From: “Dave Emery” <die@pig.die.com>
To: dm@amsterdam.lcs.mit.edu (David Mazieres)
Message Hash: 4049647609fd668c527936865f0220cbb850f67c71b838c5846c50887b3e636f
Message ID: <9601250411.AA16294@pig.die.com>
Reply To: <199601250030.TAA15203@amsterdam.lcs.mit.edu>
UTC Datetime: 1996-01-25 06:53:48 UTC
Raw Date: Thu, 25 Jan 1996 14:53:48 +0800
From: "Dave Emery" <die@pig.die.com>
Date: Thu, 25 Jan 1996 14:53:48 +0800
To: dm@amsterdam.lcs.mit.edu (David Mazieres)
Subject: Re: German home banking (fromn RISKS)
In-Reply-To: <199601250030.TAA15203@amsterdam.lcs.mit.edu>
Message-ID: <9601250411.AA16294@pig.die.com>
MIME-Version: 1.0
Content-Type: text/plain
>
> Was the person in the basement eavesdroping or actuall performing a
> man-in-the-middle attack?
>
Very much the easiest way of doing this is a classic man in the
middle attack with two vanilla off the shelf modems and a vanilla off
the shelf central office simulator. The modems would be tied more or
less back to back through two serial ports and software on a laptop in
the basement, one modem connected to the actual phone line to the central
office and the other connected to the local wires to the targets home
through the central office simulator. This way all traffic in both
directions would go through the modems and software on the laptop
allowing the connection to be taken over cleanly between packets, and
packets to be injected and deleted as needed. I beleive that it would
not be hard to make such a MITM decode the DTMF dialing from the target
and dial the same number on its outgoing modem thus enabling the
MITM to passively relay modem calls it wasn't interested in spoofing.
And incoming modem calls could be similarly handled.
While I might hasten to add that my interest is entirely
academic and I've never tried configuring such a thing, I'm quite sure
that standard off the shelf consumer modems and cheap and widely
available central office simulators could be configured to set up such a
MITM without requiring any special hardware, hardware modifications, or
modified modem firmware, or special programming expertise beyond that
required to operate modems through a serial port, And obviously the
cost of such a thing might well be kept under $1000 and perhaps under
$500 compared to the multiple tens or hundreds of thousands that the
specialized modem and protocol analyzer test equipment that can do this
sort of thing costs.
A slightly more realistic version with a sound card and some
simple coupling transformers available at Radio Shack (or free from an
old junk modem) would allow full simulation/cutover of the call progress tones
and wrong number announcements and so forth and might make such a device
rather difficult to detect for a casual non technical modem user.
While this is not 100% off the shelf hardware, the technical skills required
are rather low.
> Don't high speed modems transmit and receive on the same frequencies,
> using echo cancelation to decode the receive signals? Does that make
> it impossible to eavesdrop on high-speed (i.e. V32bis) modems?
That has been widely reported. In fact given a four wire
(directional) tap this is probably not true in many cases, in that
the inherent directionality (echo return loss) of the line gives enough
separation between the data going in one direction and the data going
in the other for successful separation. This is further enhanced by
the generally true fact that the line is idle in at least one direction
for most of the time, and the pattern of date transmitted on an
idle line under LAPM is predictable and can be subtracted out even if
the actual SNR is not good enough to reliably demodulate it.
As far as I know, the firmware to allow passive monitoring of V.32 and
V.34 data is not part of any standard modem firmware, but many
modems can passively monitor the lower speed transmissions.
>
> David
>
Dave Emery
die@die.com
Return to January 1996
Return to “stevenw@best.com (Steven Weller)”