X
Tech

Researcher describes ease to detect, derail and exploit NSA's Lawful Interception

Infamous security researcher Felix "FX" Lindner exposed Lawful Interception surveillance systems as easy to detect, derail, and maliciously exploit in his recent talk at hacking conference 30c3.
Written by Violet Blue, Contributor

While headlines from European hacking conference 30c3 featured speakers vying for U.S. National Security Agency revelation sensationalism, one notorious hacker delivered an explosive talk that dismantled one thing the NSA, law enforcement, and global intelligence agencies depend on: "Lawful Interception" systems.

And German researcher Felix "FX" Lindner did exactly that, in what was stealthily 30c3's most controversial bombshell of the conference.

In a talk titled CounterStrike: Lawful Interception, Lindner explained to a standing-room-only theater of 3,000 hackers how easy it is to find out if you're under legally imposed surveillance, detailing how easily a user can jam the shoddy legacy systems running Lawful Interception (LI).

In explaining how LI works, Lindner revealed the shocking lack of accountability in its implementation and the "perverted incentive situation of all parties involved" that makes it easy to perform interception of communications without any record left behind.

In all, the hacker known for the default password list and Huawei's router backdoors told the world that he's confident the bug-ridden, copy/pasted systems are being used for data acquisition by intelligence services.

LI interfaces, he explained, are the same ones used for bulk collection in the NSA surveillance scandal.

After delivering the CounterStrike talk, Lindner told ZDNet: "I'm convinced that any serious actor, especially nation state or terrorist organizations, is already well aware of the limitations of LI and perfectly capable of circumventing it anytime they want."

He added: "They might use the increased attack surface to actually turn LI against the router itself."

"On the other hand, the current design makes it fairly easy for agencies to establish a tap without going through the official channels, so a change in the architecture is probably not in their interest."

LI it turns out, is based on years and years of legacy code.

It is also based on critically bad decisions — like Cisco's LI router configuration guideline that requires both the router and the mediation device used in LI to be registered in the Domain Name System (DNS).

In an exclusive interview with ZDNet, Lindner said his talk CounterStrike was "meant for network engineers as well as management of service provider companies," with the eye of, "hop[ing] of striking a chord with policy makers."

Lindner told ZDNet the three main issues he sees as failure points for Lawful Interception are:

1. Neglecting the fundamental contradiction between IP network architecture and lawful interception requirements

2. Out-sourcing of control and accountability to external components, making it possible to perform interceptions without any record of it

3. Ignoring the perverted incentive situation of all parties involved.

In CounterStrike, Lindner described what he called "laser packets" — IPv5 traffic a user can create to evade surveillance "because lasers don't pass through prisms."

laser-cstrike
Image: Felix "FX" Lindner

He was referring to PRISM, the U.S. Lawful Interception project leaked in stolen NSA documents by former U.S. government contractor Edward Snowden.

When the existence of the PRISM project was published by The Guardian and The Washington Post in June 2013, the Lawful Interception market — and abuse of its lawfulness — became exposed to the world.

Lawful Interception "as easy to avoid as anti-virus software"

One of the surprising statements Lindner made during his talk was that LI is as easy to evade as anti-virus software.

Anti-virus evasion is easy for any number of hackers. In 2008 a game called "Race to Zero" was played at the infamous American hacker conference DEFCON: attendees were given a well-known piece of malware detected by all anti-viruses at that time, and tasked to modify it so it would still work but would go undetected by all of anti-virus programs.

The winner completed the task in less than one hour.

Currently, malware on the dark market is sold only as "FUD" (Fully UnDetected to anti-virus software).

One source told ZDNet, "Given how much malware is on sale at any given time, this is obviously not a hard problem for the sellers to solve. Lawful Interception suffers from the same general problem: You want to spend as little time and performance as possible, therefore evasion is trivial."

However, as explained in Lindner's CounterStrike, in contrast to anti-virus software, LI does not get daily updates, so evasion techniques are certain to work for a long time.

