On 6/25/06, Eugen Leitl <eugen@leitl.org> wrote:
... The problem was discovered when some people had problems sending text messages; the link between the two issues is unclear.
all circuits busy! oops. the problem with one way conferences like this is that you tie up significant switch resources (a "conference resource" or other such name, in addition to the outbound spans required for covert relay to destination). the problems with text messages probably occurred during peak usage periods when contention for finite switch resources (provisioned _without_ clandestine circuits in use :) hits service affecting limits.
The bug itself wasn't simply a matter of turning on Lawful Intercept That software did exist in the switch, but everyone says it wasn't activated and Ericsson wasn't paid for it. (Aside: Greece does have a CALEA-like law, which means it should have been enabled.)
we are so familiar with license codes to activate functionality in enterprise software i don't see why this is much of a point. of course there is CALEA like functionality. the focus on CALEA is more a bureaucratic aspect; the technical implementation of a one way conference is trivial, the proper controls and administration for CALEA implementation using such a technique is probably 10x to 100x more effort to satisfy all the legal requirements and user friendly feature richness.
... In addition, the attack required some other software that activated the Lawful Intercept but hid its existence. In other words, it was a rootkit running on a phone switch.
bingo. a very practical approach assuming you have the insider access to implement. maybe even hired a grey/black hat to code it (as SMB mentioned the free reign hackers have enjoyed on telco neworks in the past).
I have more than a passing aquaintance with the complexity of phone switch software; doing that was *hard* for anyone, especially anyone not a switch developer.
it definitely appears to be the work of an Ericson telco coder working in conjunction with the Vodafone tech to get the configuration and deployment of the eavesdropping implemented. the basic prerequisites: - one telco coder who knows the API / state machine of the soft switch to code to, either at an API level (sounds like it, as this was a process working with the legitimate soft switch programs on a unix host) but could be done at a network level (process monitoring and injecting call process commands directly to switch hardware at a low level - harder to do, but can be more stealthy) - one technician who can supply the current switch configuration (spans from towers / carriers, their signalling characteristics, etc) - telco test configuration (a softswitch configuration as close to target configuration as possible, a tsunami or other bulk call generator / call test harness) - time and money. work out the proper configuration for identifying incoming calls of interest, bridge to available one way conference, connect conference outbound to pool of relay/destination cell phones.
Installing the rogue software quite likely involved "authorized access to Vodafone's networks".
that suicide looks really suspicious, doesn't it?
... the prepaid phones that could pick up the calls were in contact via phone calls and text messages with various overseas destinations, namely the U.S., including Laurel, Md.,
LOL, ROFFLE, etc.
the U.K., Sweden and Australia, according to the ADAE preliminary report. Some of these calls and messages were initiated and received directly from the 14 interceptor phones and some were relayed via a second group of at least three other prepaid phones that also were in contact with the 14 interceptor phones.
the nature of this relay would be interesting to discover. was this a forwarded type relay (i.e. handset not active, forward to this number?) or a store and forward, like voicemail, or what?
Guess what's just to the east of Laurel, MD... On the other hand, exposing links like that is clumsy -- could it be disinformation?
it was intentional, there's no way that was an accident. perhaps it was intentional so they could say of course we didn't do it because we're not that stupid? or perhaps it's all an elaborate ruse to make us think in that direction, and clearly i shouldn't choose the cup in front of me! .. er, back to the story:
And one of the phones monitored was from the American embassy in Athens -- or is that the disinformation? Or is NSA spying on the embassy? You are in a maze of twisty little spooks, all different.
mission accomplished, too many contradictions and potential deceits and distractions. need to talk to someone with knowledge of the activity (oh wait, that problem is neatly resolved by convenient suicide) oh well, speculation is more fun anyway...
The attack was very sophisticated, and required a great deal of arcane knowledge.
not arcane, just highly specialized and complicated. people do this all the time all over the world for a living. ho hum, soft switching hasn't been rocket science since the 1990's :P
Whoever did it had detailed knowledge of Ericsson switches, and probably a test lab with the proper Ericsson gear. It strongly suggests that Ericsson and/or Vodafone insiders were involved -- my guess is both.
yup, agreed on all counts. since the Vodafone insider is "expired" perhaps the Ericsson / telco coder will surface with a additional digging. i'd bet on powerball before that outcome though...