New York Times
By John Schwartz and John Markoff
November 30, 2005
The technology used for decades by law enforcement agents to wiretap telephones has a security flaw that allows the person being wiretapped to stop the recorder remotely, according to research by computer security experts who studied the system. It is also possible to falsify the numbers dialed, they said.
Someone being wiretapped can easily employ these "devastating countermeasures" with off-the-shelf equipment, said the lead researcher, Matt Blaze, an associate professor of computer and information science at the University of Pennsylvania.
"This has implications not only for the accuracy of the intelligence that can be obtained from these taps, but also for the acceptability and weight of legal evidence derived from it," Mr. Blaze and his colleagues wrote in a paper that will be published today in Security & Privacy, a journal of the Institute of Electrical and Electronics Engineers.
A spokeswoman for the F.B.I. said "we're aware of the possibility" that older wiretap systems may be foiled through the techniques described in the paper. Catherine Milhoan, the spokeswoman, said after consulting with bureau wiretap experts that the vulnerability existed in only about 10 percent of state and federal wiretaps today.
"It is not considered an issue within the F.B.I.," Ms. Milhoan said.
According to the Justice Department's most recent wiretap report, state and federal courts authorized 1,710 "interceptions" of communications in 2004.
To defeat wiretapping systems, the target need only send the same "idle signal" that the tapping equipment sends to the recorder when the telephone is not in use. The target could continue to have a conversation while sending the forged signal.
The tone, also known as a C-tone, sounds like a low buzzing and is "slightly annoying but would not affect the voice quality" of the call, Mr. Blaze said, adding, "It turns the recorder right off."
The paper can be found at http://www.crypto.com/papers/wiretapping.
The flaw underscores how surveillance technologies are not necessarily invulnerable to abuse, a law enforcement expert said.
"If you are a determined bad guy, you will find relatively easy ways to avoid detection," said Mark Rasch, a former federal prosecutor who is now chief security counsel at Solutionary Inc., a computer security firm in Bethesda, Md. "The good news is that most bad guys are not clever and not determined. We used to call it criminal Darwinism."
Aviel D. Rubin, a professor of computer science at Johns Hopkins University and technical director of the Hopkins Information Security Institute, called the work by Mr. Blaze and his colleagues "exceedingly clever" - particularly the part that showed ways to confuse wiretap systems as to the numbers that have been dialed. Professor Rubin added, however, that anyone sophisticated enough to conduct this countermeasure probably had other ways to foil wiretaps with less effort.
Not all wiretapping technologies are vulnerable to the countermeasures, Mr. Blaze said; the most vulnerable are the older systems that connect to analog phone networks, often with alligator clips attached to physical phone wires. Many state and local law enforcement agencies still use those systems.
More modern systems tap into digital telephone networks and are more closely related to computers than to telephones. Under a 1994 law known as the Communications Assistance for Law Enforcement Act, telephone service providers must offer law enforcement agencies the ability to wiretap digital networks.
But in a technology twist, the F.B.I. has extended the life of the vulnerability. In 1999, the bureau demanded that new telephone systems keep the idle-tone feature for recording control in the new digital networks, which are known as Calea networks because of the abbreviation of the name of the legislation.
The Federal Communications Commission later overruled the F.B.I. and declared that providing the idle tone was voluntary. The researchers' paper states that marketing materials from telecommunications equipment vendors show that the "C-tone appears to be a relatively commonly available option."
When the researchers tried the same trick on newer systems that were configured to recognize the C-tone, it had the same effect as on older systems, they found.
Ms. Milhoan of the F.B.I. said that the C-tone feature could be turned off in the new systems and that when the bureau tested Mr. Blaze's method on machines with the function turned off, the effect was "negligible."
"We were aware of it, we dealt with it, and we believe Calea has addressed it," she said.
Mr. Blaze, a former security researcher at AT&T Labs, said he shared the information with the F.B.I. His team's research is financed by the National Science Foundation's Cyber Trust program, which is intended to promote computer network security.
The security researchers discovered the new flaw, he said, while doing research on new generations of telephone-tapping equipment.
In their paper, the researchers recommended that the F.B.I. conduct a thorough analysis of its wiretapping technologies, old and new, from the perspective of possible security threats, since the countermeasures could "threaten law enforcement's access to the entire spectrum of intercepted communications."
There is some indirect evidence that criminals might already know about the vulnerabilities in the systems, Mr. Blaze said, because of "unexplained gaps" in some wiretap records presented in trials.
Vulnerabilities like the researchers describe are widely known to engineers creating countersurveillance systems, said Jude Daggett, an executive at Security Concepts, a surveillance firm in Millbrae, Calif.
"The people in the countersurveillance industry come from the surveillance community," Mr. Daggett said. "They know what is possible, and their equipment needs to be comprehensive and needs to counteract any form of surveillance."