My talk at the upcoming Blackhat DC conference
Posted by Tom Cross on January 14, 2010 at 6:59 PM EST.
I'm giving a talk at Blackhat DC the first week of February and I thought I’d explain a bit about what I plan to cover. Many network equipment manufacturers have incorporated interfaces into Internet routers and switches that are designed to facilitate legally authorized wiretapping by law enforcement. If these interfaces are not well-protected there is a risk that they could be hijacked by third parties and used to perform surveillance without authorization. Because of this risk, the security of lawful intercept systems is of obvious public interest.
Cisco has published the core architecture of its lawful intercept technology in an Internet Draft and a number of public configuration guides. This is good for two reasons. First, it enables the general public to see and understand how wiretapping is performed with Cisco routers. Second, it allows the security community to peer-review their approach to protecting this interface from attack.
That peer-review is the basic purpose of my Blackhat talk and the associated paper. I plan to review Cisco’s architecture for lawful intercept and explain the approach a bad guy would take to getting access without authorization. I’ll identify several aspects of the design and implementation of the Lawful Intercept (LI) and Simple Network Management Protocol Version 3 (SNMPv3) protocols that can be exploited to gain access to the interface, and provide recommendations for mitigating those vulnerabilities in design, implementation, and deployment.
There is a lot of discussion going on right now in policy circles about different approaches for ensuring the security and resiliency of various kinds of critical infrastructure. The public certainly has an interest in knowing that systems like electronic voting machines and lawful intercept interfaces are properly protected. I think a consensus exists within the security community that one of the best ways to improve security is through peer review of architectures and implementations.
Cisco did the right thing when they decided to publish their architecture for lawful intercept so that we can study it and peer-review it. Although I identify some weaknesses in my talk, at the end of the day, we can have greater confidence in Cisco’s approach because it’s a known quantity and because it has had the benefit of analysis like this. There is a lot of technology out there that the public depends on that is more difficult to peer-review, and those shadows are where our greatest vulnerabilities lie.