Down With OPP (Other People's Papers)
It was the best of times, it was the worst of times.
So Matt Blaze's wiretap hacking paper is finally out. Huzzah, this was one of the coolest talks I've seen in years. Matt, who gained all sorts of notoriety last year for effectively cryptanalyzing physical lock infrastructures, took on wiretap equipment this time. The results were pretty brutal. (New York Times article)
Here’s a basic summary of what Matt found:
- Telephone systems depend on an analog encoding for touch tones that is referred to as DTMF. (Unknown: Is pulse encoding still supported anywhere?) At some point in the CO (Central Office — the other side of where your phone is plugged in), those analog frequencies are converted into digits — 1, 2, 3, and so on. But which tones go to which numbers? Matt realized that there's an infinite range of possible tonal frequencies and mixes, and that by deviating farther and farther from the specification, he could eventually determine the precise boundaries of what his CO would accept as a given digit. Why would this be useful? Because it's quite unlikely that any other device inserted inline (read: wiretap) would have the exact same tolerances. Matt could send a series of digits, some within tolerance, others slightly outside. From here, two things were possible:
  - Too conservative: The wiretap would demand tighter adherence to DTMF specifications than the CO, and would thus reject numbers the CO was willing to route.
  - Too liberal: The wiretap would allow even more digits than the CO would — and thus, all those noise digits ignored by the CO would pollute the logger.
  Either way, the pen register (number logger) loses.
- Historically, SS7 (Signaling System 7) was set up to take all internal messages required for operating the telephone network outside of the frequency ranges that home users could, for instance, blow into the phone using a whistle from a box of Captain Crunch. So-called "out of band signaling" did a reasonable job of holding attacks inside of infrastructure, such as the PBXs that dot enterprises around the globe. (Disclosure — I'm formerly of Avaya, and was part of a group that fought toll fraud.) Wiretap technology apparently did not learn from SS7; the status of whether a line is on or off hook (an electrical message) gets transmitted via a special DTMF signal known as a C-Tone. When a C-Tone is detected, the phone is assumed to be hung up (and thus presumably safe to broadcast a signal over?). Matt noticed that by generating C-Tones, and then issuing a new string of digits, he could make a wiretap think a new call had started, while the CO blissfully continued to keep him connected to his old line. Given that wiretappers are banned from listening to certain calls (lawyers, for instance), Matt found that it was possible to make an analyst stop listening to a call that had never really been redirected to another number. Ouch.
- But what if a subject of a tap didn’t want to be listened to at all? You’d think he couldn’t play a C-Tone constantly, it’d be hard to talk over. But what if the tone was made fairly quiet — say, 1/1000th the maximum volume for the phone? Apparently, this was enough to stop Matt’s recorder from functioning.
- Matt also noted either side of a call could block or misroute communications, opening up frame jobs.
- The most painful thing — apparently, CALEA mandated a number of things that should have stopped all this. But, even though the FCC didn't demand this, apparently most vendors built in backwards compatibility with the old systems, with predictably dire consequences. Ouch.
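The tolerance mismatch from the DTMF item above, as a small simulation added here (not code from Matt's paper or this post): two decoders with different acceptance windows run over the same constructed two-tone burst, which is the check a pen register vendor would want, namely that its decoder agrees with the CO's across the CO's whole acceptance range. The tolerance values, the sample rate and the Goertzel-based decoder are assumptions.

```python
import math

# Assumed decoder tolerances (relative frequency deviation), constructed for
# the illustration; real CO and logger tolerances are product-specific.
CO_TOL = 0.030          # hypothetical central-office decoder
STRICT_TAP_TOL = 0.015  # hypothetical "too conservative" pen register
LOOSE_TAP_TOL = 0.050   # hypothetical "too liberal" pen register

RATE = 8000                           # telephone-band sample rate (assumed)
DTMF_LOW = [697, 770, 852, 941]       # nominal row frequencies (Hz)
DTMF_HIGH = [1209, 1336, 1477, 1633]  # nominal column frequencies (Hz)
KEYS = ["123A", "456B", "789C", "*0#D"]

def synth(f_low, f_high, n=800):
    """Constructed 100 ms two-tone burst at the given (possibly off-spec) frequencies."""
    return [0.5 * math.sin(2 * math.pi * f_low * i / RATE)
            + 0.5 * math.sin(2 * math.pi * f_high * i / RATE) for i in range(n)]

def goertzel_power(samples, freq):
    """Signal power at one frequency via the Goertzel recurrence (any freq allowed)."""
    k = 2.0 * math.cos(2.0 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + k * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - k * s1 * s2

def peak_freq(samples, lo, hi, step=2):
    """Frequency (Hz, on a 2 Hz grid) carrying the most energy in [lo, hi)."""
    return max(range(lo, hi, step), key=lambda f: goertzel_power(samples, f))

def decode(samples, tol):
    """Return the key, or None if either tone is off its nominal by more than tol."""
    fl = peak_freq(samples, 650, 1000)
    fh = peak_freq(samples, 1150, 1700)
    nl = min(DTMF_LOW, key=lambda f: abs(f - fl))
    nh = min(DTMF_HIGH, key=lambda f: abs(f - fh))
    if abs(fl - nl) / nl > tol or abs(fh - nh) / nh > tol:
        return None
    return KEYS[DTMF_LOW.index(nl)][DTMF_HIGH.index(nh)]

def compare_decoders(f_low, f_high, tap_tol):
    """(what the CO routes, what the tap logs) for one off-spec key press."""
    samples = synth(f_low, f_high)
    return decode(samples, CO_TOL), decode(samples, tap_tol)

if __name__ == "__main__":
    # Key "5" is nominally 770 + 1336 Hz; push the row tone 2.2% and 4% high.
    print(compare_decoders(770 * 1.022, 1336, STRICT_TAP_TOL))  # ('5', None): logger drops a routed digit
    print(compare_decoders(770 * 1.040, 1336, LOOSE_TAP_TOL))   # (None, '5'): logger records a digit the CO ignored
```

Sweeping the deviation across the band between the two tolerances maps exactly the window in which the logger and the switch disagree, which is what a vendor acceptance test should leave empty.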
There’s a bit more, but I don’t know if I’m OK to tell the coda to this story. Needless to say though, Matt Blaze has cojones of diamond-coated steel. I think it’s fair to say that, if we do expect law enforcement to be able to monitor telecom with a warrant, they’re going to need some better tools to do so reliably.
On another note, somehow we're hearing talk about how aliens might hack us through SETI. I'm sure Richard Carrigan is a nice guy, but I don't think he understands just how … extraordinary … his claims are. Not many things in security are mathematically provable, but I do believe summarization functions (such as SETI's FFTs, and those scary stats class "averages" and "standard deviations") qualify. SETI's FFTs have a known range of outputs with a known range for each output — this does not, even in the slightest, align well with a hacker's desire for unknown outputs into unexpected memory ranges. Indeed, if SETI is hackable, what we would really have to worry about is attacks against compression engines, such as MP3 or (most usefully) G.729a/b. You'd have to have a signal that, when processed, overflowed some bound and got controllable values into memory used for execution flow. Now, there are certain encoder designs where I can vaguely imagine this, but if it hasn't happened yet for such high value targets, or as far as I know, for any encoder, I don't think there's even the slightest reason to believe even a highly motivated human could hit SETI's analyzers, let alone "aliens".