Many law enforcement wiretap systems are vulnerable to simple, unilateral countermeasures that exploit the unprotected in-band signals passed between the telephone network and the collection system. This article describes the problem as well as some remedies and workarounds.

Law enforcement agencies in the US and elsewhere use voice telephone interception systems to collect wiretap evidence and intelligence against criminal and national security subjects. Such systems provide a legal record of the digits dialed by the subject and, in some cases, the audio content of the calls themselves. Wiretapping is often credited as an essential tool in the investigation and prosecution of serious crime, especially when complex criminal enterprises and conspiracies are involved.

Unfortunately, however, many of the telephone interception technologies that law enforcement depends on for evidence collection are less reliable than previously thought. We found that the design and implementation of these systems often render them vulnerable to simple, unilateral countermeasures that allow wiretap subjects (or their correspondents) to prevent accurate and complete capture of call data and contents. These countermeasures exploit the in-band signals passed between the telephone network and the law enforcement agency.

In particular, the evidence collected by virtually all interception systems based on traditional technology, as well as at least some systems based on newer interfaces, can be manipulated by the subject with practical techniques and readily available hardware. We found one countermeasure, requiring only a standard PC, that prevents the accurate recording of dialed telephone numbers and line statuses. Perhaps more seriously, we also found simple countermeasures that effectively and selectively suppress the recording of call audio with only modest degradation of call quality.

Unlike traditional wiretap countermeasures (such as encryption), our techniques are entirely unilateral—they don’t require active cooperation between subjects and their associates—and they obscure not only the content, but also the metadata that indicates the presence of communication and its endpoints in a way that is sometimes difficult to detect. This has implications not only for the accuracy of the intelligence that can be obtained from these taps, but also for the acceptability and weight of legal evidence derived from it.

Our analysis is based entirely on information obtained from published sources and equipment purchased openly in the retail and surplus markets. Thus it is possible (perhaps even likely) that motivated wiretap targets such as those involved with organized crime have already discovered and actively employed them. We recommend that currently fielded telephone interception systems be evaluated with respect to these vulnerabilities and reconfigured or modified where possible to reduce their susceptibility. In addition, the possibility of these or similar countermeasures should be considered in analyzing previously collected wiretap evidence and intelligence.

Despite law enforcement's growing reliance on wiretaps, little attention has been paid in the open literature to their reliability. Indeed, this article could represent the first analysis of the security of modern telephone wiretap systems by the computing and communications research community. Drafts of this article have been made available to the law enforcement community
At first blush, the J-STD-025A CALEA interfaces seem to effectively neutralize in-band signaling countermeasures; separate channels deliver the target’s signaling (the CDC) and voice traffic (the CCC), and allow decoding of DTMF tones at the switch instead of at a second unit at the law enforcement agency. Because the telephone company is responsible for DTMF decoding before sending the data to the agency, it’s likely that the reported digits are derived directly from the switch’s call-processing system, and because the line status is reported over a separate signaling channel, such systems need not be vulnerable to in-band spoofing of the line status. Nevertheless, many CALEA implementations fall short of achieving the level of robustness that their architecture would appear to allow.
the law enforcement equipment that processes the CCC should be configured not to shut off when a C tone is present on the channel
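The two passages above make one design point: the collection side should take call state (digits, answer, release) from the separate signaling channel (the CDC) and keep recording the content channel (the CCC) for as long as the switch reports the call active, treating an in-band C tone as something to log rather than something to act on. The following is an added example, not code from the article or from any interception product, that models both policies side by side over a constructed session. It assumes a simplified event model: `CdcEvent` messages stand in for switch signaling, `CccFrame` objects stand in for audio frames already tagged by a hypothetical tone detector, and the timestamps and digits are made up.

```python
"""Model of a CALEA-style collection function: in-band vs. CDC-driven call state.

Added example (not the article's or any vendor's code). Assumes a simplified
event model: the CDC carries signaling messages from the switch, the CCC
carries audio frames, each tagged by a hypothetical tone detector with
whether an in-band "C tone" was heard in that frame. All sample data is
constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class CdcEvent:
    """A signaling message from the switch on the call data channel (CDC)."""
    t: float
    kind: str            # "digits", "answer" or "release"
    digits: str = ""     # populated for kind == "digits"


@dataclass
class CccFrame:
    """One audio frame from the call content channel (CCC)."""
    t: float
    c_tone: bool         # hypothetical tone-detector output for this frame


@dataclass
class CallRecord:
    dialed: str = ""
    recorded: List[float] = field(default_factory=list)   # timestamps of frames kept
    dropped: List[float] = field(default_factory=list)    # timestamps of frames discarded
    anomalies: List[str] = field(default_factory=list)    # detection log


def _timeline(cdc, ccc):
    """Merge both channels into one time-ordered stream (CDC first on ties)."""
    events = [(e.t, 0, e) for e in cdc] + [(f.t, 1, f) for f in ccc]
    return [ev for _, _, ev in sorted(events, key=lambda x: (x[0], x[1]))]


def collect_inband_status(cdc, ccc) -> CallRecord:
    """Weak policy: the in-band C tone is treated as the line-status signal.

    The recorder shuts off whenever the tone is present on the CCC, so any
    audio that coincides with the tone is never captured.
    """
    rec = CallRecord()
    for ev in _timeline(cdc, ccc):
        if isinstance(ev, CdcEvent):
            if ev.kind == "digits":
                rec.dialed += ev.digits
        elif ev.c_tone:          # tone heard -> assume line idle, stop recording
            rec.dropped.append(ev.t)
        else:
            rec.recorded.append(ev.t)
    return rec


def collect_cdc_driven(cdc, ccc) -> CallRecord:
    """Robust policy: call state comes only from the CDC.

    The CCC is recorded for as long as the switch reports the call active;
    a C tone inside that window is logged as an anomaly, not acted on.
    """
    rec = CallRecord()
    active = False
    for ev in _timeline(cdc, ccc):
        if isinstance(ev, CdcEvent):
            if ev.kind == "digits":
                rec.dialed += ev.digits
            elif ev.kind == "answer":
                active = True
            elif ev.kind == "release":
                active = False
        elif active:
            rec.recorded.append(ev.t)
            if ev.c_tone:
                rec.anomalies.append(
                    f"C tone on CCC at t={ev.t:.1f}s while CDC reports call active")
        else:
            rec.dropped.append(ev.t)   # audio outside a CDC-reported call
    return rec


# Constructed sample session: digits dialed, answered at 1 s, released at 10 s.
SAMPLE_CDC = [
    CdcEvent(0.0, "digits", "5551234"),
    CdcEvent(1.0, "answer"),
    CdcEvent(10.0, "release"),
]
# Nine one-second audio frames; the frames at 4, 5 and 6 s carry the tone.
SAMPLE_CCC = [CccFrame(float(t), c_tone=t in (4, 5, 6)) for t in range(1, 10)]


def compare(cdc=SAMPLE_CDC, ccc=SAMPLE_CCC) -> Tuple[CallRecord, CallRecord]:
    """Run both policies over the same session and return (weak, robust)."""
    return collect_inband_status(cdc, ccc), collect_cdc_driven(cdc, ccc)


if __name__ == "__main__":
    weak, robust = compare()
    print("in-band policy kept", len(weak.recorded), "frames, dropped", weak.dropped)
    print("CDC-driven policy kept", len(robust.recorded), "frames")
    for a in robust.anomalies:
        print("anomaly:", a)
```

On the constructed session the in-band policy silently loses the three frames that coincide with the tone, while the CDC-driven policy keeps all nine and produces an anomaly log entry for each tone event. That log is the practical check: a C tone on the CCC while the CDC still reports the call as active is exactly the signal that should be reviewed rather than trusted when assessing the completeness of a recording.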