lawful interception in german voipnetworks - ccc event blog · sniff data using wellknown intercept...
TRANSCRIPT
![Page 1: Lawful Interception in German VoIPNetworks - CCC Event Blog · sniff data using wellknown intercept access ... use ethereal to reassemble RTP stream – save as audio file – nice](https://reader030.vdocuments.site/reader030/viewer/2022040219/5e1ae9527f3cd84cc14417f7/html5/thumbnails/1.jpg)
Lawful Interception inGerman VoIPNetworks
22C3, Berlin
Hendrik [email protected]
http://www.wormulon.net/
![Page 2: Lawful Interception in German VoIPNetworks - CCC Event Blog · sniff data using wellknown intercept access ... use ethereal to reassemble RTP stream – save as audio file – nice](https://reader030.vdocuments.site/reader030/viewer/2022040219/5e1ae9527f3cd84cc14417f7/html5/thumbnails/2.jpg)
Agenda
● What is Lawful Interception (LI)?● Terms, Laws● Lawful Interception in PSTN networks● Lawful Interception in VoIP networks● Countermeasures● Interim Solution● Upcoming Nightmares
![Page 3: Lawful Interception in German VoIPNetworks - CCC Event Blog · sniff data using wellknown intercept access ... use ethereal to reassemble RTP stream – save as audio file – nice](https://reader030.vdocuments.site/reader030/viewer/2022040219/5e1ae9527f3cd84cc14417f7/html5/thumbnails/3.jpg)
What is Lawful Interception?
● spying on users● justified by the government● goal: gain information about subject● information: relationship rather than content● target: 'account'
– email, DSL, Usenet, phone number, SIP address– IRI: intercept related information
![Page 4: Lawful Interception in German VoIPNetworks - CCC Event Blog · sniff data using wellknown intercept access ... use ethereal to reassemble RTP stream – save as audio file – nice](https://reader030.vdocuments.site/reader030/viewer/2022040219/5e1ae9527f3cd84cc14417f7/html5/thumbnails/4.jpg)
Terms
● Bedarfstraeger, berechtigte Stelle– demand bearer, entitled agency– LEA: Law Enforcement Agency
● Massnahme– interception process
● Ausweisung– expulsion order– copying data– active vs. passive expulsion
![Page 5: Lawful Interception in German VoIPNetworks - CCC Event Blog · sniff data using wellknown intercept access ... use ethereal to reassemble RTP stream – save as audio file – nice](https://reader030.vdocuments.site/reader030/viewer/2022040219/5e1ae9527f3cd84cc14417f7/html5/thumbnails/5.jpg)
The Law
● Telekommunikationsüberwachungsverordnung
– telecommunication surveillance ordinance– TKUeV
● Technische Richtlinie zur Telekommunikationsüberwachungsverordnung
– technical guidelines– TR TKUeV
● Durchfuehrungsverordnung zur Telekommunikationsüberwachungsverordnung
– rules of conduct– DV TKUeV
![Page 6: Lawful Interception in German VoIPNetworks - CCC Event Blog · sniff data using wellknown intercept access ... use ethereal to reassemble RTP stream – save as audio file – nice](https://reader030.vdocuments.site/reader030/viewer/2022040219/5e1ae9527f3cd84cc14417f7/html5/thumbnails/6.jpg)
PSTN network
![Page 7: Lawful Interception in German VoIPNetworks - CCC Event Blog · sniff data using wellknown intercept access ... use ethereal to reassemble RTP stream – save as audio file – nice](https://reader030.vdocuments.site/reader030/viewer/2022040219/5e1ae9527f3cd84cc14417f7/html5/thumbnails/7.jpg)
LI in the Old World
● signalling and voice parallel (ISDN)– D channel, multiple B channels– inband singalling (analogue)
● LI on the upstream gateway (i.e. Siemens EWSD)
● in service since 20 years● redirections not visible to user
– no ping to measure roundtrip times– no traceroute to record route
![Page 8: Lawful Interception in German VoIPNetworks - CCC Event Blog · sniff data using wellknown intercept access ... use ethereal to reassemble RTP stream – save as audio file – nice](https://reader030.vdocuments.site/reader030/viewer/2022040219/5e1ae9527f3cd84cc14417f7/html5/thumbnails/8.jpg)
VoIP Paradigm
VoIP should have all PSTNLIfeatures
– undetectable to user– management (handover) interface– security
![Page 9: Lawful Interception in German VoIPNetworks - CCC Event Blog · sniff data using wellknown intercept access ... use ethereal to reassemble RTP stream – save as audio file – nice](https://reader030.vdocuments.site/reader030/viewer/2022040219/5e1ae9527f3cd84cc14417f7/html5/thumbnails/9.jpg)
