ROYA SKNS, AA1

t

ONTEPRVC POLM

Aulh4w to S C 01**s

BEST CIT

AVAILABLE COPY AUO I iB ~~~

4100,;REMFHNIT EXECUTIVE, asamany or otc-rENcE - ~

D47* 1

RSUMIr=

ROYAL SIGNALS AND RADAR ESTABLISHMENT

Report 88006

Title: ON THE PRIVACY PROBLEMS INVOLVED IN ALLOWING ACCESSTO COMPUTERS VIA THE PUBLIC TELEPHONE SYSTEM

Author: S C Giess

Date: April 1988

SUMMARY

This report discusses some privacy problems involved inallowing access to computers over the Public SwitchedTelephone Network (PSTN).

The relevant aspects of current land-line PSTN and cellularradio operations are described and the weaknesses of theaccess controls of current computer systems are discussed.Possible solutions that would allow access under a limitedset of conditions are described.

Acoessiom For

DTIC US Lo Unannmod4

Copyr igh .ustileaUnC

Controller HMSO London1988 Distribution/

Availability CodesAvaff1 and/orDist Special

1[/

Contents

i Introduction

2 Public Switched Telephone Network

3 Evesdropping and radio links in thecommunications chain

4 Modems and their operation

5 Current methods of access control

6 Possible courses of action

7 Are all the techniques always applicable?

8 Conclusions

Reference

ii

1 Introduction

The increasing use of computers for data transfer andmanipulation has lead to a desire for greater access to theservices provided on central computers from remote points. Abig stimulus has come from the widescale use of personalcomputers for word processing, electronic mail and theinteractive database systems such as Prestel. Communicationsbetween the central systems and personal computers areusually carried out by means of interface devices calledmodems. These are attached to the computers at both ends anduse the Public Switched Telephone Network (PSTN) to conveythe data.

This use of the PSTN for remote access is flexible but it canentail certain risks. In particular, ANYBODY who knows thetelephone number of a computer service can attempt to accessit using a modem even if unauthorised to do so. This has leadto the rise of the "hacker" phenomenon; people trying toaccess computers they should not, usually treating the mattermore as a challenge than anything else. These people wouldmerely be a nuisance if that was all that they tried to do.However there are some whose actions, whether by design or byaccident, seriously compromise both computer systems and thedata held on them.

Commercial and University organisations often acquiesce,albeit reluctantly, to this state of affairs. Clearly thespecial role of Government and its institutions imposes agreater need to protect the integrity of its computer-baseddata systems. One way to achieve this protection would be toforbid the accessing of Government data over PSTNconnections. Such an approach may be over restrictive asordinary telephone calls concerning Government matters arepermitted, subject to the usual restrictions on content. Itis therefore reasonable to see whether a suitable form ofaccess control can be devised which would allow authorisedcomputerised access, over the PSTN, to Government data thatconformed to the same restrictions. This would allowGovernment institutions to take full advantage of theprogress in these aspects of Information Technology.

This paper discusses those possible methods of access controlwhich are appropriate for modem connected users of computersystems which carry only UNCLASSIFIED data. The needs ofsecure computing are not dealt with here.

This study was initiated with the goal of developing a systemfor use at RSRE which would allow appropriate off-site accessto those computers linked to the RSRE Data Network. This is adistributed communications system provided by the NetworkServices section of the Central Information Services

-_ - - . -- - . n m m mmum~mn m l m N N en

1

Division. However the issues raised during the study are, ingeneral, applicable to other organisations.

First, as an aid to understanding the problems involved, theoperation of the present land-line PSTN is considered. Thenthe implications of the rapidly increasing use of thecellular radio telephone links are examined, and an outlinegiven of the operation of modems. Next the current accesscontrol methods used on central computer systems areconsidered along with the ways hackers exploit theweaknesses of all these links in the data transfer chain.7inally, possible solutions to the problem are suggested asthe basis for an experimental investigation at RSRE. Theseare reported elsewhere [11.

