Telephony 101, aka Wiretapping is Easy if You’re the Phone Company

Today, NPR had an interview with a telephony editor who implied that wiretapping at the phone company was hard to do.  Unfortunately, that’s just not true.

Today, NPR’s All Things Considered interviewed Carol Wilson, editor-at-large for Telephony Magazine.  In general, I felt that Ms. Wilson did a good job of explaining, in non-technical terms, how the phone network works.  But something that she said at the end of the interview would have left an impression that was just plain wrong.  So I emailed NPR a letter.  The interview is available here.

Toward the end of today’s interview of Carol Wilson, Editor at Large for Telephony Magazine, Melissa Block asked how the phone company performed wiretapping.  Ms. Wilson responded that collecting the content of the phone call was “dramatically different” and “a whole different technology” that was “implemented in a very different way” from how phone calls are logged for billing purposes.  While this is true, the emphasis Ms. Wilson put on her statement implied that wiretapping was technically difficult to perform.  As someone who designed telephony electronics for 6 years, I can say that is not the case.

The very same system that sets up a phone call from New York to Los Angeles can just as easily be set up to transmit the content to one, two, or a dozen different phone numbers simultaneously.  And because such wiretapping is performed by the phone company itself, there is no way to detect that the phone call was being listened to and/or recorded by the police, FBI, or NSA.  As Ms. Wilson says, such wiretapping is only supposed to be done under authority of a court order, but technologically, the only thing preventing the NSA, or a hacker even, from listening in on any conversation is the phone company’s network security.

Now, since I actually wanted my letter to be read on the air, I intentionally kept the detail to a minimum.  But I feel the need to explain a little better how the telephone network actually operates.

When you pick up your phone, you send a signal to a piece of electronics known as “access equipment.” Access equipment does exactly what you’d think - it provides the customers access to the telephone network via line cards that are designed to ring your phone, convert the incoming communications from bits into analog signals that the phone speaker makes into sound, and to convert the microphone-created analog signal into outgoing digital bits.

Most access equipment communicates to the main telephone network switch over a DS1 or T1 (T1 is the physical cabling while DS1 is the signalling protocol used over the T1 cable).  DS1s can carry up to 24 independent telephone connections simultaneously, and each connection is composed of 64 kbps voice data.  With a little overhead added to make sure the electronics stay synchronized to the network switch, the total bit rate of the T1 is 1.544 Mbps, going in both directions at the same time (aka “full duplex”).

Now, the network switch is huge.  It’s designed to switch hundreds, thousands, or even tens of thousands of phone calls simultaneously.  It does this with what’s called a “time slot interchanger.” Remember how I said that each DS1 had 24 channels?  Each channel is a “time slot,” and a time slot interchanger (TSI) moves the voice data from one time slot to another time slot.  When combined with a “crossbar switch” that can connect any one of hundreds of DS1s to any other DS1, the TSI connects your phone call through the network switch on its way from you to whomever you’re calling.  Switches know which DS1 to connect to by storing information about where each DS1 is going physically (DS1 #376-390 might go to Kansas City, for example).  [NOTE:  DS1s are usually aggregated in groups of 28 into DS3s within metropolitan areas, and DS3s are usually combined into OC-12, OC-48, or OC-192 links between major metropolitan areas, but we’re interested in what happens on a DS1 level for this discussion.]

As Ms. Wilson said, the network switch (also known as a “central office switch”) also is responsible for setting up a link into the long-distance provider’s billing network.  As you dial the phone number, that number is sent to the billing computers and they keep track of the duration of the call, the called number, and the calling number (i.e., who gets the bill).  That billing network is just complex enough to ensure that the phone companies bill the right people, so its technology is pretty wimpy.  Nowhere near powerful enough to tap into the content of the phone conversation itself.

But the TSI in the central office (CO) switch is more than capable of performing that wiretap.  As we all know from the music downloading problems, digital data is easily copied.  That is just as true with a phone conversation as it is with a song.  CO switches can be configured by the phone company to copy the data from a phone conversation to multiple time slots on multiple DS1s.  Which means that the 64 kbps voice data you’re creating as you talk into your phone can be copied to your local police department, FBI headquarters, the local NSA listening post, and the cell phones in the surveillance van up the street.  Literally, any phone conversation can be copied and transmitted to any other phone number on the planet, and because it’s been tapped by the phone company, there won’t be any tell-tale clicks (like you used to hear when your younger sibling picked up the phone to eavesdrop on your phone calls) to reveal that the phone has been tapped.
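To make the DS1 arithmetic and the time slot interchanger concrete, here is an added toy model (my example, not code from the original post or from any real CO switch).  It assumes the standard DS1 layout of 24 eight-bit slots plus one framing bit per frame at 8000 frames per second, models the TSI as a table of crosspoints from an input slot to a list of output slots, and uses 0xFF as the idle fill for unused slots; the DS1 ids, slot numbers and sample values are constructed.

```python
FRAMES_PER_SECOND = 8000   # one 8-bit sample per channel every 125 microseconds
SLOTS_PER_DS1 = 24
BITS_PER_SLOT = 8
FRAMING_BITS = 1           # the "little overhead" that keeps the ends synchronized
IDLE = 0xFF                # fill for unused slots (assumption for this toy model)


def ds1_bit_rate():
    """24 slots x 8 bits + 1 framing bit, 8000 frames per second."""
    return (SLOTS_PER_DS1 * BITS_PER_SLOT + FRAMING_BITS) * FRAMES_PER_SECOND


def channel_bit_rate():
    """One time slot: 8 bits x 8000 frames per second."""
    return BITS_PER_SLOT * FRAMES_PER_SECOND


def tsi_switch_frame(inputs, crosspoints):
    """Move one frame of samples between time slots.

    inputs:      {ds1_id: [24 samples]} for each incoming DS1
    crosspoints: {(in_ds1, in_slot): [(out_ds1, out_slot), ...]}
    A slot listed with several destinations is simply copied to each one;
    the byte move is the same whether there is one destination or five.
    """
    outputs = {}
    for (in_ds1, in_slot), dests in crosspoints.items():
        sample = inputs[in_ds1][in_slot]
        for out_ds1, out_slot in dests:
            frame = outputs.setdefault(out_ds1, [IDLE] * SLOTS_PER_DS1)
            frame[out_slot] = sample
    return outputs


def audit_fanout(crosspoints):
    """Defender's check: every input slot copied to more than one destination.
    Legitimate fan-out exists (conference bridges), so treat this as a review
    list for a configuration audit, not a verdict."""
    return sorted(src for src, dests in crosspoints.items() if len(dests) > 1)


# Constructed sample: caller on DS1 "A" slot 5 talks to a party on DS1 "B" slot 12.
NORMAL_CALL = {("A", 5): [("B", 12)], ("B", 12): [("A", 5)]}
# Same call, with both directions also copied onto DS1 "C" (the tap).
TAPPED_CALL = {("A", 5): [("B", 12), ("C", 3)], ("B", 12): [("A", 5), ("C", 4)]}
INPUTS = {"A": [0x12] * SLOTS_PER_DS1, "B": [0x34] * SLOTS_PER_DS1}


def called_party_audio_is_identical():
    """The called party's DS1 carries byte-identical samples either way."""
    return tsi_switch_frame(INPUTS, NORMAL_CALL)["B"] == tsi_switch_frame(INPUTS, TAPPED_CALL)["B"]
```

The point of the last function is the one the post makes: nothing in the audio path changes when a copy is added, so the only place a tap can be noticed is in the switch's crosspoint configuration and the logs of who changed it.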

As Ms. Wilson said, it’s a totally different technology, but contrary to what she implied, it’s a matter of a simple set of commands transmitted by a telephone technician.  Sure, it’s supposed to be done only under a court order, but it’s so simple to do that a hacker could do it without any trouble at all.  CO switches do, however, have a LOT of network security built into them to prevent hackers from doing exactly what I described, but a national security letter from the Bush Administration gets around all that security pretty fast, and shazam! you’ve got yourself warrantless wiretapping.

Modern access equipment designed for corporations, however, often has multiple DS1s or even a DS3 connection to the CO switch.  These kinds of systems have TSIs and small crossbar switches built into them as well, and they are usually remotely configurable using the Web.  Not all access equipment is programmed to permit wiretapping at a local level, but it’s often a simple matter of a software upgrade from the equipment’s manufacturer to get that feature.  And with a web interface for configuration, well, we all know how secure some webpages aren’t.

That’s it for Telephony 101.  Class dismissed.

Posted by on 05/19 at 05:24 PM