[Clips] Matt Blaze: Security Flaw Allows Wiretaps to Be Evaded

R. A. Hettinga rah at shipwright.com
Wed Nov 30 10:51:20 PST 2005

--- begin forwarded text

 Delivered-To: clips at philodox.com
 Date: Wed, 30 Nov 2005 13:48:25 -0500
 To: Philodox Clips List <clips at philodox.com>
 From: "R. A. Hettinga" <rah at shipwright.com>
 Subject: [Clips] Matt Blaze: Security Flaw Allows Wiretaps to Be Evaded
 Reply-To: rah at philodox.com
 Sender: clips-bounces at philodox.com


 The New York Times

 November 30, 2005

 Security Flaw Allows Wiretaps to Be Evaded, Study Finds

 The technology used for decades by law enforcement agents to wiretap
 telephones has a security flaw that allows the person being wiretapped to
 stop the recorder remotely, according to research by computer security
 experts who studied the system. It is also possible to falsify the numbers
 dialed, they said.

  Someone being wiretapped can easily employ these "devastating
 countermeasures" with off-the-shelf equipment, said the lead researcher,
 Matt Blaze, an associate professor of computer and information science at
 the University of Pennsylvania.

  "This has implications not only for the accuracy of the intelligence that
 can be obtained from these taps, but also for the acceptability and weight
 of legal evidence derived from it," Mr. Blaze and his colleagues wrote in a
 paper that will be published today in Security & Privacy, a journal of the
 Institute of Electrical and Electronics Engineers.

 A spokeswoman for the F.B.I. said "we're aware of the possibility" that
 older wiretap systems may be foiled through the techniques described in the
 paper. Catherine Milhoan, the spokeswoman, said after consulting with
 bureau wiretap experts that the vulnerability existed in only about 10
 percent of state and federal wiretaps today.

  "It is not considered an issue within the F.B.I.," Ms. Milhoan said.

  According to the Justice Department's most recent wiretap report, state
 and federal courts authorized 1,710 "interceptions" of communications in

  To defeat wiretapping systems, the target need only send the same "idle
 signal" that the tapping equipment sends to the recorder when the telephone
 is not in use. The target could continue to have a conversation while
 sending the forged signal.

 The tone, also known as a C-tone, sounds like a low buzzing and is
 "slightly annoying but would not affect the voice quality" of the call, Mr.
 Blaze said, adding, "It turns the recorder right off."

  The paper can be found at http://www.crypto.com/papers/wiretapping.

 The flaw underscores how surveillance technologies are not necessarily
 invulnerable to abuse, a law enforcement expert said.

 "If you are a determined bad guy, you will find relatively easy ways to
 avoid detection," said Mark Rasch, a former federal prosecutor who is now
 chief security counsel at Solutionary Inc., a computer security firm in
 Bethesda, Md. "The good news is that most bad guys are not clever and not
 determined. We used to call it criminal Darwinism."

 Aviel D. Rubin, a professor of computer science at Johns Hopkins University
 and technical director of the Hopkins Information Security Institute,
 called the work by Mr. Blaze and his colleagues "exceedingly clever" -
 particularly the part that showed ways to confuse wiretap systems as to the
 numbers that have been dialed. Professor Rubin added, however, that anyone
 sophisticated enough to conduct this countermeasure probably had other ways
 to foil wiretaps with less effort.

  Not all wiretapping technologies are vulnerable to the countermeasures,
 Mr. Blaze said; the most vulnerable are the older systems that connect to
 analog phone networks, often with alligator clips attached to physical
 phone wires. Many state and local law enforcement agencies still use those

 More modern systems tap into digital telephone networks and are more
 closely related to computers than to telephones. Under a 1994 law known as
 the Communications Assistance for Law Enforcement Act, telephone service
 providers must offer law enforcement agencies the ability to wiretap
 digital networks.

  But in a technology twist, the F.B.I. has extended the life of the
 vulnerability. In 1999, the bureau demanded that new telephone systems keep
 the idle-tone feature for recording control in the new digital networks,
 which are known as Calea networks because of the abbreviation of the name
 of the legislation.

 The Federal Communications Commission later overruled the F.B.I. and
 declared that providing the idle tone was voluntary. The researchers' paper
 states that marketing materials from telecommunications equipment vendors
 show that the "C-tone appears to be a relatively commonly available option."

 When the researchers tried the same trick on newer systems that were
 configured to recognize the C-tone, it had the same effect as on older
 systems, they found.

  Ms. Milhoan of the F.B.I. said that the C-tone feature could be turned off
 in the new systems and that when the bureau tested Mr. Blaze's method on
 machines with the function turned off, the effect was "negligible."

  "We were aware of it, we dealt with it, and we believe Calea has addressed
 it," she said.

  Mr. Blaze, a former security researcher at AT&T Labs, said he shared the
 information with the F.B.I. His team's research is financed by the National
 Science Foundation's Cyber Trust program, which is intended to promote
 computer network security.

  The security researchers discovered the new flaw, he said, while doing
 research on new generations of telephone-tapping equipment.

  In their paper, the researchers recommended that the F.B.I. conduct a
 thorough analysis of its wiretapping technologies, old and new, from the
 perspective of possible security threats, since the countermeasures could
 "threaten law enforcement's access to the entire spectrum of intercepted

  There is some indirect evidence that criminals might already know about
 the vulnerabilities in the systems, Mr. Blaze said, because of "unexplained
 gaps" in some wiretap records presented in trials.

 Vulnerabilities like the researchers describe are widely known to engineers
 creating countersurveillance systems, said Jude Daggett, an executive at
 Security Concepts, a surveillance firm in Millbrae, Calif.

 "The people in the countersurveillance industry come from the surveillance
 community," Mr. Daggett said. "They know what is possible, and their
 equipment needs to be comprehensive and needs to counteract any form of

 R. A. Hettinga <mailto: rah at ibuc.com>
 The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
 44 Farquhar Street, Boston, MA 02131 USA
 "... however it may deserve respect for its usefulness and antiquity,
 [predicting the end of the world] has not been found agreeable to
 experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

--- end forwarded text
