Europol cops lean on phone networks, ISPs to dump CGNAT walls that 'hide' cyber-crooks

Plod say crims now too hard to find and catch online

By Iain Thomson in San Francisco


Europol has asked cellphone networks and other internet providers to stop using Carrier Grade Network Address Translation (CGNAT) – because it’s making life too difficult for cops trying to track cyber-villains across the web.

CGNAT is used by telcos running short of public IPv4 addresses. By deploying CGNAT, a mobile network or ISP can stick a bunch of customers – typically small businesses and home subscribers – on private IPv4 addresses and route them through a small set of global IPv4 addresses. This technique has been widely deployed by providers unwilling or unable to bung their users on world-routable IPv6 addresses.

Having so many people sitting behind a small pool of public IP addresses is upsetting the Euro plod: identifying and tracking suspects by their network addresses in server logs is tough as it's not clear exactly who is who. Officers can ask network providers to unmask subscribers, but that's not always easy if an investigation is in its early stages and there are hundreds of thousands of people behind just a few IP numbers.

The courts are already split on whether an IP address can be used to formally identify someone. CGNAT muddies the waters further, especially when mobile networks are involved as they are heavy users of CGNAT. In short, loads of people on their phones are behind a small brick wall of IPs and the cops are banging their heads against it.

Finally a reason not to bother with IPv6: Uh, security concerns...?


"CGN technology has created a serious online capability gap in law enforcement efforts to investigate and attribute crime," said Europol’s executive director Rob Wainwright in a statement on Tuesday.

"It is particularly alarming that individuals who are using mobile phones to connect to the internet to facilitate criminal activities cannot be identified because 90 per cent of mobile internet access providers have adopted a technology which prevents them from complying with their legal obligations to identify individual subscribers."

The call came after a conference was held in Estonia to discuss the issue, in which crime fighters gave examples of investigations that had been stymied thanks to CGNAT. Various options are being considered including a voluntary agreement with cellular networks and ISPs not to have too many users per IP address or a legal requirement that they record detailed logs so customers can be traced back through a mega-NAT.

"Ensuring EU law enforcement investigations are effective and result in the arrests of responsible parties is one of Europol’s key functions," said Steven Wilson, head of Europol’s European Cybercrime Centre. "The issues relating to CGN, specifically the non-attribution of malicious groups and individuals, should be resolved."

The nuclear option is to force network operators to use IPv6, but that's unlikely to happen anytime soon. The industry is banking on making a slow transition that minimizes costs. Legal action to fend off the plod would hurt profits and potentially result in even less enthusiastic cooperation between network providers and investigating officers. ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

China's clampdown on Tor pushes its hackers into foreign backyards

Comparing Middle Kingdom's hacker forums to Russia's? Apples and pears

Tor(ched): Zerodium drops exploit for version 7 of anonymous browser

Bug allows malicious scripts to run even with protections active

Europol, FBI, UK's NCA ride out to Ukraine's cavalry call

Security service calls NotPetya an 'act of cyberterrorism'

Tor pedo's torpedo torpedoed: FBI spyware crossed the line but was in good faith, say judges

Analysis Playpen pervert fails to convince appeals court

Cash-machine-draining €1bn cybercrime kingpin suspect cuffed by plod

Bod accused of masterminding malware attacks on banks around the world

Cloudflare experiments with hidden Tor services

Matt Prince sets a daemon to work with the onions

Asian nations mull regional 'Europol' in fight against cybercrime

RSA APAC ASEAN ministers flag 'Asiapol' in closed-door talks

Scammers become the scammed: Ransomware payments diverted with Tor proxy trickery

Of course this does nothing for victims' encrypted files

Ignore that FBI. We're the real FBI, says the FBI that's totally the FBI

Don't open that malware mail from the Feds that's not from the Feds, Feds warn

Tor-forker Joshua Yabut cuffed for armoured personnel carrier joyride

Anti-SJW National Guard commander, cryptocurrency dev in deep trouble