How to fool a wiretap.

The state of the universe.
Feb. 6 2006 6:44 AM

The Spy Who Didn't Shag Me

How to fool a wiretap.

This week, as Congress kicks off hearings that look unlikely to check the Orwellian excesses of the National Security Agency, government eavesdropping may seem on its way to a telephone near you. Take heart, however. You may not be entirely defenseless.

New research from computer scientists at the University of Pennsylvania reveals several simple, inexpensive maneuvers that can stymie widely used snooping systems. Unlike cryptography, these methods don't require participation from a code writer and a code breaker on either end of a conversation. And they were discovered using publicly available information and clever lab work—nothing classified.

Amanda Schaffer Amanda Schaffer

Amanda Schaffer is a science and medical columnist for Slate.

Before you condemn the snoop spoilers, hear them out. "It's morally safer and practically safer to be talking about this," says computer scientist Matt Blaze, who heads the U. Penn group. "It's arrogant to think that you're so much smarter than the bad guys" and that they don't already know about these anti-eavesdropping techniques. And since wiretaps and e-mail snooping can be used to create a legal record, the public should know how this record can sometimes be manipulated, either by the people being snooped on or even by a third party. Blaze let the FBI and some state police agencies know in advance about his wiretapping paper.

How to thwart a phone tap

One do-it-yourself technique, described in the journal Privacy and Security, can prevent many wiretapping systems from catching the full audio content of a call. Many snooping systems rely on a cue called a C-tone to indicate that a target's telephone is idling on the hook. The absence of this sound, by contrast, tells the snoops that their target is starting up a conversation and audio recording should begin. So if a scientist (or target) generates a C-tone, which consists of two particular frequencies played together, many common wiretapping systems will simply stop recording—even if the C-tone sound is played quietly so that it won't interfere with the target's conversation. (Listen here to an audio example.)

Generating a C-tone is as easy as stocking up on duct tape. Most touch-tone phones have four rows and three columns of buttons. On some military phones, there's a fourth column that includes a C-tone button. Such devices can be purchased inexpensively on sites like eBay. Alternatively, a C-tone can be produced using parts for sale from Radio Shack or using software you can download for free from sites like this one (though in all of these cases, modifications may be needed to make the C-tone soft enough to talk over). As one of Blaze's grad students, Micah Sherr, joked, "If you're exceptionally skilled you could even get two people to sing harmoniously" and hit the right C-tone sound.

Blaze's team tested a range of wiretap systems in the lab, some used by law enforcement and others that were homemade. Older technologies, called loop extender systems, were particularly vulnerable to the C-tone ruse. But newer systems developed in accordance with the 1994 Communications Assistance for Law Enforcement Act were surprisingly susceptible as well. The Department of Justice may not have done the government any favors when it requested that new systems include the C-tone feature, perhaps so that the newer equipment would be compatible with the old. (Click here for diagrams of loop extender and CALEA systems and more on why they can be easy to fool.) A spokeswoman for the FBI said that according to the annual Federal Wiretap Report, which keeps track of the number of applications for interceptions that are granted or denied, roughly 90 percent of approved wiretap requests use CALEA systems. She acknowledged that many still have the C-tone feature but said that "practically none of the wiretaps done today is vulnerable to C-tone countermeasures." (The NSA—surprise!—declined to comment.) Blaze countered that unless the government has actively reconfigured or turned off the C-tone feature, its systems may still be susceptible. The good news for the snoops is that, if vulnerable, the CALEA systems can probably be fixed.

How to confuse an Internet eavesdropper  

Tricks discovered by Blaze's group and presented at the second annual International Federation for Information Processing Conference on Digital Forensics in Orlando, Fla., last week can largely confuse software designed to spy on e-mail, Web traffic, file sharing, or other communications sent over the Internet. E-mail and other Internet-sent information generally travels in the form of packets, or parts containing bytes of information. In order to confuse an Internet snooping program, Blaze's team tried directing extra decoy packets—containing "noise," or spurious information—in such a way that an eavesdropper would receive them but the real recipient of the message would not. The group did this, Blaze explained, by exploiting variations in the way Internet packets are routed and processed. Decoy messages directed at the eavesdropper might never be seen by the recipient to whom it would appear they were sent. The eavesdropper and message recipient would end up "seeing two different versions of the conversation," Blaze said. The goal, then, is that the eavesdropper gets one message, the recipient gets another, and the eavesdropper most likely doesn't know he's been duped. Sherr says this is a matter of basic computer programming.

In a test of 11 eavesdropping systems, including open-source and commercially available programs configured in various ways, the systems were largely unable to interpret the "real" message (a note from Mr. Holmes to Dr. Watson) when it was sent in the presence of decoy data (the passage "It was the best of times, it was the worst of times …" from Charles Dickens' A Tale of Two Cities). Strikingly, the Dickens decoy could also be sent by a third-party meddler, allowing him to confuse an eavesdropper and substantially alter the record of an Internet exchange—without either party to the exchange having the slightest idea.

Sure, smarter snooping programs are possible, Blaze says. Maybe the NSA already has them in place. Keep these tricks handy, though, as a first line of defense.