
Interesting People mailing list archives

more on Phreaking the Wiretappers
From: David Farber <dave () farber net>
Date: Tue, 18 Apr 2006 13:57:45 -0400

Begin forwarded message:

From: Matt Blaze <blaze () cis upenn edu>
Date: April 18, 2006 1:22:03 PM EDT
To: dave () farber net
Subject: Re: [IP] Phreaking the Wiretappers

The talks I gave yesterday in Reston and last month at Stanford (mostly)
described our December 2005 IEEE Security and Privacy paper (with
Micah Sherr, Eric Cronin, and Sandy Clark), the full version of which
is here:

Now that most wireline switches implement the CALEA interfaces, loop
extenders are no longer the dominant law enforcement wiretap technology
(at least for better-funded federal agencies).  But because of the
backward compatibility features implemented by some CALEA
equipment, certain vulnerabilities -- particularly the ability to
disable call recording -- may remain.

High-fidelity, high-accuracy passive wiretapping, it turns out,
can also be hard to do reliably in digital networks.  We found
it to be easy to fool most conventional Internet tools, at least under
many configurations:

I'm often surprised at how uncritical the courts are in accepting
electronic evidence, especially wiretap evidence.  It may be less
reliable than we assume it to be.


On Apr 18, 2006, at 12:44, David Farber wrote:

Begin forwarded message:

From: Ross Stapleton-Gray <ross () stapleton-gray com>
Date: April 18, 2006 12:20:36 PM EDT
To: Dave <dave () farber net>
Subject: Phreaking the Wiretappers

Matt Blaze et al. on research on methods to compromise wiretaps.

The article in Govt Computer News (appended below):
http://www.gcn.com/online/vol1_no1/40428-1.html

The NSF grant abstract:
http://www.nsf.gov/awardsearch/showAward.do?AwardNumber=0524047

Wiretaps vulnerable to phreaking

04/17/06 -- 04:04 PM
By William Jackson,

You can’t always believe what you hear

Researchers at the University of Pennsylvania have found that it is not at all difficult for bad guys to outwit law enforcement wiretaps on their phone lines.

A team of graduate students working with a National Science Foundation grant set out to determine just how trustworthy the most common types of telephone wiretaps used by police and intelligence agencies are, said Professor Matt Blaze.

The results of these taps are accepted uncritically by courts, Blaze said at the 2006 International Conference on Network Security being held in Reston, Va.

“It turns out, it can fail in all sorts of unexpected ways,” he said. “Either party can disrupt a wire tap or introduce misleading information into the legal record.”

The techniques exploit vulnerabilities in the single signaling and audio channel used in analog telephone systems.

Blaze said the project was an attempt to establish some baselines for network security by assessing how easy it is to conduct reliable eavesdropping on the century-old protocols used in analog voice phone systems. End-to-end cryptography often is seen as the most certain way to secure a communications channel. But almost nobody uses that for voice conversations because of the complexity. And, as it turns out, it is not necessary.

The most common technology for tapping a phone line is a loop extender, which is a one-way bridge from the target subject’s local loop to the phone line of the listening station. The great majority of wiretaps are pen register taps, which record only the telephone numbers dialed by the target and when the calls are made. Only about 10 percent of taps actually record the content of calls. Both types use the same equipment.

But the caller can game the police equipment by using a notebook computer to fine-tune the pulse tones generated to dial a number. By tuning them properly, the correct numbers will be accepted by switching equipment at the caller’s central telephone office, but tones often will be misinterpreted on the police equipment, producing meaningless numbers.

Techniques similar to the old phreaking tricks used to steal long distance service can be used to turn off a wiretap recorder remotely. A signaling tone can be sent on the line that will fool police equipment into thinking the phone is back on the hook, causing the recorder to shut off. Blaze played a demonstration tape in which the participants were able to continue a conversation after the police equipment had “hung up.” The same technique can be used to block police equipment from recording the number being dialed and to inject a phony number later.

The 1996 Communications Assistance for Law Enforcement Act required vendors to include a wiretap interface in telephone switching equipment, which would theoretically thwart these tricks. But most vendors made their switches backward compatible to work with legacy loop extender equipment that police continue to use. This reintroduced the same vulnerabilities when using a CALEA interface.

This is an object lesson for software developers, Blaze said.

“We have to [be] careful about how backward compatibility can mean compatibility with old bugs,” he said.

Blaze said there is no concrete evidence that these techniques have been used to thwart legitimate wiretaps. But he said court records show that anomalies in recorded conversations often are accepted as inevitable by police and the courts, leaving open the question of how trustworthy those recordings are.

© 1996-2006 Post-Newsweek Media, Inc. All Rights Reserved.

You are subscribed as matt+ip () crypto com
To manage your subscription, go to

Archives at: http://www.interesting-people.org/archives/interesting-people/

