die@hydra.UUCP (Dave Emery) (02/28/85)
An increasingly popular technique for protecting dial-in ports from the ravages of hackers and other more sinister system penetrators is dial back operation, wherein a legitimate user initiates a call to the system he desires to connect with, types in his user ID and perhaps a password, disconnects and waits for the system to call him back at a prearranged number. It is assumed that a penetrator will not be able to specify the dial back number (which is carefully protected), and so even if he is able to guess a user-name/password pair he cannot penetrate the system because he cannot do anything meaningful except type in a user-name and password when he is connected to the system. If he has a correct pair it is assumed the worst that could happen is a spurious call to some legitimate user which will do no harm and might even result in a security investigation.

Many installations depend on dial-back operation of modems for their principal protection against penetration via their dial up ports, on the incorrect presumption that there is no way a penetrator could get connected to the modem on the call back call unless he was able to tap directly into the line being called back. Alas, this assumption is not always true - compromises in the design of modems and the telephone network unfortunately make it all too possible for a clever penetrator to get connected to the call back call and fool the modem into thinking that it had in fact dialed the legitimate user. The problem areas are as follows:

Caller control central offices

Many older telephone central office switches implement caller control, in which the release of the connection from a calling telephone to a called telephone is exclusively controlled by the originating telephone. This means that if the penetrator simply failed to hang up a call to a modem on such a central office after he typed the legitimate user's user-name and password, the modem would be unable to hang up the connection. Almost all modems would simply go on-hook in this situation and not notice that the connection had not been broken. If the same line was used to dial out on as the call came in on, when the modem went to dial out to call the legitimate user back it might not notice (there is no standard way of doing so electrically) that the penetrator was still connected on the line. This means that the modem might attempt to dial and then wait for an answerback tone from the far end modem. If the penetrator was kind enough to supply the answerback tone from his modem after he heard the system modem dial, he could make a connection and penetrate the system. Of course some modems incorporate dial tone detectors and ringback detectors and in fact wait for dial tone before dialing, and ringback after dialing, but fooling those with a recording of dial tone (or a dial tone generator chip) should pose little problem.

Trying to call out on a ringing line

Some modems are dumb enough to pick up a ringing line and attempt to make a call out on it. This fact could be used by a system penetrator to break dial back security even on joint control or called party control central offices. A penetrator would merely have to dial in on the dial-out line (which would work even if it was a separate line, as long as the penetrator was able to obtain its number), just as the modem was about to dial out. The same technique of waiting for dialing to complete and then supplying answerback tone could be used - and of course the same technique of supplying dial tone to a modem which waited for it would work here too. Calling the dial-out line would work especially well in cases where the software controlling the modem either disabled auto-answer during the period between dial-in and dial-back (and thus allowed the line to ring with no action being taken) or allowed the modem to answer the line (auto-answer enabled) and paid no attention to whether the line was already connected when it tried to dial out on it.

The ring window

However, even carefully written software can be fooled by the ring window problem. Many central offices actually will connect an incoming call to a line if the line goes off hook just as the call comes in, without first having put the 20 Hz ringing voltage on the line to make it ring. The ring voltage in many telephone central offices is supplied asynchronously every 6 seconds to every line on which there is an incoming call that has not been answered, so if an incoming call reaches a line just an instant after the end of the ring period and the line clairvoyantly responds by going off hook, it may never see any ring voltage. This means that a modem that picks up the line to dial out just as our penetrator dials in may not see any ring voltage and may therefore have no way of knowing that it is connected to an incoming call rather than the call originating circuitry of the switch. And even if the switch always rings before connecting an incoming call, most modems have a window just as they are going off hook to originate a call when they will ignore transients (such as ringing voltage) on the assumption that they originate from the going-off-hook process.

[The author is aware that some central offices reverse battery (the polarity of the voltage on the line) in the answer condition to distinguish it from the originate condition, but as this is by no means universal few if any modems take advantage of the information so supplied.]

In Summary

It is thus impossible to say with any certainty that when a modem goes off hook and tries to dial out on a line which can accept incoming calls it really is connected to the switch and actually making an outgoing call. And because it is relatively easy for a system penetrator to fool the tone detecting circuitry in a modem into believing that it is seeing dial tone, ringback and so forth until he supplies answerback tone and connects and penetrates, system security should not depend on this sort of dial-back.

Some Recommendations

Dial back using the same line used to dial in is not very secure and cannot be made completely secure with conventional modems. Use of dithered (random) time delays between dial in and dial back, combined with allowing the modem to answer during the wait period (with provisions made for recognizing the fact that this wasn't the originated call - perhaps by checking to see if the modem is in originate or answer mode), will substantially reduce this window of vulnerability, but nothing can completely eliminate it. Obviously if one happens to be connected to an older caller control switch, using the same line for dial in and dial out isn't secure at all. It is easy to experimentally determine this, so it ought to be possible to avoid such situations.

Dial back using a separate line (or line and modem) for dialing out is much better, provided that either the dial out line is sterile (not readily traceable by a penetrator to the target system) or that it is a one way line that cannot accept incoming calls at all. Unfortunately the latter technique is far superior to the former in most organizations, as concealing the telephone number of dial out lines for long periods involves considerable risk. The author has not tried to order a dial out only telephone line, so he is unaware of what special charges might be made for this service or even if it is available.

A final word of warning

In years past it was possible to access telephone company test and verification trunks in some areas of the country by using MF tones from so called "blue boxes". These test trunks connect to special ports on telephone switches that allow a test connection to be made to a line that doesn't disconnect when the line hangs up. These test connections could be used to fool a dial out modem, even one on a dial out only line (since the telephone company needs a way to test it, they usually supply test connections to it even if the customer can't receive calls). Access to verification and test ports and trunks has been tightened (they are a kind of dial-a-wiretap, so it ought to be pretty difficult), but as in any system there is always the danger that someone, through stupidity or ignorance if not mendacity, will allow a system penetrator to use one long enough to do his damage.
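The following is an added worked model of the races Dave Emery describes above; it is not code from his article or from any modem vendor. It reduces a dial-back attempt to one question: when the modem goes off hook to call the user back, who is actually on the line? The central office behaviours (caller control, the ring window, the 6 second ring period), the attacker's moves (never hanging up, dialing the dial-out line just as the modem dials out, feeding it dial tone and answer tone) and the three countermeasures (dithered delay with auto-answer left on and the answer/originate mode checked, refusing to share a line on a caller control switch, a dial-out-only line) are taken from the article; the class names, the controller flags and the timing constants are assumptions made for the simulation.

```python
"""Toy model of the dial-back race (added example, not from the original posts)."""
import random
from dataclasses import dataclass
from typing import Optional


@dataclass
class CentralOffice:
    caller_control: bool   # only the calling phone can release a connection
    ring_window: bool      # may connect an incoming call up to one ring period
                           # (~6 s) before any ring voltage reaches the line


@dataclass
class Attacker:
    holds_call: bool            # never hangs up after typing name and password
    knows_dialout_number: bool  # can dial the line the modem calls out on
    dial_in_at: float           # seconds after login at which he dials it
    rings_for: float = 60.0     # how long he lets it ring if nobody answers


@dataclass
class Controller:
    fixed_delay: Optional[float] = 30.0   # naive: predictable pause before call-back
    dither: tuple = (10.0, 90.0)          # hardened: random pause drawn from this range
    answer_during_wait: bool = False      # auto-answer on; a call answered in answer
                                          # mode is by definition not the originated one
    refuse_caller_control: bool = False   # CO was tested; don't share the line on it
    dialout_only_line: bool = False       # separate line that cannot take incoming calls


RING_PERIOD = 6.0     # assumed: CO rings every line with an unanswered call every 6 s
OFFHOOK_BLIND = 0.5   # assumed: modem ignores ringing this long while going off hook


def dial_back(ctl, co, atk, rng=random):
    """One dial-back attempt.  Returns who the modem is connected to once it has
    'dialed': 'legit', 'attacker', 'refused' (controller would not dial at all) or
    'aborted' (controller found itself in answer mode and gave up).  Whenever the
    attacker is on the line we assume he plays dial tone, ringback and answer tone
    back at the modem, so every tone detector the modem has is satisfied."""
    if ctl.refuse_caller_control and co.caller_control:
        return "refused"
    if ctl.dialout_only_line:
        return "legit"            # nothing the attacker dials can reach this line
    # Caller control: the modem's on-hook does not clear the attacker's call, so
    # when the modem goes off hook again it is still talking to him.
    if co.caller_control and atk.holds_call:
        return "attacker"
    if not atk.knows_dialout_number:
        return "legit"
    delay = ctl.fixed_delay if ctl.fixed_delay is not None else rng.uniform(*ctl.dither)
    # Window in which an arriving call has not yet rung, or its ring is ignored.
    blind = RING_PERIOD if co.ring_window else OFFHOOK_BLIND
    if delay - blind <= atk.dial_in_at <= delay:
        return "attacker"         # off hook as the call lands: no ring ever seen
    if atk.dial_in_at < delay:    # call arrived earlier and did ring
        if ctl.answer_during_wait:
            return "aborted"      # modem answered it, so it is in answer mode
        if atk.dial_in_at + atk.rings_for >= delay:
            return "attacker"     # dumb modem picks up the still-ringing line to dial
    return "legit"                # attacker too late: line already off hook, he gets busy


def success_rate(ctl, co, atk, trials=2000, seed=1):
    """Fraction of attempts in which the attacker ends up on the call-back call."""
    rng = random.Random(seed)
    hits = sum(dial_back(ctl, co, atk, rng) == "attacker" for _ in range(trials))
    return hits / trials


NAIVE = Controller()
DITHERED = Controller(fixed_delay=None, answer_during_wait=True, refuse_caller_control=True)
ISOLATED = Controller(fixed_delay=None, answer_during_wait=True, dialout_only_line=True)

if __name__ == "__main__":
    old_co = CentralOffice(caller_control=True, ring_window=True)
    new_co = CentralOffice(caller_control=False, ring_window=True)
    holder = Attacker(holds_call=True, knows_dialout_number=False, dial_in_at=0.0)
    timer = Attacker(holds_call=False, knows_dialout_number=True, dial_in_at=30.0)
    for name, ctl in [("naive", NAIVE), ("dithered", DITHERED), ("dial-out-only", ISOLATED)]:
        print(f"{name:14s} old CO, held call: {dial_back(ctl, old_co, holder):9s}"
              f"  new CO, timed dial-in: {success_rate(ctl, new_co, timer):.2f}")
```

With a fixed 30 second delay the attacker who knows the dial-out number and dials at second 30 wins every time; with the delay dithered over 10 to 90 seconds he only wins when the draw happens to fall inside the ring window after his call lands (about 6 in 80 draws in this model), and every earlier call is answered in answer mode and aborts the dial-back. The residual rate is the point of the article's last recommendation: only a line that cannot take incoming calls at all drives it to zero.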
jmsellens@watmath.UUCP (John M Sellens) (03/01/85)
Dave Emery's article is very informative and raises a number of good points. If I may add my 2 cents' worth:

Perhaps part/all (although "all" would be too much to hope for) of the risk associated with the dial-out line can be alleviated in one of two ways.

1 - Always use a local line to call out. By this I mean an extension line on your internal PBX, and dial 9 for an outside line. The specific outside line would be harder (hopefully) for the cracker to determine, and perhaps PBXs are smarter at avoiding such line collisions.

2 - Use call forwarding on the outgoing line. Have all incoming calls on the outgoing line forwarded to the incoming line. This has the advantage that even small organizations can use it and it's simple.

Thanks Dave!

John
jcp@brl-tgr.ARPA (Joe Pistritto <jcp>) (03/01/85)
It occurs to me that a really good way to protect a dial-out line from an autodialer is to order the line as a conventional line with call forwarding, and to call forward the line to another modem. In this way, the call will automagically forward to a different modem, eliminating the possibility of hacking during the time window between dialing and call pickup.

-JCP-
jre@amdahl.UUCP (Joe Eykholt) (03/05/85)
> It occurs to me that a really good way to protect a dial-out
> line from an autodialer is to order the line as a conventional line
> with call forwarding, and to call forward the line to another modem.
> In this way, the call will automagically forward to a different modem,
> eliminating the possibility of hacking during the time window between
> dialing and call pickup.
>
> -JCP-

This sounds like a good solution. One possible way around this may be to call-forward another phone to the outgoing modem. I suspect that many exchanges will not call-forward a call that has already been forwarded once (to avoid forwarding forever).

To further clarify by example: We have three lines A, B, and C. Line A is the autodialer line that will be used to call out on. It is forwarded to line B, to avoid callers when it is trying to dial out. Line C is some phone in the attacker's control. The attacker forwards line C to line A, and then calls line C from yet another phone. The call is forwarded only from C to A, not from C to A to B.

--
Joe Eykholt
[Opinions expressed by me are not necessarily held by any other entity.]
dwl@hou4b.UUCP (D Levenson) (03/06/85)
Multiple-hop call forwarding IS permitted, at least it is in the local ESS / ESSX switches with which I have dealt here in NJ. What prevents endless forwarding in the case of circular forwarding is as follows: If line A forwards its incoming calls to line B, then A will appear busy to other incoming calls, for the duration of any call it has forwarded to B. In other words, if you dial A's number and the call is forwarded to B, then if you or anyone else dials A's number, a busy signal will be returned if your call to B via A is still in progress. A circular forward loop can only be established between telephones served by physically separate central offices. In this case, any call dialed to any member of the circular list will hunt once around and reach a busy signal!

Dave Levenson
ATT-IS, Holmdel
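The following is an added model of the forwarding behaviour argued over in the last three posts; it is not code from any of the posters and does not describe any particular switch. Two policies are parameterised: how many times one call may be forwarded (Joe Eykholt suspects once, Dave Levenson reports multiple hops), and Levenson's rule that a line appears busy to new callers while a call it has forwarded is still up. The line names A, B and C follow Eykholt's example; the class, method names and the per-line central office tags are assumptions made for the model.

```python
"""Toy model of call forwarding across the dial-out line (added example, not from the posts)."""


class ForwardingSwitch:
    """Forwarding table for a handful of lines, each tagged with the CO that serves it."""

    def __init__(self, max_hops):
        self.max_hops = max_hops        # 1 = Eykholt's suspicion, many = Levenson's ESS
        self.co_of = {}                 # line -> central office name
        self.forward_to = {}            # line -> line it forwards incoming calls to
        self.forwarding_now = set()     # lines that currently have a forwarded call up

    def add_line(self, line, co):
        self.co_of[line] = co

    def set_forwarding(self, line, target):
        """Install a forward.  Levenson: a loop can only be set up between lines on
        physically separate COs, so a loop confined to one CO is refused."""
        seen, cur = [line], target
        while cur in self.forward_to and cur not in seen:
            seen.append(cur)
            cur = self.forward_to[cur]
        if cur == line and len({self.co_of[l] for l in seen}) == 1:
            raise ValueError(f"circular forward within one CO refused: {seen + [line]}")
        self.forward_to[line] = target

    def place_call(self, dialed):
        """Follow the forwards for a new call.  Returns (line that rings or 'busy', path).
        A line that already has a forwarded call in progress is busy to new callers,
        which is what stops a cross-CO loop after one trip around."""
        path, line, hops = [dialed], dialed, 0
        while line in self.forward_to and hops < self.max_hops:
            if line in self.forwarding_now:
                return "busy", path
            self.forwarding_now.add(line)
            line = self.forward_to[line]
            path.append(line)
            hops += 1
        if line in self.forwarding_now:
            return "busy", path
        return line, path

    def release(self, path):
        """Callers hung up: the lines along the path stop appearing busy."""
        for line in path:
            self.forwarding_now.discard(line)


def attacker_reaches_modem(max_hops):
    """Eykholt's scenario: A (modem dial-out line) forwards to B; the attacker
    forwards his own line C to A and then dials C.  Which line rings?"""
    sw = ForwardingSwitch(max_hops)
    for line, co in [("A", "co1"), ("B", "co1"), ("C", "co2")]:
        sw.add_line(line, co)
    sw.set_forwarding("A", "B")
    sw.set_forwarding("C", "A")
    rings, path = sw.place_call("C")
    return rings, path


def circular_loop_outcome():
    """Levenson's cross-CO loop: A (co1) -> B (co2) -> A.  The call hunts once
    around and meets A, which is already busy with the call it forwarded."""
    sw = ForwardingSwitch(max_hops=10)
    sw.add_line("A", "co1")
    sw.add_line("B", "co2")
    sw.set_forwarding("A", "B")
    sw.set_forwarding("B", "A")
    return sw.place_call("A")


if __name__ == "__main__":
    print("single-hop switch, attacker dials C:", attacker_reaches_modem(1))
    print("multi-hop switch, attacker dials C: ", attacker_reaches_modem(10))
    print("cross-CO circular forward, dial A:  ", circular_loop_outcome())
```

Under the single-hop policy the attacker's call stops at A, the modem line, and the forward meant to keep callers away from it has been bypassed exactly as Eykholt feared; under the multi-hop policy the same call continues on to B. The model also reproduces Levenson's two observations: a second call to A while the first forwarded call is still up gets busy, and a loop between two COs is walked once and then hits busy at the line that started it.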