
Why is the Defense Department snooping on my phone?

Update Nov 9 11:00 AM. Mystery solved! Sprint is apparently squatting on the DoD addresses, using them for their internal phone network. Sprint understandably wants to firewall these phones from the wild and woolly Internet, so it NATs the phone traffic from these supposedly-private IPs to the phone’s public IP address. SIP packets have the internal IP embedded in them, however, and aren’t easily NATted. This address slipped through Sprint’s firewall, causing me alarm (fortunately undue alarm!).

Break out your tinfoil hats because this will blow your mind.

I found something quite disturbing today while trying to get my Virgin Mobile LG Optimus V phone talking completely through Voice-Over-IP (VoIP). For reasons not entirely clear yet, I discovered that voice packets from my phone are being routed to an IP address belonging to the Department of Defense.

Some background

I had long been a “dumb phone” kind of guy when it comes to mobile phones but finally bit the bullet and got an Android phone from Virgin Mobile when the right plan came along. I am also a VoIP enthusiast and have been sending phone calls over the Internet for almost ten years now. I’m also a cheapskate, so naturally when I got my Android phone one of the first things I wanted to do was to figure out how to make calls with it completely over VoIP – using my unlimited data plan instead of burning my limited voice minutes. That’s what hackers do, you know.

There’s a Google Voice app on my Droid phone and, while it can be used to make VoIP calls, I have my own VoIP system (remember, I’m a hacker) at home and want to make my phone an extension of my home system. That way I can do tricks like answer any calls to my home number while I’m away and other fun stuff.

I went hunting for a suitable (read: free) VoIP client to use on my phone and I found one called SIPdroid. SIPdroid is an open-source SIP (VoIP) client which seemed to work well with my home phone system during the testing I did inside my network.

Having gotten SIPdroid working inside my network, I decided to try getting it working from outside my network. Now, the right way to do this is to create a VPN; however, I want to use the easy way to work out the kinks before tightening up my security. I decided a good compromise would be to limit my firewall’s access to the network my phone is on:

iptables -t nat -A prerouting_wan -p udp -s 66.87.0.0/16 --dport 5060 -j DNAT --to 192.168.3.1:5060
iptables -A forwarding_wan -p udp -s 66.87.0.0/16 --dport 5060 -d 192.168.3.1 -j ACCEPT
iptables -t nat -A prerouting_wan -p udp -s 66.87.0.0/16 --dport 10000:20000 -j DNAT --to 192.168.3.1
iptables -A forwarding_wan -p udp -s 66.87.0.0/16 --dport 10000:20000 -d 192.168.3.1 -j ACCEPT

This limits incoming SIP traffic to the Sprint network (66.87.0.0/16) (Virgin Mobile is an MVNO and leases Sprint’s network). These settings open my network just enough to allow me to test things.

Now, I fire up SIPdroid thinking I’ve got the same clear path between my phone and my home server that I did when calling from my internal network. To my puzzlement, the phone call comes through but the voice packets do not. I double-check my iptables rules to make sure I didn’t mistype them. Finally, I’m positive that any packets bound to or from my phone should be passing through my firewall.

A shocking surprise

I fire up tcpdump again and set a filter for SIP packets. Here’s when I notice something very, very odd:

10:37:30.327768 IP user-dfefefe.cable.mindspring.com.15450 > 28.191.58.169.21000: UDP, length 172
10:37:30.347775 IP user-dfefefe.cable.mindspring.com.15450 > 28.191.58.169.21000: UDP, length 172
10:37:30.367912 IP user-dfefefe.cable.mindspring.com.15450 > 28.191.58.169.21000: UDP, length 172

My PBX is not sending packets to my phone (66.87.x.x). It’s sending to a completely different IP address. Curious, I look up who owns the IP address:

#
# Query terms are ambiguous. The query is assumed to be:
# "n 28.191.58.169"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=28.191.58.169?showDetails=true&showARIN=false&ext=netref2
#

NetRange: 28.0.0.0 - 28.255.255.255
CIDR: 28.0.0.0/8
OriginAS:
NetName: DNIC-NET-028
NetHandle: NET-28-0-0-0-1
Parent:
NetType: Direct Allocation
RegDate: 1996-03-11
Updated: 2009-03-23
Ref: http://whois.arin.net/rest/net/NET-28-0-0-0-1

OrgName: DoD Network Information Center
OrgId: DNIC
Address: 3990 E. Broad Street
City: Columbus
StateProv: OH
PostalCode: 43218
Country: US
RegDate:
Updated: 2011-08-17
Ref: http://whois.arin.net/rest/org/DNIC

OrgTechHandle: REGIS10-ARIN
OrgTechName: Registration
OrgTechPhone: +1-800-365-3642
OrgTechEmail: registra@nic.mil
OrgTechRef: http://whois.arin.net/rest/poc/REGIS10-ARIN

OrgAbuseHandle: REGIS10-ARIN
OrgAbuseName: Registration
OrgAbusePhone: +1-800-365-3642
OrgAbuseEmail: registra@nic.mil
OrgAbuseRef: http://whois.arin.net/rest/poc/REGIS10-ARIN

OrgTechHandle: MIL-HSTMST-ARIN
OrgTechName: Network DoD
OrgTechPhone: +1-614-692-2708
OrgTechEmail: HOSTMASTER@nic.mil
OrgTechRef: http://whois.arin.net/rest/poc/MIL-HSTMST-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

The Department of Defense? Holy shit!! My SIPdroid phone app is passing my packets to the U.S. Government?!? What the hell is going on here???

I fire up Wireshark to take a look at the SIP conversation. When making a call from SIPdroid, the app redirects the conversation to the DoD’s server (my MAC and IP addresses have been changed here):

No. Time Source Destination Protocol Info
18 1.717795 66.87.x.x 192.168.3.1 SIP Request: ACK sip:3xxx@maestro.markturner.net

Frame 18 (401 bytes on wire, 401 bytes captured)
Ethernet II, Src: Cisco-Li_ef:01:02(de:ad:be:ef:01:02), Dst: AppleCom_ef:02:03 (de:ad:be:ef:02:03)
Internet Protocol, Src: 66.87.x.x (66.87.x.x), Dst: 192.168.3.1 (192.168.3.1)
User Datagram Protocol, Src Port: 48780 (48780), Dst Port: sip (5060)
Source port: 48780 (48780)
Destination port: sip (5060)
Length: 363
Checksum: 0x8cf2 [validation disabled]
Session Initiation Protocol
Request-Line: ACK sip:3xxx@maestro.markturner.net SIP/2.0
Method: ACK
Request-URI: sip:3xxx@maestro.markturner.net
[Resent Packet: False]
[Request Frame: 9]
[Response Time (ms): 260]
Message Header
Via: SIP/2.0/UDP 28.191.58.169:43488;rport;branch=z9hG4bK64444
Max-Forwards: 70
To: ;tag=as064a198d
From: ;tag=z9hG4bK56563304
Call-ID: 374319500332@28.191.58.169
CSeq: 1 ACK
User-Agent: Sipdroid/2.4 beta/VM670
Content-Length: 0

I poke through the settings pages of SIPdroid, looking for any entry which might have specified this IP as a proxy. Nothing in the settings indicates this proxy (well, nothing that is visible, anyway).

SIPdroid is an open-source SIP client, meaning all the source code is available to anyone for study. This makes it difficult to hide unexpected … uh, “features” like this. However, like most smartphone owners, I installed SIPdroid in binary form. Could this IP be hidden in the SIPdroid code somewhere? If not the code, the binary? The SHA checksum on the SIPdroid 2.4 download page matches the one I generate on the downloaded file, so it’s possible the file’s been altered but highly unlikely.

So … if this IP address isn’t part of SIPdroid, this raises the uncomfortable question: could the entire phone be subject to this snooping?

Further thoughts

So, do I think the U.S. gummint is spying on me personally? Hardly! I’m a pretty open, peaceful, patriotic, civic-minded guy. Because my home phone calls are VoIP and travel the Internet unprotected, they are already easy pickings to anyone with the audacity and technical ability to collect them. Because of my military background I have a better idea than most of what surveillance can be done and I’m not at all worried about myself.

No, I think this backdoor might have been put in to catch others. Regardless, it is pretty disturbing to think the Department of Defense would feel empowered to spy on Americans in this way, as this scheme can’t help but do.

Doing a little Googling on this particular institution returns a few more disturbing stories. This same center is apparently guilty of hacking into Mark Zuckerberg’s Facebook account, according to the Christian Science Monitor:

So who is behind the Zuckerberg hack? Theories abound. Over at the Guardian, Charles Arthur concludes that the hacker must be the same person who edited a Wikipedia entry on Social business. (Arthur’s reasoning is pretty sound, but his explanation is long and byzantine and almost impossible to summarize. Read it in full here.) From that Wikipedia entry, Arthur produces an IP address: 131.74.110.168.

And that IP address is apparently registered to the US Department of Defense office in Williamsburg, Virginia. “In other words: this might be someone in the military,” Arthur writes.

I’ve discovered from more Internet searches that others have also reported visits from computers at the DoD center. The “Obama Hustle” blog:

The above information was generated by software that I have which has the ability to trace IP Addresses. The IP Address belongs to the DoD i.e. the Department of Defense. More importantly, the IP Address is related to a section of the DoD called, the “Network Information Center in Columbus OH.”

I can understand the DoD investigating Terrorists, Subversives, Anti American Activities and so on as it relates to the protection of our nation, but not the spying on “Free Speech” as expressed in my blog “The Obama Hustle”.

Here’s another instance:

I keep PeerBlock running pretty much all the time, mostly because I think it’s creepy that my university wants to always monitor what I’m doing. Today, it started logging an entry from “DoD Network Information Center” every few seconds. Is this really the Department of Defense and should I be worried? I’m sure I left out some pertinent information in this post, so just let me know and I’ll try to provide it.

… and another one:

Yah, except the problem is it was happening to several people at the same time.

Anyhow, 800-357-4231 option 1 is the phone number given for the JTFGNO – the DoD IT department.

He starts to give me the email, saying “India Hotel At… oh, you’re a civilian… IH@” haha.

but anyhow, for those interested, averaging 4 ports per second:
first attack:
2007-01-04 05:55:30;DoD Network Information Center;192.168.136.200:3015;29.0.0.205:411;TCP;Blocked
That ended at:
2007-01-04 06:20:55;DoD Network Information Center;192.168.136.200:1908;29.0.0.205:411;TCP;Blocked
Next attack:
2007-01-04 11:00:40;DoD Network Information Center;192.168.136.200:1482;6.18.0.176:411;TCP;Blocked
ended at:
2007-01-04 12:23:44;DoD Network Information Center;192.168.136.200:4475;6.18.0.176:411;TCP;Blocked
ARIN reports the second one was from Yuma, maybe someone got a trojan?

Conclusion

At this point, I don’t really know what this means. I can think of no legitimate reason for my phone’s SIPdroid traffic to be sent to the Department of Defense. It looks mighty damn suspicious to me.

I will continue to research this and post a follow up when I gather more information. Comments/feedback are welcome.

Update 1 3:06 PM: Traceroutes go quiet quickly on this IP
Update 2 9:42 PM: Why I don’t think Sprint is camping out on this IP as part of a non-routable network.

Update Nov 9 10:41 AM: Mystery solved! It does appear that Sprint is indeed borrowing the DoD IP address. The IP is assigned to my phone and leaked out through Sprint’s NAT process through the SIP packets.
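The two updates above describe the mechanism: the phone’s carrier-internal address rides inside the SIP headers and the SDP body, so the PBX on the far side of Sprint’s NAT answers and streams audio to that embedded address instead of to the address the datagram actually came from. The Python below is an added example, not SIPdroid’s, Asterisk’s or this post’s own code. It parses a constructed INVITE modelled on the Wireshark capture above, flags each embedded address that disagrees with the packet’s source (distinguishing an ordinary RFC 1918 or CGNAT leak from the “public space the peer doesn’t own” case seen here), and then applies the two standard defences a PBX uses: the RFC 3581 `received`/`rport` parameters on the Via so the response goes back through the NAT, and rewriting the SDP connection address so media follows the signalling. The source address 66.87.1.2, the port 15450 and the extension 3001 are constructed values.

```python
"""Detect and repair SIP messages whose embedded addresses disagree with
the address the packet actually arrived from (the carrier-NAT leak in the
post).  Added example; not SIPdroid's, Asterisk's or the post's code."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed INVITE modelled on the capture in the post.  Via, Contact and
# the SDP c= line all carry the phone's carrier-internal address
# (28.191.58.169, from the post); the datagram itself arrives from
# 66.87.1.2, a made-up host inside the Sprint range the post firewalls on.
SAMPLE_INVITE = (
    "INVITE sip:3001@maestro.markturner.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 28.191.58.169:43488;rport;branch=z9hG4bK64444\r\n"
    "Max-Forwards: 70\r\n"
    "From: <sip:phone@maestro.markturner.net>;tag=z9hG4bK56563304\r\n"
    "To: <sip:3001@maestro.markturner.net>\r\n"
    "Call-ID: 374319500332@28.191.58.169\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:phone@28.191.58.169:43488>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 28.191.58.169\r\n"
    "s=-\r\n"
    "c=IN IP4 28.191.58.169\r\n"
    "t=0 0\r\n"
    "m=audio 21000 RTP/AVP 0\r\n"
)
SAMPLE_SOURCE = ("66.87.1.2", 15450)  # constructed (src IP, src port) of the datagram

# Address space a NAT'd client may legitimately leak: RFC 1918 plus CGNAT (RFC 6598).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

VIA_RE = re.compile(r"SIP/2\.0/UDP\s+([0-9.]+)(?::(\d+))?(.*)", re.I)
CONTACT_RE = re.compile(r"sip:(?:[^@>]*@)?([0-9.]+)")


@dataclass
class SipAddresses:
    via_host: str
    via_port: int
    via_params: str               # everything after sent-by, e.g. ";rport;branch=..."
    contact_host: Optional[str]
    sdp_host: Optional[str]       # SDP c= address: where RTP would be sent
    sdp_port: Optional[int]       # SDP m=audio port


def parse_sip(message: str) -> SipAddresses:
    """Pull the sender-supplied addresses out of a SIP request with an SDP body."""
    head, _, body = message.partition("\r\n\r\n")
    via = contact = None
    for header in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = header.partition(":")
        name = name.strip().lower()
        if name in ("via", "v") and via is None:   # topmost Via belongs to the sender
            via = VIA_RE.search(value)
        elif name in ("contact", "m") and contact is None:
            contact = CONTACT_RE.search(value)
    if via is None:
        raise ValueError("no Via header")
    sdp_host = sdp_port = None
    for line in body.split("\r\n"):
        if line.startswith("c=IN IP4 "):
            sdp_host = line.split()[2]
        elif line.startswith("m=audio "):
            sdp_port = int(line.split()[1])
    return SipAddresses(via.group(1), int(via.group(2) or 5060), via.group(3),
                        contact.group(1) if contact else None, sdp_host, sdp_port)


def classify(embedded: str, source_ip: str) -> str:
    """Explain a mismatch between an embedded address and the packet source."""
    if embedded == source_ip:
        return "matches-source"
    if any(ipaddress.ip_address(embedded) in net for net in PRIVATE_NETS):
        return "private-behind-nat"      # routine NAT leak; nothing to chase
    return "foreign-public"              # routable space the peer does not own: the post's case


def nat_report(message: str, source: Tuple[str, int]) -> dict:
    """Classify every address the client embedded against the real source IP."""
    a = parse_sip(message)
    src_ip = source[0]
    return {"via": classify(a.via_host, src_ip),
            "contact": classify(a.contact_host, src_ip) if a.contact_host else "absent",
            "sdp": classify(a.sdp_host, src_ip) if a.sdp_host else "absent"}


def response_via(addrs: SipAddresses, source: Tuple[str, int]) -> str:
    """Build the topmost Via of the response as RFC 3581 requires: keep the
    client's sent-by, add received=<source IP>, and fill rport=<source port>
    when the client asked for it, so the reply goes back through the NAT."""
    src_ip, src_port = source
    params = re.sub(r";(rport|received)(=[^;]*)?", "", addrs.via_params)
    params += f";received={src_ip}"
    if ";rport" in addrs.via_params:
        params += f";rport={src_port}"
    return f"Via: SIP/2.0/UDP {addrs.via_host}:{addrs.via_port}{params}"


def rewrite_sdp(message: str, source_ip: str) -> str:
    """Point the media at the address the signalling really came from.  This is
    the simple form of NAT handling; production PBXes additionally latch onto
    the source of the first inbound RTP packet, because the NAT maps the RTP
    port independently of the SIP port."""
    head, sep, body = message.partition("\r\n\r\n")
    body = re.sub(r"^c=IN IP4 [0-9.]+", f"c=IN IP4 {source_ip}", body, flags=re.M)
    return head + sep + body


if __name__ == "__main__":
    addrs = parse_sip(SAMPLE_INVITE)
    print("RTP would go to", addrs.sdp_host, addrs.sdp_port, "with no NAT handling")
    print(nat_report(SAMPLE_INVITE, SAMPLE_SOURCE))
    print(response_via(addrs, SAMPLE_SOURCE))
    print("media now sent to", parse_sip(rewrite_sdp(SAMPLE_INVITE, SAMPLE_SOURCE[0])).sdp_host)
```

A "foreign-public" result on every field is exactly the signature in the tcpdump output above: the PBX dutifully streamed RTP to 28.191.58.169 because that is what the SDP told it, and only a whois on that address revealed it was not the carrier’s space. A "private-behind-nat" result is the everyday case and is what Asterisk’s chan_sip `nat` setting is designed to absorb; the difference between the two is worth surfacing in monitoring, since a public address that is neither the packet source nor the peer’s own range is either a carrier squatting on someone else’s allocation, as here, or a misconfigured client.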

19 Comments

  1. I have that same phone, so I can probably safely assume that my VoIP packets are also passing through the DoD. I’m using the Google Voice client.

  2. Is your theory that Time-Warner is routing all SIP traffic through the DoD?

  3. No. This traffic is going over my phone’s 3G network and returning via Time Warner from the mystery IP address. This same routing does not (apparently) occur when I make a VoIP call from my home PBX over my cable modem.

    My phone is for some reason routing the call to the IP. I don’t know if it’s SIPdroid doing that or something else on my phone. SIPdroid’s source code doesn’t appear to be the issue, at least to my untrained eye.

  4. Are you sure you were on 3G and not on wifi when you made the call?

  5. My guess is that Sprint is somehow assigning a DoD IP address to your phone, and then NAT’ing it to the 68.x.x.x block. Your SIP client is then using your phone’s local IP (before being NAT’ed), which happens to be the DoD IP address.

    This scenario would make some sense since Sprint provides the DoD with some network services.

  6. Have you tried firing up nmap and scanning that IP range for anything interesting? Somebody on HN suggested that the carrier might have leased some of this allocation from DoD, and that it might be used purely for their internal network. If the carrier is using this space, a tip off might be if you find some hosts with SCTP active…

  7. You may want to distance yourself from the article you linked from “The Obama Hustle”. AFAICT, nobody is trying to “spy” on him. They simply made an HTTP request to his *public* website. I bet he’s not so upset when Google “spies” on him to include him in search results.

  8. I used to see something similar on T-Mobile. I think they may have “fixed” it, though…no wait, they didn’t (although, like yours, mine used to also be a DoD address. After all, if the gov’t can’t spy on domestic communications, what’s to stop a strategic ally from doing so, eh?)

    IP: 25.50.2XX.XXX
    Decimal: 422772370
    Hostname: 25.50.2XX.XXX
    ISP: DINSA, Ministry of Defence
    Organization: DINSA, Ministry of Defence
    Services: None detected
    Type: Unknown
    Assignment: Static IP

  9. I forgot to point out — going to a site like whatismyip doesn’t work, it just shows an IP associated with TMobile. However, since I’m running a Debian variant (Maemo 5), I can simply:

    Nokia-N900:~# ifconfig
    gprs0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
    inet addr:25.51.xxx.xxx P-t-P:25.51.xxx.xxx Mask:255.255.255.255
    UP POINTOPOINT RUNNING NOARP MTU:1400 Metric:1
    RX packets:58 errors:0 dropped:0 overruns:0 frame:0
    TX packets:65 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:10
    RX bytes:11994 (11.7 KiB) TX bytes:14939 (14.5 KiB)

  10. I’m on Sprint. I’ve noticed on the 4g network I can’t ever connect back to it (e.g. FTP server on phone).

    When I connect to a home SSH server, the connected address shows a 66.86.xx.xx sprint IP address. HOWEVER, the phone’s IP address, as shown on the phone, is a 21.84.xx.xx. I did a lookup on it and

    ISP: DoD Network Information Center
    Organization: DoD Network Information Center

    So I guess all of my traffic is going thru there.

  11. I don’t know what IP my phone has, but the fact that voice traffic appears from a DoD IP address while the rest of the phone’s traffic appears from an entirely different IP address makes me skeptical that Sprint is using the DoD IP as a private address.

  12. “I don’t know what IP my phone has, but the fact that voice traffic appears from a DoD IP address while the rest of the phone’s traffic appears from an entirely different IP address makes me skeptical that Sprint is using the DoD IP as a private address.”

    Yeah this is odd… why NAT a public IP to another public IP unless you want to mingle the data. Possibly (hopefully) they want all traffic to route thru there and only do special handling if it’s iDEN related?

  13. Mark, on your android phone dial *#*#INFO#*#* and without pressing [SEND] a menu should pop up. On my Nexus 1 I then go into the “Phone information” menu and under “GSM disconnects:” it shows me my IP address. I’m on T-Mobile and the IP falls under UK Ministry of Defence.

  14. Aha! The IP is assigned to my phone’s GSM interface, so it looks like it’s benign after all.

    That did the trick, Amatus!