The VoIP Universe
● signalling:– SIP– H.323– SCCP (Skinny)
● voice/media:– G.711 ulaw, alaw– G.723, G.726, G.729– GSM, iLBC, speex– proprietary
![Page 10: Lawful Interception in German VoIPNetworks - CCC Event Blog · sniff data using wellknown intercept access ... use ethereal to reassemble RTP stream – save as audio file – nice](https://reader030.vdocuments.site/reader030/viewer/2022040219/5e1ae9527f3cd84cc14417f7/html5/thumbnails/10.jpg)
simplified VoIP Setup
![Page 11: Lawful Interception in German VoIPNetworks - CCC Event Blog · sniff data using wellknown intercept access ... use ethereal to reassemble RTP stream – save as audio file – nice](https://reader030.vdocuments.site/reader030/viewer/2022040219/5e1ae9527f3cd84cc14417f7/html5/thumbnails/11.jpg)
standard VoIP Setup
![Page 12: Lawful Interception in German VoIPNetworks - CCC Event Blog · sniff data using wellknown intercept access ... use ethereal to reassemble RTP stream – save as audio file – nice](https://reader030.vdocuments.site/reader030/viewer/2022040219/5e1ae9527f3cd84cc14417f7/html5/thumbnails/12.jpg)
Solution: Conference Call
● each call becomes a conference call with a government official listening– implemented in client
● becomes visible in SIP: „Hi, I'm Eve and I'd like to get a copy of your voice stream“
![Page 13: Lawful Interception in German VoIPNetworks - CCC Event Blog · sniff data using wellknown intercept access ... use ethereal to reassemble RTP stream – save as audio file – nice](https://reader030.vdocuments.site/reader030/viewer/2022040219/5e1ae9527f3cd84cc14417f7/html5/thumbnails/13.jpg)
Solution: Media Gateway
● divert voice through a proxy that allows sniffing
● snignalling has to be modified● „This is your SIP server speaking. You are
being intercepted. Please send your data to the police. They'll forward it on for you.“
● easy to implement● easy to detect in most cases
![Page 14: Lawful Interception in German VoIPNetworks - CCC Event Blog · sniff data using wellknown intercept access ... use ethereal to reassemble RTP stream – save as audio file – nice](https://reader030.vdocuments.site/reader030/viewer/2022040219/5e1ae9527f3cd84cc14417f7/html5/thumbnails/14.jpg)
Solution: PSTN Diversion
● divert outgoing call into the PSTN● sniff data using wellknown intercept access
point (IAP)● divert traffic back into the VoIP network● requires transition SIP to {SS7|DSS1|MGCP}● not all SIPmessages can be translated● how about voice quality?
![Page 15: Lawful Interception in German VoIPNetworks - CCC Event Blog · sniff data using wellknown intercept access ... use ethereal to reassemble RTP stream – save as audio file – nice](https://reader030.vdocuments.site/reader030/viewer/2022040219/5e1ae9527f3cd84cc14417f7/html5/thumbnails/15.jpg)
Solution: passive Ausweisung
● add interception points (IAP) everywhere– in every POP > expensive
● the right thing could sure be found in the mess● eases abuse as everything is in place and waits
to be used● who controls what's intercepted?
– hackers gaining access– management overhead, updates
![Page 16: Lawful Interception in German VoIPNetworks - CCC Event Blog · sniff data using wellknown intercept access ... use ethereal to reassemble RTP stream – save as audio file – nice](https://reader030.vdocuments.site/reader030/viewer/2022040219/5e1ae9527f3cd84cc14417f7/html5/thumbnails/16.jpg)
Solution: active Ausweisung
● drive to the POP when needed and install temporary hardware
● problems:– delay of up to 48h until device is in place– visible physically– what happens in longterm surveillance?– how about roaming users?
![Page 17: Lawful Interception in German VoIPNetworks - CCC Event Blog · sniff data using wellknown intercept access ... use ethereal to reassemble RTP stream – save as audio file – nice](https://reader030.vdocuments.site/reader030/viewer/2022040219/5e1ae9527f3cd84cc14417f7/html5/thumbnails/17.jpg)
ideas?
● don't do LI at all● make the underlying 'access' ISP sniff the data● Bedarfstraeger/government writes readable
laws/instructions– ain't gonna happen– VoIP is kinda new to the government– define usecases that can be intercepted– accept the fact of untraceable calls
● outlaw VoIP?
