Lawful wiretap interfaces are vulnerable to unlawful exploits
IBM researcher shows how criminals could take advantage of intercept architectures
- By William Jackson
- Feb 10, 2010
The Communications Assistance for Law Enforcement Act requires networks to provide interfaces that allow government to intercept data transmissions, just as they have long been able to tap telephone systems. But an IBM security researcher said criminals also could use the systems to wiretap the Internet.
Tom Cross, manager of IBM Internet Security System’s X-Force Advanced Research Team, examined the lawful intercept architecture used by Cisco Systems in its networking products and found six vulnerabilities.
“Each one by itself probably isn’t serious,” he said at the Black Hat Federal Briefings in Washington earlier this month, but taken together, they could let bad guys eavesdrop on Internet traffic.
Cross said he was not picking on Cisco. He chose that company’s system because it is the only one that has been made public. International telecommunications standards do not include wiretap capabilities in their protocols, and as a result, the lawful intercept architectures from each vendor are proprietary. But Cisco published its architecture in 2004.
“As far as I know, they are the only company that has done this,” Cross said.
Several of the vulnerabilities stem from the use of Version 3 of the Simple Network Messaging Protocol in setting up the digital wiretap. It is easy to use a brute force attack to gain a user name and password on the system, and it is possible to authenticate a fraudulent packet that authorizes the wiretap. The system also does not have an audit trail, which helps hide the wiretap, and unencrypted data can be sent anywhere once intercepted.
“This attack scenario is pretty practical,” Cross said after outlining a possible route of spoofing the system.
He said Cisco has corrected some of the vulnerabilities, but there is no way to evaluate the security of other proprietary architectures in use on the Internet.
“We can’t be sure about their security properties,” he said. “Cisco did the right thing when they published their interface.”
In fact, that is the reason Cisco published its architecture, said Jennifer Greeson, the company’s communications director.
“We recognize that security is complicated and needs to be addressed in partnership with customers and peers,” she said.
She said Cisco had corrected the problems as they apply to the company’s products, and the company appreciated the security team’s analysis.
“We are happy to have the input,” she said. “That’s why we decided to open the architecture for review.”
William Jackson is freelance writer and the author of the CyberEye blog.