2 Public Switched Telephone Network

How easy is it to intercept and impersonate calls on theBritish Telecom (BT) or Mercury telephone systems ? Most ofthe telephone links provided by these companies are overland-lines. Some are via microwave links and, more recently,some use optical fibres. An intercept on the physical linkswould involve gaining access to the companies' equipment inorder to attach wire taps. Usually this would be conspicuous.The micro-wave links would require quite a sophisticatedreceiving system to decode the traffic because of thecomplexity of the coding systems used to convey the data:pulse amplitude modulation; pulse code modulation etc. Alsothe very directional nature of the links limits thelocalities where such eavesdropping equipment would work.

One may conclude that the interception of ordinary telephonetraffic is non-trivial and liable to be noticed; it isunlikely that most hackers would resort to such methodsunless they worked for the telephone companies or hadcontacts within them. Of course, what is non-trivial for aschool-boy may be comparatively easy for an appropriatelyequipped and staffed commercial organisation.

However the actual operation of the BT system, at theordinary telephone user's level, has weaknesses which can beeasily exploited using simple equipment. They allow hackersto impersonate the BT control signals to an unwary user andthereby "capture" calls. The most pertinent point about theoperation of the PSTN is that, nationally, British Telecomoperates a "caller release" mechanism for terminating calls.

The operation of "caller release" is best explained by anexample. Let us assume that subscriber A calls subscriber B.The connection is made, they converse and then they bothreplace their receivers at the end of their conversation.Both would be able to make new calls virtually straight away.However, if at the end of their conversation subscriber A

2

(the caller) does not replace his receiver but B does, thenB, on lifting his receiver again, finds that he is stillconnected to A; they could continue their conversation ifthey wished. There is no way that B can clear his line inorder to make another call until A releases the line byputting his receiver down.

It follows that anybody dialling into a modem which answersthe call can prevent that modem from having a clear line todial out merely by not replacing his receiver, thus causing adenial of service.

r Whilst the above is true for all public exchanges it is notnecessarily so for private exchanges attached to the publicnetwork. These multi-line exchanges often implement "firstparty" release. In this scheme if A calls B via a privateexchange and B puts his receiver down but A does not then B,upon lifting his receiver to make a call, finds that he has aclear line. The exchange has routed his outward call onto adifferent PSTN line. Even if the exchange has only oneincoming line the action of B replacing his receiver stillbreaks the direct connection with A. This time A cannot holdonto B's internal exchange line. Clearly a first partyrelease exchange would give a desirable layer of protectionin any access control system.

BT have advised that it is possible to provide ordinarypublic telephone lines which are incoming only or outgoingonly by making appropriate changes at the local exchange.Configuring lines in this manner would provide a solution tothe caller release problem for those access control systemsthat use different telephone lines for incoming and outgoingcalls. Such a course of action is obviously not applicable toaccess control systems that only use a single telephone line.However, as discussed below, there are other problems to beaddressed as well; so other safeguards still need to betaken.

3 Evesdropping and radio links in the communications chain

Conversations over the public telephone system are not securebecause of the possibilities of crossed lines as well astelephone taps. The probabilities of these occurrences inpractice are small and even then the only information passedshould be of little value if security directives have beenfollowed correctly.

If however the information overheard was not that between twopeople but was instead the logon sequence to a computersystem then the damage could be greater in that a usernameand password have been disclosed. At present most usernamesand passwords are static, ie they do not not change over longperiods of time, typically many months, until explicitly

3

altered by the user. Under these circumstances theeavesdropper would be able to gain repeated access to thatparticular computer system should he know the telephonenumber of its remote access facility. The problem would becompounded if the legitimate user had logged-on to a furthersystem, a not uncommon occurrence, during the time he wasbeing overheard as now two systems would be cnmpromised.

The advent of the cellular radio telephone service and thedomestic use of cordless telephones, coupled with the rapidlyexpanding use of micro-computers for electronic mail display,have greatly increased the possibilites for eavesdropping.Imagine the situation where, faced with a tight schedule,somebody wishes to read his electronic mail whilst travellingin a car between meetings. This may be done by a small lap-top computer and modem connected to a cellular radiotelephone, a quite plausible situation. However in logging onto the electronic mail system, whether directly or by callback the user has broadcast his username and password ( aswell as ALL the messages ) to anybody who cares to li.ten.Similarly the use of a cordless telephone, perhaps as a meansof accessing the BT system without having to be close to awall mounted telephone socket, carries the same eavesdroppingrisks.

