Greek cellular wiretapping scandal

Steven M. Bellovin smb at cs.columbia.edu
Wed Jun 21 02:42:08 PDT 2006


The Greek cellular wiretapping scandal was the subject of a front-page
article in today's Wall Street Journal.  (It's
http://online.wsj.com/article/SB115085571895085969.html?mod=hps_us_pageone
for subscribers.)  The broad outlines of the story are familiar to anyone
who has been following the story -- a Lawful Intercept mechanism was
abused to send copies of certain calls to prepaid cell phone numbers --
but the details are interesting.

From a non-technical perspective, at least one death may be linked to the
incident.  A communications expert who was working on the switch apparently
committed suicide, but this has been questioned by some.  He

	told his fiancée not long before he died that it had become "a
	matter of life or death" that he leave [Vodafone]

The problem was discovered when some people had problems sending text
messages; the link between the two issues is unclear.

The bug itself wasn't simply a matter of turning on Lawful Intercept.
That software did exist in the switch, but everyone says it wasn't
activated and Ericsson wasn't paid for it. (Aside: Greece does have a
CALEA-like law, which means it should have been enabled.)  Vodafone denies
even knowing about such software, which strikes me as improbable.  In
addition, the attack required some other software that activated the
Lawful Intercept but hid its existence. In other words, it was a rootkit
running on a phone switch.  I have more than a passing acquaintance with
the complexity of phone switch software; doing that was *hard* for anyone,
especially anyone not a switch developer.  Installing the rogue software
quite likely involved "authorized access to Vodafone's networks".

Most suspicious, the prepaid phones that could pick up the calls

	were in contact via phone calls and text messages with various
	overseas destinations, namely the U.S., including Laurel, Md., the
	U.K., Sweden and Australia, according to the ADAE preliminary
	report. Some of these calls and messages were initiated and
	received directly from the 14 interceptor phones and some were
	relayed via a second group of at least three other prepaid phones
	that also were in contact with the 14 interceptor phones.

Guess what's just to the east of Laurel, MD...  On the other hand,
exposing links like that is clumsy -- could it be disinformation?  And one
of the phones monitored was from the American embassy in Athens -- or is
that the disinformation?  Or is NSA spying on the embassy?  You are in a
maze of twisty little spooks, all different.

The attack was very sophisticated, and required a great deal of arcane
knowledge.  Whoever did it had detailed knowledge of Ericsson switches,
and probably a test lab with the proper Ericsson gear.  It strongly
suggests that Ericsson and/or Vodafone insiders were involved -- my guess
is both.  But who did it, and why, remains obscure.


		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb

---------------------------------------------------------------------
The Cryptography Mailing List
----- End forwarded message -----