Lawful wiretap interfaces are vulnerable to unlawful exploits

IBM researcher shows how criminals could take advantage of intercept architectures

The Communications Assistance for Law Enforcement Act requires networks to provide interfaces that allow government to intercept data transmissions, just as they have long been able to tap telephone systems. But an IBM security researcher said criminals also could use the systems to wiretap the Internet.

Tom Cross, manager of IBM Internet Security System’s X-Force Advanced Research Team, examined the lawful intercept architecture used by Cisco Systems in its networking products and found six vulnerabilities.

“Each one by itself probably isn’t serious,” he said at the Black Hat Federal Briefings in Washington earlier this month, but taken together, they could let bad guys eavesdrop on Internet traffic.

Cross said he was not picking on Cisco. He chose that company’s system because it is the only one that has been made public. International telecommunications standards do not include wiretap capabilities in their protocols, and as a result, the lawful intercept architectures from each vendor are proprietary. But Cisco published its architecture in 2004.

“As far as I know, they are the only company that has done this,” Cross said.

Several of the vulnerabilities stem from the use of Version 3 of the Simple Network Messaging Protocol in setting up the digital wiretap. It is easy to use a brute force attack to gain a user name and password on the system, and it is possible to authenticate a fraudulent packet that authorizes the wiretap. The system also does not have an audit trail, which helps hide the wiretap, and unencrypted data can be sent anywhere once intercepted.

“This attack scenario is pretty practical,” Cross said after outlining a possible route of spoofing the system.

He said Cisco has corrected some of the vulnerabilities, but there is no way to evaluate the security of other proprietary architectures in use on the Internet.

“We can’t be sure about their security properties,” he said. “Cisco did the right thing when they published their interface.”

In fact, that is the reason Cisco published its architecture, said Jennifer Greeson, the company’s communications director.

“We recognize that security is complicated and needs to be addressed in partnership with customers and peers,” she said.

She said Cisco had corrected the problems as they apply to the company’s products, and the company appreciated the security team’s analysis.

“We are happy to have the input,” she said. “That’s why we decided to open the architecture for review.”

About the Author

William Jackson is freelance writer and the author of the CyberEye blog.

Reader Comments

Tue, Feb 16, 2010 freecode Austin, TX

This isn't news really, it's just that this was made public. The bad guys know the facts about hacking interfaces and have for a while. It's not just Cisco products, it's anything that provides the right point of intercept and can be exploited. The real problem isn't a "product" so much as reliance on the infallibility of same. All products have weaknesses to a degree, and no amount of hiding information ever stops a determined intruder. Not recognizing that any system that collects becomes a focal point for good and bad is the real issue. Intercept devices and systems provide the good and the bad with what they want: information. If it can be found, it can be exploited; if it can be exploited you should monitor the collector for anomalies and activities. At some point though, every collector becomes as much evidence as it is intelligence for both sides who might desire the information. Ponder that thought - because as we gain more dependence on information, we gain more vulnerabilities to the ability of others to manipulate that information for their own ends.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above