How to fool a wiretap.

The state of the universe.
Feb. 6 2006 6:44 AM

The Spy Who Didn't Shag Me

How to fool a wiretap.

This week, as Congress kicks off hearings that look unlikely to check the Orwellian excesses of the National Security Agency, government eavesdropping may seem on its way to a telephone near you. Take heart, however. You may not be entirely defenseless.

New research from computer scientists at the University of Pennsylvania reveals several simple, inexpensive maneuvers that can stymie widely used snooping systems. Unlike cryptography, these methods don't require participation from a code writer and a code breaker on either end of a conversation. And they were discovered using publicly available information and clever lab work—nothing classified.


Before you condemn the snoop spoilers, hear them out. "It's morally safer and practically safer to be talking about this," says computer scientist Matt Blaze, who heads the U. Penn group. "It's arrogant to think that you're so much smarter than the bad guys" and that they don't already know about these anti-eavesdropping techniques. And since wiretaps and e-mail snooping can be used to create a legal record, the public should know how this record can sometimes be manipulated, either by the people being snooped on or even by a third party. Blaze let the FBI and some state police agencies know in advance about his wiretapping paper.

How to thwart a phone tap

One do-it-yourself technique, described in the journal Privacy and Security, can prevent many wiretapping systems from catching the full audio content of a call. Many snooping systems rely on a cue called a C-tone to indicate that a target's telephone is idling on the hook. The absence of this sound, by contrast, tells the snoops that their target is starting up a conversation and audio recording should begin. So if a scientist (or target) generates a C-tone, which consists of two particular frequencies played together, many common wiretapping systems will simply stop recording—even if the C-tone sound is played quietly so that it won't interfere with the target's conversation. (Listen here to an audio example.)

Generating a C-tone is as easy as stocking up on duct tape. Most touch-tone phones have four rows and three columns of buttons. On some military phones, there's a fourth column that includes a C-tone button. Such devices can be purchased inexpensively on sites like eBay. Alternatively, a C-tone can be produced using parts for sale from Radio Shack or using software you can download for free from sites like this one (though in all of these cases, modifications may be needed to make the C-tone soft enough to talk over). As one of Blaze's grad students, Micah Sherr, joked, "If you're exceptionally skilled you could even get two people to sing harmoniously" and hit the right C-tone sound.

Blaze's team tested a range of wiretap systems in the lab, some used by law enforcement and others that were homemade. Older technologies, called loop extender systems, were particularly vulnerable to the C-tone ruse. But newer systems developed in accordance with the 1994 Communications Assistance for Law Enforcement Act were surprisingly susceptible as well. The Department of Justice may not have done the government any favors when it requested that new systems include the C-tone feature, perhaps so that the newer equipment would be compatible with the old. (Click here for diagrams of loop extender and CALEA systems and more on why they can be easy to fool.) A spokeswoman for the FBI said that according to the annual Federal Wiretap Report, which keeps track of the number of applications for interceptions that are granted or denied, roughly 90 percent of approved wiretap requests use CALEA systems. She acknowledged that many still have the C-tone feature but said that "practically none of the wiretaps done today is vulnerable to C-tone countermeasures." (The NSA—surprise!—declined to comment.) Blaze countered that unless the government has actively reconfigured or turned off the C-tone feature, its systems may still be susceptible. The good news for the snoops is that, if vulnerable, the CALEA systems can probably be fixed.

How to confuse an Internet eavesdropper  

Tricks discovered by Blaze's group and presented at the second annual International Federation for Information Processing Conference on Digital Forensics in Orlando, Fla., last week can largely confuse software designed to spy on e-mail, Web traffic, file sharing, or other communications sent over the Internet. E-mail and other Internet-sent information generally travels in the form of packets, or parts containing bytes of information. In order to confuse an Internet snooping program, Blaze's team tried directing extra decoy packets—containing "noise," or spurious information—in such a way that an eavesdropper would receive them but the real recipient of the message would not. The group did this, Blaze explained, by exploiting variations in the way Internet packets are routed and processed. Decoy messages directed at the eavesdropper might never be seen by the recipient to whom it would appear they were sent. The eavesdropper and message recipient would end up "seeing two different versions of the conversation," Blaze said. The goal, then, is that the eavesdropper gets one message, the recipient gets another, and the eavesdropper most likely doesn't know he's been duped. Sherr says this is a matter of basic computer programming.

In a test of 11 eavesdropping systems, including open-source and commercially available programs configured in various ways, the systems were largely unable to interpret the "real" message (a note from Mr. Holmes to Dr. Watson) when it was sent in the presence of decoy data (the passage "It was the best of times, it was the worst of times …" from Charles Dickens' A Tale of Two Cities). Strikingly, the Dickens decoy could also be sent by a third-party meddler, allowing him to confuse an eavesdropper and substantially alter the record of an Internet exchange—without either party to the exchange having the slightest idea.

Sure, smarter snooping programs are possible, Blaze says. Maybe the NSA already has them in place. Keep these tricks handy, though, as a first line of defense.

Amanda Schaffer is a science and medical columnist for Slate.



The Ebola Story

How our minds build narratives out of disaster.

The Budget Disaster That Completely Sabotaged the WHO’s Response to Ebola

PowerPoint Is the Worst, and Now It’s the Latest Way to Hack Into Your Computer

The Shooting Tragedies That Forged Canada’s Gun Politics

A Highly Unscientific Ranking of Crazy-Old German Beers


Welcome to 13th Grade!

Some high schools are offering a fifth year. That’s a great idea.


The Actual World

“Mount Thoreau” and the naming of things in the wilderness.

Want Kids to Delay Sex? Let Planned Parenthood Teach Them Sex Ed.

Would You Trust Walmart to Provide Your Health Care? (You Should.)

  News & Politics
Oct. 22 2014 9:42 PM Landslide Landrieu Can the Louisiana Democrat use the powers of incumbency to save herself one more time?
Continuously Operating
Oct. 22 2014 2:38 PM Crack Open an Old One A highly unscientific evaluation of Germany’s oldest breweries.
Gentleman Scholar
Oct. 22 2014 5:54 PM May I Offer to Sharpen My Friends’ Knives? Or would that be rude?
  Double X
The XX Factor
Oct. 22 2014 4:27 PM Three Ways Your Text Messages Change After You Get Married
  Slate Plus
Tv Club
Oct. 22 2014 5:27 PM The Slate Walking Dead Podcast A spoiler-filled discussion of Episodes 1 and 2.
Oct. 22 2014 11:54 PM The Actual World “Mount Thoreau” and the naming of things in the wilderness.
Future Tense
Oct. 22 2014 5:33 PM One More Reason Not to Use PowerPoint: It’s The Gateway for a Serious Windows Vulnerability
  Health & Science
Wild Things
Oct. 22 2014 2:42 PM Orcas, Via Drone, for the First Time Ever
Sports Nut
Oct. 20 2014 5:09 PM Keepaway, on Three. Ready—Break! On his record-breaking touchdown pass, Peyton Manning couldn’t even leave the celebration to chance.