[smb at cs.columbia.edu: serious threat models]

coderman coderman at gmail.com
Fri Feb 3 08:51:18 PST 2006


> ... Many top Greek officials, including the Prime Minister, and
> the U.S. embassy had their mobile phones tapped.  What makes this
> interesting is how it was done: software was installed on the switch
> that diverted calls to a prepaid phone.  Think about who could manage
> that.

not too hard, actually.  softswitching makes this kind of hijinks
relatively easy, and the Cirpack switching system Vodafone uses is
commonly available (to those steeped in EU telco at least).
[see http://www.cirpack.com/products/hvs.shtml ]

i test systems like this from excel/lucent that use a unix host
controller communicating with one or more switch chassis full of
blades for spans of T1/E1, SS7, etc.  they send well defined packets
over ethernet to configure switch spans and perform call handling. 
it's an ugly binary protocol, like most are, but easily manipulated.

if you knew what you were doing it would be straightforward to insert
a promiscuous device on the LAN or add a process on the unix host used
by the softswitch that listened for incoming calls from a given set of
MINs and one-way conference these calls to a third party*.  if you
had access to a current version of the softswitch software itself for
modification it would be even easier (most companies license sources
and tailor or customize the software to run these switches so it's not
quite as simple as a generic drop-in replacement).

it took "a professional" to do this, sure, but the number of people
skilled enough to pull this off is not a small number.

* the prepaid phones were probably vodafone as well, so that transit
for the conferenced calls was all on the same network and would thus
avoid using circuits from other carriers which would need to be
accounted for. (that is to say, it would be much easier to hide these
conferences as long as they stayed in network, rather than tying up
spans to external carriers which would probably trigger accounting
discrepancies)




