Various jurisdictions around the world have legal requirements to ensure that voice and data traffic can be wiretapped in the interest of public safety and national security. According to an IBM researcher, that same requirement for wiretapping, or lawful intercept of data, could potentially be abused by an attacker.
IBM Internet Security Systems researcher Tom Cross today detailed during a live Black Hat Webcast event some of the specific issues he uncovered looking into a lawful-intercept implementation developed by Cisco. Cisco's architecture for lawful intercept is now used by more than 15 vendors.
In the U.S., lawful intercept capabilities on Internet infrastructure are a legal requirement under the Communications Assistance for Law Enforcement Act (CALEA). Cross noted that many ISPs meet their CALEA compliance obligations by implementing Cisco's lawful intercept technology. The Cisco architecture is published as Internet RFC 3924, and provides a mechanism for a network to send data to law enforcement, but is not a blanket 'sniffing' of all traffic, according to Cross.
"There are other architectures for lawful intercept and some of them involve putting a fiber optic splitter in the network and taking all the content and moving it over to law enforcement," Cross said in a response to a question from InternetNews.com. "The difference between that approach and the Cisco one is that there is no involvement from the ISP in the process of determining whether or not the law-enforcement agency had the permission to access the content they are accessing."
Cross added that with the Cisco approach to lawful intercept, there is the potential that lawyers that work for the ISP might be "in the loop," which would provide greater assurance that that content is collected with the right lawful authorization.
At the core of the Cisco approach to lawful intercept is SNMPv3 , a protocol for network management. Cross noted that with a single UDP packet, attackers could potentially take control of an ISP's lawful intercept capability and have the traffic redirected anywhere they want. The UDP packet would need to include the correct user name and password for the SNMPv3 server. Cross added that it could be possible to "brute force" (that is, to repeatedly guess the combination) the information thanks to the way that SNMPv3 works.
"SNMPv3 provides you with very helpful error messages so when you have a packet that didn't authenticate correctly it tells you why," Cross said. "That helps you to break down the brute-forcing process and you can try user names until you get one that works."
Cross added that the verbose error message issue is a common security mistake that is made in a lot of protocols. In his view, he doesn't think it should be part of the SNMPv3 standard.
The fact that the Cisco architecture for lawful intercept is open for review is a good thing, according to Cross.
"It's important as we need to be able to identify and eliminate security vulnerabilities associated with systems like this," Cross said.
Additionally, Cross noted that there at least 15 other vendors that support the Cisco architecture for lawful intercept. However, he said he is unaware of any other vendor that had opened up its lawful intercept technology for peer review.
"I'd like to see more vendors take the step that Cisco took and publish their architecture so that it can be reviewed," Cross said. "The consequence of that is that we can all feel reassured that there is an architecture that effectively balances our rights and protects the content it's supposed to protect."