Modems raise a number of security concerns because they create links between your computer and the outside world. Modems can be used by individuals inside your organization to remove confidential information. Modems can be used by people outside your organization to gain unauthorized access to your computer. If your modems can be reprogrammed or otherwise subverted, they can be used to trick your users into revealing their passwords. And, finally, an attacker can eavesdrop on a modem communication.
Today, modems remain a popular tool for breaking into large corporate networks. The reason is simple: while corporations closely monitor their network connections, modems are largely unguarded. In many organizations, there is no good way to prevent users from putting modems on their desktop computers and running "remote access" software.
So what can be done? To maximize security, modems should be provided by the organization and administered in a secure fashion.
The first step is to protect the modems themselves. Be sure they are located in a physically secure location, so that no unauthorized individual can access them. This protection is to prevent the modems from being altered or rewired. Some modems can have altered microcode or passwords loaded into them by someone with appropriate access, and you want to prevent such occurrences. You might make a note of the configuration switches (if any) on the modem, and periodically check them to be certain they remain unchanged.
Many modems sold these days allow remote configuration and testing. This capability makes changes simpler for personnel who manage several remote locations. It also makes abusing your modems simpler for an attacker. Therefore, be certain that such features, if present in your modems, are disabled.
The next most important aspect of protecting your modems is to protect their telephone numbers. Treat the telephone numbers for your modems the same as you treat your passwords: don't publicize them to anyone other than those who have a need to know. Making the telephone numbers for your modems widely known increases the chances that somebody might try to use them to break into your system. We'll describe some approaches in later sections.
Unfortunately, you cannot keep the telephone numbers of your modems absolutely secret. After all, people do need to call them. And even if you were extremely careful with the numbers, an attacker could always discover the modem numbers by dialing every telephone number in your exchange. For this reason, simple secrecy isn't a solution; your modems need more stringent protection.
Most sites set up their modems and telephone lines so that they can both initiate and receive calls. Under older versions of UNIX , you could not use a modem for both purposes. Many vendors developed their own mechanisms to allow modems to be used bidirectionally.
Having modems be able to initiate and receive calls may seem like an economical way to make the most use of your modems and phone lines. However, the feature introduces a variety of significant security risks:
Your system will therefore be more secure if you use separate modems for inbound and outbound traffic.
You may further wish to routinely monitor the configuration of your telephone lines to check for the following conditions:
In many areas, you can purchase an additional telephone service called Caller-ID. As its name implies, Caller-ID identifies the phone number of each incoming telephone call. The phone number is usually displayed on a small box next to the telephone when the phone starts ringing. (Note that this feature may not be available to you if you own your own PBX or switch.)
The telephone company sells Caller-ID on the virtues of its privacy and security: by knowing the phone number of an incoming call, you can make the decision as to whether or not you wish to answer it.
Caller-ID can also be used with computers. Several modem makers now support Caller-ID directly. With one of these modems, you can program the modem to send the telephone number of the calling instrument to the computer. You can then write custom software to limit incoming calls to a specified list of phone numbers, or to only allow certain users to use certain phones.
The telephone company's Integrated Services Digital Network ( ISDN ) digital phone service also provides the phone number of the caller through a similar service called Automatic Number Identification ( ANI ). This service is available to many corporate 800-number subscribers. ISDN offers yet another service called Restricted Calling Groups, which allows you to specify a list of phone numbers that are allowed to call your telephone number. All other callers are blocked.
Advanced telephone services such as these are only as secure as the underlying telephone network infrastructure: if an attacker managed to break into the telephone company's computers, that attacker could reprogram them to display incorrect numbers on the Caller-ID display, or to bypass Restricted Calling Groups. Although there are no officially acknowledged cases of such attacks, the possibility exists, and many credible but "informal" accounts of such incidents have been recounted.
Modems that are not adaptive are very susceptible to eavesdropping and wiretapping. Non-adaptive modems include data modems that are slower than 9600 baud and most fax modems. The conversations between these modems can be recorded with a high-quality audio tape and played into a matching unit at a later point in time, or the telephone line can simply be bridged and fed into a separate surveillance modem. Cellular telephone modems are even easier to tap, as their communications are broadcast and readily intercepted by anyone.
Adaptive modems are less susceptible to eavesdropping with ordinary equipment, although even their communications may be intercepted using moderately sophisticated techniques.
How common is electronic eavesdropping? No one can say with certainty. As Whitfield Diffie points out, for electronic eavesdropping to be effective, the target must be unaware of its existence or take no precautions. Unfortunately, such a scenario is often the case.
There are basically four different places where a telephone conversation can be tapped:
Who might be tapping your telephone lines? Here are some possibilities:
There are several measures that you can take against electronic eavesdropping, with varying degrees of effectiveness: