⟦3807077ae⟧

TextFile

Date: Thursday, 24 July 1986  06:22-MDT
From: die%frog.UUCP at BRL.ARPA (Dave Emery, Software)
Re:   Security and dialbacks

In article <906@hoptoad.uucp> gnu@hoptoad.UUCP writes: >Here are the
two messages I have archived on the subject...

>[I believe the definitive article in that discussion was by Lauren
>Weinstein, vortex!lauren; perhaps he has a copy.

What follows is the original article that started the discussion. I do
not know whether it qualifies as the "definitive article" as I think I
remember Lauren and I both posted further comments.
							    - Dave

		** ARTICLE FOLLOWS **

----------------------------------------------------------------------

An increasingly popular technique for protecting dial-in ports from
the ravages of hackers and other more sinister system penetrators is
dial back operation wherein a legitimate user initiates a call to the
system he desires to connect with, types in his user ID and perhaps a
password, disconnects and waits for the system to call him back at a
prearranged number. It is assumed that a penetrator will not be able
to specify the dial back number (which is carefully protected), and so
even if he is able to guess a user-name/password pair he cannot
penetrate the system because he cannot do anything meaningful except
type in a user-name and password when he is connected to the system.
If he has a correct pair it is assumed the worst that could happen is
a spurious call to some legitimate user which will do no harm and
might even result in a security investigation.

Many installations depend on dial-back operation of modems for their
principle protection against penetration via their dial up ports on
the incorrect presumption that there is no way a penetrator could get
connected to the modem on the call back call unless he was able to tap
directly into the line being called back. Alas, this assumption is not
always true - compromises in the design of modems and the telephone
network unfortunately make it all too possible for a clever penetrator
to get connected to the call back call and fool the modem into
thinking that it had in fact dialed the legitimate user.

	The problem areas are as follows:

		Caller control central offices

Many older telephone central office switches implement caller control
in which the release of the connection from a calling telephone to a
called telephone is exclusively controlled by the originating
telephone. This means that if the penetrator simply failed to hang up
a call to a modem on such a central office after he typed the
legitimate user's user-name and password, the modem would be unable to
hang up the connection.

Almost all modems would simply go on-hook in this situation and not
notice that the connection had not been broken. If the same line was
used to dial out on as the call came in on, when the modem went to
dial out to call the legitimate user back the it might not notice
(there is no standard way of doing so electrically) that the
penetrator was still connected on the line. This means that the modem
might attempt to dial and then wait for an answerback tone from the
far end modem. If the penetrator was kind enough to supply the
answerback tone from his modem after he heard the system modem dial,
he could make a connection and penetrate the system. Of course some
modems incorporate dial tone detectors and ringback detectors and in
fact wait for dial tone before dialing, and ringback after dialing but
fooling those with a recording of dial tone (or a dial tone generator
chip) should pose little problem.


		Trying to call out on a ringing line

Some modems are dumb enough to pick up a ringing line and attempt to
make a call out on it. This fact could be used by a system penetrator
to break dial back security even on joint control or called party
control central offices. A penetrator would merely have to dial in on
the dial-out line (which would work even if it was a separate line as
long as the penetrator was able to obtain it's number), just as the
modem was about to dial out. The same technique of waiting for dialing
to complete and then supplying answerback tone could be used - and of
course the same technique of supplying dial tone to a modem which
waited for it would work here too.

Calling the dial-out line would work especially well in cases where
the software controlling the modem either disabled auto-answer during
the period between dial-in and dial-back (and thus allowed the line to
ring with no action being taken) or allowed the modem to answer the
line (auto-answer enabled) and paid no attention to whether the line
was already connected when it tried to dial out on it.


		The ring window

However, even carefully written software can be fooled by the ring
window problem. Many central offices actually will connect an incoming
call to a line if the line goes off hook just as the call comes in
without first having put the 20 hz. ringing voltage on the line to
make it ring. The ring voltage in many telephone central offices is
supplied asynchronously every 6 seconds to every line on which there
is an incoming call that has not been answered, so if an incoming call
reaches a line just an instant after the end of the ring period and
the line clairvointly responds by going off hook it may never see any
ring voltage.

