top | item 45076034

(no title)

dvno42|6 months ago

So what was the actual point of compromise? Was it a CALEA supporting software vendor? My guess is a common MD (Mediator device) vendor was targeted that was used by many carriers but that's speculation on my part.

Context for others: there's a small number of software vendors that make these MD devices, which handle initiating a capture of a flow (a wiretapping request) and managing the chain of custody for a pcap. MDs usually send an SNMP poll to a router/switch to start an (R)SPAN port, and the MD device slurps up all the data and saves it.

Anyway, what I'm curious about is if it's the MDs that were taken over and if it was one manufacturer, but I'm not seeing much technical info in all these reports.

Here's some context for "LI" for those interested: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9...


michael1999|6 months ago

The simple answer is that CALEA requires all traffic to be effectively in plain text. Once you impose that constraint, any decent router exploit gives you everything.

aftbit|6 months ago

Most protocols that I use day-to-day are secure against simple passive interception. Either SSH or TLS encrypts just about every packet that leaves my network. This got much better with DNS over HTTPS (or TLS before that). Of course, these protocols are sometimes susceptible to downgrade attacks, man-in-the-middle compromises, etc., but none of that would be available to someone who was running a pcap without modifying the traffic streams.

So how would a simple MD attack affect me? Any sort of CALEA attack on a higher protocol layer (e.g. compromising Gmail at Google instead of capturing their traffic) would make sense, but not a pcap.

michael1999|6 months ago

That’s what makes CALEA so toxic. Any covered comms must be effectively-plain-text, or it doesn’t work. Once you impose a plain-text architecture, a mass-breach is inevitable.

dvno42|6 months ago

Definitely, I would hope these kinds of systems become less useful with more encryption. I imagine these kinds of collections I mentioned above are just one of many angles used in an investigation, with this particular angle being for correlation and supporting evidence against a request to bookface, cloudflare, etc.

Edit: these network devices probably also carry VoIP/voice trunks from enterprises and possibly carriers such as VZW. No telling if those are encrypted or not. If China is able to tap that using these CALEA systems, I could see how that would be a big deal for stealing IP/secrets.

shrubble|6 months ago

As far as I know, all telecommunications companies in the USA do not encrypt phone calls in the core of their networks; they may have TLS to/from the customers to the SBC (session border controller, a firewall/terminating point for customers), but once it’s past that point, it’s all sent in the clear.

esseph|6 months ago

SMS TOTP

Header decryption data (protocol, source, target)

Any phone calls

Etc.

EE84M3i|6 months ago

I thought this campaign targeted telephony networks (SMS, voice), not IP networks?

esseph|6 months ago

No, ISPs, many (most) of which are traditional telcos.