Feeds

FBI seeks Internet telephony surveillance

spying on VoIP users

  • alert
  • submit to reddit

Securing Web Applications Made Simple and Scalable

The US Justice Department and the FBI ask regulators for expanded technical capabilities to intercept Voice Over IP communications... and anything else that uses broadband, writes Kevin Poulsen of /SecurityFocus.

The FBI and Justice Department are worried that Voice Over IP (VoIP) applications may become safe havens for criminals to communicate with one another, unless U.S. regulators make broadband services more vulnerable to lawful electronic eavesdropping, according to comments filed with the FCC this month.

The government filing was prompted by the efforts of telecom entrepreneur Jeffrey Pulver to win a ruling that his growing peer-to-peer Internet telephony service Free World Dialup is not subject to the regulations that govern telephone companies.

Free World Dialup has been called "Napster for Phones." It's a free service aimed at developing Internet telephony as a mainstream alternative to the public switched telephone network. After an initial investment of about $250 for a Cisco SIP telephone -- a device that functions much like a conventional analog phone, but plugs directly into an IP network -- users can "dial" each other over the Internet anywhere in the world at no cost. Free World Dialup provides a directory service that assigns each user a virtual telephone number, and sets up each phone call. Since it was launched in November, the service has gathered over 12,000 users.

If it catches on, FWD could be a nightmare for old-fashioned telephone companies. Those companies were likely agitated further when Pulver asked [pdf] the FCC in February for a "declaratory ruling" that his service is outside the commission's jurisdiction. Pulver argues that FWD is not a telecommunications service, but is just an Internet application, no different from e-mail or instant messaging. Verizon, SBC and other phone companies filed comments in opposition to Puliver's petition.

And on the last day of the public comment period, so did the FBI.

It turns out that one of the regulations from which FWD would be incidentally exempt is the Communications Assistance for Law Enforcement Act (CALEA), the federal law that required telecommunications carriers to modify their networks to be wiretap-friendly for the FBI. Crafted in 1994, before the Internet was a household word, it's not entirely clear that CALEA even applies to Voice Over IP , but the government has had some success persuading companies that it does, or soon will, according to Stu Baker, a partner in the Washington law firm of Steptoe and Johnson. "Right now, I think Justice would lose a case trying to apply CALEA to VoIP," Baker wrote in an e-mail interview. "But eventually... VoIP will be a mainstream substitute for the switched network. So a lot of companies are complying now to avoid a hassle later."

The government worries that Free World Dialup's petition could buck that trend: if the FCC finds that FWD is free from the plug-and-play wiretap requirements, other Internet companies handling VoIP traffic might start thinking they're exempt as well. "The DOJ and FBI are concerned that if certain broadband telecommunications carriers fail to comply with CALEA due to a misunderstanding of their regulatory status, criminals may exploit the opportunity to evade lawful electronic surveillance," reads the government filing.

Pulver says it's the government that misunderstands the situation. "My hope is that the DoJ/FBI did not take the time to fully understand what Free World Dialup is and isn't, and after some proactive education it will be clear that we don't fall under the definitions," says Pulver. "It is much easier to build the wiretap function into the access method, which is infrastructure based, rather than on every Internet application that comes along."

Easier Broadband Surveillance Sought

Indeed, extending CALEA to cover Free World Dialup and services like it would likely be futile, says Orif Arkin, founder of SSys-Security Group and an expert on IP telephony security. Arkin says users determined to skirt surveillance could easily set up their own ad hoc directory services on the fly. "It's like a buddy list on instant messaging," says Arkin. "They just have to build up such a server, and give everyone access to it."

Arkin says the FBI's best bet for spying on VoIP users is to eavesdrop directly on a target's broadband connection, perhaps using the Bureau's "Carnivore" DCS-1000 network surveillance tool. With access to the raw traffic, VoIP phones become exceedingly easy to listen in on. "Those phones don't have a lot of CPU power, so the communication between the two ends is not encrypted," Arkin says. "Whoever was to sniff the information on the uplink or downlink or between those two can hear whatever is said."

That point isn't lost on Justice and the FBI. The government is asking that, should the FCC not reject FWD's petition outright, the commission at least delay its decision until after it's ruled on two other broadband proceedings that the Justice Department filed comments on last year.

In those proceedings, Justice is asking the FCC to reinterpret CALEA as extending to DSL and cable modem service -- not just telephone calls. It's also asking the commission to expand the scope of the law to include raw data communication -- Web surfing, e-mail, and anything else that crosses the wire. Broadband providers are already obliged to cooperate with court-ordered surveillance requests; the government's FCC proposals would go beyond that and require companies to reengineer their networks to make Internet eavesdropping easier technically, and dirt cheap on a case-by-case basis. "It would be a major expansion of the CALEA requirements," says David Sobel, an attorney with the Electronic Privacy Information Center. "It would really obliterate the distinction between voice and data."

Opponents of the CALEA expansion include AT&T and the National Cable and Telecommunications Association. But the government's argument for the additional capabilities is the same one that persuaded Congress to pass CALEA in the first place eight years ago, and it only carries more weight today. "Although we cannot describe in this forum the particular circumstances, the FBI has sought interceptions of transmissions carried by broadband technology, including cable modem technology, in terrorism-related ... investigations involving potentially life-threatening situations," the Justice Department wrote [pdf] in one of its filings last year. "Unless carriers are required to ensure such access, law enforcement surveillance capabilities will suffer a serious and dangerous gap." If the FCC adopts the government's position, then broadband's last mile will be the FBI's listening post, and Free World Dialup will be off the hook.

© SecurityFocus logo

The smart choice: opportunity from uncertainty

More from The Register

next story
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.