The risk exists because these radio systems do not employ anyform of scrambling. ANYBODY with a simple FM radio receivercan tune in and listen. Appropriate receivers can be boughtfrom many electronic hobby outlets.

A prohibition on the sale of such receivers would not be asatisfactory solution because the receivers use widelyavailable components and could be assembled by people withlittle technical experience.

Perhaps the greatest risk with these radio systems comes fromignorance. Many people who avail themselves of them are notyet aware of their vulnerability to evesdropping, even forordinary conversations. The users may be under the ( false )impression that because the systems are "approved" thenprivacy is being guaranteed by BT and the other cellularoperators to the same level as holds for present land lines.Certainly the suppliers of the systems have not publicisedthe problem of evesdropping. Moreover because of the recentnature of the phenomenon, there has not been time for suchinformation, perhaps in the form of court cases involving theevesdropping of telephone calls, to be brought to thepublic's attention.

It is to be hoped that the next generation of both cellulartelephones and cordless telephones will be more secure.

4

4 Modems and their operation

Modems are currently the key to the remote access ofcomputers. The primary purpose of a modem ( Modulator-Demodulator ) is to enable two pieces of equipment (usually acomputer and a terminal) designed to communicate by a directserial binary connection to be able to do so overcommunication lines of limited bandwidth which do notsupport D.C. signal levels. These communication lines arenormally ordinary telephone circuits but can also be mobileradio links.

The signalling is achieved by converting the binary levelsfrom the computer equipment ( often to the RS232C or nearlyequivalent V24/28 standard ) into tones of differentfrequencies, a method known as frequency shift keying . Thereare other encoding techniques, for example phase coding.

Over time two main groupings of signalling standards haveevolved: those of the CCITT, used in Europe and elsewhere,and those from Bell Telephone, used in North America, Japanand some other parts of the world.

One consequence of the adoption of these standards is thatmodems are readily available and inexpensive. Moreover, theycan be purchased with the sure knowledge that the modems usedby both large and small computer systems will respondidentically. This state of affairs is good for the legitmateusers, but it can also be described as a hackers delight inthat he can easily purchase a low cost modem and so be in aposition to mount an attack on the computer systems.

Early modems were not equipped to initiate telephone callsor answer incoming calls automatically. However, recentadvances in integrated circuit design coupled with therelaxation of the rules concerning equipment that can beattached to the public telephone system, has meant thatnearly all modems are now supplied with these functions asstandard. Such modems are equipped with simple circuits todetect the presence of the usual telephone signallinginformation such as the dialling tone and the ringing tone.

Unfortunately this signalling information can be relativelyeasily imitated. This is because modems have to be able tocope with what can be quite significant variations in signallevels and dialling tone frequencies, depending on theparticular exchange to which a subscriber may be connectedand the quality of the line between the subscriber and theexchange.

5

-. -r

5 Current methods of modem access control

Modems are used in commercial/university environments toenable remote, often 24 hour, access to computer resources.They are usually attached to large systems where their usemay not be monitored in any great detail. There may be manytens or hundreds attached to any one system; so individualmonitoring by operators is impractical. In these systemsaccess control is enforced by the usual methods of username-password identifiers associated with authorised users.

A typical access sequence would be as follows: the user dialsthe telephone number of the modem attached to the computer;once connected the computer system prompts the user for hisusername and password; if these are valid then the user isimmediately allowed to use the computer resources. It shouldbe noted that some access control procedures are capable oflimiting remote access "privilege" to specific authorisedusers for their use only between specific times.

In a sens: the computer access control routine has littleother information to do otherwise; it does not know andcannot know the telephone number of the caller because of thedial-in nature of the access. It can neither tell whether thecall is from a "legitimate" place nor give any infcrmation onlocations if any hacking activity is detected. It should benoted that this state of affairs is likely to change in thelong term as a consequence of the gradual change over todigital System "X" telephone exchanges and digital links tosubscribers.

