From: firstname.lastname@example.org (John B. Nagle)
Subject: Exploitation of Timing Window (was: C [data lost] ack Sec [data lost]
Date: 29 Dec 88 19:44:58 GMT
Last week I wrote:
>> The moderator's idea can be beaten, but I don't have time to explain how
>>right now. Maybe next week.
The basic notion of call-back is that the receiver accepts a
call, identifies the caller, disconnects the call, and initiates a call
to a previously-determined number to establish a connection between
The fundamental insecurity of call-back derives from the assumption
that the call-back does in fact connect to the intended number. Ignoring
schemes involving tampering with the switching system, the main difficulty
comes from spoofing the call-back system into thinking that it is getting
dial tone from the CO when it is in fact receiving a call from the attacker.
The easy way of doing this involves holding the connection up while the
call-back system tries to disconnect and redial, and then spoofing it by
generating dial tone and perhaps other call-progress tones. This
can be defended against as the moderator suggests.
The attacker must then resort to an attack of the class
"exploitation of a window". The notion here is that the call-back
system can't tell the difference between a incoming call that arrives
at very close to the time that the call-back system goes off-hook, and
dial tone received from the CO because it went off-hook. So if you can
get the timing just right, it is possible to make a spoofing attack.
Getting the timing right is possible if both the call-back system
and telephone system offer repeatable timing. During hours of low load,
this is possible. The attacker does not have to guess right, but can
servo in on the correct value. If the attacker obtains a busy signal,
the time waited before dialing up the spoofed connection is too long.
If the attacker obtains a modem answer tone, the time waited is too
short. Thus a simple servoing algorithm will quickly center the
timing around the correct value. It's possible to exploit very narrow
timing windows using this technique, which is usually used to exploit
time-of-check/time-of-use bugs in operating systems.
While the attacker is adjusting the timing, the call-back system
is likely to notice that something is wrong, but once the timing is
properly adjusted, the call-back system can be spoofed successfully.
The timing adjustment attempts might precede by several days the actual
attack; this may be necessary if the call-back system only allows a small
number of failed attempts.
Defenses against this attack include using a different originate-only
line for call-back, randomizing the time between dial-in and call-back,
and, perhaps, the use of ground start trunks.
It's not clear that anyone would bother to do this complicated an attack
but it's possible.