research-article

Can they hear me now?: a security analysis of law enforcement wiretaps

Authors:

Matt BlazeAuthors Info & Claims

CCS '09: Proceedings of the 16th ACM conference on Computer and communications security

Pages 512 - 523

https://doi.org/10.1145/1653662.1653724

Published: 09 November 2009 Publication History

Abstract

Although modern communications services are susceptible to third-party eavesdropping via a wide range of possible techniques, law enforcement agencies in the US and other countries generally use one of two technologies when they conduct legally-authorized interception of telephones and other communications traffic. The most common of these, designed to comply with the 1994 Communications Assistance for Law Enforcement Act(CALEA), use a standard interface provided in network switches.

This paper analyzes the security properties of these interfaces. We demonstrate that the standard CALEA interfaces are vulnerable to a range of unilateral attacks by the intercept target. In particular, because of poor design choices in the interception architecture and protocols, our experiments show it is practical for a CALEA-tapped target to overwhelm the link to law enforcement with spurious signaling messages without degrading her own traffic, effectively preventing call records as well as content from being monitored or recorded. We also identify stop-gap mitigation strategies that partially mitigate some of our identified attacks.

References

[1]

3rd Generation Partnership Project. Lawful interception architecture and functions. Technical Specification Group Services and System Aspects 3GPP TS33.107 v3.1.0, 2000.

[2]

Administrative Office of the United States Courts. Wiretap report, 2007.

[3]

American National Standards Institute. Lawfully authorized electronic surveillance. Joint Standard ANSI/J-STD-025B, TIA/ATIS, Aug. 2003.

[4]

ANSI. UMTS handover interface for lawful interception handover interface for lawful interception. Standard ANSI T1.724--2004, Alliance for Telecommunications Industry Solutions, Jan. 2004.

[5]

S. M. Bellovin, M. Blaze, W. Diffie, S. Landau, P. G. Neumann, and J. Rexford. Risking communications security: Potential hazards of the Protect America Act. IEEE Security and Privacy, 6(1):24--33, 2008.

Digital Library

[6]

Cisco Systems, Inc. VoIP over Frame Relay with Quality of Service (Fragmentation, Traffic Shaping, LLQ / IP RTP Priority), February 2006. Document ID 12156.

[7]

Communication Technologies, Inc. SMS over SS7. Technical Information Bulletin 03--2, National Communications System, Dec. 2003.

[8]

E. Cronin, M. Sherr, and M. Blaze. On the (un)reliability of eavesdropping. International Journal of Security and Networks (IJSN), 3(2):103--113, 2008.

Digital Library

[9]

C. T. Dikmen and M. Karabatur. System for intercept of wireless communications. Patent No. 6, 577, 865, U.S. PTO, 2003.

[10]

EWSD Product Line Management. EWSD integrated CALEA with dial-out capability. Bulletin 02PB-CALEA01, Siemens, 2002.

[11]

FBI CALEA Implementation Unit. AskCALEA frequently asked questions, Oct. 2008. http://www.askcalea.net/faqs.html.

[12]

R. Gayraud and O. Jacques. SIPp. http://sipp.sourceforge.net/.

[13]

R. M. Howell. Method of intercepting telecommunications. Patent No. 5, 920, 611, U.S. PTO, 1996.

[14]

R. M. Howell. Telecommunications intercept system. Patent No. 5, 943, 393, U.S. PTO, 1996.

[15]

International Packet Communications Consortium. Lawfully Authorized Electronic Surveillance for Softswitch-based Networks, July 2003.

[16]

IPFabrics. DeepSweep VoIP Surveillance Modules User's Manual, May 2007. http://www.ipfabrics.com/pdf/VoIP_SM_users_manual.pdf.

[17]

ITU. ISDN user-network interface layer 3 specification for basic call control. Recommendation Q.931, May 1998.

[18]

ITU. Information technology - Abstract Syntax Notation One (ASN.1): Specification of basic notation. Recommendation X.680, November 2008.

[19]

E. E. Kampmeier, D. B. Smith, and M. R. Smith. Utilization of communication channels between a central office switch and a law enforcement agency. Patent No. 6, 728, 338, U.S. PTO, 2000.

[20]

S. Landau. Security, wiretapping, and the internet. IEEE Security and Privacy, 3(6):26--33, November 2005.

Digital Library

[21]

Orenstein, James. In the matter of an application {REDACTED} of the united states of america memorandum for an order authorizing the use of a pen register and trap and trace device... United States District Court Eastern District of New York Case 1:08-mc-00595-JO, December 2008.

[22]

PacketCable Electronic Surveillance Focus Team. PacketCable Electronic Surveillance Specification. Specification PKT-SP-ESP-I03-040113, Cable Television Laboratories, Inc., January 2004.

[23]

V. Prevelakis and D. Spinellis. The Athens affair. IEEE Spectrum, 44(7):26--33, 2007.

Digital Library

[24]

T. Ptacek and T. Newsham. Insertion, evasion, and denial of service: Eluding network intrusion detection. Technical report, Secure Networks, Inc., 1998.

[25]

Recall Technologies, Inc. R2801 Line Latch/Slave Controller. Product specification, 2005. http://recallt3.com/products.htm.

[26]

S. Sanfilippo. Hping -- Active Network Security Tool.

[27]

H. Schulzrinne, S. Casner, R. Frederick, and V. Jacobson. RTP: A transport protocol for real-time applications. RFC 3350, Internet Engineering Task Force, July 2003.

