The Communications Assistance for Law Enforcement Act requires networks to provide interfaces that allow government to intercept data transmissions, just as they have long been able to tap telephone systems. But an IBM security researcher said criminals also could use the systems to wiretap the Internet.
Tom Cross, manager of IBM Internet Security System’s X-Force Advanced Research Team, examined the lawful intercept architecture used by Cisco Systems in its networking products and found six vulnerabilities.
“Each one by itself probably isn’t serious,” he said at the Black Hat Federal Briefings in Washington earlier this month, but taken together, they could let bad guys eavesdrop on Internet traffic.

Cross said he was not picking on Cisco. He chose that company’s system because it is the only one that has been made public. International telecommunications standards do not include wiretap capabilities in their protocols, and as a result, the lawful intercept architectures from each vendor are proprietary. But Cisco published its architecture in 2004.

“As far as I know, they are the only company that has done this,” Cross said.

Read more here.