Decius wrote:

In a research paper appearing in the November/December 2005 issue of IEEE Security and Privacy, we analyzed publicly available information and materials to evaluate the reliability of the telephone wiretapping technologies used by US law enforcement agencies. The analysis found vulnerabilities in widely fielded interception technologies that are used for both "pen register" and "full audio" (Title III / FISA) taps. The vulnerabilities allow a party to a wiretapped call to disable content recording and call monitoring and to manipulate the logs of dialed digits and call activity.

In the most serious countermeasures we discovered, a wiretap subject superimposes a continuous low-amplitude "C-tone" audio signal over normal call audio on the monitored line. The tone is misinterpreted by the wiretap system as an "on-hook" signal, which mutes monitored call audio and suspends audio recording. Most loop extender systems, as well as at least some CALEA systems, appear to be vulnerable to this countermeasure.

John Markoff has a story on this today.

Ha... They were using old school dtmf techniques to detect call status! Thats a bizarre approach. You'd think they'd have some device that spoke SS7 and the network would simply send the digital call traffic to them. U: I just read the paper. Apparently there IS no good reason they are using inband signals. Its a good paper. Read it.

Of course, this kind of vulnerability isn't what I'm really interested in with respect to CALEA equipment. The big question is how does Law Enforcement get access to the CALEA system and is the security/authentication of that access method sufficient to prevent other parties from using the system. I've heard unsubstantiated whisperings that it isn't... U: The paper seems to allude to this suspicion as well...

See the thread on expanded Pentagon surveillance! Whenever a system is created like this, there will ALWAYS be ways to abuse it by parties not authorized to utilize it, IN ADDITION TO the parties that are authorize to use it abusing it.

Decius wrote:

Ha... They were using old school dtmf techniques to detect call status! Thats a bizarre approach. You'd think they'd have some device that spoke SS7 and the network would simply send the digital call traffic to them. U: I just read the paper. Apparently there IS no good reason they are using inband signals. Its a good paper. Read it.

Of course, this kind of vulnerability isn't what I'm really interested in with respect to CALEA equipment. The big question is how does Law Enforcement get access to the CALEA system and is the security/authentication of that access method sufficient to prevent other parties from using the system. I've heard unsubstantiated whisperings that it isn't... U: The paper seems to allude to this suspicion as well...

SS8 makes a SS7-talking CALEA intercept device. Their idea on implementation is pretty much "just send us that DS3, we'll pick off what we want". Seems to do the job, but there are always other concerns with the system (timing, etc.). But yes, with DSx circuits and SS7, you can easily loop a circuit through a tap device and just copy the bits you want off of it and onto a disk.