As the telecommunications world went wireless and digital, the tried-and-true method law enforcement agencies used for wiretaps—splicing into the local loop—was in danger of becoming an anachronism. In 1994, Congress passed the Communications Assistance for Law Enforcement Act, which required telecommunications switches to incorporate a capacity for government monitoring of phone calls and other communications. That requirement ultimately produced an ANSI standard, J-STD-025, that dictated the capabilities of the hardware interface used by law enforcement agencies. A team of academic researchers has now put that standard to the test, and found that it's vulnerable to various forms of denial and obfuscation attacks.

As the authors note, the monitoring of domestic communications has been a source of controversy in recent years; others have questioned whether having a standard capacity built into every piece of communication hardware leaves the US communications infrastructure at risk of external attack. They avoid these issues, however, and focus on a simpler question: how well does the J-standard actually work?

The answer, it appears, is that it's trivial to defeat it and interfere with wiretaps. The big caveat to this work is that the authors didn't have access to any of the actual hardware used by law enforcement agencies; they simply tested whether hardware that follows the J-standard could hold up to a variety of attacks. It's possible that hardware makers have exceeded the standard with more recent equipment and addressed some of the problems.

Still, there are two reasons to think that at least some wiretaps would be vulnerable. The first is that the hardware that's actually deployed is probably from a variety of generations and manufacturers, making it likely that some of it does the bare minimum needed to comply. The second is that the authors demonstrate multiple vulnerabilities, making it unlikely that even the best equipment handles all of them.

Part of the problem is that there are two classes of phone monitoring available to law enforcement: simple call logging (who called whom, and when), for which legal authorization is relatively easy to obtain, and full call recording, which typically requires a higher legal bar. The two are carried over separate channels within the protocol, and the capacity allotted to the logging channel was based on typical usage patterns at the time the standard was written: a single 64kbps ISDN line. The authors go on to show that it's relatively simple to exceed this bandwidth with a single computer or smartphone, creating a denial of service situation.

A related problem is the asymmetry between the basic information that needs to be sent down a phone line (there's a connection waiting) and all the information that law enforcement needs along with it, such as the source, a datestamp, a case identifier, and so on. This asymmetry ensures that even a simple call that is never answered produces significant data that has to be stuffed down the 64kbps pipe.

The other part of the problem is that modern telephony creates a variety of methods of sending a lot of traffic to an individual phone line with minimal effort. So, for example, the authors use an ISDN phone to send commands to voicemail boxes at a rate of 94 calls a second. Forty-two text messages a second would also work, as would repeated call/hangups using IP telephony. A rate of 20 hangups a second would do the trick, and the researchers were easily able to exceed that from a residential broadband connection.

Since the J protocol doesn't allow for queueing or buffering, once the bandwidth is exceeded, any information that can't be stuffed down the pipes is lost. So, once these levels are exceeded, law enforcement call logging becomes unreliable. The protocol is less clear about the capacity allocated to content monitoring, but the authors' analysis suggests that this would be even easier to saturate.
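The failure mode described above (a fixed-rate logging channel with no queue, so records that don't fit in a given second are simply discarded) is easy to model. The following is an added example written for this article, not code from the paper or from any intercept product. It assumes a record size of 100 bytes and a target that generates two records per second (say, an origination and a release) purely for illustration; the only figure taken from the article is the 64kbps link. It also shows why the authors' stopgaps only go so far: a buffer or a fatter link absorbs a burst, but a sustained flood still starves the real target's records.

```python
"""Toy capacity model for the J-STD-025 call data (logging) channel.

Added example, not from the paper or the article. Record sizes, event mixes
and the queue model are assumptions chosen to illustrate the failure mode;
only the 64 kbps figure comes from the article.
"""
from collections import Counter, deque

CDC_BITS_PER_SECOND = 64_000  # one ISDN B channel, as the article states


def records_per_second(record_bytes, link_bps=CDC_BITS_PER_SECOND):
    """How many fixed-size records a dedicated link can carry each second."""
    return link_bps // (record_bytes * 8)


def simulate(timeline, record_bytes, link_bps=CDC_BITS_PER_SECOND, queue_depth=0):
    """Push per-second batches of records down a fixed-rate link.

    timeline:    list of seconds; each second is a list of (source, n_records)
                 in arrival order, e.g. [("attacker", 100), ("target", 2)].
    queue_depth: records that may be held over to later seconds. 0 models the
                 behaviour the article attributes to the J-standard: no
                 queueing, so anything beyond capacity in a second is lost.
    Returns (delivered, lost): Counters of records per source.
    """
    capacity = records_per_second(record_bytes, link_bps)
    delivered, lost = Counter(), Counter()
    queue = deque()  # sources of records waiting for a slot (oldest first)
    for second in timeline:
        slots = capacity
        # Carried-over records get first claim on this second's slots.
        while queue and slots:
            delivered[queue.popleft()] += 1
            slots -= 1
        for source, n in second:
            sent = min(n, slots)
            delivered[source] += sent
            slots -= sent
            overflow = n - sent
            held = min(overflow, queue_depth - len(queue))
            queue.extend([source] * held)
            lost[source] += overflow - held
    return delivered, lost


def flood_scenario(attacker_records_per_second, seconds=10, record_bytes=100,
                   link_bps=CDC_BITS_PER_SECOND, queue_depth=0):
    """Sustained flood: the attacker's burst lands before the target's own
    two records every second (the attacker controls timing, the target does
    not). Constructed input, not measured traffic."""
    timeline = [[("attacker", attacker_records_per_second), ("target", 2)]
                for _ in range(seconds)]
    return simulate(timeline, record_bytes, link_bps, queue_depth)


def burst_scenario(queue_depth, record_bytes=100, link_bps=CDC_BITS_PER_SECOND):
    """One-second burst of 150 attacker records, then three quiet seconds in
    which only the target's two records per second arrive."""
    timeline = [[("attacker", 150), ("target", 2)]] + [[("target", 2)]] * 3
    return simulate(timeline, record_bytes, link_bps, queue_depth)


if __name__ == "__main__":
    print("capacity at 100 B/record:", records_per_second(100), "records/s")
    for label, (d, l) in [
        ("flood, no queue", flood_scenario(100)),
        ("flood, link doubled", flood_scenario(100, link_bps=128_000)),
        ("burst, no queue", burst_scenario(0)),
        ("burst, 100-record queue", burst_scenario(100)),
    ]:
        print(f"{label:24} target delivered={d['target']} lost={l['target']}"
              f"  attacker lost={l['attacker']}")
```

With these assumed parameters the link carries 80 records a second, so a flood of 100 attacker records a second delivers none of the target's records at all; doubling the link fixes that particular flood, but the attacker only has to double their rate. A queue rescues every record in the one-second burst case and nothing in the sustained case, which is the point the authors make about stopgaps.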

More sophisticated attacks are also possible. For example, the J protocol calls for call recording to be terminated once a particular tone is registered on the line. The standard assumes that tone will only ever be generated by the carrier's own equipment, but the monitoring gear has no way to tell where a tone actually came from. As a result, a person being monitored could simply play the tone over their phone; the monitoring equipment should hang up, while the call itself would continue.

The authors were also able to craft a variety of IP packets that would interfere with monitoring. These include false datestamp information—which would inject irrelevant packets into the middle of a conversation—and eliminating the directionality information used by packets in some CDMA cellular systems. They also built packets that would be routed part of the way to the end user, but never reach them; these would be seen by the tap, but not interfere with the phone conversation.

All told, the authors come up with six attack scenarios that they consider practical, in that they could be carried out with readily available equipment. In fact, they tested a number of them using a laptop tethered to a CDMA phone (in one case, causing Sprint to throttle back their bandwidth).

They also suggest a number of stopgap measures that could be used to help avert some of their own scenarios, such as providing law enforcement with greater bandwidth. Still, it's clear that they think the J standard is due for a complete rewrite, as they suggest it was the product of compromise among law enforcement, hardware makers, and telcos, and a product of simpler telecommunications times.