Update Nov 9 11:00 AM. Mystery solved! Sprint is apparently squatting on the DoD addresses, using them for their internal phone network. Sprint understandably wants to firewall these phones from the wild and wooly Internet, so it NATs the phone traffic from these supposedly-private IPs to the phone’s public IP address. SIP packets have the internal IP embedded in them, however, and aren’t easily NATted. This address slipped through Sprint’s firewall, causing me alarm (fortunately undue alarm!)
Break out your tinfoil hats because this will blow your mind.
I found something quite disturbing today while trying to get my Virgin Mobile LG Optimus V phone talking completely through Voice-Over-IP (VoIP). For reasons not entirely clear yet, I discovered that voice packets from my phone are being routed to an IP address belonging to the Department of Defense.
I had long been a “dumb phone” kind of guy when it comes to mobile phones but finally bit the bullet and got an Android phone from Virgin Mobile when the right plan came along. I am also a VoIP enthusiast and have been sending phone calls over the Internet for almost ten years now. I’m also a cheapskate, so naturally when I got my Android phone one of the first things I wanted to do was to figure out how to make calls with it completely over VoIP – using my unlimited data plan instead of burning my limited voice minutes. That’s what hackers do, you know.
There’s a Google Voice app on my Droid phone and, while it can be used to make VoIP calls, I have my own VoIP system (remember, I’m a hacker) at home and want to make my phone an extension of my home system. That way I can do tricks like answer any calls to my home number while I’m away and other fun stuff.
I went hunting for a suitable (read: free) VoIP client to use on my phone and I found one called SIPdroid. SIPdroid is an open-source SIP (VoIP) client which seemed to work well with my home phone system during the testing I did inside my network.
Having gotten SIPdroid working inside my network, I decided to try getting it working from outside my network. Now, the right way to do this is to create a VPN, however I want to use the easy way to work out the kinks before tightening up my security. I decided a good compromise would be to limit my firewall’s access to the network my phone is on:
iptables -t nat -A prerouting_wan -p udp -s 18.104.22.168/16 –dport 5060 -j DNAT –
iptables -A forwarding_wan -p udp -s 22.214.171.124/16 –dport 5060 -d 192.16
8.3.1 -j ACCEPT
iptables -t nat -A prerouting_wan -p udp -s 126.96.36.199/16 –dport 10000:20000 -j
DNAT –to 192.168.3.1
iptables -A forwarding_wan -p udp -s 188.8.131.52/16 –dport 10000:20000 -d
192.168.3.1 -j ACCEPT
This limits incoming SIP traffic to the Sprint network (184.108.40.206/16) (Virgin Mobile is an MVNO and leases Sprint’s network). These settings open my network just enough to allow me to test things.
Now, I fire up SIPdroid thinking I’ve got the same clear path between my phone and my home server that I did when calling from my internal network. To my puzzlement, the phone call comes through but the voice packets did not. I double-check my iptables rules to make sure I didn’t mistype them. Finally, I’m positive that any packets bound to or from my phone should be passing through my firewall.
A shocking surprise
I fire up tcpdump again and set a filter for SIP packets. Here’s when I notice something very, very odd:
10:37:30.327768 IP user-dfefefe.cable.mindspring.com.15450 > 220.127.116.11.21000: UDP, length 172
10:37:30.347775 IP user-dfefefe.cable.mindspring.com.15450 > 18.104.22.168.21000: UDP, length 172
10:37:30.367912 IP user-dfefefe.cable.mindspring.com.15450 > 22.214.171.124.21000: UDP, length 172
My PBX is not sending packets to my phone (66.87.x.x). It’s sending to a completely different IP address. Curious, I look up who owns the IP address:
# Query terms are ambiguous. The query is assumed to be:
# “n 126.96.36.199”
# Use “?” to get help.
# The following results may also be obtained via:
NetRange: 188.8.131.52 – 184.108.40.206
NetType: Direct Allocation
OrgName: DoD Network Information Center
Address: 3990 E. Broad Street
OrgTechName: Network DoD
# available at: https://www.arin.net/whois_tou.html
The Department of Defense? Holy shit!! My SIPdroid phone app is passing my packets to the U.S. Government?!? What the hell is going on here???
I fire up Wireshark to take a look at the SIP conversation. When making a call from SIPdroid, the app redirects the conversation to the DoD’s server (my MAC/IP’s changed here):
No. Time Source Destination Protocol Info
18 1.717795 66.87.x.x 192.168.3.1 SIP Request: ACK sip:email@example.com
Frame 18 (401 bytes on wire, 401 bytes captured)
Ethernet II, Src: Cisco-Li_ef:01:02(de:ad:be:ef:01:02), Dst: AppleCom_ef:02:03 (de:ad:be:ef:02:03)
Internet Protocol, Src: 66.87.x.x (66.87.x.x), Dst: 192.168.3.1 (192.168.3.1)
User Datagram Protocol, Src Port: 48780 (48780), Dst Port: sip (5060)
Source port: 48780 (48780)
Destination port: sip (5060)
Checksum: 0x8cf2 [validation disabled]
Session Initiation Protocol
Request-Line: ACK sip:firstname.lastname@example.org SIP/2.0
[Resent Packet: False]
[Request Frame: 9]
[Response Time (ms): 260]
Via: SIP/2.0/UDP 220.127.116.11:43488;rport;branch=z9hG4bK64444
CSeq: 1 ACK
User-Agent: Sipdroid/2.4 beta/VM670
I poke through the settings pages of SIPdroid, looking for any entry which might have specified this IP as a proxy. Nothing in the settings indicates this proxy (well, nothing that is visible, anyway).
