Colonel Saadad Ullah ordered Lashkar-e-Taiba’s technology team, headed by one Javed, to design and execute the communication plan for the 26/11 terrorist attack on Mumbai. The obvious choices were Voice-Over-Internet-Protocol (VOIP) and Satellite Phones (Sat Phones). The interception of Sat Phones by Indian agencies during the Kargil War is well known, and it caused reasonable suspicion that Sat Phones would be exploited once within Indian territorial interception range. At sea, however, only Sat Phones were feasible. The terrorists therefore chose to stay outside 70-80 nautical miles from the Indian coast during the approach phase, and at closer distances Sat Phones were to be used as back-up. The primary mode of communication was therefore decided to be VOIP.
It was estimated that Indian agencies lacked the capability to intercept VOIP calls. A New Jersey based company, Callphonex, was identified for providing VOIP services. The advantage of using Callphonex was that it had worldwide coverage and also provided virtual numbers (a virtual number is a landline number which can be called to reach a VOIP phone).
Javed’s counterpart in Lahore, Muhammad Ishfaq, posed as Khadak Singh using the e-mail ID ‘kharaktelco@yahoo.com’ and told Callphonex that he wanted to be the reseller of Callphonex services in India. The ID proof of Iftikhar Ali (probably impersonated), based out of Peshawar, was provided. On 27th Oct 2008, a payment of $250 was made to Callphonex using Money Gram from Anarkali, Pakistan. Just prior to the final terrorist assault, on 25th November 2008, another payment of $228 was made to top up and to activate virtual numbers of Austria and the U.S. A Pakistani passport, number KC092481, was used as proof of ID for the Western Union Money Transfer.
On 26th November 2008, terrorists attacked the financial capital of India and held it under siege for three days. VOIP provided the backbone communication channel between the handlers and the terrorists. Thus, a serious question is being asked regarding the security implications of VOIP.
Six years have passed since this terrorist attack, but the knee-jerk reaction of the Indian government, as late as 2013, to ban VOIP calls indicates that the government still lacks the capability to foil further terrorist attacks that use VOIP as their communication backbone.
It is therefore necessary for decision makers including senior bureaucracy and political leadership to understand the technology along with its capabilities, advantages and limitations. The primary questions to be asked are:
(a) What is VOIP and how is it different from analogue communication?
(b) Can it be intercepted? If yes, how? Does the law provide for it, or is new legislation required?
(c) Can and should VOIP be banned?
(d) Has Information Communication Technology (ICT) moved forward since 2008, if yes, in which direction and what are the challenges?
VOIP TECHNOLOGY
Prior to the nuclear attack on Hiroshima and Nagasaki, all communication channels were analogue and ‘connection-service’. This means that two points can communicate over a wire if and only if they are physically connected.
However, one of the lessons of the nuclear attack was the need to establish a connectionless service, which means that communication was to be designed to take place even if one or more physically connected nodes are destroyed. DARPA created the Internet out of this requirement, and communication was established without a specific physical route, using the Internet Protocol (IP).
In place of a stream of current, packets are sent. If the route to the destination is found to be blocked or clogged, another route is found and the packets are delivered. An associated protocol called Transport Layer Protocol (TCP) ensures that all missed packets are fetched again. TCP also ensures that the contents of packets are correctly reassembled, i.e. an image is reassembled as an image and voice is reassembled as voice. To do this, there are 65535 ports to handle any application appropriately. They are similar to sea ports, which handle bulk, containers, petroleum etc. more efficiently. All TCP ports up to 1064 have an associated application. For example, port 80 is for HTTP (primary web connectivity), while ports 25 and 110 are associated with e-mail functions. Normally port numbers higher than 1024 are not fixed; for VOIP, however, ports 5060 and 5061 have been assigned. Please note that VOIP communication uses one of the most complex protocol architectures and is not as simple as explained here. The explanation is simplified with interception as its sole objective, to highlight that all such ports and Internet sessions related to VOIP can be easily identified. Therefore it is a myth, or perhaps a lack of knowledge, that either interception or blocking of VOIP communication is not possible.
Thus, the obvious question is: could VOIP communication during the 26/11 terrorist attack have been blocked? The answer is affirmative. The agencies were aware that VOIP was being used; even if they lacked the ability to intercept, they could have simply blocked Internet connectivity to all three sites under siege. This would have blocked guidance and motivation by the terrorists’ masters from Pakistan. Merely blocking port 5060 would have stopped VOIP communication while the rest of the Internet continued to be operational, if that was the operational requirement. Allowing the terrorists to communicate during the siege prolonged the anti-terrorist operation, causing deeper psychological scars in the memories of Indians. It will stay a mystery why such a simple action was not taken.
SHOULD VOIP BE BANNED?
Without going into many technical details, it is simpler to say that in the VOIP architecture the role of the VOIP server ends with the establishment of a call. Once digital signalling between two VOIP points is established, both end points start direct communication. In the Internet scheme of things, the IP addresses of both interacting parties get revealed, generally at TCP port 5060. Using IP geo-location services, the physical location of both end points can be found.
Now let’s raise the bar and assume that terrorists, instead of using any vendor, decide to establish an open source VOIP server on the cloud (cloud computing is a fast emerging field, where IT services can be hired on the go, like you buy an air ticket and not the aircraft) and redesign it to use an unusual port.
Technically, it is very much possible. But there is another trace which cannot be overcome. Since voice packets perforce have to arrive in the same sequence in which they left their place of origin, a virtual connection service is required to be established over the connectionless environment of the Internet. To achieve this, the QoS (Quality of Service) flag is set to 1, so that routers give priority to these packets and also remember the next router used by the previous packet. Not many other services use the QoS flag set to 1. If any such packet stream uses a port number other than 5060 or 5061, it must be analysed and assumed to be VOIP communication. If the QoS flag is forced and not set, then VOIP communication will be garbled.
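The following Python example is added here and is not from the original article. It applies the identification described above using header fields only: traffic on ports 5060/5061 is labelled as VOIP signalling, and a priority-marked stream on any other port is flagged for analysis. It assumes the article's "QoS flag" corresponds to a non-zero DSCP value in the IPv4 header; the function names and the sample packets are constructed for illustration.

```python
import socket
import struct
from collections import namedtuple

SIP_PORTS = {5060, 5061}          # VOIP signalling ports named in the article
TCP, UDP = 6, 17                  # IPv4 protocol numbers
Verdict = namedtuple("Verdict", "src dst sport dport dscp label")

def build_packet(src, dst, proto, sport, dport, dscp=0):
    """Constructed sample data: 20-byte IPv4 header plus 8 bytes of transport header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 28, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack("!HHI", sport, dport, 0)

def classify(packet):
    """Label one IPv4 packet using only header fields, never the payload."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4              # header length in bytes
    proto, dscp = packet[9], packet[1] >> 2   # DSCP = top 6 bits of the ToS byte
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    if proto not in (TCP, UDP):
        return Verdict(src, dst, None, None, dscp, "other")
    if ihl < 20 or len(packet) < ihl + 4:
        raise ValueError("truncated transport header")
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    if sport in SIP_PORTS or dport in SIP_PORTS:
        label = "voip-signalling"             # standard port: identified directly
    elif dscp != 0:
        label = "suspected-voip"              # priority-marked stream on an unusual port
    else:
        label = "unclassified"
    return Verdict(src, dst, sport, dport, dscp, label)

# Constructed sample traffic (documentation-range addresses, not real hosts).
SAMPLES = [
    build_packet("192.0.2.10", "198.51.100.5", UDP, 40000, 5060),
    build_packet("192.0.2.10", "203.0.113.7", UDP, 31000, 31002, dscp=46),
    build_packet("192.0.2.10", "198.51.100.9", TCP, 51515, 80),
]

def triage(packets):
    """Classify every packet in a capture and return the verdicts in order."""
    return [classify(p) for p in packets]

if __name__ == "__main__":
    for verdict in triage(SAMPLES):
        print(verdict)
```

Intermediate networks can rewrite or clear DSCP markings, and other real-time services also set them, so the "suspected-voip" label is a triage signal for deeper analysis rather than proof.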
VOIP communication is used extensively by business communities because it provides much cheaper communication. It is part of the Unified Communication platform, where voice, video, presence and messaging are provided in a comprehensive form. The bandwidth requirements are very low and international calls can be literally free. Any ban on VOIP by the Indian government will therefore increase the cost of operation for companies and thereby make them less competitive. The option of banning VOIP therefore does not exist. The only option is to understand the technology and counter it with technology.
Most commercial VOIP service providers use Session Border Controllers to protect VOIP servers from hack attacks. These are perfect points of lawful interception because system administrators can make such settings to intercept any call without the knowledge of either party.
In fact, had the terrorists in the 26/11 attack not used VOIP for communication, there would have been no voice recording. Indian investigating agencies could get the complete voice recording of the terrorists and their masters in Pakistan just because they used VOIP and, according to internal policy, such communication got recorded and was later retrieved.
The next obvious question concerns the statutory provisions for lawful interception of VOIP communication. The present modus operandi of Indian Law Enforcement Agencies, using the Telegraph Act for tapping, is without the force of law. The correct law is Section 69 of the Information Technology Act 2000. The relevant regulations have been published by the government with adequate safeguards. Therefore, there is no need for a new law, but agencies must smoothen out the process for using Section 69 of the IT Act instead of the Telegraph Act.
The emerging challenges include cloud computing, which lacks any governance model. Encryption technology is also growing reasonably fast and the government must keep pace. A lack of scientists with overlapping knowledge in mathematics and computer science can be harmful for our national security. Similarly, “Social Media” concepts need to be understood and used appropriately for statecraft. The challenges of technology must be countered through technology and not by any sledgehammer approach. This requires specialised knowledge and a multi-disciplinary approach. Therefore, to control and manage future cyber challenges, intelligence and law enforcement agencies need to be techno-leaders.
Use of Voice-Over-Internet-Protocol or any other technological tools by terrorists can only be met by staying ahead of the technology curve. The axiom of Electronic Warfare, “It is not possible to stop spiral of Counter EW therefore objective must be to impose high cost on enemy, while spending least”, is equally applicable in cyberspace. The author, Commander Mukesh Saini (Retd.), is a former National Information Security Coordinator of the Government of India.