Raising the Paranoia Level
So while at the SOURCE Boston conference I attended a session called “Telephone Defenses against the Dark Arts” presented by James Atkinson of the Granite Island Group. If you never thought much about the security of voice communication then you have never met James. He is, without a doubt, the most thorough and paranoid person I have ever met when it comes to wiretapping and voice network security.
I have great admiration for people who just flat out know their stuff. All too often you talk to an “expert” on a subject who just doesn’t have the full breadth of knowledge required, this is NOT James. He brought us through a lot of the equipment and what it does but then came the fun stuff. He showed examples of how easy it is to directly access telephone system equipment on the side of the road. Often times all of the information you need is written on the inside of the door, so you need just open and read. Then, once in, it takes just a short period of time to punch down a couple wires and be listening or recording phone conversations.
The fun doesn’t stop there however, you know that box on the side of your house that the cable or telephone company installed? Is it secure? Of course not, why would it be. Well the reason is because a neighbor, friend, foe, or anyone curious could open it up and with just a few wires and a transmitter start listening to all your calls from a distance. It is also possible that your phone may be transmitting room audio even when you are not on a call. Yep….you could be transmitting room audio across your phone lines all the time! Those living room, or bedroom conversations may not be private after all.
This is not limited to your house, it also translates to the office. Those phones could also be transmitting room audio. Maybe not that big of a deal for some people, but what about the corporate board room? The C-Level offices? Could be a really big deal. The problem is that making the phones transmit room audio is not all that difficult. A couple quick modifications to the device and you would never know the difference. Oh and if you have a VOIP system, it is often as easy as changing some settings on the phone or updating the firmware. How often do you check your phone settings? Yeah thats what I thought.
Do you know how many cables you have in a given room? Would you notice if there was an extra? I probably wouldn’t. It is so easy to just toss some cable into the ceiling and tap into a phone line, or just install a mic. You move a few ceiling tiles and you are done. Now how many people pay attention to the ceiling tiles in case something has been moved? Unless you see a bunch of debris from the tile on the floor you would probably never notice. Even if you did notice, unless you knew what should be in the ceiling you wouldn’t know if something didn’t look right.
Then he got into the actual vulnerabilities of the phone system infrastructure. There are spots all over the place that are basically protected using the security through obscurity model. Want to take down city XYZ go three blocks down, lift up this plate, dig a 3′ deep hole, cut the cables. GAME OVER. Telco’s often protect the central office and then run the cables underground only to see them all pop up in one spot to then run along the telephone poles. Cut the wires where they come up from the ground and you guessed it…GAME OVER. We aren’t talking about minor outages to a few homes, we are talking cities without telephone access for days. Very eye opening.
None of what he was talking about was ultra sophisticated attacks, but they had serious implications. Imagine if you could listen in on Board meetings of public companies? That could make for some interesting stock market decisions. What about listening to the phone conversations of your competition? Could give you an edge when approaching customers. Too often we overlook voice security, I think I will start paying more attention….and maybe listening in on my neighbors. 😉
Seriously though, if you are worried that someone may be spying on you or your company I highly recommend you give James a call. If it’s there he will find it. Set aside a good chunk of change though, because he doesn’t come cheap.
Filed under: Security | 2 Comments
Tags: spying, telephone vulnerabilities, wiretapping