Matt Blaze's
Science, Security, Curiosity
Weaknesses in CALEA Wiretaps
The metadata is still the message.

This week in Chicago, Micah Sherr, Gaurav Shah, Eric Cronin, Sandy Clark, and I have a paper at the ACM Computer and Communications Security Conference (CCS) that's getting a bit more attention than I expected. The paper, Can They Hear Me Now? A Security Analysis of Law Enforcement Wiretaps [pdf] examines the standard "lawful access" protocols used to deliver intercepted telephone (and some Internet) traffic to US law enforcement agencies. Picking up where our 2004 analysis of wireline loop extender wiretaps [pdf] left off, this paper looks at the security and reliability of the latest communications surveillance standards, which were mandated by the 1994 Communications Assistance for Law Enforcement Act (CALEA). The standards, it turns out, can leave wiretaps vulnerable to manipulation and denial of service by surveillance targets who employ relatively simple technical countermeasures.

Of particular concern to law enforcement and others who rely on wiretap evidence is the fact that the protocols can be prevented not just from collecting accurate call content (which can already be obscured by a target using encryption), but also from collecting the metadata record -- who called whom and when. Metadata-only taps (called "pen registers" for historical reasons) make up more than 90% of legal wiretaps in the US. Call metadata, which over time reveals a suspect's "community of interest" and behavior patterns, can be more revealing to an investigator than the content. Many agencies use software that automatically aggregates and analyzes call metadata to discover the members (and structure) of suspected criminal networks.

The wiretap standard, called ANSI J-STD-025, was originally designed to cover only the low-bandwidth voice telephone services that existed in the early 1990's. But as the communications services that law enforcement agencies might want to tap have expanded -- think SMS, 3G internet, VoIP, and so on -- the standard has been "patched" to allow the delivery of more and more different kinds of traffic. Unfortunately, many of these new services are a poor fit for the tapping architecture, especially in the way status messages are encoded for delivery to law enforcement and in the way backhaul bandwidth is provisioned. In particular, many modern services make it possible for a wiretap target to generate messages that saturate the relatively low bandwidth "call data channels" between the telephone company and the government, without affecting his or her own services. Worse, these channels are shared among all the taps in a particular central office, so a single person employing countermeasures can suppress wiretaps of other targets as well.

Just to be clear, we don't suggest that anyone actually do these things in the hopes of thwarting a government wiretap. Aside from being somewhat technically difficult, there would be no way to be sure that the countermeasures were actually working. And I know of no evidence that criminals are actually using these techniques today. (Of course, a determined and technically savvy criminal could prove me wrong about this.)

The real problem is that these protocols -- used in the most serious criminal investigations -- were apparently designed and deployed (and mandated in virtually every communications switch in the US) without first subjecting them to a meaningful security analysis. They were engineered to work well in the average case, but ignored the worst case of an adversary trying to create conditions unfavorable to the eavesdropper. And as the services for which these protocols are used have expanded, they've created a wider range of edge conditions, with more opportunities for manipulation and mischief.

That's a familiar theme for security engineers, and the CALEA wiretap standard is hardly the first example of a serious protocol being deployed without considering what an adversary might do. Unfortunately, it probably won't be the last, either.