Home page logo

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] OT - How secure is an ISDN line?
From: Dragos Ruiu <dr () KYX NET>
Date: Tue, 14 Nov 2000 23:06:30 -0800

Uhm... the answer is ... it's very easy to tap an ISDN phone line.
The equipment _used_ to be expensive. Look up a HP, PT500,
PT502 (I managed this product for a brief period at the very
beginning of it's life) or PT300 or PT302. Manufactured in
Edmonton, AB.  I believe the product was obsoleted a while
back, but I saw old ones for sale in Akihabara a few years
back :-).. Complete man in the middle Q.93x switch emulation
was one of the standard demo scripts coded in Forth as I
recall.  Fancier versions of the scripts were products. And
they were able to extract the B channels off PRI/BRI to
either analog, or digital serial, or record them to disk.

Many pieces of equipment exist to extract the B channel
to a pots analog line. Getting a shadowing 56K modem is
then your problem. More likely easier to record digitally
and post process in sw. I agree with the first poster, ISDN
is not more or less secure than the Plain Old Telephone System


On Fri, 20 Oct 2000, Peter Van Epp wrote:

On Thu, Oct 19, 2000 at 03:38:40PM -0400, JLJ wrote:
ISDN is as secure as a phone call, no more or less.  If you can access the
wire anywhere along the route and have equipment you can snoop the line,
just like you can a phone call.  I don't really think it's sa,"Noo send much
of anything in the clear anymore...

I have to disagree on this, while you can plug a phone (with a few
simple adjustments, comenly called a beige box) into an analogue
phone anywhere along the line and using either a linemans handset,
or a datatap (available from the many exchange&mart spy shops in the
uk). It was always my understanding that it was far more difficult
to intercept a digital connection rather than a analogue connection
that said, as long as they are using a 56k connection it sould be
pretty difficult to intercept anyway, of course you could slow the
connection down ( by way of line noise eiugh to force it into an
much more intercept friendly mode of none error correcting 4800/9600.

      I think you are discussing analog modems while the original poster was
discussing ISDN. If you can get the tap on the line I expect ISDN is the
easier of the pair to decode (at least with V90 analog modems) since the data
is digital and non encrypted (well, the modem isn't encrypted either, but see
below). That means if you can recover the clocking and data on the ISDN line
(which test sets will do) then you should be able to recover the data. Neither
this nor getting the appropriate access is trivial but it is possible for
a determined attacker. As stated end to end encryption is the best bet.
      The 56K modem case is hard because the DSP on either end is listening
to the incoming signal by subtracting its outgoing signal from the signal on
the line to recover the incoming data. As a man-in-the middle attacker you
lack the information about what either modem is currently sending to know
what to subtract from the signal on the line to recover the other side. If
anyone knows of a test set to do this I'd be interested in a reference because
we are having 56K modem problems and would love to be able to tap a monitor
modem on to a B channel of a PRI when it isn't one of the participating modems.
I suspect such a thing isn't possible due to lack of information, but I'd
love to be wrong :-).

Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
Dragos Ruiu <dr () dursec com>   dursec.com ltd. / kyx.net - we're from the future
gpg/pgp key on file at wwwkeys.pgp.net

  By Date           By Thread  

Current thread:
  • Re: [PEN-TEST] OT - How secure is an ISDN line? Dragos Ruiu (Nov 16)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]