The Greek cellular wiretapping scandal was the subject of a front-page article in today's Wall Street Journal. (It's http://online.wsj.com/article/SB115085571895085969.html? mod=hps_us_pageone for subscribers.) The broad outlines of the story are familiar to anyone who has been following the story -- a Lawful Intercept mechanism was abused to send copies of certain calls to prepaid cell phone numbers -- but the details are interesting.
From a non-technical perspective, at least one death may be linked to the incident. A communications expert who was working on the switch apparently commited suicide, but this has been questioned by some. He
told his fiancie not long before he died that it had become "a matter of life or death" that he leave [Vodafone] The problem was discovered when some people had problems sending text messages; the link between the two issues is unclear. The bug itself wasn't simply a matter of turning on Lawful Intercept. That software did exist in the switch, but everyone says it wasn't activated and Ericsson wasn't paid for it. (Aside: Greece does have a CALEA-like law, which means it should have been enabled.) Vodafone denies even knowing about such software, which strikes me as improbable. In addition, the attack required some other software that activated the Lawful Intercept but hid its existence. In other words, it was a rootkit running on a phone switch. I have more than a passing aquaintance with the complexity of phone switch software; doing that was *hard* for anyone, especially anyone not a switch developer. Installing the rogue software quite likely involved "authorized access to Vodafone's networks". Most suspicious, the prepaid phones that could pick up the calls were in contact via phone calls and text messages with various overseas destinations, namely the U.S., including Laurel, Md., the U.K., Sweden and Australia, according to the ADAE preliminary report. Some of these calls and messages were initiated and received directly from the 14 interceptor phones and some were relayed via a second group of at least three other prepaid phones that also were in contact with the 14 interceptor phones. Guess what's just to the east of Laurel, MD... On the other hand, exposing links like that is clumsy -- could it be disinformation? And one of the phones monitored was from the American embassy in Athens -- or is that the disinformation? Or is NSA spying on the embassy? You are in a maze of twisty little spooks, all different. The attack was very sophisticated, and required a great deal of arcane knowledge. Whoever did it had detailed knowledge of Ericsson switches, and probably a test lab with the proper Ericsson gear. It strongly suggests that Ericsson and/or Vodafone insiders were involved -- my guess is both. But who did it, and why, remains obscure. --Steven M. Bellovin, http://www.cs.columbia.edu/~smb --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com ------------------------------------- You are subscribed as eugen@leitl.org To manage your subscription, go to http://v2.listbox.com/member/?listname=ip Archives at: http://www.interesting-people.org/archives/interesting-people/ ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]