SIPdroid is an open-source SIP client, meaning all the source code is available to anyone for study. This is makes it difficult to hide unexpected … uh, “features” like this. However, like most smartphone owners, I installed SIPdroid in binary form. Could this IP be hidden in the SIPdroid code somewhere? If not the code, the binary? The SHA checksum on the SIPdroid 2.4 download page matches the one I generate on the downloaded file, so it’s possible the file’s been altered but highly unlikely.
So … if this IP address isn’t part of SIPdroid, this raises the uncomfortable question: could the entire phone be subject to this snooping?
So, do I think the U.S. gummint is spying on me personally? Hardly! I’m a pretty open, peaceful, patriotic, civic-minded guy. Because my home phone calls are VoIP and travel the Internet unprotected, they are already easy pickings to anyone with the audacity and technical ability to collect them. Because of my military background I have a better idea than most of what surveillance can be done and I’m not at all worried about myself.
No, I think this backdoor might have been put in to catch others. Regardless, it is pretty disturbing to think the Department of Defense would feel empowered to spy on Americans in this way, as this scheme can’t help but do.
Doing a little Googling on this particular institution returns a few more disturbing stories. This same center is apparently guilty of hacking into Mark Zuckerberg’s Facebook account, according to the Christian Science Monitor:
So who is behind the Zuckerberg hack? Theories abound. Over at the Guardian, Charles Arthur concludes that the hacker must be the same person who edited a Wikipedia entry on Social business. (Arthur’s reasoning is pretty sound, but his explanation is long and byzantine and almost impossible to summarize. Read it in full here.) From that Wikipedia entry, Arthur produces an IP address: 18.104.22.168.
And that IP address is apparently registered to the US Department of Defense office in Williamsburg, Virginia. “In other words: this might be someone in the military,” Arthur writes.
I’ve discovered from more Internet searches that others have also reported visits from computers at the DoD center. The “Obama Hustle” blog:
The above information was generated by software that I have which has the ability to trace IP Addresses. The IP Address belongs to the DoD i.e. the Department of Defense. More importantly, the IP Address is related to a section of the DoD called, the “Network Information Center in Columbus OH.
I can understand the DoD investigating Terrorists, Subversives, Anti American Activities and so on as it relates to the protection of our nation, but not the spying on “Free Speech” as expressed in my blog “The Obama Hustle”
Here’s another instance:
I keep PeerBlock running pretty much all the time, mostly because I think it’s creepy that my university wants to always monitor what I’m doing. Today, it started logging an entry from “DoD Network Information Center” every few seconds. Is this really the Department of Defense and should I be worried? I’m sure I left out some pertinent information in this post, so just let me know and I’ll try to provide it.
… and another one:
Yah, except the problem is it was happening to several people at the same time.
Anyhow, 800-357-4231 option 1 is the phone number given for the JTFGNO – the DoD IT department.
He starts to give me the email, saying “India Hotel At… oh, you’re a civilian… IH@” haha.
but anyhow, for those interested, averaging 4 ports per second:
2007-01-04 05:55:30;DoD Network Information Center;192.168.136.200:3015;22.214.171.124:411;TCP;Blocked
That ended at:
2007-01-04 06:20:55;DoD Network Information Center;192.168.136.200:1908;126.96.36.199:411;TCP;Blocked
2007-01-04 11:00:40;DoD Network Information Center;192.168.136.200:1482;188.8.131.52:411;TCP;Blocked
2007-01-04 12:23:44;DoD Network Information Center;192.168.136.200:4475;184.108.40.206:411;TCP;Blocked
ARIN reports the second one was from Yuma, maybe someone got a trojan?
At this point, I don’t really know what this means. I can think of no legitimate reason for my phones SIPdroid traffic to be sent to the Department of Defense. It looks mighty damn suspicious to me.
I will continue to research this and post a follow up when I gather more information. Comments/feedback are welcome.
Update 1 3:06 PM: Traceroutes go quiet quickly on this IP
Update 2 9:42 PM: Why I don’t think Sprint is camping out on this IP as part of a non-routable network.
Update Nov 9 10:41 AM: Mystery solved! It does appear that Sprint is indeed borrowing the DoD IP address. The IP is assigned to my phone and leaked out through Sprint’s NAT process through the SIP packets.