[smb@cs.columbia.edu: serious threat models]
----- Forwarded message from "Steven M. Bellovin" <smb@cs.columbia.edu> -----
... Many top Greek officials, including the Prime Minister, and the U.S. embassy had their mobile phones tapped. What makes this interesting is how it was done: software was installed on the switch that diverted calls to a prepaid phone. Think about who could manage that.
not too hard, actually. softswitching makes this kind of hijinks relatively easy, and the Cirpack switching system Vodafone uses is commonly available (to those steeped in EU telco at least). [see http://www.cirpack.com/products/hvs.shtml ]

i test systems like this from excel/lucent that use a unix host controller communicating with one or more switch chassis full of blades for spans of T1/E1, SS7, etc. they send well defined packets over ethernet to configure switch spans and perform call handling. it's an ugly binary protocol, like most are, but easily manipulated. if you knew what you were doing it would be straightforward to insert a promiscuous device on the LAN or add a process on the unix host used by the softswitch that listened for incoming calls from a given set of MINs and one way conference these calls to a third party*. if you had access to a current version of the softswitch software itself for modification it would be even easier (most companies license sources and tailor or customize the software to run these switches so it's not quite as simple as a generic drop in replacement).

it took "a professional" to do this, sure, but the number of people skilled enough to pull this off is not a small number.

* the prepaid phones were probably vodafone as well, so that transit for the conferenced calls was all on the same network and would thus avoid using circuits from other carriers which would need to be accounted for. (that is to say, it would be much easier to hide these conferences as long as they stayed in network, rather than tying up spans to external carriers which would probably trigger accounting discrepancies)
On 2/3/06, coderman <coderman@gmail.com> wrote:
... the Cirpack switching system Vodafone uses is commonly available (to those steeped in EU telco at least). [see http://www.cirpack.com/products/hvs.shtml ]
i stand corrected. media reports have indicated Ericsson Mobile Softswitch was the software in question: http://www.ericsson.com/products/hp/Mobile_Core_pa.shtml

pretty much any softswitch technology is vulnerable to this type of attack. see also: http://en.wikipedia.org/wiki/Softswitch , although some of this description is a bit misleading or applies to a particular architecture.

note that some carriers, like Sprint, build their own softswitching systems in house. presumably these would be more resistant to tampering as the detailed information required to mount such an attack is protected via trade secret and non disclosure.
Coderman's on to something here...
if you knew what you were doing it would be straightforward to insert a promiscuous device on the LAN or add a process on the unix host used by the softswitch that listened for incoming calls from a given set of MINs and one way conference these calls to a third party*. if you had access to a current version of the softswitch software itself for modification it would be even easier (most companies license sources and tailor or customize the software to run these switches so it's not quite as simple as a generic drop in replacement).
it took "a professional" to do this, sure, but the number of people skilled enough to pull this off is not a small number.
I actually strongly suspect Vodafone cooperation in this. "Seeding" a remote software upgrade to a switch like this is extremely difficult if you're coming in from another vendor's gear. Right now I believe they would've had to gain physical access and install the software in person, otherwise they'd have to go through the local Greek NOC. I suppose it's POSSIBLE they modified the Vodafone software and remotely seeded it without anyone being the wiser, but what? No one noticed a bunch of DS0s were all of a sudden provisioned with unknown traffic? But no doubt they had copies of the gear, no doubt they had access to the firmware code, no doubt they had telco gear coders (something that's practically nonexistent in Greece right now)... If you ask me, Vodafone's playing dumb in light of EFF suing AT&T. They realized there's no way they could hide that if someone was inspired to start looking more closely.

-TD
some additional details on this interesting tap...

On 2/3/06, Tyler Durden <camera_lumina@hotmail.com> wrote:
...
if you knew what you were doing it would be straightforward to insert a promiscuous device on the LAN or add a process on the unix host used by the softswitch that listened for incoming calls from a given set of MINs and one way conference these calls to a third party*. if you had access to a current version of the softswitch software itself for modification it would be even easier (most companies license sources and tailor or customize the software to run these switches so it's not quite as simple as a generic drop in replacement).
it took "a professional" to do this, sure, but the number of people skilled enough to pull this off is not a small number.
I actually strongly suspect Vodaphone cooperation in this.
"Seeding" a remote software upgrade to a switch like this is extremely difficult if you're coming in from another vendor's gear. Right now I believe they would've had to gain physical access and install the software in person, otherwise they'd have to go through the local Greek NOC.
looks like it was indeed an inside job (and one of the vodafone techs mysteriously committed suicide after the tapping was exposed? hmmm)

basically they hooked their spyware into the CALEA-like features which come standard in any commercial softswitch implementation and used it to capture and relay conversations to the pool of a dozen or so prepaid wireless phones. [note that CALEA isn't that complicated; it's simply a one way conference resource attached to a specific span/channel that is relayed to eve.]

funny how vodafone is trying to avoid any responsibility by highlighting the fact an ericsson insider wrote the code, while conveniently failing to mention it was a vodafone tech who put it in place. :)

http://www.ana.gr/anaweb/user/showplain?maindoc=4037837&maindocimg=4036819&service=10

"""
The CEO of Vodafone Greece George Koronias told a Parliamentary investigation on Thursday that Vodafone had at no time purchased the software used to carry out the illegal phone taps through its digital systems, while stressing that the people responsible had to have extremely high technical expertise and a deep knowledge of Ericsson's programming environment.

During his testimony, Koronias stressed that Vodafone had "not requested, not ordered and not received" the legal low-phone interception programme developed by Ericsson, which the phone-tappers had managed to activate in order to monitor the roughly 100 mobile phones that were under surveillance. He said that the low-phone interception programme was added to Ericsson systems at the request of its customers after the September 11 attacks, but underlined the costly service had not been purchased by Vodafone. Koronias also emphasised that the Greek mobile-phone provider had never been officially aware of the inactive low-phone interception software's presence in its systems, but only the supplier Ericsson.

At the same time he pointed out that Vodafone, as a provider, would not be given access to the source code for the software. Ericsson did not provide this to its customers and the software was operated only by Ericsson's authorised staff, he said. Asked who might have made the 'rogue' software, Koronias said that it would have to be someone with intimate knowledge of Ericsson's programming environment that could write directly in assembly language, which operators were not able to do. "The complexity of the programme points to someone with extremely high expertise," Koronias said, while clarifying that Vodafone's staff did not possess this level of skill.

...

Regarding the death of Vodafone staff member Costas Tsalikidis, Koronias said that he had brought this to the attention of the ministers and the Supreme Court prosecutor, placing himself and the company at their disposal, because it had coincided with the discovery of the 'ghost' software and informing the government.

In a re-opened investigation into Tsalikidis' death that is now underway, meanwhile, first-instance court prosecutor Ioannis Diotis on Thursday heard testimony from the coroner Giorgios Dilernia who examined the body at the time and the head of the coroners' service Philippos Koutsaftis. Dilernia said the 39-year-old's death had clearly been caused by hanging, while both coroners agreed on a verdict of suicide and said that disinterment of the body would not bring about any result. Tsalikidis was found hanged in March 2005, just days after the company discovered the 'ghost' software in its systems and informed the government. A police investigation at the time had attributed the death to suicide but this has been questioned by the family, especially in the light of later developments and the revelations about the phone-tapping scandal.
"""
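The thread's two detection angles, the accounting discrepancy from unexpected provisioned traffic and the intercept conference leg relayed to a small pool of prepaid numbers, can be checked by reconciling switch records against what was actually authorized. The following is an added example written for this page, not code from the thread, from Vodafone or from any switch vendor: it walks constructed CDR-style records, picks out lawful-intercept conference legs, flags any whose monitored party is not on the warrant list or whose relay destination is not an official collection number, and reports which relay numbers the rogue legs cluster on. The record format, field names and all numbers are assumptions.

```python
"""Reconcile intercept conference legs in CDR-style records against an
authorization list. Added example; record layout and field names are
assumptions, not any real switch's CDR format."""
from collections import Counter

# Constructed sample records: call_id|leg|a_number|b_number|relay_to
# leg is "call" for the normal two-party leg and "li" for a one-way
# lawful-intercept conference leg delivered to relay_to.
SAMPLE_CDR = """\
1001|call|+301111111|+302222222|
1001|li|+301111111|+302222222|+306900000001
1002|call|+303333333|+304444444|
1002|li|+303333333|+304444444|+306900000002
1003|call|+305555555|+306666666|
1003|li|+305555555|+306666666|+306900000001
1004|call|+307777777|+308888888|
1004|li|+307777777|+308888888|+301234567
""".splitlines()

# Constructed authorization data: numbers covered by a warrant, and the
# official collection numbers an intercept leg is allowed to relay to.
AUTHORIZED_TARGETS = {"+307777777"}
AUTHORIZED_RELAYS = {"+301234567"}


def parse_cdr(lines):
    """Parse pipe-separated records into dicts, skipping blank lines."""
    fields = ("call_id", "leg", "a_number", "b_number", "relay_to")
    return [dict(zip(fields, ln.split("|"))) for ln in lines if ln.strip()]


def unauthorized_intercepts(records, targets, relays):
    """Return intercept legs whose monitored party is not a warrant target
    or whose relay destination is not an official collection number."""
    bad = []
    for r in records:
        if r["leg"] != "li":
            continue
        monitored_ok = r["a_number"] in targets or r["b_number"] in targets
        if not (monitored_ok and r["relay_to"] in relays):
            bad.append(r)
    return bad


def relay_pool(bad_legs):
    """Count rogue legs per relay number; a handful of numbers collecting
    many legs is the prepaid-phone pool pattern described in the thread."""
    return Counter(r["relay_to"] for r in bad_legs)


if __name__ == "__main__":
    rogue = unauthorized_intercepts(parse_cdr(SAMPLE_CDR),
                                    AUTHORIZED_TARGETS, AUTHORIZED_RELAYS)
    for num, n in relay_pool(rogue).most_common():
        print(f"{num}: {n} unauthorized intercept leg(s)")
```

In a real deployment the authorization sets would come from the warrant register, and the same reconciliation should be run against the switch's own intercept target table, not only against call records.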