Electronic Shackles and Telephone Communications

The article is in Hebrew, but the security story is funny in any language.

It’s about a prisoner who was forced to wear an electronic shackle to monitor that he did not violate his home arrest. The shackle is pretty simple: if the suspect leaves the defined detention area, the electronic shackle signals through the telephone line to the local police.

How do you defeat a system such as this? Just stop paying your phone bill and wait for the phone company to shut off service.

Tags: , , , ,

Posted on December 21, 2005 at 12:03 PM29 Comments

Comments

Saar Drimer December 21, 2005 12:38 PM

…the guy was arretsed again and forced to pay the bill.

While looking for an English version of this article (without success) I found this gem (in English):
http://www.haaretz.com/hasen/spages/660712.html
“According to the police, the gang members used special welding equipment to break into businesses’ safes and instruments used to jam cellular phones to neutralize alarms around the safes… The suspects were arrested two weeks ago, and allegedly caused damages totaling millions of shekels.”

cyphertube December 21, 2005 12:39 PM

As Bruce suddenly gives me yet another reason to learn Hebrew….

This brings us back to the most simple of security lessons. No matter how great the technology is, there’s usually a very simple way to defeat it. Of course, a proper risk assessment would’ve found that and they would’ve realised that the state should pay the phone bill.

Ralph Broom December 21, 2005 1:25 PM

@cyphertube

Erm, how about having the system poll periodically (say, every 1-2 hours) and if it’s not heard from, send an officer? I don’t want to pay the felon’s phone bill, it’s already cost enough to prosecute them.

Joseph December 21, 2005 2:49 PM

@Preston

That’s what I was thinking. Why didn’t he just cut the line? It’s the same as having the service shut off.

Mike W December 21, 2005 3:07 PM

I’m not sure how leg-shackle phone devices typically work in California – but I heard of one guy who wanted to violate his home detention and attend a party at his buddy’s house next door. So he brought his landline phone with him to the party – attached with a new 100 foot phone cord.

Davi Ottenheimer December 21, 2005 3:20 PM

“he brought his landline phone with him to the party – attached with a new 100 foot phone cord”

Hey, if prisoners are expected to foot the bill (pun intended) for the communication link, then it should be common sense that market forces will lead them to easily defeat (pun not intended) or enhance the link. I am thinking a new wifi or even satellite shims are bound to be developed for the more affluent convicts. Maybe Martha already has one? If I can pay $200 to watch my home cable connection anywhere I can get the Internet…just imagine all the prisoners using Starbucks and other “hot-spots” as their new perimeter.

Davi Ottenheimer December 21, 2005 3:23 PM

“Why didn’t he just cut the line? It’s the same as having the service shut off.”

Ah, the old pull the plug method. That’s what many people used to do with the satellite TV boxes that relied on a dial-tone to report usage. And if you pulled the plug at the right moment during the connect sequence the data was lost instead of cached…

Blair Nilsson December 21, 2005 3:27 PM

While from a security point of view cutting the phone line or waiting for the service to be cut are almost the same (having the service cut off it slightly more risky, since you don’t know if the state is going to catch on and get the phone turned back on). One is a whole lot easier to “talk your way out”, if your found out.

Depending on the people involved another attack would be covering the shackle with tinfoil or leaving the area for short peroids of time, every now and then, staying at home, and see if either they start ignoring the system from false positives, or if they still get pinged if the phone is off the hook.

Being about to generate alarms at will and seeing the response is a powerful thing.
Yes, you do run the risk of them saying bugger it, and putting more security in….

Prehaps a better system is having the system call at random times, or have the shackle poll at some kind of hashed time (random from the prisoners point of view, but the main system knows when its meant to be called).

@cyphertube
man, what does it cost to have a phone over there? Your system needs it? Pay the damn phone bill. Turn off toll calls, sure as hell its better then the security not working, or, having to put more security in.

RS December 21, 2005 4:31 PM

‘Cut the line’ etc.

Or why not have a buddy call your number, generating a busy signal, so the system can’t dial in or out.

Good for occassional trips to the corner store!

Blair Nilsson December 21, 2005 5:52 PM

@Ravi Char

If you can hold him at home without an unacceptable risk to the public, then do so.

Its a trade off, and for most of the people the police drag in (at least in NZ – I haven’t traveled much) it would work, and its cheap, and that does have a lot going for it.

yeah, the process has a bug 🙂 – and that may need fixing.

Anonymous December 21, 2005 5:57 PM

“why not cut line”:
maybe because that would be more illegal, sort of actively working around the system? Whereas not paying phone bills is just not paying phone bills.

Moz December 21, 2005 7:05 PM

If the legal system had any clue at all it would be part of the sentencing conditions that the prisoner has a working phone line. So getting the phone cut off or anything like that is good for a trip into real custody.

I’m not a fan of this – if you want a cheap legal system why not try rehabilitation rather than “community care”. CC hasn’t worked for the mentally ill and I can’t see how it would work for criminals any better than simply a shorter sentence.