![Page 18: Lawful Interception in German VoIPNetworks - CCC Event Blog · sniff data using wellknown intercept access ... use ethereal to reassemble RTP stream – save as audio file – nice](https://reader030.vdocuments.site/reader030/viewer/2022040219/5e1ae9527f3cd84cc14417f7/html5/thumbnails/18.jpg)
bad ideas
● If you divert traffic from SIP to PSTN– Do not show diverted calls in records– Do not add cost announcement– Do not bill user for intercepted calls
● make it easy to use– abuse
● make it permanent (inplace)– security
![Page 19: Lawful Interception in German VoIPNetworks - CCC Event Blog · sniff data using wellknown intercept access ... use ethereal to reassemble RTP stream – save as audio file – nice](https://reader030.vdocuments.site/reader030/viewer/2022040219/5e1ae9527f3cd84cc14417f7/html5/thumbnails/19.jpg)
Countermeasures
● make fake calls and save– round trip times– RecordRoute IP addresses– SDP header information
● alert user if things change
![Page 20: Lawful Interception in German VoIPNetworks - CCC Event Blog · sniff data using wellknown intercept access ... use ethereal to reassemble RTP stream – save as audio file – nice](https://reader030.vdocuments.site/reader030/viewer/2022040219/5e1ae9527f3cd84cc14417f7/html5/thumbnails/20.jpg)
Countermeasures cont'd.
● use random unsupported codec– PSTN gateway will drop call if used for interception
● add challenge authentication, checksums– DTLS
● TLS, SRTP– 'access' ISP has to provide data
![Page 21: Lawful Interception in German VoIPNetworks - CCC Event Blog · sniff data using wellknown intercept access ... use ethereal to reassemble RTP stream – save as audio file – nice](https://reader030.vdocuments.site/reader030/viewer/2022040219/5e1ae9527f3cd84cc14417f7/html5/thumbnails/21.jpg)
Poor man's LI
● record all data using libpcap– tcpdump s 1500 w foobar.cap udp
● use ethereal to reassemble RTP stream– save as audio file– nice statistics for debugging
![Page 22: Lawful Interception in German VoIPNetworks - CCC Event Blog · sniff data using wellknown intercept access ... use ethereal to reassemble RTP stream – save as audio file – nice](https://reader030.vdocuments.site/reader030/viewer/2022040219/5e1ae9527f3cd84cc14417f7/html5/thumbnails/22.jpg)
RegTP interim solution
● interim solution from July 2005– signalling only solution– based on ETSI TS 101 671– use SINA box (VPN tunnel) to send SIP signalling– totally bogus on first attempt
● needed lots of discussion
● Meeting in Mainz early in June● to be implemented by ISPs this year
![Page 23: Lawful Interception in German VoIPNetworks - CCC Event Blog · sniff data using wellknown intercept access ... use ethereal to reassemble RTP stream – save as audio file – nice](https://reader030.vdocuments.site/reader030/viewer/2022040219/5e1ae9527f3cd84cc14417f7/html5/thumbnails/23.jpg)
BNetzA Interim Issues
● sniffing based on account– how about inband authentication?
● authenticated using DTMF tones on mailbox
● delay– delay between call and data reception at LEA has
to be very low (500ms)● undetectable
– doable in most cases
![Page 24: Lawful Interception in German VoIPNetworks - CCC Event Blog · sniff data using wellknown intercept access ... use ethereal to reassemble RTP stream – save as audio file – nice](https://reader030.vdocuments.site/reader030/viewer/2022040219/5e1ae9527f3cd84cc14417f7/html5/thumbnails/24.jpg)
Media solution
● RTP has to be interceptable by 2007● BNetzA likes to have RTP media for
intercepted calls● some media is hard to capture
– call scenarios yet to be specified● lots of hardware needed in distributed systems● LEA need to have bandwidth and equipment
![Page 25: Lawful Interception in German VoIPNetworks - CCC Event Blog · sniff data using wellknown intercept access ... use ethereal to reassemble RTP stream – save as audio file – nice](https://reader030.vdocuments.site/reader030/viewer/2022040219/5e1ae9527f3cd84cc14417f7/html5/thumbnails/25.jpg)
Upcoming Nightmares
● World of Warcraft 'Voice Chat'– this is VoIP?!
● 'Vorratsdatenspeicherung'– data warehouse containing user information, call
logs– parameters:
● European 'solution'● 1236 months depending on government● ISPs have to store and provide data
![Page 26: Lawful Interception in German VoIPNetworks - CCC Event Blog · sniff data using wellknown intercept access ... use ethereal to reassemble RTP stream – save as audio file – nice](https://reader030.vdocuments.site/reader030/viewer/2022040219/5e1ae9527f3cd84cc14417f7/html5/thumbnails/26.jpg)
Resources
● RFC 3924, Cisco Architecture for Lawful Intercept in IP Networks
● http://bnetza.de/● http://www.wormulon.net/ > slides