Wiretapping and datatapping are both easy – if you’re the phone company

Posted on September 23, 2007


Tapping your phone is frighteningly easy these days. So is tapping your Internet data stream. A while back, I wrote an essay over on The Daedalnexus titled “Telephony 101 – aka wiretapping is easy if you’re the phone company.” I’ve decided to repost it here with a few updates in light of Martin’s post (and comments) today about how telecommunications companies are requesting immunity from prosecution for their parts in the illegal warrantless wiretapping program that Bush II ran.

The gist of it? If you use a phone or the Internet, you can be wiretapped and datatapped with just a few keystrokes from a technician located hundreds or thousands of miles from you, and all that protects you from that is network security and, at one point, a warrant.

Today [5/19/2006], NPR’s All Things Considered interviewed Carol Wilson, editor-at-large for Telephony Magazine. Ms. Wilson generally did a passable job of explaining, in non-technical terms, how the phone network works. But something that she said at the end of the interview would have left an impression in most people’s minds that is just plain wrong. So I emailed NPR the following clarification letter, quoted below.

Toward the end of today’s interview of Carol Wilson, Editor at Large for Telephony Magazine, Melissa Block asked how the phone company performed wiretapping. Ms. Wilson responded that collecting the content of the phone call was “dramatically different” and “a whole different technology” that was “implemented in a very different way” from how phone calls are logged for billing purposes. While this is true, the emphasis Ms. Wilson put on her statement implied that wiretapping was technically difficult to perform. As someone who designed telephony electronics for 6 years, I can say that is not the case.

The very same system that sets up a phone call from New York to Los Angeles can just as easily be set up to transmit the content to one, two, or a dozen different phone numbers simultaneously. And because such wiretapping is performed by the phone company itself, there is no way to detect that the phone call was being listened to and/or recorded by the police, FBI, or NSA. As Ms. Wilson says, such wiretapping is only supposed to be done under authority of a court order, but technologically, the only thing preventing the NSA, or a hacker even, from listening in on any conversation is the phone company’s network security.

Now, since I actually wanted my letter to be read on the air, I intentionally kept the detail to a minimum. But to understand how your phone, and your data, can be easily tapped, I wanted to explain in significantly more detail how the telephone network functions.

When you pick up your phone, your phone sends a signal to a piece of electronics known as “access equipment.” Access equipment does exactly what you’d think – it provides you access to the telephone network via line cards that are designed to ring your phone, detect when you pick up the receiver, convert the incoming voice data (we’ll come back to this one in a minute) from digital into analog signals that the phone’s speaker converts into sound, and convert the analog signal created by the voice microphone into outgoing digital data. The access equipment has to be located within a few miles at most of the phones it services, so most neighborhoods have large boxes with fans that house the electronics to serve the neighborhood. Apartment complexes or high-rise condos will have “wiring closets” where the access equipment is located.

Most access equipment communicates to the main telephone network switch over a DS1 or T1 (T1 is the actual cabling while DS1 is the signaling protocol used over the T1 cable). DS1s can carry up to 24 independent telephone connections simultaneously, and each connection is composed of 64 kbps voice data. With a little overhead added to make sure the electronics stay synchronized to the network switch, the total bit rate of the T1 is 1.544 Mbps, going in both directions at the same time (aka “full duplex”). Given that 24 isn’t a really big number any more, most neighborhoods will be serviced by either multiple T1s or, just as likely, a DS3 or T3. DS3 aggregates 28 DS1s for a total of 672 phone lines at 44.736 MHz and uses coaxial cable instead of unshielded twisted pair cable, which is very similar to Ethernet cable.

Moving further up the telephony hierarchy, we come to the network switch. It’s designed to switch thousands or tens of thousands of phone calls simultaneously. It does this with what’s called a “time slot interchanger (TSI).” Remember how I said that each DS1 had 24 channels? Each channel is called a “time slot” (for those of you with a technical background, the protocol is known as time-domain multiplexing), and a TSI moves the voice data from one time slot to another time slot. When combined with a “crossbar switch” that connects any one of hundreds of incoming DS1s to any other outgoing DS1, the TSI connects your phone call through the network switch on its way from you to whomever you’re calling. Switches know which DS1 to connect to by storing information about where each DS1 is going physically (DS1 #376-390 might go to Kansas City, for example). [NOTE: Large switches often input DS3s or even larger optical links known as OC-12, OC-48, or OC-192 instead of DS1s. However, for this discussion, we’re interested in what happens on a DS1 level.]

As Ms. Wilson said, the network switch (also known as a “central office switch”) is responsible for setting up a link into the long-distance provider’s billing network. As you dial the phone number, that number is sent to the billing computers and they keep track of the duration of the call, the number calling, and the called number. This determines who gets the bill and for how much, and the system is roughly equivalent for land lines and for cellular phones. The billing network is just complex enough to ensure that the phone companies bill the right people, so its technology is pretty wimpy. Nowhere near powerful enough to tap into the content of the phone conversation itself.

But the network switch in the central office (CO) is more than capable of being configured to wiretap a phone conversation. Once the phone conversation is in digital format (which happens at the access equipment), it’s just as easy to copy the phone conversation as it is to copy a song in MP3 format. CO switches can be configured remotely by the phone company to copy the digital phone conversation to multiple time slots on multiple DS1s – all it takes is a few keystrokes by a configuration technician sitting in an office building somewhere. This means that the 64 kbps voice data you’re creating as you talk into your phone can be copied to your local police department, FBI headquarters, the local NSA listening post, and the cell phones in the surveillance van up the street simultaneously and without you ever noticing. Literally, any phone conversation can be copied and transmitted to any other phone number on the planet, and because it’s been tapped by the phone company and in digital format, there won’t be any tell-tale clicks (like you used to hear when your younger sibling picked up the phone to eavesdrop on your phone calls) to reveal that the phone has been tapped. It’s just a few more keystrokes on that configuration computer to make sure that the outgoing links from the wiretapping agents go to each other instead of to the tapped parties.
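
The time slot interchange and the one-to-many copy described above, as an added example that is not part of the original post: a toy Python model showing that a copied slot leaves both parties' frames unchanged, so the only place the copy is visible is the switch's connection map, which is where an operator's audit has to look. All function names, the sample call and the 0xFF idle code are assumptions of this model, not any real switch's interface.

```python
# Toy model of a time slot interchanger (TSI); added illustration, names hypothetical.
from collections import defaultdict

SLOTS_PER_DS1 = 24      # channels per DS1 (from the post)
BITS_PER_SLOT = 8       # one 8-bit voice sample per slot per frame
FRAMES_PER_SEC = 8000   # 8 bits * 8000 frames/s = 64 kbps per channel
FRAMING_BITS = 1        # the "little overhead" that keeps both ends synchronized


def ds1_bit_rate():
    """Line rate of one DS1 in bits per second."""
    return (SLOTS_PER_DS1 * BITS_PER_SLOT + FRAMING_BITS) * FRAMES_PER_SEC


def switch_frame(frames_in, conn_map):
    """Build outgoing frames: each (out_ds1, out_slot) reads one (in_ds1, in_slot).

    frames_in: {ds1_id: list of 24 sample bytes}
    conn_map:  {(out_ds1, out_slot): (in_ds1, in_slot)}
    Unconnected output slots carry 0xFF (idle value assumed for this model).
    """
    out = defaultdict(lambda: [0xFF] * SLOTS_PER_DS1)
    for (out_ds1, out_slot), (in_ds1, in_slot) in conn_map.items():
        out[out_ds1][out_slot] = frames_in[in_ds1][in_slot]
    return dict(out)


def audit_fanout(conn_map):
    """Return {input: [outputs]} for every input slot feeding more than one output."""
    readers = defaultdict(list)
    for dst, src in conn_map.items():
        readers[src].append(dst)
    return {src: sorted(dsts) for src, dsts in readers.items() if len(dsts) > 1}


# Constructed sample data: caller on DS1 1 slot 5, callee on DS1 376 slot 2.
SAMPLE_FRAMES = {1: list(range(24)), 376: list(range(100, 124))}
NORMAL_CALL = {(376, 2): (1, 5), (1, 5): (376, 2)}
# The same call with the caller's slot also copied to DS1 900 slot 0.
COPIED_CALL = {**NORMAL_CALL, (900, 0): (1, 5)}

if __name__ == "__main__":
    print("DS1 line rate:", ds1_bit_rate(), "bps")
    print("fan-out in normal map:", audit_fanout(NORMAL_CALL))
    print("fan-out in copied map:", audit_fanout(COPIED_CALL))
```

Each fan-out entry the audit returns is something to reconcile against the court orders on file; nothing in the frames delivered to either party distinguishes the two maps.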

As Ms. Wilson said in her interview, it’s a totally different technology, but contrary to what she implied, it’s a matter of a simple set of commands transmitted by a telephone technician. Sure, it’s supposed to be done only under a court order, but it’s so simple to do that a hacker or disgruntled employee could do it without any trouble at all. CO switches do, however, have lots of network security built into them to prevent hackers from doing exactly what I just described, but a national security letter from the Bush Administration gets around all that security pretty fast, and shazam! you’ve got yourself warrantless wiretapping.

Obviously, if you use a modem to connect to the Internet, it’s as simple as copying the data stream in the same way. But more and more people are connecting to the Internet via DSL and cable modem. Unfortunately, both are just as easily tapped as your phone lines are.

First, let’s talk DSL. DSL is usually installed by telephone companies, and they use the same DS1/DS3/OC-N network I just described. The difference is that the Internet optical backbone links are usually not run through standard network switches; they’re run through Cisco routers. When I worked in telecommunications, our access equipment was being built with a remotely-configurable software router installed as well, and multiple time slots in the DS1s going into the equipment were allocated to the router data stream. Which means that the access equipment or the central office has a big, remotely configurable router that pulls the data out of the voice stream and into the Internet backbone. But because that router is remotely configurable (remote configuration saves the telecomm companies huge amounts of money – and simultaneously makes it easier to wiretap their customers), the data can be shunted to multiple locations just as easily as a phone conversation.

Cable modem-linked Internet is pretty similar except that the cable modem connects via a shared cable medium that runs encrypted IP data from the cable “head end” (roughly equivalent to the central office). However, most head ends receive their video data via uni-directional downlink satellites – they cannot transmit Internet data back up to the satellite even if they wanted to. So cable head ends are tied into the same Internet backbone optical links that the telephony central offices are, and generally via the same types of large data routers. Not only that, but since the cable companies usually lease their links to the backbone switches from companies like Sprint, Verizon, AT&T, etc. instead of owning their own optical fiber, people desiring to tap your data don’t even have to contact the cable company – it’s one stop shopping for wiretaps at the metropolitan central office run by your local phone company.

And don’t think that using voice over IP saves you in any way – your phone call is still going through a central office. About the only thing VoIP buys you is the option for encryption – but if you think the NSA or FBI can’t decrypt your conversation, I’ve got a bridge in Alaska to sell you.