Lindner told the rapt audience at 30c3 that are ways to overload LI enabled routers, how to figure out if the LI software on your router has been activated, then evade a router that has activated its LI software, and how someone — like a nation state actor — can exploit the LI attack surface. 

"Routers aren't meant to look at packets"

Lindner was adamant in his talk that, "LI violates the pure, basic principle of the router." 

For the examples used in the CounterStrike talk, Lindner used Cisco routers; it's no surprise, as his security research team at Phenoelit is reputed to know more about Cisco routers and the code they run on than Cisco employees do themselves.

Finding out if you're a target of Lawful Interception appears surprisingly simple after Lindner's explanation of how a monitoring router can be forced to reboot.

Lindner explained that "punting a packet" is Cisco slang for passing a packet to the main CPU for forwarding, which pushes the CPU quickly to 100 percent and triggering a watchdog process, in turn forcing the router to kill the operation and reboot the router.

The hacker's suggestion would be to first traceroute to your intended communication partner.

Next, send around 10,000 packets to the communication partner, which get punted only if a "tap" is in place.

Then, he said to try running a traceroute a second time and if the route is different, one of you is being monitored — the different route is caused by the rebooting router.

Lindner quipped with somewhat bitter humor that there was no need to rush the second traceroute because these routers take 20 minutes to reboot.

CounterStrike 016
Image: Felix "FX" Lindner

The "perverted incentive situation"

When an Internet provider, such as AT&T, Verizon, and Comcast, and so on, reaches a certain size, it has to provide law enforcement access for Lawful Interception. 

In normal use of Lawful Interception, the Federal Bureau of Investigation (FBI) or another law enforcement agency find the service provider of the alleged criminal, and hands the ISP a court order.

In basic terms, the ISP then turns on LI features within the router, which mirrors certain packets in the target's traffic streams (or logs) so law enforcement can configure and obtain its own copy.

As Lindner explained, ISP's are required to have LI features available to law enforcement, as well as provide support to the authorities, who often don't understand what they're doing — at significant, ongoing cost to each ISP, typically double-digit millions a year. 

Needless to say, there is no fraud and abuse desk for LI at Internet providers and telcos.

The LI features on each ISP's router are provided by the router companies themselves. According to Lindner the Lawful Intercept code suffers from age, lack of understanding by the people handling it, and layers of bugs and security problems.

In CounterStrike, Lindner said:

"The people at the router vendors try to get out of the code for LI as fast as possible [the vendor tries to exectue as little code as possible for the LI functionality] because neither is liable. 

Neither the router vendor or the ISP are responsible for intercepted packets when they're not well defined."

ISPs and telcos don't have a reason to really care about the codebase of a router's LI software (features); ISPs don't care if it works, they just care if it turns on or off.

Lindner explained that many aspects of LI are regulated and standardized, so changing anything is a long-term project — something the United Nations' International Telecommunication Union (ITU) has been trying to seize control of for nearly a decade.

He alluded that network engineers in countries with more restrictive surveillance and filtering requirements have struggled for many years with the fact that LI would be difficult, costly and take a long time to fix.

Read this

But the glaring issue at the heart of it all is the lack of any business incentive to improve it.

Importantly, in the context of NSA revelations and leaked Snowden documents, it's clear from Lindner's talk that telcos don't have a reason to care about keeping logs of Law Enforcement use of Lawful Interception.

Hackers have been compromising wiretapping systems in telcos and ISPs for decades; naturally, so have nation states.

Belgium’s largest telecom provider Belgacom acknowledged in September 2013 it had been hacked and exploited for a massive intelligence gathering operation; reports stated the attack was carried out by British intelligence agency GCHQ.

According to Spiegel Online, leaked NSA documents included a presentation that outlined how Britain used spying technology for the operation that the NSA had developed; the operation GCHQ carried out on Belgacom.

In this instance, it would appear that Lawful Interception isn't actually broken. Perhaps all it needs is a new name.

Editorial standards