Why "carnivore" type systems can't be (entirely) open source
Owen Lewis
oml at eloka.demon.co.uk
Mon, 5 Feb 2001 02:25:50 -0000
----- Original Message -----
From: "Ross Anderson" <Ross.Anderson@cl.cam.ac.uk>
To: <ukcrypto@chiark.greenend.org.uk>
Sent: 04 February 2001 22:27
Subject: Re: Why "carnivore" type systems can't be (entirely) open source
> ..... billing and authentication are much more
> worthy of close attention than is confidentiality.
True.
>
> Phone phreaking was portrayed in the popular press in the 1970s as
> kids playing with blue boxes - Jobs and Woz being cited as examples -
> but its real use was providing unobtrusive comms for organised
> crime.
And some major scams against the telcos too.
> What changed it all was the rise of the premium rate industry. All of
> a sudden, real money could be made from `dial-through fraud'. You set
> up an 0900 number, hack a few corporate PBXes, and program them to
> call up until you make millions. When that happens, the interest of
> the phone company is to deny that it's possible, so they can collect
> the phone bill (and their share of the proceeds of the crime).
Now the story starts to get interesting. PBXes can be as full of security
holes as a Gruyère cheese. It is not possible that these are there without
the manufacturers' knowledge. Neither should they be there.
>
> In the old days, the phone company was (mildly) motivated to stamp out
> fraud. But all of a sudden, they became the scamsters' retail outlet,
> and now resort to all sorts of nasty little tricks to gouge their
> customers. In the US, it's worse than here, as deregulation has gone
> further, leading phone companies to attack each others' customers (and
> each other). See <http://www.bell-atl.com/security/fraud/tips.htm>.
>
> I have a whole chapter on this in my book. It's a fascinating if
> depressing study; the Internet seems to be following the path beaten by
> the phone companies, but about five times as quickly. The goal
> nowadays is not to make systems secure; it's to make them secure
> enough for you to blame the customer, without making them secure
> enough that he can defend himself properly. (Remember ATM fraud?)
Well that might be one goal but I could actually feel relieved if I were
sure it was the only one.
>
> Seen in this context, whether GSM security was a success or a failure
> depends on who you are.
Exactly. And the most important view is of the man in the street who is
pretty happy with what he's got. Hear many complaints (present company
excepted)? I don't.
> * From the phone companies' point of view, it was a success. The GSM
> operators have made vast amounts of money, and a (small) part of this
> is due to the challenge-response mechanism stopping cloning. The
> crypto weaknesses were irrelevant; they were never exploited in ways
> that did significant harm to call revenue.
Neither have they done significant harm to Joe Soap.
>
> * From the point of view of the large-country intelligence agencies,
> GSM was fine. They have access to local and international traffic in
> the clear anyway, and A5/2 makes tactical signint against developing
> countries easier.
Nah. Only the Sharks and the Jets (or equivalent) could be thick enough to
rely on GSM for COMSEC. Tac sigint would be a profligate overkill in
resource allocation.
>...And the second wave of GSM equipment is bringing
> juicy features, such as remote control of handsets by the operator.
Now that's the bullseye.
Forget cipher. Current GSM has some interesting features that lead to novel
exploitations and large security holes. Some of these are now widely known
and others perhaps not. I believe that they are controllable by those
knowledgeable enough and disciplined enough to do so. The security problem
becomes worse with DECT which is gaining large-scale corporate acceptance. I
do not yet see how the security problems (non-crypto related) that seem
likely to arrive with UMTS can be countered.
> * From the point of view of the police and low-resource intelligence
> agencies, things are not quite so bright. The problem isn't the added
> technical complexity of GSM networks: court-ordered wiretaps can be
> left to the phone company (although finding the number to tap can be a
> hassle). The problem is the introduction of prepaid mobile phones.
> This not only decreases the signal to noise ratio of traffic analysis
> algorithms and makes it harder to target wiretaps, but also encourages
> crimes such as extortion and stalking.
In addition, as the world moves wireless, taps and court orders are likely
to become quite passé. Wouldn't it be nicer to collect the room audio all the
time rather than just the content of any telephone calls? And there's a
status symbol/dependency thing with mobile phones; many move about with one
all the time, even from room to room when at home.
>
> * From the customer's point of view, GSM was originally sold as being
> completely secure. The encryption of the air link certainly did stop
> Squidgygate-style casual eavesdropping.
The Gaussian Modified Shift Keying with time division multiplexing within
the duplexed channels, together with a degree of frequency agility, are
quite sufficient to stop casual eavesdropping with no need for cipher at
all. The cipher is only necessary to defeat the organisations who could
afford to buy pretty sophisticated technical solutions. That's not my
definition of casual eavesdropping.
Squidgygate was allegedly ETACS (NB FM) en clair earwigging. There are
some grounds to think that it may have been rather more carefully
stage-managed than a casual intercept (i.e. the amateur earwigger was not
intercepting the conversation in real time...).
>But almost all the phone
> tapping in the world is done by large spook agencies, to whom the
> encryption doesn't matter much.
Not quite. The last time (c.1994) I got a calculated estimate of the value
of over-the-counter bugging/tapping systems sold in London alone the
turnover was UKP 12m a year. For the simple stuff that, mainly, is sold
over the counter/mail order that roughly represented somewhere upstream of
24,000 units per year being sold retail in London alone. My personal view is
that this figure will have increased over the intervening years. This stuff
is mainly used domestically or for low-level corporate espionage (boss bugs
secretary, partner bugs partner, etc.). The better quality stuff is never advertised
nor is it particularly easy to obtain by the general public.
>....And things are bad for the subscriber
> when we look at billing. Cryptographic authentication of handsets
> can't stop the many frauds perpetrated by premium rate operators and
> phone companies. If anything, it makes it harder to wriggle out of
> bogus charges: the phone company can say in court that your smartcard
> and your PIN must have been used in the handset that made the call.
> The same will apply to 3gpp if micropayments aren't used (phone
> companies seem to be trying to avoid them, surprise surprise). The one
> minor compensation is that GSM facilitated the spread of prepaid
> phones, which can limit your exposure to premium rate scams.
And you can use old fashioned cash to top them up.
> So the security features designed into GSM don't help the subscriber.
> They were designed to provide `security' for the phone company: they
> dump most of the toll fraud risk, while not interrupting the flow of
> premium rate business -- whether genuine or fraudulent.
I agree that the elimination of toll fraud risk was a major mover for the
migration in system but there was user benefit in that too and there were
other benefits which were user related. Roaming, multiline, messaging - and
an assurance of privacy which has prevented post-GSM Squidgygates, be they
in castle or in croft.
> I raised many of these points at several of the Scrambling for Safety
> conferences (and elsewhere). Nigel and friends were not interested.
> Neither was Charles Clarke. I think the Home Office has a cheek to
> turn round now and start making a noise about phone muggings. I also
> think the DTI has a cheek using our tax money to attach an ex-BT guy
> to 3gpp to help with `security' - which appears to mean insisting on
> an all-singing, all-dancing law enforcement interface to the content,
> while not doing anything at all to protect citizens from fraud.
Owen