Some systems may make no distinction between users who areusing locally connected terminals and those using remoteterminals. Clearly then the use of modems merely allowshackers to get the same access as if they had physical accessto local terminals. It is apparent that such systems are onlyas well protected as their normal procedures allow: once ahacker has the telephone number of the modem and a validusername-password then he can do as much as the legitimateuser is allowed to do.

The problem of authenticating users is not new. what haschanged is that hackers no longer require physical access tolocal, directly-connected terminals: hence systems are opento attack from many more people, who are no longer physicallyobservable.

One answer to this problem that has been adopted by somecomputer systems is as follows: remote ac'cess to the systemis restricted by only allowing a user to contact it from apre-designated telephone number unique to the user. This isimplemented in the following way. A user would still dial

6

into the system on the modem's telephone number and be askedfor a usetname and password. If these are valid the computersystem responds by telling the user to hang up and thencalling the user back on the user's pre-determined number.This may be the user's home number or branch office number,whatever has been pre-agreed. The user answers the call andis asked again for identification and then, if correct, he isallowed to use the system. This approach has the advantagethat even if a hacker knows a valid username-password he isonly able to get the system to call the legitimate user back,thereby alerting the user to the hacker's intrusion.

Unfortunately this control policy is susceptable to acombination of modem weakness and system design. Some accesscontrol systems which employ this approach may use the SAMEmodem that accepted the incoming logon call to make theoutgoing call. The use of caller release means that all ahacker has to do is to make the initial call, give theappropriate identifiers and then NOT break the link whenrequested by the computer. If now the hacker sends a diallingtone down the line the computer's modem will almost certainlyassume that the line is clear and proceed to initiate thedialling. Of course the dialling sequence is not noted at theexchange. When it finishes, the hacker merely provides aringing tone followed by the answer tone and the computermodem will think that it has been connected to the legitimateuser. Of course it is actually still talking to the hacker.At this point the operating system of the computer may, onthe strength of the logon validation step on dial-in, givethe hacker full access to its resources with no furtherchecks.

A partial solution to this line capture problem is to makethe call back to the user on a different modem connected to adifferent telephone line, an approach used by the MOTOROLAResponse system and others. As is discussed later, even thisis not foolproof. If a hacker can discover the outgoingtelephone number he can arrange to dial into this modem justas it is about to dial out and fool it in the same way.

6 Possible courses of action

A) The modem access control system must ask for user-passwordidentification both on dial-in and dial-back

Initial thoughts have concerned the feasibility of creating ahacker resistant access control system covering externaltelephone access to those site computer facilities connectedto RSRE's data network.

The methods proposed are based upon the idea of limiting thelocation of people wishing to access these systems by meansof pre-arranged telephone numbers. ( Note: We cannot

7

guarantee this completely; some users may take advantage ofthe ability of the cellular systems and some PABXs, to re-route calls automatically, as a way of gaining locationflexibility on a single dial-back number system with all therisks of being overheard. )

Briefly the system would operate as follows: A prospectiveuser would call a specific site number. The access controlsystem would then ask for a username and password. If thesewere valid then the control system would tell the user tobreak the call and await a call back on the telephone numberprearranged for him ( his home number say ). The user wouldonly be able to gain access to computer resources after theaccess control system .iad rung him back to the prearrangedtelephone number and AFTER further validation.

Now weaknesses have been identified in this separate linedial-back approach caused by the operation of the publictelephone network. In particular it is possible to dial intcthe modem that is dialling out and, providing the timing iscorrec', fool the outward dialling modem into believing thatit has made a valid call to a legitimate user. This meansthat a potential hacker could call repeatedly into theoutward modem until he makes a hit within the time window andgains full access to whatever computer resource thelegitimate caller ( who made the inward call resulting in thedial out attempt ) is allowed to use. A possible solution tothis problem is to attach the modem to a private exchangewhich implements first party release. This means that we haveto rely upon the correct operation of this exchange for ourprotection.

