[118738] in Cypherpunks


Re: Unplugged! The biggest hack in history

daemon@ATHENA.MIT.EDU (Dave Emery)
Wed Oct 6 23:49:36 1999

Date: Wed, 6 Oct 1999 23:32:55 -0400
From: Dave Emery <die@die.com>
To: "John A. Limpert" <johnl@radix.net>
Cc: Greg Broiles <gbroiles@netbox.com>,
        Marcel Popescu <mdpopescu@geocities.com>, cypherpunks@cyberpass.net
Message-ID: <19991006233255.I8045@die.com>
Mail-Followup-To: "John A. Limpert" <johnl@radix.net>,
	Greg Broiles <gbroiles@netbox.com>,
	Marcel Popescu <mdpopescu@geocities.com>, cypherpunks@cyberpass.net
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <199910040908.FAA25793@mail1.radix.net>; from John A. Limpert on Mon, Oct 04, 1999 at 05:08:49AM -0400
Reply-To: Dave Emery <die@die.com>

On Mon, Oct 04, 1999 at 05:08:49AM -0400, John A. Limpert wrote:
> I've wondered how they wiretap a line with a pair of modern high speed 
> modems. After reading the V.34 standard, it would seem to be very difficult
> to separate the two signals. It is hard enough when you have one of the
> transmitted signals. One possibility would be to tap both ends of the
> connection, record and compare the two signals. Maybe the trellis coding
> rules could be used to track and strip one of the signals.

	The trick is to get some kind of directional access to the phone
line.  A tap which merely samples voltage across the pair of wires  will
yield an admixture of the two directions of transmission  that is very
hard to separate out.  If one can also sample current flowing through
the wires at the same time, one can isolate out  one direction from the
other with enough directivity to be able to demodulate the stronger of
the two signals, especially if it is sending the idle LAPM flags
pattern.  Once one has trained on the stronger signal it becomes
possible to exactly predict what it should be going into the wire and
figure out the impulse response of the line between the stronger modem
and the monitoring point.   With this, it becomes possible to very
precisely predict the contribution of the stronger modem to the
composite signal and subtract it out, yielding the weaker signal.

	I suspect that the reason the FBI used a nearby warehouse for
their interception rather than just running a line to the local FBI
office was precisely because they needed to access the current flowing
down the wire by interposing their tap in line with the cable between
the hacker's house and the CO.   The same effect can be gotten by taking
advantage of the hybrid on the line card of the CO switch and getting
the switch to ship both directions of the line audio to the FBI office
in digital format, but this probably requires the CALEA modifications to
the switch which might not have been in place that long ago.

	All of this means that datatapping a modern modem connection
requires very good fidelity access to the phone wires carrying the
signal or to the streams of 8 bit u-law encoded digital samples flowing
in both directions in the switch and/or the telco network.   Neither of
these kinds of access is as simple as the standard kinds of access used
for traditional legal and illegal voice wiretaps - an alligator clip tap
and cheap cassette recorder just don't cut it.

	On the other hand, given modern PC CPU floating point speeds, it
should be possible to do the entire blind demodulation and protocol
decoding on a fast off the shelf PC with a really good sound card.
$70,000 isn't needed - it is all software and some very cheap hardware
to measure current in the line as well as voltage.

	One thing to remember is that modern modems use a derivative
of X.25 layer II protocol called LAPM and actually do retransmits
on errored packets detected by the CRC-16 checksums so a monitoring
protocol analyzer would have to deal with errors in *its* reception
and errors in the communicating modems reception in order to reconstruct
some approximation of the PPP or whatever ASCII stream that was flowing.
What is actually modulating the modem carrier is a scrambling sequence
(for randomization, not security) generated by a shift register sequence
with HDLC framed LAPM packets riding on top.  The user data is encapulated
in those packets along with signalling in the headers that allows 
error detection and retransmission and passing out of band information
to control the connection and handle negotiation of line parameters.

-- 
	Dave Emery N1PRE,  die@die.com  DIE Consulting, Weston, Mass. 
PGP fingerprint = 2047/4D7B08D1 DE 6E E1 CC 1F 1D 96 E2  5D 27 BD B0 24 88 C3 18
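
The directional tap and the subtract-the-stronger-modem step described in the
post above, as an added example that is not part of the original message.  It is
a toy baseband model: two binary (+/-1) symbol streams, filtered by assumed
impulse responses H_STRONG and H_WEAK, meet on a line of assumed real, flat
characteristic impedance Z0_LINE; the tap's V/I combiner assumes Z0_TAP,
deliberately wrong so that the directional split leaks the other direction at
about 14 dB down instead of separating perfectly; sign slicing stands in for the
real demodulator; and a four-tap LMS filter learns the strong modem's path to the
tap from the sliced symbols and subtracts it from the raw voltage.  Every
constant, function name and input here is mine and constructed for the example.

```python
"""Added example (not from the post): V/I directional tap plus reference-driven
subtraction of the stronger modem, on a deliberately simplified baseband line."""
import random

Z0_LINE = 600.0               # assumed line impedance: real and frequency-flat (real pairs are neither)
Z0_TAP = 400.0                # what the tap's V/I combiner assumes; the mismatch limits its directivity
H_STRONG = [1.0, 0.3, -0.1]   # assumed impulse response, near modem -> tap; unknown to the monitor
H_WEAK = [0.5, 0.2]           # assumed far modem signal as it arrives: attenuated and dispersed
N_TAPS, MU = 4, 0.005         # LMS estimator length and step size


def convolve(x, h):
    """Causal FIR filtering, y[n] = sum_k h[k] x[n-k]."""
    return [sum(hk * x[n - k] for k, hk in enumerate(h) if n - k >= 0) for n in range(len(x))]


def simulate_line(n_samples, seed=1):
    """Two +/-1 PAM streams meet on the pair; return strong symbols, weak signal, v[n] and i[n]."""
    rng = random.Random(seed)                      # constructed input, fixed seed for reproducibility
    x_strong = [rng.choice((-1.0, 1.0)) for _ in range(n_samples)]
    x_weak = [rng.choice((-1.0, 1.0)) for _ in range(n_samples)]
    y_strong, y_weak = convolve(x_strong, H_STRONG), convolve(x_weak, H_WEAK)
    # Transmission-line superposition: waves going opposite ways add in voltage, subtract in current.
    v = [a + b for a, b in zip(y_strong, y_weak)]
    i = [(a - b) / Z0_LINE for a, b in zip(y_strong, y_weak)]
    return x_strong, y_weak, v, i


def directional_split(v, i, z0=Z0_TAP):
    """Recover the two travelling waves: v_fwd = (v + Z0 i)/2, v_rev = (v - Z0 i)/2.
    With z0 != the line's real impedance each output leaks a fraction of the other direction."""
    fwd = [(vn + z0 * cur) / 2 for vn, cur in zip(v, i)]
    rev = [(vn - z0 * cur) / 2 for vn, cur in zip(v, i)]
    return fwd, rev


def slice_binary(signal):
    """Stand-in for the demodulator: hard decision on the sign (V.34 needs an equaliser and trellis decoder)."""
    return [1.0 if s >= 0 else -1.0 for s in signal]


def lms_cancel(reference, composite, n_taps=N_TAPS, mu=MU):
    """Learn the reference->composite impulse response by LMS and subtract it;
    once converged, the residual is whatever the reference did not cause, i.e. the other direction."""
    w, residual = [0.0] * n_taps, []
    for n, target in enumerate(composite):
        window = [reference[n - k] if n - k >= 0 else 0.0 for k in range(n_taps)]
        err = target - sum(wk * xk for wk, xk in zip(w, window))
        residual.append(err)
        for k in range(n_taps):
            w[k] += mu * err * window[k]
    return residual, w


def nmse(estimate, truth, start):
    """Error power of estimate relative to truth, over samples >= start (after the LMS has settled)."""
    num = sum((a - b) ** 2 for a, b in zip(estimate[start:], truth[start:]))
    return num / sum(b * b for b in truth[start:])


def run_tap(n_samples=6000, seed=1):
    x_strong, y_weak, v, i = simulate_line(n_samples, seed)
    fwd, rev = directional_split(v, i)
    ref = slice_binary(fwd)                        # train on the stronger direction first
    residual, w = lms_cancel(ref, v)               # then predict its share of the composite and remove it
    half = n_samples // 2
    return {
        "strong_errors_directional": sum(a != b for a, b in zip(ref, x_strong)),
        "strong_errors_voltage_only": sum(a != b for a, b in zip(slice_binary(v), x_strong)),
        "weak_nmse_before": nmse(v, y_weak, half),                 # raw voltage as a guess at the weak signal
        "weak_nmse_directional_only": nmse(rev, y_weak, half),     # what the imperfect V/I split alone gives
        "weak_nmse_after": nmse(residual, y_weak, half),           # after subtracting the strong modem
        "estimated_response": [round(t, 3) for t in w],            # should approach H_STRONG padded with 0
    }


if __name__ == "__main__":
    for key, value in run_tap().items():
        print(key, value)
```

run_tap() returns the strong modem's decision errors with and without the current
sample, and the error power of the recovered weak signal before and after
cancellation.  The point it makes is the post's: the voltage-only composite cannot
even be sliced reliably, the V/I split can, and once the strong modem's symbols
are known the LMS residual tracks the weak signal to within about a percent, a
good deal better than the leaky directional split alone.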


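The framing layers the last paragraph of the post describes, as an added example
that is not from the original message: a V.34-style self-synchronising scrambler
(the 1 + x^-18 + x^-23 call-modem and 1 + x^-5 + x^-23 answer-modem polynomials
are V.34's; the implementation is mine), HDLC flags and bit stuffing, the ISO 3309
16-bit FCS that V.42 uses, modulo-128 I-frame control octets, and a monitor that
reassembles user data by N(S).  The address octet, the user data and the scenario
(one I-frame retransmitted on the link, one hit by an error in the monitor's own
reception) are constructed for the example and are not taken from any real capture.

```python
"""Added example, not from the post: what a passive LAPM monitor has to do.
V.34-style scrambler, HDLC flags/stuffing, FCS-16, I-frame N(S) bookkeeping,
and what one reception error does to all of it."""

FLAG_BITS = [0, 1, 1, 1, 1, 1, 1, 0]            # 0x7E, sent LSB first
ADDRESS = 0x03                                   # placeholder address octet (assumed, never checked)
CALL_TAPS, ANSWER_TAPS = (18, 23), (5, 23)       # V.34: GPC(x)=1+x^-18+x^-23, GPA(x)=1+x^-5+x^-23
INFO = [b"GET / HTTP/1.0\r\n", b"Host: example.test\r\n", b"\r\n"]   # constructed user data


def bytes_to_bits(data):
    return [(byte >> k) & 1 for byte in data for k in range(8)]     # LSB of each octet first


def bits_to_bytes(bits):
    return bytes(sum(b << k for k, b in enumerate(bits[i:i + 8]))
                 for i in range(0, len(bits) - len(bits) % 8, 8))


def fcs16(data):
    """ISO 3309 / V.42 FCS-16: poly 0x1021 (bit-reversed 0x8408), init 0xFFFF, final XOR 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


class Scrambler:
    """Self-synchronising scrambler.  The descrambler's register holds past *line* bits, so a
    cold-started monitor is in sync after max(taps) bits, and one line error costs three clear bits."""
    def __init__(self, taps):
        self.taps, self.state = taps, [0] * max(taps)

    def _feedback(self):
        return self.state[self.taps[0] - 1] ^ self.state[self.taps[1] - 1]

    def scramble(self, bits):
        out = []
        for b in bits:
            out.append(b ^ self._feedback())
            self.state = [out[-1]] + self.state[:-1]
        return out

    def descramble(self, bits):
        out = []
        for r in bits:
            out.append(r ^ self._feedback())
            self.state = [r] + self.state[:-1]
        return out


def hdlc_stuff(bits):
    out, ones = [], 0
    for b in bits:
        out.append(b)
        ones = ones + 1 if b else 0
        if ones == 5:                                # a zero after five ones keeps data from looking like a flag
            out.append(0)
            ones = 0
    return out


def hdlc_unstuff(bits):
    out, ones, skip = [], 0, False
    for b in bits:
        if skip:
            skip, ones = False, 0                    # drop the inserted zero
            continue
        out.append(b)
        ones = ones + 1 if b else 0
        skip = ones == 5
    return out


def hdlc_deframe(bits):
    """Cut the clear bit stream at flags; return the unstuffed octets of each non-empty segment."""
    frames, start = [], None
    for p in range(8, len(bits) + 1):
        if bits[p - 8:p] == FLAG_BITS:
            if start is not None and p - 8 > start:
                frames.append(bits_to_bytes(hdlc_unstuff(bits[start:p - 8])))
            start = p
    return frames


def build_iframe(ns, nr, info):
    """LAPM I-frame, modulo-128 control: octet 1 = N(S)<<1 (bit 1 = 0), octet 2 = N(R)<<1 | P/F."""
    body = bytes([ADDRESS, (ns << 1) & 0xFE, (nr << 1) & 0xFE]) + info
    fcs = fcs16(body)
    return body + bytes([fcs & 0xFF, fcs >> 8])     # FCS low octet first


def parse_frame(raw):
    """None if the FCS fails (our reception error or garbage); 'control' for S/U-frames; else (N(S), N(R), info)."""
    if len(raw) < 5 or fcs16(raw[:-2]) != (raw[-2] | (raw[-1] << 8)):
        return None
    if raw[1] & 1:
        return "control"
    return raw[1] >> 1, raw[2] >> 1, raw[3:-2]


def monitor(line_bits, taps):
    """Descramble, deframe, check FCS, then reassemble user data by N(S), noting gaps and repeats.
    (Modulo-128 wrap-around of N(S) is ignored in this toy.)"""
    report = {"bad": 0, "duplicates": 0, "info": {}}
    for raw in hdlc_deframe(Scrambler(taps).descramble(line_bits)):
        parsed = parse_frame(raw)
        if parsed is None:
            report["bad"] += 1
        elif parsed != "control":
            ns, _nr, info = parsed
            if ns in report["info"]:
                report["duplicates"] += 1            # a retransmission the far modem asked for
            else:
                report["info"][ns] = info
    seen = sorted(report["info"])
    report["missing"] = [n for n in range(seen[0], seen[-1] + 1) if n not in report["info"]] if seen else []
    report["stream"] = b"".join(report["info"][n] for n in seen)
    return report


def run_scenario():
    """Near modem sends I(0), I(1), I(2), then I(2) again (far end rejected it); the tap's copy of I(1) takes one hit."""
    tx = Scrambler(CALL_TAPS)
    frames = [build_iframe(n, 0, INFO[n]) for n in range(3)]
    line, starts = [], []
    for f in [frames[0], frames[1], frames[2], frames[2]]:
        starts.append(len(line))
        line += tx.scramble(FLAG_BITS + hdlc_stuff(bytes_to_bits(f)) + FLAG_BITS)
    line[starts[1] + len(FLAG_BITS) + 20] ^= 1       # error in the tap's reception only, not on the link
    return monitor(line, CALL_TAPS)


def descrambler_error_burst(taps=CALL_TAPS, hit=100, length=200):
    """Clear-bit positions disturbed by a single line error at index `hit`."""
    data = [(i * 7 + 3) % 5 & 1 for i in range(length)]   # constructed, arbitrary pattern
    line = Scrambler(taps).scramble(data)
    line[hit] ^= 1
    clear = Scrambler(taps).descramble(line)
    return [i for i in range(length) if clear[i] != data[i]]
```

descrambler_error_burst() shows why a hit on the tap's own reception costs three
clear bits rather than one: the descrambler feeds received line bits back, so the
error reappears 18 and 23 bits later (5 and 23 for the answer-modem polynomial).
run_scenario() then shows the two kinds of loss the post distinguishes.  The
repeated I(2) is the link's own retransmission and is discarded by N(S); the FCS
failure on I(1) is the monitor's problem alone, and since the far modem received
that frame correctly nothing on the line will ever repeat it, so the reassembled
stream has a hole at N(S)=1 that only better reception can fill.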