Penetration Testing mailing list archives

Re: [PEN-TEST] OT - How secure is an ISDN line?


From: Dragos Ruiu <dr () KYX NET>
Date: Tue, 14 Nov 2000 23:06:30 -0800

Uhm... the answer is ... it's very easy to tap an ISDN phone line.
The equipment _used_ to be expensive. Look up an HP PT500,
PT502 (I managed this product for a brief period at the very
beginning of its life) or PT300 or PT302. Manufactured in
Edmonton, AB.  I believe the product was obsoleted a while
back, but I saw old ones for sale in Akihabara a few years
back :-). Complete man-in-the-middle Q.93x switch emulation
was one of the standard demo scripts coded in Forth as I
recall.  Fancier versions of the scripts were products. And
they were able to extract the B channels off PRI/BRI to
either analog, or digital serial, or record them to disk.

Many pieces of equipment exist to extract the B channel
to a POTS analog line. Getting a shadowing 56K modem is
then your problem. More likely easier to record digitally
and post-process in sw. I agree with the first poster, ISDN
is not more or less secure than the Plain Old Telephone System
(POTS).

cheers,
--dr

On Fri, 20 Oct 2000, Peter Van Epp wrote:

On Thu, Oct 19, 2000 at 03:38:40PM -0400, JLJ wrote:
ISDN is as secure as a phone call, no more or less.  If you can access the
wire anywhere along the route and have equipment you can snoop the line,
just like you can a phone call.  I don't really think it's safe to send much
of anything in the clear anymore...

I have to disagree on this. While you can plug a phone (with a few
simple adjustments, commonly called a beige box) into an analogue
phone line anywhere along the line, using either a lineman's handset
or a datatap (available from the many Exchange & Mart spy shops in the
UK), it was always my understanding that it was far more difficult
to intercept a digital connection rather than an analogue connection.
That said, as long as they are using a 56k connection it should be
pretty difficult to intercept anyway; of course you could slow the
connection down (by way of line noise enough to force it into a
much more intercept-friendly mode of non-error-correcting 4800/9600).

      I think you are discussing analog modems while the original poster was
discussing ISDN. If you can get the tap on the line I expect ISDN is the
easier of the pair to decode (at least with V.90 analog modems) since the data
is digital and non-encrypted (well, the modem isn't encrypted either, but see
below). That means if you can recover the clocking and data on the ISDN line
(which test sets will do) then you should be able to recover the data. Neither
this nor getting the appropriate access is trivial, but it is possible for
a determined attacker. As stated, end-to-end encryption is the best bet.
      The 56K modem case is hard because the DSP on either end is listening
to the incoming signal by subtracting its outgoing signal from the signal on
the line to recover the incoming data. As a man-in-the-middle attacker you
lack the information about what either modem is currently sending to know
what to subtract from the signal on the line to recover the other side. If
anyone knows of a test set to do this I'd be interested in a reference because
we are having 56K modem problems and would love to be able to tap a monitor
modem onto a B channel of a PRI when it isn't one of the participating modems.
I suspect such a thing isn't possible due to lack of information, but I'd
love to be wrong :-).

Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
--
Dragos Ruiu <dr () dursec com>   dursec.com ltd. / kyx.net - we're from the future
gpg/pgp key on file at wwwkeys.pgp.net
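The echo-cancellation point in the quoted message (why a mid-span monitor on a full-duplex 56K link sees a superposition it cannot resolve, while each endpoint can), as an added toy simulation that is not part of this thread: the additive two-wire line model and the symbol alphabets are assumptions of this constructed example, not a description of V.90 signalling.

```python
"""Toy model of an echo-cancelled full-duplex line (constructed example).
Each endpoint sees the sum of both transmitters and subtracts its own
symbols to recover the far end; a passive mid-span observer knows only
the sum and cannot always tell which pair of symbols produced it."""
import random


def line_signal(tx_a, tx_b):
    """Two-wire line carries the sum of both transmitters' symbols."""
    return [a + b for a, b in zip(tx_a, tx_b)]


def endpoint_recover(line, own_tx):
    """Echo cancellation: subtract what we sent to get what the far end sent."""
    return [s - o for s, o in zip(line, own_tx)]


def monitor_ambiguity(line, alphabet):
    """Count samples whose line value is consistent with more than one
    (a, b) symbol pair; an observer without either transmit stream cannot
    resolve these samples at all."""
    pairs_by_sum = {}
    for a in alphabet:
        for b in alphabet:
            pairs_by_sum.setdefault(a + b, set()).add((a, b))
    return sum(1 for s in line if len(pairs_by_sum[s]) > 1)


def simulate(n, alphabet, seed=0):
    """Random symbol streams from both ends; report whether each endpoint
    recovers the other and how many samples are ambiguous to a mid-span tap."""
    rng = random.Random(seed)
    tx_a = [rng.choice(alphabet) for _ in range(n)]
    tx_b = [rng.choice(alphabet) for _ in range(n)]
    line = line_signal(tx_a, tx_b)
    return {
        "a_recovers_b": endpoint_recover(line, tx_a) == tx_b,
        "b_recovers_a": endpoint_recover(line, tx_b) == tx_a,
        "ambiguous_samples": monitor_ambiguity(line, alphabet),
        "total": n,
    }


if __name__ == "__main__":
    # Binary symbols: every sample where the two ends differ sums to 0 and
    # is ambiguous to the observer; a 4-level alphabet is worse still.
    print(simulate(1000, (-1, 1)))
    print(simulate(1000, (-3, -1, 1, 3)))
```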
