
FBI seeks Internet telephony surveillance

spying on VoIP users


The US Justice Department and the FBI ask regulators for expanded technical capabilities to intercept Voice Over IP communications... and anything else that uses broadband, writes Kevin Poulsen of SecurityFocus.

The FBI and Justice Department are worried that Voice Over IP (VoIP) applications may become safe havens for criminals to communicate with one another, unless U.S. regulators make broadband services more vulnerable to lawful electronic eavesdropping, according to comments filed with the FCC this month.

The government filing was prompted by the efforts of telecom entrepreneur Jeffrey Pulver to win a ruling that his growing peer-to-peer Internet telephony service Free World Dialup is not subject to the regulations that govern telephone companies.

Free World Dialup has been called "Napster for Phones." It's a free service aimed at developing Internet telephony as a mainstream alternative to the public switched telephone network. After an initial investment of about $250 for a Cisco SIP telephone -- a device that functions much like a conventional analog phone, but plugs directly into an IP network -- users can "dial" each other over the Internet anywhere in the world at no cost. Free World Dialup provides a directory service that assigns each user a virtual telephone number, and sets up each phone call. Since it was launched in November, the service has gathered over 12,000 users.

If it catches on, FWD could be a nightmare for old-fashioned telephone companies. Those companies were likely agitated further when Pulver asked [pdf] the FCC in February for a "declaratory ruling" that his service is outside the commission's jurisdiction. Pulver argues that FWD is not a telecommunications service, but is just an Internet application, no different from e-mail or instant messaging. Verizon, SBC and other phone companies filed comments in opposition to Pulver's petition.

And on the last day of the public comment period, so did the FBI.

It turns out that one of the regulations from which FWD would be incidentally exempt is the Communications Assistance for Law Enforcement Act (CALEA), the federal law that required telecommunications carriers to modify their networks to be wiretap-friendly for the FBI. Crafted in 1994, before the Internet was a household word, it's not entirely clear that CALEA even applies to Voice Over IP, but the government has had some success persuading companies that it does, or soon will, according to Stu Baker, a partner in the Washington law firm of Steptoe and Johnson. "Right now, I think Justice would lose a case trying to apply CALEA to VoIP," Baker wrote in an e-mail interview. "But eventually... VoIP will be a mainstream substitute for the switched network. So a lot of companies are complying now to avoid a hassle later."

The government worries that Free World Dialup's petition could buck that trend: if the FCC finds that FWD is free from the plug-and-play wiretap requirements, other Internet companies handling VoIP traffic might start thinking they're exempt as well. "The DOJ and FBI are concerned that if certain broadband telecommunications carriers fail to comply with CALEA due to a misunderstanding of their regulatory status, criminals may exploit the opportunity to evade lawful electronic surveillance," reads the government filing.

Pulver says it's the government that misunderstands the situation. "My hope is that the DoJ/FBI did not take the time to fully understand what Free World Dialup is and isn't, and after some proactive education it will be clear that we don't fall under the definitions," says Pulver. "It is much easier to build the wiretap function into the access method, which is infrastructure based, rather than on every Internet application that comes along."

Easier Broadband Surveillance Sought

Indeed, extending CALEA to cover Free World Dialup and services like it would likely be futile, says Ofir Arkin, founder of Sys-Security Group and an expert on IP telephony security. Arkin says users determined to skirt surveillance could easily set up their own ad hoc directory services on the fly. "It's like a buddy list on instant messaging," says Arkin. "They just have to build up such a server, and give everyone access to it."

Arkin says the FBI's best bet for spying on VoIP users is to eavesdrop directly on a target's broadband connection, perhaps using the Bureau's "Carnivore" DCS-1000 network surveillance tool. With access to the raw traffic, VoIP phones become exceedingly easy to listen in on. "Those phones don't have a lot of CPU power, so the communication between the two ends is not encrypted," Arkin says. "Whoever was to sniff the information on the uplink or downlink or between those two can hear whatever is said."

That point isn't lost on Justice and the FBI. The government is asking that, should the FCC not reject FWD's petition outright, the commission at least delay its decision until after it's ruled on two other broadband proceedings that the Justice Department filed comments on last year.

In those proceedings, Justice is asking the FCC to reinterpret CALEA as extending to DSL and cable modem service -- not just telephone calls. It's also asking the commission to expand the scope of the law to include raw data communication -- Web surfing, e-mail, and anything else that crosses the wire. Broadband providers are already obliged to cooperate with court-ordered surveillance requests; the government's FCC proposals would go beyond that and require companies to reengineer their networks to make Internet eavesdropping easier technically, and dirt cheap on a case-by-case basis. "It would be a major expansion of the CALEA requirements," says David Sobel, an attorney with the Electronic Privacy Information Center. "It would really obliterate the distinction between voice and data."

Opponents of the CALEA expansion include AT&T and the National Cable and Telecommunications Association. But the government's argument for the additional capabilities is the same one that persuaded Congress to pass CALEA in the first place eight years ago, and it only carries more weight today. "Although we cannot describe in this forum the particular circumstances, the FBI has sought interceptions of transmissions carried by broadband technology, including cable modem technology, in terrorism-related ... investigations involving potentially life-threatening situations," the Justice Department wrote [pdf] in one of its filings last year. "Unless carriers are required to ensure such access, law enforcement surveillance capabilities will suffer a serious and dangerous gap." If the FCC adopts the government's position, then broadband's last mile will be the FBI's listening post, and Free World Dialup will be off the hook.

© SecurityFocus
