Thanks for considering this unusual request for help.
I am an attorney and I am looking for help cracking a codec used by a company called Global Tel Link. They provide inmate telephone service to inmates at our local jail. The security of the recording system is an issue in one of my cases.
I don’t know anything about the black magic of phone systems (just a user), but I suspect their system is based on Asterisk. All calls are recorded by default in .wav format using what appears to be a proprietary or modified ulaw codec.
The local rep for Global Tel Link is an arrogant prick who testified that their system is 100% secure and that the call recordings cannot be altered and pass their validation system (they use a player to play the recordings). My brother (a former programmer) has been able to insert static into the recordings and have the recording validate through some sort of digital witchcraft, but he has not been able to insert new audio into the recording and get it to validate.
The static alone proves the Global Tel Link guy is wrong, but I would love to be able to insert “the Global Tel Link guy is full of crap” into a recording and have it pass validation and play it in court.
Any ideas or suggestions would be greatly appreciated.
From my brother: "It’s a variant of cyclic redundancy check. It was originally intended to detect inadvertently corrupted files. It was never intended to be used for authentication."
From my brother: "I am pretty sure that the player uses the Audio Compression Manager (ACM) to decode the audio streams, because I found references to ACM functions in the executable file. I tried decoding the audio with every codec I could find that is compatible with Microsoft’s ACM without success. However, there were plenty of codecs mentioned in the documentation that I could not find downloads for."
Can you provide a sample recording (that doesn’t contain any sensitive information)?
With luck, we can recognize the codec being used and should be able to alter a section of the audio.
While some checksum schemes make it almost impossible to alter the audio and retain the same checksum, it may be easy to just create a new checksum that matches the altered audio. If their system simply verifies that the file checksum is consistent with the audio content, you would be in luck.
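The distinction raised in this thread, between a checksum that is merely consistent with the content and one that authenticates it, shown as an added example (not posted by anyone in the thread, and not GTL's format). The payload-plus-trailer layout, the sample bytes and the key are constructed assumptions; HMAC-SHA256 stands in for what a verifier that needs tamper evidence would use instead of a CRC.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed stand-in for a recording; the payload-plus-trailer layout is assumed.
SAMPLE_AUDIO = b"RIFFdemo" + bytes(range(256)) * 4
VERIFIER_KEY = b"constructed-key-held-only-by-the-verifier"


def seal_crc(payload: bytes) -> bytes:
    """Append a CRC-32 trailer: an unkeyed error-detection code."""
    return payload + struct.pack("<I", zlib.crc32(payload))


def verify_crc(blob: bytes) -> bool:
    payload, trailer = blob[:-4], blob[-4:]
    return struct.unpack("<I", trailer)[0] == zlib.crc32(payload)


def seal_hmac(payload: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag: only holders of `key` can produce it."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def verify_hmac(blob: bytes, key: bytes) -> bool:
    payload, tag = blob[:-32], blob[-32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def edit_samples(payload: bytes) -> bytes:
    """Overwrite a run of samples, as any edit to the audio would."""
    return payload[:100] + b"\x7f" * 50 + payload[150:]


def compare_schemes() -> dict:
    edited = edit_samples(SAMPLE_AUDIO)
    return {
        # Original trailer left in place: the CRC catches the change.
        "crc_stale_trailer": verify_crc(edited + seal_crc(SAMPLE_AUDIO)[-4:]),
        # Trailer recomputed with no secret at all: the CRC check passes again.
        "crc_recomputed": verify_crc(seal_crc(edited)),
        # A tag made without the verifier's key is rejected.
        "hmac_wrong_key": verify_hmac(seal_hmac(edited, b"guess"), VERIFIER_KEY),
        "hmac_original": verify_hmac(seal_hmac(SAMPLE_AUDIO, VERIFIER_KEY), VERIFIER_KEY),
    }


if __name__ == "__main__":
    print(compare_schemes())
```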
You may be beyond this point. IANAL, and this assumes you are in the US (some inflections in your writing make me think you might not be), but request detailed technical documentation from GTL about their recording and validation system through legal discovery. You should be able to “simply ask”. Then have your experts go over what they turn over and challenge them on the docs without anything fancy… “Security research” like this is a grey area, and if you have to reverse engineer something, what you find may be inadmissible depending on local laws.
Thanks for such a thoughtful and careful reply. I am in the US.
The recordings in question are actually public records and are already in evidence. I don’t want to mess with GTL’s software - that could get me into serious trouble as you point out. I just want to alter the recordings in a manner that will pass the existing GTL validation scheme. My brother has successfully done that with static, but for some reason (that I don’t fully understand - I honestly don’t really know how codecs work) he wants to figure out which codec they use in order to be able to splice new audio into the recording and allow it to validate.
The GTL rep is falsely claiming that it is not possible to alter the recordings and have them pass validation. I’ve already disproven that, but it would be a lot more effective for a jury to hear “the GTL guy is wrong and this recording just passed the GTL validation system in front of your eyes, even though the recording has been altered” than for a jury to hear periods of static.
Stewart, I will see if I can do that, but I don’t think I can.
GTL sends the recordings on a disk along with their own player, which displays all kinds of metadata, including the numbers dialed. I will see if there is a way I can pare down to a recording or two that don’t have sensitive information.
It’s probably possible to get “static” by a replay attack, but what is replayed might not decrypt properly, or might only be able to repeat a short segment (20ms?).