Europol cops lean on phone networks, ISPs to dump CGNAT walls that 'hide' cyber-crooks

Plod say crims now too hard to find and catch online

By Iain Thomson in San Francisco

Posted in Security, 18th October 2017 07:01 GMT

Europol has asked cellphone networks and other internet providers to stop using Carrier Grade Network Address Translation (CGNAT) – because it’s making life too difficult for cops trying to track cyber-villains across the web.

CGNAT is used by telcos running short of public IPv4 addresses. By deploying CGNAT, a mobile network or ISP can stick a bunch of customers – typically small businesses and home subscribers – on private IPv4 addresses and route them through a small set of global IPv4 addresses. This technique has been widely deployed by providers unwilling or unable to bung their users on world-routable IPv6 addresses.

Having so many people sitting behind a small pool of public IP addresses is upsetting the Euro plod: identifying and tracking suspects by their network addresses in server logs is tough as it's not clear exactly who is who. Officers can ask network providers to unmask subscribers, but that's not always easy if an investigation is in its early stages and there are hundreds of thousands of people behind just a few IP numbers.

The courts are already split on whether an IP address can be used to formally identify someone. CGNAT muddies the waters further, especially when mobile networks are involved as they are heavy users of CGNAT. In short, loads of people on their phones are behind a small brick wall of IPs and the cops are banging their heads against it.

"CGN technology has created a serious online capability gap in law enforcement efforts to investigate and attribute crime," said Europol’s executive director Rob Wainwright in a statement on Tuesday.

"It is particularly alarming that individuals who are using mobile phones to connect to the internet to facilitate criminal activities cannot be identified because 90 per cent of mobile internet access providers have adopted a technology which prevents them from complying with their legal obligations to identify individual subscribers."

The call came after a conference was held in Estonia to discuss the issue, in which crime fighters gave examples of investigations that had been stymied thanks to CGNAT. Various options are being considered including a voluntary agreement with cellular networks and ISPs not to have too many users per IP address or a legal requirement that they record detailed logs so customers can be traced back through a mega-NAT.
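The attribution problem described above, as an added example that is not from the article or from Europol: a toy lookup against a constructed carrier translation log. With only the public IP and a timestamp, a server log entry maps to every subscriber sharing that address at that moment; with the source port as well (a field the "detailed logs" mentioned above would have to include, and one most web servers do not record by default), it resolves to a single subscriber. All addresses, subscriber identifiers, the log line format and the `NatMapping` record layout are assumptions made for the illustration.

```python
"""Toy CGNAT attribution lookup.

Added example, not from the article or Europol. Shows why a server-side
source IP alone is ambiguous behind a carrier-grade NAT, and what a carrier
translation log must record (public IP, public port, time window) before a
server log entry can be traced back to one subscriber. Every address,
subscriber ID and log line below is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class NatMapping:
    subscriber: str    # carrier's internal account identifier (constructed)
    private_ip: str    # RFC 6598 shared-space address handed to the subscriber
    public_ip: str     # shared public IPv4 address from the CGNAT pool
    public_port: int   # public source port allocated to this flow
    start: datetime    # mapping created
    end: datetime      # mapping torn down


def _t(s: str) -> datetime:
    """Parse a constructed 'YYYY-MM-DD HH:MM:SS' timestamp as UTC."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


# Constructed carrier translation log: several subscribers share 203.0.113.10.
NAT_LOG = [
    NatMapping("sub-0001", "100.64.3.17", "203.0.113.10", 40001,
               _t("2017-10-18 07:00:30"), _t("2017-10-18 07:02:00")),
    NatMapping("sub-0002", "100.64.9.200", "203.0.113.10", 40002,
               _t("2017-10-18 07:00:45"), _t("2017-10-18 07:05:00")),
    NatMapping("sub-0003", "100.64.1.5", "203.0.113.10", 40003,
               _t("2017-10-18 06:59:00"), _t("2017-10-18 07:01:30")),
    # The same public port is reused by another subscriber later in the day,
    # so the timestamp is part of the lookup key, not just IP and port.
    NatMapping("sub-0004", "100.64.7.77", "203.0.113.10", 40001,
               _t("2017-10-18 09:00:00"), _t("2017-10-18 09:10:00")),
]

# Constructed web server log line in "combined" style with the client source
# port appended as the second field (an assumed format, not a default one).
SERVER_LINE = ('203.0.113.10 40001 - - [18/Oct/2017:07:01:00 +0000] '
               '"POST /login HTTP/1.1" 200 512')

_LINE_RE = re.compile(
    r'^(?P<ip>\d+\.\d+\.\d+\.\d+) (?P<port>\d+) \S+ \S+ \[(?P<ts>[^\]]+)\]')


def parse_server_line(line: str) -> tuple[str, int, datetime]:
    """Extract source IP, source port and UTC timestamp from a server log line."""
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError("unrecognised log line")
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), int(m.group("port")), ts.astimezone(timezone.utc)


def subscribers_by_ip(nat_log, public_ip: str, ts: datetime) -> list[str]:
    """Without the source port: every subscriber mapped to that address at that moment."""
    return sorted({m.subscriber for m in nat_log
                   if m.public_ip == public_ip and m.start <= ts <= m.end})


def subscribers_by_ip_port(nat_log, public_ip: str, public_port: int,
                           ts: datetime) -> list[str]:
    """With IP, port and time: normally exactly one subscriber."""
    return sorted({m.subscriber for m in nat_log
                   if m.public_ip == public_ip and m.public_port == public_port
                   and m.start <= ts <= m.end})


if __name__ == "__main__":
    ip, port, ts = parse_server_line(SERVER_LINE)
    print("IP only     :", subscribers_by_ip(NAT_LOG, ip, ts))             # 3 candidates
    print("IP+port+time:", subscribers_by_ip_port(NAT_LOG, ip, port, ts))  # ['sub-0001']
```

Two practical points the code surfaces: public ports are recycled, so the time window is part of the lookup key and only as reliable as the clocks on both the content server and the carrier's NAT; and an IP address by itself yields a candidate list, not an identification, so the source port and a precise timestamp should be captured at the server and requested from the carrier from the outset.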

"Ensuring EU law enforcement investigations are effective and result in the arrests of responsible parties is one of Europol’s key functions," said Steven Wilson, head of Europol’s European Cybercrime Centre. "The issues relating to CGN, specifically the non-attribution of malicious groups and individuals, should be resolved."

The nuclear option is to force network operators to use IPv6, but that's unlikely to happen anytime soon. The industry is banking on making a slow transition that minimizes costs. Legal action to fend off the plod would hurt profits and potentially result in even less enthusiastic cooperation between network providers and investigating officers. ®