Datatapping a Modern Modem Connection

8 October 1999

Date: Wed, 6 Oct 1999 23:32:55 -0400
From: Dave Emery <die@die.com>
To: "John A. Limpert" <johnl@radix.net>
Cc: Greg Broiles <gbroiles@netbox.com>,
Marcel Popescu <mdpopescu@geocities.com>, cypherpunks@cyberpass.net
Subject: Re: Unplugged! The biggest hack in history

On Mon, Oct 04, 1999 at 05:08:49AM -0400, John A. Limpert wrote:

> I've wondered how they wiretap a line with a pair of modern high speed
> modems. After reading the V.34 standard, it would seem to be very difficult
> to separate the two signals. It is hard enough when you have one of the
> transmitted signals. One possibility would be to tap both ends of the
> connection, record and compare the two signals. Maybe the trellis coding
> rules could be used to track and strip one of the signals.

The trick is to get some kind of directional access to the phone line. A tap which merely samples voltage across the pair of wires will yield an admixture of the two directions of transmission that is very hard to separate out. If one can also sample current flowing through the wires at the same time, one can isolate out one direction from the other with enough directivity to be able to demodulate the stronger of the two signals, especially if it is sending the idle LAPM flags pattern. Once one has trained on the stronger signal it becomes possible to exactly predict what it should be going into the wire and figure out the impulse response of the line between the stronger modem and the monitoring point. With this, it becomes possible to very precisely predict the contribution of the stronger modem to the composite signal and subtract it out, yielding the weaker signal.

I suspect that the reason the FBI used a nearby warehouse for their interception rather than just running a line to the local FBI office was precisely because they needed to access the current flowing down the wire by interposing their tap in line with the cable between the hacker's house and the CO. The same effect can be gotten by taking advantage of the hybrid on the line card of the CO switch and getting the switch to ship both directions of the line audio to the FBI office in digital format, but this probably requires the CALEA modifications to the switch which might not have been in place that long ago.

All of this means that datatapping a modern modem connection requires very good fidelity access to the phone wires carrying the signal or to the streams of 8 bit u-law encoded digital samples flowing in both directions in the switch and/or the telco network. Neither of these kinds of access is as simple as the standard kinds of access used for traditional legal and illegal voice wiretaps - an aligator clip tap and cheap cassette recorder just don't cut it.

On the other hand, given modern PC CPU floating point speeds, it should be possible to do the entire blind demodulation and protocol decoding on a fast off the shelf PC with a really good sound card. $70,000 isn't needed - it is all software and some very cheap hardware to measure current in the line as well as voltage.

One thing to remember is that modern modems use a derivitive of X.25 layer II protocol called LAPM and actually do retransmits on errored packets detected by the CRC-16 checksums so a monitoring protocol analyzer would have to deal with errors in *its* reception and errors in the communicating modems reception in order to reconstruct some approximation of the PPP or whatever ASCII stream that was flowing.

What is actually modulating the modem carrier is a scrambling sequence (for randomization, not security) generated by a shift register sequence with HDLC framed LAPM packets riding on top. The user data is encapulated in those packets along with signalling in the headers that allows error detection and retransmission and passing out of band information to control the connection and handle negotiation of line parameters.

Dave Emery N1PRE, die@die.com DIE Consulting, Weston, Mass.
PGP fingerprint = 2047/4D7B08D1 DE 6E E1 CC 1F 1D 96 E2 5D 27 BD B0 24 88 C3 18

From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: cypherpunks@cyberpass.net
Subject: Re: Unplugged! The biggest hack in history
Date: Wed, 6 Oct 1999 05:55:56 (NZDT)

Vin McLellan <vin@shore.net> writes:

>>The Wall Street Journal reported:
>>>In early December 1994, Morris's "analog data-intercept device" finally
>>>arrived from the FBI's engineering department. It was a $70,000
>>>prototype that Morris calls "the magic box."

>Marcel Popescu wrote:

>>Er... someone please explain me, I'm lost here - is this a $70,000
>>MODEM?!?!?

>I think this is one of those wonderful confusions that occur when someone
>is trying to keep methods and technique secret.

Blind demodulation is hardly a secret. Why spend $70K when you can buy off-the-shelf hardware to do the same thing (for example

http://www.appsig.com/prods/m1520.html

with

http://www.appsig.com/prods/data.html

http://www.appsig.com/prods/elvira.html).

Peter.

Date: Thu, 07 Oct 1999 00:07:54 -0700
From: Lucky Green <shamrock@cypherpunks.to>
To: "John A. Limpert" <johnl@radix.net>,
Sean Roach <roach_s@mail.intplsrv.net>, cypherpunks@Algebra.COM
Subject: RE: Unplugged! The biggest hack in history

I am just catching the tail end of this thread, but why in the world would somebody in LE pay for a custom-built device to perform blind demod when you can buy off-the-shelf devices that perform blind demod on V.90 connections from Applied Signal?

--Lucky Green <shamrock@cypherpunks.to>