Since such protection may not be guaranteed, it is proposedto add extra protection by requiring further username-password identification when the call back connection ismade. If this second password proves to be invalid ( perhapsafter two tries ) then no connection should be allowed: alsothe use of that username can be suspended until the user canbe asked in person whether he was ac-tually making the call.This would provide warning of potential hacker activity. Ofcourse the reason could be innocuous, a spike of interferenceon the telephone line, but at least it would be investigated.

Dynamic passwords can be used to enhance protection. Adynamic password is one that is different for each accessattempt. Often they are algorithmic: the computer presentsthe caller with a number on initial contact and the callerhas to respond with another number that is derived from thecomputers number by a pre-arranged secret algorithm. Forexample if the algorithm was to multiply the initial numberby four and add one then the correct reply to the computersprompt of 3 is 13. The other mechanism for dynamic passwordimplementation consists of a prearranged list of passwords.The entries on this list are used in strict sequence, once

8

and once only, for each access attempt -- this is the, so-

called, one time pad method.

B) The use of data encipherment

The pcssible counter-measures discussed so far have assumedthat tne hacKers could NOT overhear any communicationstraffic to and from these computers. All the hackers wereconsidered able to do was to call into modem ports oncomputer systems, possibly exploiting weaknesses in theoperation of the landline telephone service. Hence theprecautions have concentrated on access control mechanisms.

However if a hacker CAN overhear a lgon sequence then,provided he knows the appropriate telephone number, he may beable to gain access in a manner that would appear legitimate.Obviously a dynamic password would stop the casual listenerfrom gaining access by mere imitation. Should the legitimateuser, whose traffic is being overheard, use the initialcomputer as a stepping stone to further computer systems vianetworks such as ethernets or the various commercial/privatenetworks, then more usernames and passwords would berevealed. So more systems would be compromised. This couldthreaten other systems on these networks whose operatingsystems do not provide all the necessary user isolation.

One solution to these problems is to encipher the trafficbetween the user and the computer systems. Scramblingtechniques require special equipment as well as proceduresfor key management and distribution. One can argue that thecost in both money, and time administering such methods aresuch that they should only be used for information thatmerits it. If it were used then it would be reasonable toemploy only that level of encipherment which would beyond themeans of amateurs to break, so keeping costs down andsimplifying key handling procedures. Such an encipheringsystem should have the following properties:

i) It should comprise an add on unit, inserted between themodem port of the computer and the modem. The plain textoutput of the user's micro would be enciphered and passedonto the modem. The enciphered traffic from the host computerw~uld be deciphered and passed onto the user's micro.

ii) The interfaces would be to V24/V28 ( ie RS232 ) standardfor ease and flexibility of use.

iii) The unit should be able to handle full duplex traffic ata speed of 9600 bps, so allowing not only for the split baudrate modems ( ie 9600 into the modem but 300, say, down thetelephone line ) but also for the new range of 9EI0 bpsthrouihput modems.

9

iv) The unit should not pack the data into blocks, since thiscould lead to buffering problems. It could also beunnecessarily time consuming considering the short nature ofmany commands issued as part of a typical interactive sessionwith computers.

v) If possible the unit should derive its power from themodem, since most modems provide a limited supply, merely forflexibility.

vi) The unit should be sealed, perhaps in epoxy resin, so asto reduce the chances of successful tampering.

vii) The host computer could implement the algorithms insoftware so as to avoid having too many hardware units in oneplace.

viii) Each unit would have a different in-built passworduniquely related to the individual username.

ix) The unit would be provided with a method of switchingbetween clear ( no enciphering ) operation and cipheredoperation.

A possible log on sequence would be as follows:

First the user would ensure that the unit is set to clear.The user would then dial the desired system and be asked fora username. This he would provide. Next he is asked for thepassword, but before it is sent he changes over to cipheredoperation. If the computer system accepts the password thenit calls the user back on the prearranged telephone number.The system then asks again for a username and password butthis time they are different and enciphered. If they arevalid then the session proceeds all in enciphered mode.

