Billing and OSS World

Carnivore: FBI’s Packet Sniffer May Have Loose Fangs

John L. Guerra
04/01/2002
Perhaps nothing has whetted the Internet user community’s fear of intrusion more than the FBI’s colorfully named “Carnivore” packet-sniffing software. The technology—which attaches to an ISP’s network and can scan the subject line and content of incoming and outgoing messages flowing through a circuit—has been around for several years. The federal government’s expanded authority to monitor e-mail and other communications puts the technology at the forefront of the debate on privacy and civil liberties. But Carnivore has larger implications for ISPs and other carriers because it contains flaws that bear noting.

Carnivore Has Technical Problems

The technology has systemic problems, according to a technical review of the software performed by IIT Research Institute (IITRI), of McLean, Va. The not-for-profit group researches and develops technology for private and government entities. The company performed a technical review of the Carnivore system for the FBI and published its results in November 2000. The FBI would not comment on whether the problems outlined in the IITRI report have been repaired, or which problems remain.

But the IITRI report is worth reading, because in addition to wireless service providers, many ISPs—big and small—may have to install the system to accommodate police who show up with court-issued wiretap orders. Several states have legislation in the works to adopt the framework of the USA PATRIOT Act—which has expanded the federal government’s power to obtain roving wiretaps, increased law enforcement’s right of access to cable subscriber customer information, and allowed the use of packet-sniffing devices to monitor e-mail and Internet traffic. (For more on the USA PATRIOT Act, see “Telcos Face Realities of Increased Police Powers,” Billing World & OSS Today, Dec. 2001). California Gov. Gray Davis this winter proposed boosting the state’s surveillance powers by mimicking the new USA PATRIOT Act.

The state versions would in effect give sheriff departments and municipal police forces (with a judge’s permission) the right to use Carnivore and similar eavesdropping equipment on smaller telcos and ISPs. Davis backed off from the more expansive provisions of his bill after complaints from civil liberties groups. State Assemblyman Carl Washington, D-Compton, also planned to drop a section of the bill that would have expanded law enforcement’s ability to monitor the e-mail correspondence of suspected criminals. But other states are moving to adopt the federal rules as their own.

Carnivore: How It Works

Carnivore is actually three distinct software packages—dubbed DragonWare—running on Microsoft Windows 2000 or NT. The first part, the Carnivore software component itself, is designed to intercept large volumes of e-mail and other packet communications. The other two software components, Packeteer (not associated with the company Packeteer) and CoolMiner, work together to display Carnivore’s output. Packeteer processes Carnivore’s raw output to reconstruct higher-level protocols from IP packets into readable e-mail and other messages, while CoolMiner develops statistical summaries and displays content information via an Internet browser.

Encrypted messages, protected for the most part by commercial encryption software, have to be cracked later by law enforcement agents with separate software. For information on Carnivore’s limitations, see “What Carnivore Can’t Do.”

Scanning Millions of E-Mails

The Carnivore package is designed to scan millions of e-mails per second. By adjusting filters and other parameters, it can be directed to scan only subject lines and headers of incoming or outgoing messages that are linked to a particular suspect or group of suspects. With the default settings, for instance, only a limited set of packets is accepted. By hitting a single button, the agent can put the software into full mode and attempt to collect all TCP traffic. As more filters are selected and configured, the volume is reduced. Only selected ports might be targeted, and functions such as Simple Mail Transfer Protocol (SMTP) and Post Office Protocol 3 (POP3) might be limited to certain user names.

Investigators can store suspect e-mails and data on removable drives or retrieve them through dial-up sessions.

The Carnivore architecture, according to the IITRI report, consists of a one-way tap into an Ethernet data stream, a general-purpose computer to filter and collect data, additional general-purpose computers to control the collection and examine the data, and a telephone link to a collection computer. The collection computer is installed without a keyboard or monitor so no one can see what’s being collected at the ISP. PCAnywhere, developed by Symantec, lets the other computers control the collection computer via the phone link. An electronic key protects the phone link; only computers with a matching key can connect to it.

The Carnivore software is loaded onto the collection computer, while Packeteer and CoolMiner are installed on the control computers. All computers are equipped with Iomega’s Jaz drives for removable data storage.

When placed at an ISP, the collection computer pulls all packets (as defined in the court order) on the Ethernet segment to which it is connected. It records packets and packet segments that match the Carnivore filter settings. Because it is a one-way, receive-only tap, Carnivore ostensibly cannot transmit data on the network, and the lack of an installed protocol stack ensures that Carnivore “cannot process any packets other than to filter and optionally record them,” the report states. “Carnivore can neither alter packets destined for other systems on the network nor initiate any packets.”

Functionality of Control Computers

Control computers are installed at law enforcement sites; the operator can access the collection computer via modem and set and change filter settings, start and stop collection, and retrieve collected information. The operator then uses CoolMiner and Packeteer to reconstruct collected IP packets to identify target activity. In pen register mode, law enforcement agents can see the sender and recipient e-mail addresses, and the IP addresses of computers involved with FTP and HTTP sessions. In the full-collection mode, the software displays the content of e-mail messages, HTTP pages, FTP sessions and more. All operators are anonymous to the system, using the word “administrator” to log in.

A GUI lets the operator start and stop collection, view collection statistics, and segment the output file. The advanced screen allows the operator to define the filters that determine what Carnivore collects.
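The filter-and-minimization behaviour described in the two passages above (port and user-name filters narrowing collection; pen register mode yielding only addressing data while full-collection mode yields content) is illustrated here by an added example that is not Carnivore's code and does not use its real field names. The `CollectionFilter` fields, the sample packets and the target user name are all constructed for the example; the parsing covers only the SMTP envelope commands and the POP3 `USER` command.

```python
import re
from dataclasses import dataclass

# Constructed packet record (not Carnivore's data structures).
@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: str  # application data, plaintext for the example

# Hypothetical filter settings; field names are assumptions, not Carnivore's.
@dataclass(frozen=True)
class CollectionFilter:
    ports: frozenset = frozenset()       # empty = every port passes (the "all TCP" case)
    mail_users: frozenset = frozenset()  # restrict SMTP/POP3 traffic to these mailbox names
    mode: str = "pen_register"           # "pen_register" (addressing only) or "full" (content)

MAIL_PORTS = {25: "SMTP", 110: "POP3"}
_SMTP_FROM = re.compile(r"MAIL FROM:\s*<([^>]+)>", re.I)
_SMTP_TO = re.compile(r"RCPT TO:\s*<([^>]+)>", re.I)
_POP3_USER = re.compile(r"^USER\s+(\S+)", re.I | re.M)

def mailbox_users(pkt):
    """Local-part user names referenced in an SMTP envelope or a POP3 login."""
    if pkt.dst_port == 25:
        addrs = _SMTP_FROM.findall(pkt.payload) + _SMTP_TO.findall(pkt.payload)
        return {a.split("@")[0].lower() for a in addrs}
    if pkt.dst_port == 110:
        return {u.lower() for u in _POP3_USER.findall(pkt.payload)}
    return set()

def accepts(flt, pkt):
    """Port filter first, then the per-user restriction for the mail protocols."""
    if flt.ports and pkt.dst_port not in flt.ports:
        return False
    if flt.mail_users and pkt.dst_port in MAIL_PORTS:
        return bool(mailbox_users(pkt) & flt.mail_users)
    return True

def minimize(flt, pkt):
    """Reduce an accepted packet to what the collection mode permits."""
    record = {"src_ip": pkt.src_ip, "dst_ip": pkt.dst_ip, "dst_port": pkt.dst_port,
              "protocol": MAIL_PORTS.get(pkt.dst_port, "TCP")}
    if flt.mode == "full":
        record["payload"] = pkt.payload          # content mode: keep everything
    elif pkt.dst_port == 25:                     # pen register: envelope addresses only
        m = _SMTP_FROM.search(pkt.payload)
        record["from"] = m.group(1) if m else None
        record["to"] = _SMTP_TO.findall(pkt.payload)
    return record

def collect(packets, flt):
    return [minimize(flt, p) for p in packets if accepts(flt, p)]

# Constructed sample traffic: 10.0.0.5 is the target, 10.0.0.9 an unrelated user.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "192.0.2.10", 25,
           "MAIL FROM:<target@example.net>\r\nRCPT TO:<friend@example.org>\r\n"
           "DATA\r\nSubject: lunch\r\n\r\nSee you at noon.\r\n.\r\n"),
    Packet("10.0.0.5", "192.0.2.20", 80, "GET / HTTP/1.0\r\n\r\n"),
    Packet("10.0.0.9", "192.0.2.10", 25,
           "MAIL FROM:<other@example.net>\r\nRCPT TO:<someone@example.org>\r\n"),
    Packet("10.0.0.5", "192.0.2.10", 110, "USER target\r\nPASS hunter2\r\n"),
]

if __name__ == "__main__":
    narrow = CollectionFilter(ports=frozenset({25, 110}), mail_users=frozenset({"target"}))
    for rec in collect(SAMPLE_PACKETS, narrow):
        print(rec)
```

With the narrow filter, only the two mail packets involving the `target` mailbox are kept, and in pen register mode the SMTP record carries the envelope addresses but neither the subject nor the body; an empty filter accepts all four packets, and `mode="full"` carries the whole payload. The point for anyone asked to host such a device is that the difference between a pen register and a content intercept lives entirely in filter settings that the ISP cannot see.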

Testing the System’s Functionality

The goal of the IITRI technicians, based on requests from the U.S. Department of Justice, was to determine:

• Whether court orders were translated correctly into commands for the Carnivore system, evidenced by interviews with FBI developers, field agents who have used the device, and ISPs that have hosted it.

• Whether the system’s architecture was secure, compared with commercially available products.

• The state of Carnivore source code, such as the functions that have been implemented and the limitations that have been built into it.

• System capabilities of Carnivore in collection, and of Packeteer and CoolMiner in post-collection.

Installation and ISP Security Concerns

IITRI technicians installed the Carnivore system in its IT lab, mimicking a typical installation at an ISP. They placed the tap on a subnetwork containing traffic from a “target.” The subnetwork provided both static and dynamic IP addressing of target and non-target users. The group of technicians tested both pen register and full-collection scenarios, as well as scenarios the FBI had not envisioned, to test the limits of the system’s capabilities.

They first took a look at how the human factor might come into play with the system, beginning with the agents in charge and those who install the device at the ISP.

According to IITRI, the FBI applies a “strict separation of responsibility” when using Carnivore. The agents in charge of the investigation, for instance, don’t install the software; that is left up to a separate team of technical agents. The technical agents log on as “administrator” and apply the filters to restrict collection to what the court order allows. The idea, IITRI says, is that technical agents “are motivated by FBI policy and procedures to ensure that collection adheres strictly to court orders and will be admissible in court as evidence.”

Employees of the involved ISP are an important aspect of the Carnivore implementation and subsequent operation, according to IITRI. ISPs might be able to supply the FBI or other law enforcement agencies with subscriber information without using the eavesdropping device. The ISP might be able to obtain the “target information” narrowly and precisely by setting up a clone e-mail account. If the ISP lacks the technology to retrieve the information sought in the court order, or if the FBI doesn’t want to reveal what the investigation is about, the Carnivore system may be the only method possible.

Carnivore is attached to the ISP by a read-only tap, which can cause a delay—though the delay is less than that caused by standard network equipment. “Situations may arise,” the report says, “where the ISP is asked to make changes to its operations to accommodate court-ordered surveillance. A change to operations carries some risk and must be approached and implemented with due caution.”

At that point, a technically trained FBI agent (TTA) explains the Carnivore functionalities to the ISP managers and calms any fears they may have that it will affect the ISP’s network. The TTA then takes responsibility for the installation. An employee of the FBI configures the software to meet the court order’s limitations. The agent inputs the address of the intercepted e-mail account into the appropriate field of the Carnivore input screen.

If the order specifies intercepting all traffic between a particular port of a specific Internet server and an IP address assigned to a particular target, the IITRI report says, the agent must enter the appropriate alphanumeric string into the appropriate field in the input screen to specify the server and that port. The agent must also enter the appropriate values to specify the target IP address, or to allow the hardware and software to determine the IP address assigned to the target in a particular session by dynamic host configuration protocol (DHCP) and RADIUS.

Evidence Chain of Custody

The agent then secures the ISP work area, and “substantial” precautions are taken to ensure that no ISP staff member has access to the unit—to prevent manipulation of the hardware to see the data as it is received. “If individuals, despite the precautions, could access the information released by Carnivore,” the report says, “they could reassemble it using readily available software to reveal its contents.”

The TTA does not receive any information Carnivore gleans, to ensure that evidence chain of custody is maintained. Instead, a case agent using Packeteer and CoolMiner retrieves the information in real time from Carnivore, or waits for the Jaz drives to be delivered. The case agent then carries out a second round of “minimization” (filtering) on a PC. The agent determines which information is relevant and deletes the rest. No copies of the irrelevant information are supposed to be kept. If the information has been encrypted, the agent can either attempt to decrypt it, or ask FBI headquarters for help with the decryption.

“There are no checks of which IITRI is aware to monitor the extent of this second minimization,” the report says. “The disk is not tamper-proof. None of the information in the original disk is entered into the database.”

Lack of Access Control

The system doesn’t eliminate the risk of intentional or unintentional unauthorized acquisition of the seized traffic by FBI personnel—that’s up to the FBI. But the software fails to record and audit which agents gained access to the material, because agents can sign on as “administrator.”
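The two gaps just described (no check on the extent of the second minimization and a disk that is not tamper-proof, and a shared “administrator” login that leaves no record of which agent did what) are the kind of problem an operator-attributed, hash-chained audit log addresses. The following is an added example, not Carnivore's code or anything IITRI describes; the operator names, timestamps and record counts are constructed.

```python
import hashlib
import json
import time

GENESIS = "0" * 64

def _digest(body):
    """SHA-256 over a canonical JSON encoding of an entry (minus its own hash)."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only, hash-chained record of operator actions (constructed example)."""

    def __init__(self):
        self.entries = []

    def append(self, operator, action, detail, ts=None):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "ts": int(time.time()) if ts is None else ts,
            "operator": operator,   # an individual, not a shared account
            "action": action,
            "detail": detail,
            "prev": prev,           # links this entry to the one before it
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Walk the chain; return (True, None) or (False, seq of the first bad entry)."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False, e["seq"]
            prev = e["hash"]
        return True, None

    def actions_by(self, operator):
        return [e["action"] for e in self.entries if e["operator"] == operator]

def build_sample_log():
    """Constructed sequence: filter set-up, collection start, second minimization."""
    log = AuditLog()
    log.append("tta.jones", "set_filter",
               {"ports": [25, 110], "mail_users": ["target"]}, ts=973036800)
    log.append("tta.jones", "start_collection", {"segment": "isp-lan-2"}, ts=973036860)
    log.append("case.agent.smith", "minimize",
               {"records_in": 120, "records_kept": 37, "records_deleted": 83},
               ts=973123200)
    return log

def tamper(log, seq, new_detail):
    """Simulate an after-the-fact edit of a stored entry without re-chaining."""
    log.entries[seq]["detail"] = new_detail
    return log.verify()

def shared_account_log():
    """The same actions recorded under one shared login: attribution is impossible."""
    log = AuditLog()
    for action in ("set_filter", "start_collection", "minimize"):
        log.append("administrator", action, {}, ts=0)
    return log

if __name__ == "__main__":
    log = build_sample_log()
    print(log.verify(), log.actions_by("case.agent.smith"))
    print(tamper(log, 2, {"records_in": 120, "records_kept": 120, "records_deleted": 0}))
```

Recording the minimization step as an entry (records in, kept, deleted) gives exactly the check the report says is missing, and per-operator entries answer the “who” that a shared login cannot. The chain only makes edits detectable if its latest hash is also held somewhere the disk's custodian cannot rewrite (for instance, noted by the receiving agent at hand-over); a party who controls the whole file can recompute every hash from the edited entry onward.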

IITRI also tested the stability of Packeteer and CoolMiner. Technicians ran scenarios on the software and found that a “few software bugs” caused some of the collected data to go unreported.

Some of the other weaknesses in the system include:

• Carnivore did not collect any fields other than TO or FROM, but in some trials failed to collect that information. Packeteer misclassified POP3 messages as SMTP and caused CoolMiner to display the wrong information.

• Time stamps for collected packets appeared to be incorrect, possibly because of conversion from Microsoft internal date format to the standard Unix format in CoolMiner, and possibly the conversion between Greenwich Mean Time and local time.

• Carnivore did not recover to a collecting state after a power failure. During the restart procedure, an interface error in connecting to the Ethernet card occurred, and data collected before the power failure was lost. Carnivore does not write collected data onto a disk until a block size of data is collected, a user activates the “next file” feature, or Carnivore is stopped.

• Both MAC address and DHCP ports are required data entries for the filter to have Carnivore collect communication from a specific DHCP-configured IP address. Data entered into the startup IP field was totally ignored by Carnivore. A DHCP exchange was always required for Carnivore to collect from a specific dynamic IP address.

• If the search text string is in the e-mail header (part of the subject), then CoolMiner displays the message properly. If the search text string is only in the body of the message, it does not display the message. CoolMiner displays the collected packets as TCP packets of an unknown application.

• Packeteer failed to assemble all of the packets together for an entire FTP session, because not all packets were collected. In turn, CoolMiner could not provide the result of correct collection.
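The power-failure item in the list above describes a collector that holds data in memory until a block fills, so that a crash loses everything since the last write. The added example below (not Carnivore's code; the block size, the packet timing and the file layout are constructed) models that policy and then adds an age bound, so that a record is written and fsynced once it has waited a set time even if the block is not full. It goes slightly beyond the page by showing the trade-off in numbers: fewer, larger writes keep throughput up (the report's 60 Mbps versus 15 Mbps figures for fast disk versus Jaz disk show why write cost matters), while a bounded wait caps how much evidence a power loss can erase.

```python
import os
import tempfile
import time

class Collector:
    """Constructed model of a block-buffered capture writer with a bounded-loss flush."""

    def __init__(self, path, block_size=8, max_age=None, clock=time.monotonic):
        self.path = path
        self.block_size = block_size   # records held in memory before a write
        self.max_age = max_age         # seconds a record may wait in memory (None = no bound)
        self.clock = clock             # injectable so the scenario below is deterministic
        self.buffer = []
        self.oldest = None
        open(path, "w").close()        # start a fresh output file

    def capture(self, record):
        if not self.buffer:
            self.oldest = self.clock()
        self.buffer.append(record)
        block_full = len(self.buffer) >= self.block_size
        too_old = self.max_age is not None and self.clock() - self.oldest >= self.max_age
        if block_full or too_old:
            self.flush()

    def flush(self):
        """Write the buffer and fsync so it survives a power loss (also the 'next file'/stop path)."""
        if not self.buffer:
            return 0
        with open(self.path, "a") as f:
            f.write("".join(r + "\n" for r in self.buffer))
            f.flush()
            os.fsync(f.fileno())
        written = len(self.buffer)
        self.buffer.clear()
        return written

    def power_loss(self):
        """Whatever never reached the disk is gone; return how many records that was."""
        lost = len(self.buffer)
        self.buffer.clear()
        return lost

def records_on_disk(path):
    with open(path) as f:
        return [line.rstrip("\n") for line in f]

def scenario(path, max_age):
    """Ten constructed packets, one every half second, then the power fails."""
    now = [0.0]
    col = Collector(path, block_size=8, max_age=max_age, clock=lambda: now[0])
    for i in range(10):
        col.capture(f"pkt-{i}")
        now[0] += 0.5
    lost = col.power_loss()
    return len(records_on_disk(path)), lost

def run_demo():
    """Returns ((on_disk, lost) without an age bound, (on_disk, lost) with a 1 s bound)."""
    with tempfile.TemporaryDirectory() as d:
        unbounded = scenario(os.path.join(d, "block.dat"), max_age=None)
        bounded = scenario(os.path.join(d, "bounded.dat"), max_age=1.0)
    return unbounded, bounded

if __name__ == "__main__":
    print(run_demo())  # ((8, 2), (9, 1))
```

Without an age bound, the eight-record block is written once and the two packets captured after it are lost; with a one-second bound, three smaller writes land and only the single packet still in memory is lost. Whether one second or one block is the right setting is a throughput question, but the loss is then a known quantity rather than “whatever was pending when the power went out.”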

The Last Word?

The FBI has not said whether it has fixed the problems outlined in the report. The terrorist attacks in September certainly increased the urgency of implementing packet-sniffing, or eavesdropping devices for the Internet. The report recommends using Carnivore instead of commercial applications because it can read more voluminous batches of e-mail and other data.

But it’s far from perfect for the task. It can be countered with simple, public-domain encryption, has a limited ability to process Internet e-mail accounts, and cannot collect well in high-traffic environments. “The FBI has found that when collecting a steady flow of packets, Carnivore can handle up to 60 Mbps without dropping packets if writing its collected data to a high-speed hard drive disk,” the report says. “If writing to the Jaz disk, the rate drops to 15 Mbps, and if writing to Zip disk, the rate drops to 5 Mbps.”

Undoubtedly, the FBI has tried to make improvements since the report came out more than a year ago. But the bureau has been less than open about such matters; in their eyes, Carnivore may be one of the most powerful assets in its eavesdropping arsenal—despite its limitations.

The industry will see more of the device because of other developments. For instance, the wireless industry has openly declared Carnivore a logical answer to the requirements of E-911, determining the location of wireless users. The locating function would help find people in medical distress; but recent events underscore its importance in finding terrorists using wireless handsets to plan or coordinate an attack.

The wireless industry also sees it as an attractive way to help carriers satisfy requirements under the Communications Assistance for Law Enforcement Act (CALEA). That law mandates that carriers give law enforcement authorities a way to tap into all kinds of packet communication, including broadband, PCS, cellular communications and SMS. CALEA requires telecommunications companies to install devices, servers and other network elements that make it easier for law enforcement agencies to tap into those modes of communication. For the most part, carriers are finding the mandate expensive and time-consuming. Carnivore could supply the standards and technology to meet those requirements more easily.
