Cryptography and Wiretapping

Matt Blaze analyzes the 2010 U.S. Wiretap Report.

In 2000, government policy finally reversed course, acknowledging that encryption needed to become a critical part of security in modern networks, something that deserved to be encouraged, even if it might occasionally cause some trouble for law enforcement wiretappers. And since that time the transparent use of cryptography by everyday people (and criminals) has, in fact, exploded. Crypto software and algorithms, once categorized for arms control purposes as a "munition" alongside rocket launchers and nuclear triggers, can now be openly discussed, improved and incorporated into products and services without the end user even knowing that it's there. Virtually every cellular telephone call is today encrypted and effectively impervious to unauthorized over-the-air eavesdropping. Web transactions, for everything from commerce to social networking, are now routinely encrypted end-to-end. (A few applications, particularly email and wireline telephony, remain stubbornly unencrypted, but they are increasingly the exception rather than the rule.)

So, with this increasing proliferation of eavesdrop-thwarting encryption built in to our infrastructure, we might expect law enforcement wiretap rooms to have become quiet, lonely places.

But not so fast: the latest wiretap report identifies a total of just six (out of 3194) cases in which encryption was encountered, and that prevented recovery of evidence a grand total of ... (drumroll) ... zero times. Not once. Previous wiretap reports have indicated similarly minuscule numbers.

I second Matt's recommendation of Susan Landau's book: Surveillance or Security: The Risks Posed by New Wiretapping Technologies (MIT Press, 2011). It's an excellent discussion of the security and politics of wiretapping.

Posted on July 27, 2011 at 2:10 PM • 33 Comments

Comments

Mike T. • July 27, 2011 3:54 PM

That leaves me wondering exactly how effective the encryption we are using actually is.

Mike T.

moo • July 27, 2011 4:54 PM

@NZ:

Yeah, I was going to lash out at that sentence too... no consumer-grade cell network I've heard of is decently secure. The protocols that even support encryption at all still suffer from design flaws, short key lengths, etc. and nobody cares much (by which I mean, the cell phone providers are not really incented to fix the problems).

Clive Robinson • July 27, 2011 5:35 PM

@ NZ, moo,

"Virtually every cellular telephone call is today encrypted and effectively impervious to unauthorized over-the-air eavesdropping."

In some respects this is true (not all networks use the weaker encryption such as the French designed A5), however it's the weak protocols that let it down so badly.

Basically the handset encryption is controlled by the other end of the on air interface (it has to be for the phone to register). Which means very loosely that if you can force the handset in question to register to your cell controller then you can tell it to turn encryption off or use the keys you supply it with.

Now for quite reasonable sums of money you can go out and buy a pico or femto cell base unit and for an equivalent sum of money buy a jamming generator that can be used to block very locally the control channels of the local cells, but not that of your pico base. The result can be (if you get a few other things right) that your target's handset registers with your pico base.

You then own the handset, but it is up to you to provide the backhaul to an actual live network for calls to be placed.

Because you provide the backhaul you get the two voice channels (from and to) in unencrypted form.

This attack has been demonstrated a number of times and I believe there are open source software packages to use on various bits of easily available equipment that let you set up your own cellular service.

But as recently demonstrated in Libya it is easily possible to hijack an existing network installation with little difficulty,

http://www.theregister.co.uk/2011/07/23/...

NZ • July 27, 2011 6:14 PM

First of all, I must admit that I thought about GSM networks.
Second, my primary concern is about passive attacks, not actively subverting the handset (although authenticating the network sounds like a good idea).
Now Wikipedia (https://secure.wikimedia.org/wikipedia/en/wiki/GSM#GSM_service_security) lists three ciphers and mentions critical weaknesses in all of them. So "effectively impervious to unauthorized over-the-air eavesdropping" sounds a bit too good to be true...

GSMess • July 27, 2011 6:16 PM

"Virtually every cellular telephone call is today encrypted and effectively impervious to unauthorized over-the-air eavesdropping."
Incorrect.

"But as recently demonstrated in Libya it is easily possible to hijack an existing network installation with little difficulty"
Correct with 5000-10000 bucks it's feasible.

Also modern cellphone wiretap briefcases are able to switch off encryption without triggering "encryption not available, etc" warning messages. No need to bruteforce the keys...

I like cellphones but they MUST be secure. Placing backdoors in the entire system because some jerks misuse is not the solution. Bug their homes, cars, keyboards (like the FBI), etc. But don't screw up the security of the entire world.
AES or TWOFISH (hehe) encryption should be optional in every cellphone at least for SMS

Thomas • July 27, 2011 7:14 PM

@GSMess
"AES or TWOFISH (hehe) encryption should be optional in every cellphone at least for SMS"

The key management overhead could easily be more than the 160 characters of data in your SMS. By a few orders of magnitude.

SMSs are currently store-and-forward. If you really want to encrypt properly you'll need to exchange certs with the receiving phone(*) making it a live 2-way conversation.

(*) not much point doing crypto if the private key isn't generated on the receiving phone by the user.

Kevin • July 27, 2011 9:39 PM

It wouldn't matter if the encryption protocols between the cell phone and tower were 100% secure (as others have mentioned, they're not). The government taps at the cell tower or within the phone switches or at the VOIP provider's servers, when the data is no longer encrypted.

We need devices which do convenient end-to-end encryption, but that's expensive (without economies of scale), not in demand, and key exchange is still a really hard problem to solve. The Feds need not worry; the free market is keeping the data un- and poorly-encrypted.

Matt Blaze • July 27, 2011 10:24 PM

I am the author of the text Bruce quoted above.

Yes, many cellphone protocols suffer security weaknesses that make them vulnerable to active attack. (I'm well aware of these vulnerabilities, having done some of the work on them myself). But so what? The fact is, virtually every cellular call in the US is today encrypted over the air, while in the 1990's, cellular calls were typically transmitted in the clear (and vulnerable to interception by anyone with a simple radio receiver).

With the advent of encrypted cellphones, typical law enforcement wiretaps in the US no longer exploit the over the air interface. Instead, they tap at the wireline interface. And they do much more cellphone tapping today than they did when the calls were in the clear.

Yet we were repeatedly told, in the 1990's, that crypto had to be restricted from such applications because it would mean the end of legal wiretaps. Well, it didn't.

Just as we were skeptical of claims that crypto would end wiretaps in the 1990s, we should remain skeptical of claims that some current technology needs to be restricted because current techniques find it difficult to tap. Law enforcement eavesdroppers are, as has been proven again and again, quite resourceful, even when faced with new challenges.

Richard Steven Hack • July 27, 2011 11:22 PM

Matt: "Law enforcement eavesdroppers are, as has been proven again and again, quite resourceful, even when faced with new challenges."

"Resourceful" meaning get Congress to expand their ability to violate everyone's privacy en masse.

It's not being "resourceful" when you have legal permission to set up your own machine room at the service provider and tap everything going over their network (with Israeli equipment, I might add, not even US developed hardware.)

But your overall point is well taken. The cops' only complaint is it "costs more" to do it the way they do now instead of "the easy way". Of course, THEY aren't paying for it, except maybe in budget terms - which they then turn around and use to get more budget anyway. So their complaints are entirely "crocodile tears."

Marian • July 28, 2011 1:37 AM

@Kevin: "...and key exchange is still a really hard problem to solve".

That is not necessarily true. There are Identity-based Encryption (IBE) schemes, that would let you use the conversation partner's phone number as public key. Sure, there still is the problem of key escrow at the key generating entity, but then you have that issue of trust with CAs too.

rogerh • July 28, 2011 2:45 AM

So it seems the police can catch criminals without bothering to decrypt emails or whatever. Not surprising, encryption merely hides a small part of the picture - no-one has yet managed to encrypt real cash, hookers, fast cars or big houses. Which brings me to the question - just how valuable are government decrypt agencies?

What is the value of trying to decode intergovernmental communications in peacetime? Practically everything can be seen or deduced from day-to-day activity and real secrets do not go over a wire anyway - the secret-holder jumps on a plane.

So, sure, there might be some gain from tracking fools on the internet but as recent events have shown, a competent terrorist can easily fly under the radar and the drug business was booming the last time I looked. Time to wind down cold-war relics?

Jason T. Miller • July 28, 2011 3:22 AM

Do criminals generally talk about "gangster s**t" on the phone when they suspect police are listening in?

If criminals do not suspect wiretapping, employing encryption _for uniquely criminal purposes_ seems pointless — perhaps it's useful to prevent other mafia dons from listening in, but banning technology because it's _generally useful_ merely because "it's equally useful to criminals" is patently absurd; replace "mafia don" with "CEO" or "high-school football coach," and nothing changes other than the nature of the "business."

And it's perfectly obvious that, unless the criminal is confident that the underlying system is "secure against law enforcement access," it won't be used for security against police wiretapping.

Thus the existence of well-known, ubiquitous "law enforcement key escrow systems" seems like it would do more to eliminate the practical utility of wiretapping in criminal investigations than the availability of even the most robust communications security products without "back doors." Thus it's entirely unclear to me why police would ever want it (unless they could almost magically hide it from "the bad guys," including, of course, "bad cops").

Peter A. • July 28, 2011 5:33 AM

"A few applications, particularly email and wireline telephony, remain stubbornly unencrypted..."

User email traffic (submission and retrieval) goes almost exclusively over encrypted channels for a long time now. Virtually all major email servers out there offer STARTTLS these days, and great majority of them will use TLS when offered. Yes, it is still optional, as well as HTTPS, but most sensible admins enable it.

On my petty email server (which holds two email accounts: mine and my wife's) more than 90% of legitimate email travels encrypted MTA-to-MTA. Only spammers don't care. Any large commercial email admins here? Anybody care to count what percentage of non-spam SMTP transactions go over TLS?

Of course it is not an end-to-end encryption, email is stored in the plain on MTAs. S/MIME, PGP, etc. are rare birds still (and probably will remain such).


Landline telephony is another issue - it requires hardware changes to implement encryption and therefore it is not as easy to implement. I'm going to risk a statement that encryption in the analog landlines would not be implemented ever - until the whole technology dies.
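The MTA-to-MTA measurement asked about in the comment above can be taken from mail server logs. The following is an added example, not part of the original thread or written by any commenter: it counts how many accepted inbound messages arrived over a STARTTLS-protected session, assuming Postfix `smtpd` syslog lines with `smtpd_tls_loglevel = 1`; the log excerpt, hostnames and queue IDs are constructed, and "accepted" (a queue ID was assigned) stands in for "legitimate".

```python
import re

# Constructed sample log (assumed Postfix smtpd format, smtpd_tls_loglevel = 1).
SAMPLE_LOG = """\
Jul 28 05:01:02 mx postfix/smtpd[2101]: connect from mail.example.org[192.0.2.10]
Jul 28 05:01:02 mx postfix/smtpd[2101]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1 with cipher AES256-SHA (256/256 bits)
Jul 28 05:01:03 mx postfix/smtpd[2101]: 4F2A1C0A3B: client=mail.example.org[192.0.2.10]
Jul 28 05:01:04 mx postfix/smtpd[2101]: disconnect from mail.example.org[192.0.2.10]
Jul 28 05:02:10 mx postfix/smtpd[2102]: connect from mx.example.net[198.51.100.7]
Jul 28 05:02:11 mx postfix/smtpd[2102]: 5B77D20C11: client=mx.example.net[198.51.100.7]
Jul 28 05:02:12 mx postfix/smtpd[2102]: disconnect from mx.example.net[198.51.100.7]
Jul 28 05:03:30 mx postfix/smtpd[2103]: connect from out.example.com[203.0.113.5]
Jul 28 05:03:30 mx postfix/smtpd[2103]: Untrusted TLS connection established from out.example.com[203.0.113.5]: TLSv1 with cipher AES128-SHA (128/128 bits)
Jul 28 05:03:31 mx postfix/smtpd[2103]: 6C01E9D2F4: client=out.example.com[203.0.113.5]
Jul 28 05:03:32 mx postfix/smtpd[2103]: 6C88A0B3E2: client=out.example.com[203.0.113.5]
Jul 28 05:03:33 mx postfix/smtpd[2103]: disconnect from out.example.com[203.0.113.5]
Jul 28 05:04:40 mx postfix/smtpd[2104]: connect from unknown[203.0.113.99]
Jul 28 05:04:41 mx postfix/smtpd[2104]: NOQUEUE: reject: RCPT from unknown[203.0.113.99]: 554 5.7.1 Service unavailable
Jul 28 05:04:41 mx postfix/smtpd[2104]: disconnect from unknown[203.0.113.99]
Jul 28 05:06:00 mx postfix/smtpd[2101]: connect from mx.example.net[198.51.100.7]
Jul 28 05:06:01 mx postfix/smtpd[2101]: 7D13F4A6C8: client=mx.example.net[198.51.100.7]
Jul 28 05:06:02 mx postfix/smtpd[2101]: disconnect from mx.example.net[198.51.100.7]
"""

LINE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
QUEUED = re.compile(r"^[0-9A-Za-z]+: client=")  # queue ID assigned: message accepted


def tls_share(log_text):
    """Count accepted messages per transport, keyed on the smtpd process ID.

    An smtpd process handles one client at a time, so the PID identifies the
    session between its 'connect' and 'disconnect' lines. PIDs are reused, so
    the TLS flag is reset on every new 'connect'.
    """
    session_tls = {}  # pid -> True once STARTTLS completed in this session
    stats = {"accepted_tls": 0, "accepted_plain": 0, "rejected": 0}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if msg.startswith("connect from "):
            session_tls[pid] = False
        elif pid not in session_tls:
            continue  # session began before the excerpt; transport unknown
        elif " TLS connection established from " in msg:
            session_tls[pid] = True
        elif QUEUED.match(msg):
            key = "accepted_tls" if session_tls[pid] else "accepted_plain"
            stats[key] += 1
        elif msg.startswith("NOQUEUE: reject:"):
            stats["rejected"] += 1
        elif msg.startswith("disconnect from "):
            del session_tls[pid]
    accepted = stats["accepted_tls"] + stats["accepted_plain"]
    stats["tls_percent"] = (
        round(100.0 * stats["accepted_tls"] / accepted, 1) if accepted else None
    )
    return stats


if __name__ == "__main__":
    print(tls_share(SAMPLE_LOG))
```

The figure covers the inbound hop only; it says nothing about whether the message was encrypted on earlier hops or at rest on either MTA.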

Jurgen • July 28, 2011 6:03 AM

Bruce, recently there was a case of child porn where the suspect gave up the password to the encrypted hard drive that held something in the order of 70Gb in incriminating pictures. It was estimated that without pwd, it would have cost so many decades to crack it and the encryption that the suspect may have walked free.
So yes, sometimes encryption or not does make the difference between conviction or not -- without wiretapping playing a role: Is there data on such 'non-wiretapping decryption to uncover evidence' cases?
But I second the point of useful stuff to be free i.e. its use not limited to criminals that don't tend to care for the law and will use encryption no matter what anyway. Otherwise [ I know this is not a popular subject...] guns would have to be banned -- they're used by criminals, too, you know..! Raises the point of the right of self-defense, through many means including encryption ...?

Authorized shmauthorized • July 28, 2011 6:58 AM

"impervious to unauthorized over-the-air eavesdropping"

Gotta love how this is essentially saying "vulnerable to authorized eavesdropping, and to endpoint eavesdropping, authorized or not".

So, how easy is it to get an 'authorization' rubberstamp anyway ?

S • July 28, 2011 8:37 AM

@ Jurgen "Bruce, recently there was a case of child porn where the suspect gave up the password to the encrypted hard drive that held something in the order of 70Gb in incriminating pictures. It was estimated that without pwd, it would have cost so many decades to crack it and the encryption that the suspect may have walked free."

Or: the sections of the US government with the ability to crack the encryption would rather not blow their cover for (in their view) a relatively minor offence...

Clive - is the Reg article you posted related to the same vulnerabilities as this? Not sure, as you mention Libya, and this is UK based.

http://arstechnica.com/security/news/2011/07/...

For some reason the Reg is blocked on this firewall; I don't read it nearly as much as I used to, but it's still annoying sometimes. (Especially since I can still get to the Daily Mail, which is the non-tech equivalent)

Mike S • July 28, 2011 10:05 AM

Regarding encrypted SMS, here are two papers that talk about how to do that:

[1] J. Lo, J. Bishop, and J. Eloff, "SMSSec: an end-to-end protocol for secure SMS," Computers & Security, vol. 27, pp. 154-167, 2008.
[2] K. Chikomo, M. Chong, A. Arnab, and A. Hutchison, "Security of Mobile Banking," University of Cape Town, South Africa, Tech. Rep., Nov, vol. 1, 2006.

The second paper gives a survey of the landscape providing two options to securing SMS for mobile banking. Both are good reads.

Norman N • July 28, 2011 10:49 AM

So for the encryption that *was* there (but apparently posed no problem), what does everyone speculate that it was? What was broken? (or was it a case of he sent it encrypted but had his password stickied to his dashboard?) Or a keylogger? This report can either be read as a worry, or as no big deal, depending on what actually was obtained, and how.

NN

Clive Robinson • July 28, 2011 10:58 AM

@ S,

""

Yes and no.

YES : The article you link to is what I was talking about with pico cells etc. What I call the "back haul" is the unencrypted audio that would normally be sent down a leased line etc. In the case of the Vodafone system as it's going across a "public access network" they re-encrypt the audio data (no I'm not sure what encryption they use for the backhaul).

As for using Linux that is because most of the software in those femtocells is actually public domain and you can download it.

NO : the Libya thing is altogether different it is actually taking over existing mobile operator infrastructure by lopping off the head or network operator service control center link then rebooting the base stations to gain control of the whole cell and adjoining cells etc to take over a whole region so that people can use the network handset to handset if not making network to network calls if you can also get an appropriate link under your control as well.

The thing about cellular networks be they GSM or whatever is they are invariably designed for simple engineering so the only real security is on the "on air interface" and that can as indicated be turned off if you capture a handset on a cell you own.

The trick for "eavesdroppers" is keeping the handset in the pico or femto cell you own. As the cell equipment can easily be battery powered or run off a vehicle's electrics that bit is easy, just make sure your cell control channel signals stay stronger than any other cell control channel signals at the handset (the easy way is by jamming the other control channels).

The hard part is providing the backhaul and as far as I'm aware you can do this a number of ways one of which is via another "on air interface" to a legitimate cell, you pick up the cost of the calls etc but you get the audio and dialing info.

OldFish • July 28, 2011 11:15 AM

I want all of our traffic to be safe from authorized AND unauthorized wiretaps. Only then will it be of any use.

Clive Robinson • July 28, 2011 11:16 AM

@ Norman N

"So for the encryption that *was* there (but apparently posed no problem), what does everyone speculate that it was?"

It does not really matter what it was, it was only encrypted over the "on air interface" link between the handset and the cell operator base station.

"What was broken?"

The fact that the backhaul from the cell base to the network switching center was unencrypted and LEOs have access at the network switching center.

That is the LEOs don't give a fig about the "on air interface" or following the suspect around in a vehicle eavesdropping. They simply have a "bearer channel" back to their headquarters (or they can dial into it) from the cell network operator's switching center.

As Matt Blaze has noted before this "bearer channel" generally being only 64Kbps can be subjected to a denial of service attack.

That is if you know that your cell phone is being "tapped" and you know a couple of other people whose cell phones are being tapped the three of you get together the first two place harmless calls to wives girlfriends etc and chat for a while, the boss then makes his far from harmless call and rings off then the other two ring off. Because the 64Kbps line is only designed for one set of audio the line is tied up by either the first or second harmless call and the third far from harmless call gets through unmonitored.

Gabriel • July 28, 2011 8:15 PM

@Clive: now you've done it! they're gonna upgrade their backhaul capacity and implement sweeps whenever multiple targets are on the line. You shouldn't have told them! :)

RobertT • July 28, 2011 11:32 PM

I'm surprised that nobody has mentioned "burner phones" because you can go through a lot of these $20 phones for the cost of a single good end-to-end encrypted cell phone network setup. The burner phone network also obscures the identities of the call end points, which is something that encryption cannot do. Unfortunately you have to solve a problem similar to traditional key distribution (namely burner phone number updating across the network, and the security of this database)

At one phone per week you have a $1000 cost per year for call deniability, unfortunately the mobile pico cell still picks up the call, so you need to be sure the LEO has insufficient evidence to link this phone to you, there are some simple solutions using special headsets with frequency shifting to obscure the caller identity.


NZ • July 29, 2011 1:34 PM

@RobertT

That's why in some countries you can't buy a prepaid contract without showing your ID.

jobber • July 29, 2011 5:31 PM

Two solutions for end to end encrypted conversations via cell phone:

RedPhone for voice
TextSecure for sms.

Both apps by WhisperSystems (Moxie Marlinspike)

Nick P • July 30, 2011 11:32 AM

@ jobber

Modern smartphone OS's are so easy to subvert that any encryption scheme working on top of them can't be trusted. Phones like Cryptophone improve things a bit by using hardened OS's. At the next level, OKL4 & INTEGRITY RTOS's have been used to embed trust. From that point, you have to be sure hardware, baseband stack and legacy protocols aren't vulnerable. All in all, mobile security is about like what desktops were in the Win95 days, maybe a bit better.

NZ • August 1, 2011 5:46 PM

@Nick P

Is the situation really so grim (I honestly don't know)? Too bad that the most modern mobile OS is dead...

Dirk Praet • August 1, 2011 6:06 PM

"A few applications, particularly email and wireline telephony, remain stubbornly unencrypted..."

For email, it really isn't rocket science to set up GPG or S/MIME on your MUA. Telephony still remains more a matter of market demand than anything else. It would be kind of interesting to see just how profitable it would be for a provider to offer strongly encrypted end-to-end telephony services to its customers. And then how long it would take for governments to demand backdoors or face elimination through litigation.

NZ • August 2, 2011 1:16 PM

@Dirk Praet

The problem with email is compatibility. For example, you send me a S/MIME letter. Will Gmail web interface show it?

Pooja Thakkar • October 3, 2011 10:18 PM

Can plz tell me that what is the use of RNGs in database security... rply soon..