[28]

M. Sherr, E. Cronin, S. Clark, and M. Blaze. Signaling vulnerabilities in wiretapping systems. IEEE Security and Privacy, 3(6):13--25, November 2005.

Digital Library

[29]

Smith, Magistrate No. H-06-356M. In the matter of the application of the united states of america for an order authorizing (1) installation and use pen register and trap and trace device. United States District Court Southern District of Texas Houston Division Case 4:06-mj-00356, July 2006.

[30]

TeleCommunications Systems. Lucent/TCS short message service center. http://www1.telecomsys.com/carriers/lucent_smsc.cfm.

[31]

TeleDNA Inc. TeleDNA short messaging service center (SMSC), 2008. http://www.teledna.com/pdf/smsc.pdf.

[32]

P. Traynor, W. Enck, P. McDaniel, and T. L. Porta. Exploiting open functionality in SMS-capable cellular networks. Journal of Computer Security, 16(6):713--742, 2008.

Digital Library

[33]

United States Congress. Omnibus Crime Control and Safe Streets Act of 1968: Title III. Pub. L. No. 90--351, 82 Stat. 197, USA, June 1968. (codified as amended in 18 U.S.C. Sect. 2510--2522).

[34]

United States Congress. Communications Assistance for Law Enforcement Act. Pub. L. No. 103-414, 108 Stat. 4279, United States of America, Oct. 1994. (codified as amended in scattered sections of 18 U.S.C. and 47 U.S.C. Sect. 229, 1001--1010, 1021).

[35]

United States House of Representatives. Telecommunications carrier assistance to the government. H.R. Rep. No. 103--827, USA, Oct. 1994.

Cited By

Vella MColombo C(2022)D-Cloud-Collector: Admissible Forensic Evidence from Mobile Cloud StorageICT Systems Security and Privacy Protection10.1007/978-3-031-06975-8_10(161-178)Online publication date: 3-Jun-2022
https://doi.org/10.1007/978-3-031-06975-8_10
Bates AButler KSherr MShields CTraynor PWallach D(2015)Accountable wiretapping – or – I know they can hear you nowJournal of Computer Security10.3233/JCS-14051523:2(167-195)Online publication date: 3-Jun-2015
https://doi.org/10.3233/JCS-140515
Marczak WScott-Railton JMarquis-Boire MPaxson VFu K(2014)When governments hack opponentsProceedings of the 23rd USENIX conference on Security Symposium10.5555/2671225.2671258(511-525)Online publication date: 20-Aug-2014
https://dl.acm.org/doi/10.5555/2671225.2671258
Show More Cited By

Index Terms

Can they hear me now?: a security analysis of law enforcement wiretaps
1. Information systems
  1. Information systems applications
2. Networks
  1. Network types
    1. Wired access networks

Recommendations

Signaling Vulnerabilities in Wiretapping Systems

Many law enforcement wiretap systems are vulnerable to simple, unilateral countermeasures that exploit the unprotected in-band signals passed between the telephone network and the collection system. This article describes the problem as well as some ...
Security, Wiretapping, and the Internet

Wiretaps have been used since the invention of the telegraph and have been a legal element of the U.S. law-enforcement arsenal for over a quarter century.In 1994, in keeping with law enforcement's efforts to have laws stay current with changing ...
Risking Communications Security: Potential Hazards of the Protect America Act

A new US law allows warrantless wiretapping whenever one end of the communication is believed to be outside national borders. This creates serious security risks: danger of exploitation of the system by unauthorized users, danger of criminal misuse by ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '09: Proceedings of the 16th ACM conference on Computer and communications security

November 2009

664 pages

ISBN:9781605588940

DOI:10.1145/1653662

General Chair:
Ehab Al-Shaer
University of North Carolina, Charlotte, USA
,
Program Chairs:
Somesh Jha
University of Wisconsin, USA
,
Angelos D. Keromytis
Columbia University, USA and Symantec Research Labs Europe, France

Copyright © 2009 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 09 November 2009

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CCS '09

Sponsor:

SIGSAC

CCS '09: 16th ACM Conference on Computer and Communications Security 2009

November 9 - 13, 2009

Illinois, Chicago, USA

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

4
Total Citations
View Citations
711
Total Downloads

Downloads (Last 12 months)12
Downloads (Last 6 weeks)3

Reflects downloads up to 18 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Vella MColombo C(2022)D-Cloud-Collector: Admissible Forensic Evidence from Mobile Cloud StorageICT Systems Security and Privacy Protection10.1007/978-3-031-06975-8_10(161-178)Online publication date: 3-Jun-2022
https://doi.org/10.1007/978-3-031-06975-8_10
Bates AButler KSherr MShields CTraynor PWallach D(2015)Accountable wiretapping – or – I know they can hear you nowJournal of Computer Security10.3233/JCS-14051523:2(167-195)Online publication date: 3-Jun-2015
https://doi.org/10.3233/JCS-140515
Marczak WScott-Railton JMarquis-Boire MPaxson VFu K(2014)When governments hack opponentsProceedings of the 23rd USENIX conference on Security Symposium10.5555/2671225.2671258(511-525)Online publication date: 20-Aug-2014
https://dl.acm.org/doi/10.5555/2671225.2671258
Sengar HWang HIranmanesh SBertino ESandhu RPark J(2014)Wiretap-proofProceedings of the 4th ACM conference on Data and application security and privacy10.1145/2557547.2557567(345-356)Online publication date: 3-Mar-2014
https://dl.acm.org/doi/10.1145/2557547.2557567

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten