privacy, Volume 3, Issue 6, November-December 2005, pages 13-25. This material is posted here with permission of the IEEE. Such permission of the IEEE does not in any way imply IEEE endorsement of any of the University of Pennsylvania's products or services. Internal or personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution must be obtained from the IEEE by writing to [email protected]. By choosing to view this document, you agree to all provisions of the copyright laws protecting it. This journal article is available at ScholarlyCommons: https://repository.upenn.edu/cis_papers/224 Communications Security Signaling Vulnerabilities in Wiretapping Systems Many law enforcement wiretap systems are vulnerable to simple, unilateral countermeasures that exploit the unprotected in-band signals passed between the telephone network and the collection system. This article describes the problem as well as some remedies and workarounds. aw enforcement agencies in the US and else- don’t require active cooperation be- where use voice telephone interception systems tween subjects and their associates—and to collect wiretap evidence and intelligence they obscure not only the content, but also the metadata MICAH SHERR, L against criminal and national security subjects. that indicates the presence of communication and its ERIC CRONIN, Such systems provide a legal record of the digits dialed by endpoints in a way that is sometimes difficult to detect. SANDY CLARK, the subject and, in some cases, the audio content of the This has implications not only for the accuracy of the in- AND MATT calls themselves. Wiretapping is often credited as an es- telligence that can be obtained from these taps, but also BLAZE sential tool in the investigation and prosecution of serious for the acceptability and weight of legal evidence derived University of crime, especially when complex criminal enterprises and from it. Pennsylvania conspiracies are involved. Our analysis is based entirely on information obtained Unfortunately, however, many of the telephone in- from published sources and equipment purchased openly terception technologies that law enforcement depends in the retail and surplus markets. Thus it is possible (per- on for evidence collection are less reliable than previously haps even likely) that motivated wiretap targets such as thought. We found that the design and implementation those involved with organized crime have already discov- of these systems often render them vulnerable to simple, ered and actively employed them. We recommend that unilateral countermeasures that allow wiretap subjects currently fielded telephone interception systems be eval- (or their correspondents) to prevent accurate and com- uated with respect to these vulnerabilities and reconfig- plete capture of call data and contents. These counter- ured or modified where possible to reduce their measures exploit the in-band signals passed between the susceptibility. In addition, the possibility of these or simi- telephone network and the law enforcement agency. lar countermeasures should be considered in analyzing In particular, the evidence collected by virtually all in- previously collected wiretap evidence and intelligence. terception systems based on traditional technology, as Despite law enforcement’s growing reliance on wire- well as at least some systems based on newer interfaces, taps, little attention has been paid in the open literature to can be manipulated by the subject with practical tech- their reliability. Indeed, this article could represent the niques and readily available hardware. We found one first analysis of the security of modern telephone wiretap countermeasure, requiring only a standard PC, that pre- systems by the computing and communications research vents the accurate recording of dialed telephone numbers community. Drafts of this article have been made avail- and line statuses. Perhaps more seriously, we also found able to the law enforcement community. simple countermeasures that effectively and selectively suppress the recording of call audio with only modest Wiretapping and US law degradation of call quality. Broadly speaking, the federal laws governing electronic Unlike traditional wiretap countermeasures (such as surveillance for criminal (Federal Wiretap Act [Title encryption), our techniques are entirely unilateral—they III]1) and national security (Foreign Intelligence Sur- PUBLISHED BY THE IEEE COMPUTER SOCIETY ■ 1540-7993/05/$20.00 © 2005 IEEE ■ IEEE SECURITY & PRIVACY 13 Communications Security “prospective,” meaning they report communication oc- curring immediately after their installation, typically in real or near-real time. Friendly line In practice, although the legal requirements for—and information collected by—these two kinds of legal wire- Dialed number taps varies widely, the same equipment can be used to im- recorder (DNR) plement both (audio-capture features can be disabled for Law enforcement agency DNR-only taps). Two wiretapping technologies com- monly available to law enforcement agencies are loop- extender taps and CALEA taps. Loop extender Central office switch Loop-extender taps The most basic and oldest wiretap technology involves a Target line direct electrical connection between the subject’s tele- Subject phone line and a second line terminating at the law en- forcement agency. Such a connection (literally a “tap”) Figure 1. Loop-extender wiretap architecture. The target telephone can be made anywhere along the length of the local loop line is tapped in the field with a loop-extender device, which relays serving the subject, in the telephone switching office, or the signals and content to the law enforcement agency over its own on the subject’s premises. In principle, no special hard- telephone line. ware is required for such interceptions at the tap point; it’s sufficient simply to “splice in” a pair of wires leading back to the law enforcement agency’s facilities. To en- veillance Act [FISA]2) investigations authorize two cat- sure proper isolation and level equalization of inter- egories of telephone wiretaps for use by US law en- cepted content, current law enforcement practice for forcement agencies. such taps uses a small device, called a loop extender or The first category, called a dialed number recorder dial-up slave, at the splice point. The device sends any (DNR) or pen register, records the digits dialed and other audio on the subject’s line to the law enforcement line, outgoing signaling information. DNR taps, which pro- re-encodes the signals, and performs level equalization. vide traffic analysis information, but not the call’s audio DNR equipment at the law enforcement agency de- contents or speaker identity, must pass relatively modest codes the dialed digit and call activity signals and, when judicial scrutiny to be authorized. A related investigative configured for a full audio interception, also records the technique, called a trap and trace for historical reasons, pro- calls’ voice contents. vides analogous information about incoming calls. To tap a line with a loop extender, a voice-grade tele- The second category, full audio interception (sometimes phone line (either a dedicated leased line or regular dial- called a Title III or FISA wiretap depending on its legal up line), controlled by law enforcement and terminating context), records not only the dialed digits and signaling, at the law enforcement agency, is provisioned in such a but also the actual call contents. Legal authorization for way that it shares at least one cable splice point with

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    15 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us