Roger December 21, 2005 7:08 PM

Yes there are probably numerous attacks possible on electronic home detention systems. But a significant point that people seem to have missed is that home detention is only used for relatively trusted minor offenders, more or less as a privilege. It is actually in the trustee’s interest that the system (and trustee) continue to be trusted, since the alternative is real prison. Conversely a hardened or desperate convict will never be given this type of detention in the first place since he will simply cut the device off and run.

Having said that, it obviously shouldn’t be TOO easy to circumvent since these people have demonstrated that they probably do succumb to temptation. This tends to mean the system should be at least tamper evident, should be randomly but frequently audited, and should be fairly sensitive to signal timings in order to make relay attacks hard. One type of signal which is very timing sensitive is GPS. However nowdays inexpensive microprocessor clocks are fast enough that it may be sufficient to simply measure the shackle’s response time to a (cryptographic, replay resistant) signal from a fixed point. 0.1 microsecond resolution is easily achieved and at speed of light transmission will limit movement to a few tens of metres; this cannot be bettered by any form of relaying.

Example protocol: during idle time, the shackle increments a counter it shares with the base station, and does two encryptions of it with a 64 bit block cipher with two different keys. Periodically (perhaps once per second) the base station sends the first encryption as a challenge. If they match (initial comparison can be done in hardware), the shackle responds with the second encryption as fast as possible. If they don’t match, the shackle decrypts the challenege to check if its counter has gone out of synch, and updates it if the difference is between, say, 0 and 100,000. Back at the base station, we simply record responses and response times for later audit, together with a MAC. Both devices erase keys upon detecting tampering.

another_bruce December 22, 2005 12:29 AM

if i were a criminal on home detention with an electronic shackle reporting on me through my phone line, and i wanted to go to a party, here’s what i’d do:
i’d phone the microsoft help desk and leave the phone off the hook.
the robot would repeat the options over and over while i was out getting drunk!

RonK December 22, 2005 1:41 AM

@ Preston L. Bannister, et. al.

Why not disconnect the phone line? See:

@Roger
“It is actually in the trustee’s interest that the system (and trustee) continue to be trusted”

Not paying the phone bill makes it “plausibly deniable” that the result was intentional. The article states this also.

Compare with some (partially) stenographic file systems….

Roy Owens December 22, 2005 4:52 AM

Why not make a lot of very long phone calls — innocently, of course — to test the response to an unavailable line? If the system is tolerant of this, then simply call time-and-temperature, leave the phone off the hook, and come back tomorrow.

jayh December 22, 2005 8:50 AM

What a joke! It is akin to a police asking a thief to stay put till the police finishes restroom break.<<

Typically these are low risk prisoners who are very happy to be at home as opposed to prison. The last thing they want is to screw that up.

Anonymous December 22, 2005 10:36 AM

I’m guessing that the system already has a safeguard against cutting the phone line. I’m sure people have tried it before. That would explain why he let the phone company cut off his service. They are most likely different from a technical standpoint, not just a legal standpoint.

David December 22, 2005 11:06 AM

@ Blair “man, what does it cost to have a phone over there?”

The last time I was in Israel, putting in a phone line was a months-long undertaking involving a bureaucratic labyrinth that is unequalled by even our Federal Government here in the USA.

You’ll have an easier time trying to run a dual OC3 to the middle of Yellowstone National Park than to undertake to get new residential phone service to an apartment in downtown Haifa.

chris December 22, 2005 12:02 PM

Pay your own bill?

Sheesh. At least when the FBI puts a wiretap on your line, they take care of getting CallerID for you…

Joseph December 22, 2005 2:30 PM

Since I don’t know the details of how it checks that you’re somewhere. What bout VOIP, ie. Vonage or Skype. You could take your Vonage router to anyone’s house with broadband and presto you’re “home”. Furthermore you could use a WiFi service ( http://www.verizonwireless.com/b2c/promotion/controller?promotionType=miniPac&action=miniStart ) route your VIOP service through your laptop and you could be anywhere in the covered area.

Yes, this would require a laptop and somekind of powersupply, but you could run all of this equipment off your car’s power.

I know that’s probably a bit rambling, but it seems so easy to circumvent those precautions.

Joseph December 22, 2005 2:32 PM

Since I don’t know the details of how it checks that you’re somewhere. What bout VOIP, ie. Vonage or Skype. You could take your Vonage router to anyone’s house with broadband and presto you’re “home”. Furthermore you could use a WiFi service ( http://www.verizonwireless.com/b2c/promotion/controller?promotionType=miniPac&action=miniStart ) route your VIOP service through your laptop and you could be anywhere in the covered area.

Yes, this would require a laptop and somekind of powersupply, but you could run all of this equipment off your car’s power.

I know that’s probably a bit rambling, but it seems so easy to circumvent those precautions.

Gordonjcp December 23, 2005 10:27 AM

Why not just use a GSM modem in the base unit? GPS would be difficult to use, if the unit was in the house, but you could always keep track of what cell tower it is associated to. You could also just use it as a backup to the landline (“Hey, the landline went away!”)

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.