[dave at farber.net: [IP] Greek cellular wiretapping scandal]

[coderman]

On 6/25/06, Eugen Leitl <eugen at leitl.org> wrote:
> ...
> The problem was discovered when some people had problems sending text
> messages; the link between the two issues is unclear.

all circuits busy!  oops.  the problem with one way conferences like
this is that you tie up significant switch resources (a "conference
resource" or other such name, in addition to the outbound spans
required for covert relay to destination).  the problems with text
messages probably occurred during peak usage periods when contention
for finite switch resources (provisioned _without_ clandestine
circuits in use :) hits service affecting limits.


> The bug itself wasn't simply a matter of turning on Lawful Intercept
> That software did exist in the switch, but everyone says it wasn't
> activated and Ericsson wasn't paid for it. (Aside: Greece does have a
> CALEA-like law, which means it should have been enabled.)

we are so familiar with license codes to activate functionality in
enterprise software i don't see why this is much of a point.  of
course there is CALEA like functionality.  the focus on CALEA is more
a bureaucratic aspect; the technical implementation of a one way
conference is trivial, the proper controls and administration for
CALEA implementation using such a technique is probably 10x to 100x
more effort to satisfy all the legal requirements and user friendly
feature richness.


>  ... In
> addition, the attack required some other software that activated the
> Lawful Intercept but hid its existence. In other words, it was a rootkit
> running on a phone switch.

bingo.  a very practical approach assuming you have the insider access
to implement.  maybe even hired a grey/black hat to code it (as SMB
mentioned the free reign hackers have enjoyed on telco neworks in the
past).


> I have more than a passing aquaintance with
> the complexity of phone switch software; doing that was *hard* for
> anyone, especially anyone not a switch developer.

it definitely appears to be the work of an Ericson telco coder working
in conjunction with the Vodafone tech to get the configuration and
deployment of the eavesdropping implemented.

the basic prerequisites:
- one telco coder who knows the API / state machine of the soft switch
to code to, either at an API level (sounds like it, as this was a
process working with the legitimate soft switch programs on a unix
host) but could be done at a network level (process monitoring and
injecting call process commands directly to switch hardware at a low
level - harder to do, but can be more stealthy)

- one technician who can supply the current switch configuration
(spans from towers / carriers, their signalling characteristics, etc)

- telco test configuration (a softswitch configuration as close to
target configuration as possible, a tsunami or other bulk call
generator / call test harness)

- time and money.

work out the proper configuration for identifying incoming calls of
interest, bridge to available one way conference, connect conference
outbound to pool of relay/destination cell phones.


>  Installing the rogue software
> quite likely involved "authorized access to Vodafone's networks".

that suicide looks really suspicious, doesn't it?


> ... the prepaid phones that could pick up the calls
>  were in contact via phone calls and text messages with various
>  overseas destinations, namely the U.S., including Laurel, Md.,

LOL, ROFFLE, etc.


> the U.K., Sweden and Australia, according to the ADAE preliminary
>  report. Some of these calls and messages were initiated and
>  received directly from the 14 interceptor phones and some were
>  relayed via a second group of at least three other prepaid phones
>  that also were in contact with the 14 interceptor phones.

the nature of this relay would be interesting to discover.  was this a
forwarded type relay (i.e. handset not active, forward to this
number?) or a store and forward, like voicemail, or what?


> Guess what's just to the east of Laurel, MD...  On the other hand,
> exposing links like that is clumsy -- could it be disinformation?

it was intentional, there's no way that was an accident.  perhaps it
was intentional so they could say of course we didn't do it because
we're not that stupid?  or perhaps it's all an elaborate ruse to make
us think in that direction, and clearly i shouldn't choose the cup in
front of me! ..  er,  back to the story:


> And one
> of the phones monitored was from the American embassy in Athens -- or is
> that the disinformation?  Or is NSA spying on the embassy?  You are in a
> maze of twisty little spooks, all different.

mission accomplished, too many contradictions and potential deceits
and distractions.  need to talk to someone with knowledge of the
activity (oh wait, that problem is neatly resolved by convenient
suicide)

oh well, speculation is more fun anyway...


> The attack was very sophisticated, and required a great deal of arcane
> knowledge.

not arcane, just highly specialized and complicated.  people do this
all the time all over the world for a living.  ho hum, soft switching
hasn't been rocket science since the 1990's :P


> Whoever did it had detailed knowledge of Ericsson switches,
> and probably a test lab with the proper Ericsson gear.  It strongly
> suggests that Ericsson and/or Vodafone insiders were involved -- my
> guess
> is both.

yup, agreed on all counts.  since the Vodafone insider is "expired"
perhaps the Ericsson / telco coder will surface with a additional
digging.  i'd bet on powerball before that outcome though...