This means that a modem that picks up the line to dial out just as our
penetrator dials in may not see any ring voltage and may therefore
have no way of knowing that it is connected to an incoming call rather
than the call originating circuitry of the switch. And even if the
switch always rings before connecting an incoming call, most modems
have a window just as they are going off hook to originate a call when
they will ignore transients (such as ringing voltage) on the
assumption that they originate from the going-off-hook process. [The
author is aware that some central offices reverse battery (the
polarity of the voltage on the line) in the answer condition to
distinguish it from the originate condition, but as this is by no
means universal few if any modems take advantage of the information
supplied]


		In Summary

It is thus impossible to say with any certainty that when a modem goes
off hook and tries to dial out on a line which can accept incoming
calls it really is connected to the switch and actually making an
outgoing call. And because it is relatively easy for a system
penetrator to fool the tone detecting circuitry in a modem into
believing that it is seeing dial tone, ringback and so forth until he
supplies answerback tone and connects and penetrates system security
should not depend on this sort of dial-back.


		Some Recommendations

Dial back using the same line used to dial in is not very secure and
cannot be made completely secure with conventional modems. Use of
dithered (random) time delays between dial in and dial back combined
with allowing the modem to answer during the wait period (with
provisions made for recognizing the fact that this wasn't the
originated call -perhaps by checking to see if the modem is in
originate or answer mode) will substantially reduce this window of
vulnerability but nothing can completely eliminate it.

Obviously if one happens to be connected to an older caller control
switch, using the same line for dial in and dial out isn't secure at
all. It is easy to experimentally determine this, so it ought to be
possible to avoid such situations.

Dial back using a separate line (or line and modem) for dialing out is
much better, provided that either the dial out line is sterile (not
readily tracable by a penetrator to the target system) or that it is a
one way line that cannot accept incoming calls at all. Unfortunately
the later technique is far superior to the former in most
organizations as concealing the telephone number of dial out lines for
long periods involves considerable risk. The author has not tried to
order a dial out only telephone line, so he is unaware of what special
charges might be made for this service or even if it is available.

		A final word of warning

In years past it was possible to access telephone company test and
verification trunks in some areas of the country by using mf tones
from so called "blue boxes". These test trunks connect to special
ports on telephone switches that allow a test connection to be made to
a line that doesn't disconnect when the line hangs up. These test
connections could be used to fool a dial out modem, even one on a dial
out only line (since the telephone company needs a way to test it,
they usually supply test connections to it even if the customer can't
receive calls).

Access to verification and test ports and trunks has been tightened
(they are a kind of dial-a-wiretap so it ought to be pretty difficult)
but in any as in any system there is always the danger that someone,
through stupidity or ignorance if not mendacity will allow a system
penetrator access to one.

		** Some more recent comments **

Since posting this I have had several people suggest use of PBX lines
that can dial out but not be dialed into or outward WATS lines that
also cannot be dialed. Several people have also suggested use of call
forwarding to forward incoming calls on the dial out line to the
security office. [ This may not work too well in areas served by
certain ESS's which ring the number from which calls are being
forwarded once anyway in case someone forgot to cancel forwarding.
Forwarding is also subject to being cancelled at random times by
central office software reboots]

And since posting this I actually tried making some measurements of
how wide the incoming call window is for the modems we use for dial in
at CRDS. It appears to be at least 2-3 seconds for US Robotics Courier
2400 baud modems. I found I could defeat same-line-for-dial-out
dialback quite handily in a few dozen tries no matter what tricks I
played with timing and watching modem status in the dial back login
software. I eventually concluded that short of reprogramming the micro
in the modem to be smarter about monitoring line state, there was
little I could do at the login (getty) level to provide much security
for same line dialback.

Since it usually took a few tries to break in, it is possible to
provide some slight security improvement by sharply limiting the
number of unsucessful callbacks per user per day so that a hacker with
only a couple of passwords would have to try over a significant period
of time.

Note that dialback on a dedicated dial-out only line is somewhat
secure.


	  David I. Emery
	  Charles River Data Systems 617-626-1102
	  983 Concord St., Framingham, MA 01701.
          uucp: decvax!frog!die
DataMuseum.dk

DKUUG/EUUG Conference tapes

⟦3807077ae⟧ TextFile

Derivation

TextFile