The initial contact has to be in clear so as to allow thecomputer to select the appropriate deciphering key. It alsogives the user a chance to recover from any setup errors hemay have made in the choice of baud rate, parity etc.

7 Are ALL the techniques ALWAYS applicable ?

A range of techniques have been discussed that would reducethe vulnerability of computers to hacking : separate dial-back lines, dynamic passwords and encipherment. Eachtechnique has its different strengths and weaknesses as wellas capital and administrative costs. We have seen that theuse of all of them in a system will give the greatestprotection. However, other considerations may outweigh theuse of some of them.

10

For example a system manager may not want either to bear thecost of dial-back calls or to apportion them for operationalreasons. He might wish to have a system that was dial-inonly.

Other system managers may consider that, for the informationstored on their systems, the problems of key management forencrypted links outweigh the privacy benefits.

In the end the final judgment as to the appropriate mix oftechniques rests with the system manager based upon hisknowledge of the particular data stored on the system and theaccess style needed for the users of the system.

8 Conclusions

It has been shown that it is possible to devise accesscontrol methods which provide protection against the classof hacker who can exploit the weaknesses of the presenttelephone system. These methods use the techniques of (i)separate dial-back lines (ii) dynamic passwords and (iii)encipherment; even so, they will not give completeprotection. Furthermore the proliferation of usernames andpasswords, static or dynamic, raises the problem that thelegitimate user may find that he has too much to remember andso try to simplify the choices, thereby weakening theprotection.

A potential problem has been identified arising fromeavesdropping if remote access is attempted over links whichinvolve the use of cordless telephones or the new cellularradio telephone system. This problem is likely to get worsebecause of rapid growth in the use of such systems. It willbe exacerbated if users deliberately use th? cellular systemsin preference to land-line systems purely for their abilityto re-route calls automatically.

One short term solution to the radio link problem would be toprohibit its use for remote access purposes. More generally,however we consider that some form of encryption is desirablein order to provide protection against radio links beingunknowingly used. Furthermore such a solution would alsodefeat most of the existing land line hacker problems.

Reference

(1] Giess S.C., " Experiments into the control of access tocomputer resources via the Public Telephone System", RSREMemorandum No. 4155

11

DOCUMNT CONTROL SHEET

UNCLASSIFIEDOverall security classif;cati on o4 sheet ..... L... ....... ........................................ ... ...

(As far as Possible this sheet should contain only unclassified informal ion, If it is necessary Ic en'er

classified information. the box concerned must be marked to indicate the classificatlon eg (P) (V) c- (i ,

1. ORIC Reference (if known) 2. Originator's Reference 3. Agency Reference u Repor Secv- i.REPORT 88006 U/C Cla,

5. Originatcr's Code (if 6. Originator (Corporate Author) Name and Locationknownl

77840C Royal Signals and Radar EstablishmentSt Andrews Road, Malvern, Worcs. WR14 3PS

5a. Sccnsorng Aqe,cv' ba. Sponsoring Agency (Contract Authority) Nape and Locai-Code (if known)

7. Title

C,1; THE PP:VACY PROBLEYS !NV:LVEE IN ALLOW:IG ACCESS T CVFL:TEFS VA T HPLB" C TELEPH,'" .. SYSTEM

7a. Title in Foreige Language (in Ire case of translations)

It. Presenfe at (fsr conlerence ,acers) Title. Place and date of conference

E. Autlhor 1 Surname. initials 9(a) A.utor 2 9(b) Authors 3,4... 10. Date 'c:. r'.

Giess, S.C. 198B.04

11. Contract Numter 12. Period 13. Project 14 Other Re'e-ence

15. Distribution statement

Descriptors (or keywords)

continue on secarate ,iece of raver

AbstractThis report discusses some privacy problemsc involved in al'owing access tocomputers over the Public Switched Telephone Network (PSTNl.

The relevant aspects of current land-line PSTN and cellular radio operationsare described and the weaknesses of the access controls of current comlptersystems are discussed. Possible solutions that would allow access under alimited set of conditions are described.

S80/48