[IP] Greek cellular wiretapping scandal
Begin forwarded message:
From: "Steven M. Bellovin" <smb@xxxxxxxxxxxxxxx>
Date: June 21, 2006 2:42:08 PM EDT
To: cryptography@xxxxxxxxxxxx
Subject: Greek cellular wiretapping scandal
The Greek cellular wiretapping scandal was the subject of a front-page
article in today's Wall Street Journal. (It's
http://online.wsj.com/article/SB115085571895085969.html?
mod=hps_us_pageone
for subscribers.) The broad outlines of the story are familiar to
anyone
who has been following the story -- a Lawful Intercept mechanism was
abused to send copies of certain calls to prepaid cell phone numbers --
but the details are interesting.
From a non-technical perspective, at least one death may be linked
to the
incident. A communications expert who was working on the switch
apparently
commited suicide, but this has been questioned by some. He
told his fiancée not long before he died that it had become "a
matter of life or death" that he leave [Vodafone]
The problem was discovered when some people had problems sending text
messages; the link between the two issues is unclear.
The bug itself wasn't simply a matter of turning on Lawful Intercept.
That software did exist in the switch, but everyone says it wasn't
activated and Ericsson wasn't paid for it. (Aside: Greece does have a
CALEA-like law, which means it should have been enabled.) Vodafone
denies
even knowing about such software, which strikes me as improbable. In
addition, the attack required some other software that activated the
Lawful Intercept but hid its existence. In other words, it was a rootkit
running on a phone switch. I have more than a passing aquaintance with
the complexity of phone switch software; doing that was *hard* for
anyone,
especially anyone not a switch developer. Installing the rogue software
quite likely involved "authorized access to Vodafone's networks".
Most suspicious, the prepaid phones that could pick up the calls
were in contact via phone calls and text messages with various
overseas destinations, namely the U.S., including Laurel, Md., the
U.K., Sweden and Australia, according to the ADAE preliminary
report. Some of these calls and messages were initiated and
received directly from the 14 interceptor phones and some were
relayed via a second group of at least three other prepaid phones
that also were in contact with the 14 interceptor phones.
Guess what's just to the east of Laurel, MD... On the other hand,
exposing links like that is clumsy -- could it be disinformation?
And one
of the phones monitored was from the American embassy in Athens -- or is
that the disinformation? Or is NSA spying on the embassy? You are in a
maze of twisty little spooks, all different.
The attack was very sophisticated, and required a great deal of arcane
knowledge. Whoever did it had detailed knowledge of Ericsson switches,
and probably a test lab with the proper Ericsson gear. It strongly
suggests that Ericsson and/or Vodafone insiders were involved -- my
guess
is both. But who did it, and why, remains obscure.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to
majordomo@xxxxxxxxxxxx
-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/