Surveillance or Security?: The Risks Posed by New Wiretapping Technologies
Author: Susan Landau
The ability to illegally wiretap the Greek government stemmed from
vulnerabilities deliberately built into telephone switches. These were a
direct effect of complying with CALEA-like requirements.
Wiretapping creates two types of risks: risks to communications security
and threats to the society's social fabric. These can be described as technical
risks and policy risks. In this chapter, I will examine the technical vulnerabilities that arise from building wiretapping into communications infrastructure; in the next, the policy risks.
8.1 The Insecurity of Communications
While wiretapping in the United States is illegal without a court order, it
is often not hard to find ways to listen in or to discover revealing transactional information.15 But that does not necessarily mean that it is easy to track all communications by a particular party. To law enforcement that
distinction is important, but for someone whose communications or communications patterns are revealed, the distinction between all communications being tapped and sometimes being listened to may be academic.
If someone is talking over the PSTN from a fixed location, then, as has
already been described in chapter 4, a wiretap can be placed anywhere
from the phone itself to the switch at the central office, although the latter
typically requires insider help if it is not to be discovered. The fact that
the phone location is known makes surveillance simple. It is well within
the capability of anyone with a bit of training.16
If someone is talking, 1990s fashion, over a cell phone, radio scanners in
the area can easily pick up the conversation. Both the sale and use of such
scanners are illegal in the United States, but there are numerous examples
of scanners picking up such conversations. One well-known one was of
Speaker of the House Newt Gingrich discussing how to spin the ethics
charges against him, picked up by a Florida couple in 1996.17 The example
demonstrates why communications security matters. The couple was not
targeting Gingrich, but simply scanning the airwaves and found an interesting conversation, which they recorded.
Three things improve the security of cell phones: that communications
are digital rather than analog, that the scanner must be in the right cell to
pick up the conversation, and that digital cellular systems are encrypted
in the "air interface" between the handset and the cell tower. However,
the first is minimal protection: equipment to decode the digital signal is
not hard to find. The second provides somewhat more protection: it means
that in order to obtain all your communications your adversary must be
following you.
SMS messages are essentially broadcasts between the cell tower and a
cell phone. As such they are easy to intercept. The messages are encrypted.
However, the type of encryption, which varies with the type of network,
is not considered very secure.18
Communications over the Internet are easier to intercept than communications over the PSTN or cellular networks. The underlying reason is
that the packet-switched network allows many parameters to be set dynamically in response to demand. This flexibility gives attackers many potential
openings.19 Eavesdroppers can attach a packet sniffer or a mirroring technology that sends copies of Internet communications by exploiting such
vulnerabilities as improperly secured communications switches (e.g., with
easily guessed passwords or default logins), or improperly secured control
interfaces for the switches, routers, and so on.20 The fact that calls in the PSTN or cellular networks rarely pass through more than two carriers, while
communications in the Internet are likely to travel through a number of
domains controlled by different network operators,21 increases the opportunity for interception. This is compounded by the fact that packet-sniffing
tools are more widely available than the equivalent interception equipment for telephone networks.22
If someone is using the Internet to communicate, their communications
security is entirely dependent on the application's security. Unless email
and IM are encrypted or secured through a VPN, these communications
can be eavesdropped on. Confidentiality of VoIP depends entirely on the
security of the particular VoIP protocol. Skype, for example, encrypts conversations end to end. A 2005 analysis of Skype conducted by cryptographer Tom Berson concluded that "the confidentiality of a Skype session is
far greater than that offered by a wired or wireless telephone call or by
email and email attachments." The same level of communications security, however, was not present for Tom-Skype, Skype software for use in
China. In 2008 a University of Toronto researcher discovered that Tom-Skype scanned text-chat messages between Tom-Skype and Skype users for
words deemed sensitive by the Chinese government and stored these,
along with IP addresses, usernames, and time and date of messages from
Tom-Skype calls made from cybercafes (transactional information was also
collected from Skype users interacting with Tom-Skype users). This information was kept on "insecure, publicly-accessible web servers."24
The Tom-Skype vulnerabilities were two: an architecture designed to
allow eavesdropping on Internet communications and poor securing of the
collected communications. The former highlights the problems of VoIP
security. As a National Institute of Standards and Technology report on
securing VoIP concluded, "VoIP can be done securely, but the path is not
smooth."25
Even encrypted communications can leak serious amounts of information. Work by Johns Hopkins researchers showed that through knowledge
of phonemes within a language, it is not hard to determine particular
words and phrases spoken over an encrypted VoIP channel.26
This ease of interception combined with the wealth of information
traveling communication networks puts us at greater risk than when the
Soviets cornered the U.S. wheat market in 1972. It is not just email that
can be read, but VoIP conversations listened to, browsing sessions observed
and so on.27 What if a foreign power were eavesdropping on the network
and was able to read queries posted to Google? What if the adversary
aggregated the data and performed the same computations as Google Flu Trends? Cornering the wheat market is one thing but cornering the market
for a flu vaccine just as a pandemic were about to hit the United States
would be quite another.
8.2 Network Convergence Creates Security Risks
When two disparate systems are combined, security problems may arise as
a result of the two systems unwittingly violating each other's security
expectations. Such is the case with network convergence, the interconnection between the PSTN, cellular networks, Internet, sensor and RFID networks, and control systems.
Recall that SMS messages use the SS7 signaling channel. Unlike voice
communications, SMSs are store and forward: data are held in an intermediate machine until the next device in the network is available to receive it
(this also differs from the Internet best-effort protocols). When phone
circuits are busy, voice calls do not make it through, but SMS messages are
queued until there is system availability. This allows SMSs to saturate the
SS7 signaling channel and could permit a DoS attack on the PSTN. Such
situations have already occurred accidentally. In 2002 SMS traffic sent in
response to questions asked in the Indian version of "Who Wants to Be a
Millionaire?" choked up all Indian GSM networks for an hour; there have
been multiple such incidents.29
Patrick Traynor, Patrick McDaniel, and Thomas La Porta have modeled
the number of SMS messages needed to saturate cellular networks, and the
number is surprisingly low.30 (Note the use of the word model; it is illegal
to actually test this.) No solution appears readily extant for the problem,
but the federal Government Emergency Telecommunications Service
(GETS) program enables emergency personnel to connect through cell
phones and landlines even when these are congested.
Convergence breaks the security model of physical separation that the
networks had used as one aspect of security. Previously each network used
the form of authentication that provided appropriate security for the
network. For the PSTN, that was the phone number (of course the authentication was only of a physical address, not of a person). For cellular networks, authentication was also found in the phone number, and here there
was a higher chance than in the PSTN that the number designated a particular individual. For local area networks, including SCADA systems,
authentication was provided by physical access. Commands could be
entered only by a trusted employee in an access-restricted control room
on-site. Once the networks were no longer "air-gapped" from one another, that aspect of security disappeared. Through VoIP the Internet links to the
PSTN, while RFID and sensor nets as well as control system networks are
directly connected to the Internet.
Sometimes linkages happen without full knowledge of those who run
the system; often the connection is made without a sufficient replacement
in hand for the old form of authentication. (Nowhere is that more clear
than in the recent appearance of commercial mobile devices, BlackBerrys, marketed to remotely manage SCADA systems: "Whenever the Internet is
available, so is your information.") That creates serious
vulnerabilities.
Other risks arise from network interconnection. In order for VoIP calls
to connect to the PSTN, there has to be a software interface between the
PSTN and the Internet. The PSTN was not designed with the idea that
random software could access a switch. This gateway, if not properly configured, can provide a way for malware to enter the PSTN. Consider the
1990 AT&T outage resulting from a software update of its 4ESS switches.
A single switch signaled its neighbors that it was out of commission. A few
seconds later, the switch announced it was back in service. That update
caused neighboring switches to fail, and they sent out their own signals
to their neighbors that they were out of service; they followed this with
an update that they were back. Unfortunately their neighboring switches
had the same software. The cascading process shut down AT&T's long-distance service.32
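As an added illustration that is not from the book, the following Python simulation models the cascade just described on a small constructed switch topology: a failed switch announces that it is back in service, and every neighbour running the same flawed software fails on receiving that update and then announces in turn. The topology, the message handling and the second "mixed versions" scenario are assumptions made for illustration, not AT&T's actual 4ESS behaviour.

```python
"""Cascading switch-failure model (added example; constructed, not 4ESS code)."""


def ring_network(n):
    """Constructed topology: n switches in a ring, each also linked to the
    switch directly across the ring, so faults have more than one path."""
    return {i: [(i - 1) % n, (i + 1) % n, (i + n // 2) % n] for i in range(n)}


def simulate_cascade(adjacency, flawed, first_failure):
    """Return (crashed_switches, waves).

    adjacency: switch -> list of neighbouring switches.
    flawed: switches running the version that crashes when a neighbour's
            'back in service' announcement arrives (the chapter's
            'same software'); other switches absorb the update harmlessly.
    first_failure: the switch whose own update starts the cascade.
    waves[k] lists the switches that fail in announcement round k.
    """
    crashed = {first_failure}
    waves = [[first_failure]]
    while True:
        next_wave = []
        for sw in waves[-1]:            # each recovered switch announces
            for nb in adjacency[sw]:    # ... to all of its neighbours
                if nb in flawed and nb not in crashed:
                    crashed.add(nb)     # flawed neighbour fails on the update
                    next_wave.append(nb)
        if not next_wave:               # nobody new failed: cascade has stopped
            return crashed, waves
        waves.append(next_wave)


NETWORK = ring_network(8)

# Scenario 1 (the 1990 situation): every switch runs the same flawed update.
MONOCULTURE = simulate_cascade(NETWORK, flawed=set(NETWORK), first_failure=0)

# Scenario 2 (assumed): only the even-numbered switches carry the flawed
# version, so the cascade cannot cross an odd-numbered switch.
MIXED = simulate_cascade(NETWORK, flawed={0, 2, 4, 6}, first_failure=0)

if __name__ == "__main__":
    for name, (crashed, waves) in (("monoculture", MONOCULTURE), ("mixed", MIXED)):
        print(f"{name}: {len(crashed)}/{len(NETWORK)} switches down, waves={waves}")
```

With every switch sharing the flaw the whole constructed network is down after three announcement rounds; with versions mixed, the cascade stops at the first neighbour that does not share the bug, which is why identical software on every neighbouring switch mattered in 1990.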
AT&T was performing its own update; technicians were able to quickly
pinpoint the source of the problem and halt the failure. What if someone
nefarious had targeted the switches with flawed software? In order for such
an attack to work, the attacker has to be able to access the switch, possible
because the 1996 Telecommunications Act33 requires that telephone companies permit connection to the SS7 infrastructure for a small fee,34 which,
in 2009, was under $2,000 a year for AT&T (the fee varies by phone
company and location).35 This is well within the budget of a terrorist or
criminal organization. The attacker would have to be able to download
software to the switch. The ability to do so depends on AT&T's authentication model. Finally, the software would have to include a cascading fault
much like the one just described. We already have experience that such
software is possible to design.
Denial of service due to lack of bandwidth is already a concern in cellular networks. In 2009, even as AT&T embarked on a high-profile campaign urging customers to talk and use the Internet at the same time,36 the
company was seeking to cut customer bandwidth use.37 This is a harbinger of another vulnerability of network convergence: denial of service because
of conflicting demand between voice, SMS, and data on cellular networks.
All services want the bandwidth at once.
Cell phones are now both phones and computers. That means that the
malware that plagues personal computers has a chance to spread to cellular
networks. Currently few major attacks against cell phones exist. That is an
artifact of the multiple operating systems powering the devices as well as
a result of the fact that, in the United States and Europe, cell phones are
rarely used for financial transactions. That situation is changing.38 Once it
does, attacks on cell phones will undoubtedly proliferate.
Mobility creates a set of new risks. Cell phones check in with their
networks periodically. In GSM networks, for example, this is typically every
thirty minutes, but it can be longer if the network is congested; BlackBerrys
connect more frequently. Location information is given even when the
phone is not being used to communicate. An eavesdropper could use this
information. Recall ThorpeGlen, the British company that sells tools for
commercial traffic analysis. There are other ways of tracking as well, including companies that sell services to track individuals.39
Cellular networks now create temporary identifiers for cell phone users;
this effectively hides the user's identity to an idle scanner listening in on
all transmissions. But a more sophisticated system with some knowledge
of a user's traffic patterns (or the triangle of home, office, and a stop
at the neighborhood bar after work) may be used to track the user
despite the encryption. Malware installed on a user's cell phone may also
leak location information. Finally, as long as the battery remains in the
phone, in some circumstances it is possible to turn a cell phone on
remotely, enabling the phone to act as a beacon without the user's knowledge. So while the cellular network itself now provides some location
privacy for users, true location privacy is possible only if the cell phone
being carried is without its battery and is simply a dead piece of metal
or plastic.
8.3 Wiretapping Mobile Communications Creates Security Risks
Eavesdropping on conversations made over the PSTN includes placing a
tap at the central office. Wiretapping cell phones is more complicated. If
the cell phone is in use in a cell within its home system, the wiretapping
process is essentially the same as for the PSTN: the tap is placed at the
switch and is activated whenever the phone is in use. Complexity arises
when the cell phone roams.