Greek cellular wiretapping scandal

Steven M. Bellovin smb at cs.columbia.edu
Wed Jun 21 14:42:08 EDT 2006 

The Greek cellular wiretapping scandal was the subject of a front-page
article in today's Wall Street Journal.  (It's
http://online.wsj.com/article/SB115085571895085969.html?mod=hps_us_pageone
for subscribers.)  The broad outlines of the story are familiar to anyone
who has been following the story -- a Lawful Intercept mechanism was
abused to send copies of certain calls to prepaid cell phone numbers --
but the details are interesting.

>From a non-technical perspective, at least one death may be linked to the
incident.  A communications expert who was working on the switch apparently
commited suicide, but this has been questioned by some.  He

	told his fiancée not long before he died that it had become "a
	matter of life or death" that he leave [Vodafone]

The problem was discovered when some people had problems sending text
messages; the link between the two issues is unclear.

The bug itself wasn't simply a matter of turning on Lawful Intercept.
That software did exist in the switch, but everyone says it wasn't
activated and Ericsson wasn't paid for it. (Aside: Greece does have a
CALEA-like law, which means it should have been enabled.)  Vodafone denies
even knowing about such software, which strikes me as improbable.  In
addition, the attack required some other software that activated the
Lawful Intercept but hid its existence. In other words, it was a rootkit
running on a phone switch.  I have more than a passing aquaintance with
the complexity of phone switch software; doing that was *hard* for anyone,
especially anyone not a switch developer.  Installing the rogue software
quite likely involved "authorized access to Vodafone's networks".

Most suspicious, the prepaid phones that could pick up the calls

	were in contact via phone calls and text messages with various
	overseas destinations, namely the U.S., including Laurel, Md., the
	U.K., Sweden and Australia, according to the ADAE preliminary
	report. Some of these calls and messages were initiated and
	received directly from the 14 interceptor phones and some were
	relayed via a second group of at least three other prepaid phones
	that also were in contact with the 14 interceptor phones.

Guess what's just to the east of Laurel, MD...  On the other hand,
exposing links like that is clumsy -- could it be disinformation?  And one
of the phones monitored was from the American embassy in Athens -- or is
that the disinformation?  Or is NSA spying on the embassy?  You are in a
maze of twisty little spooks, all different.

The attack was very sophisticated, and required a great deal of arcane
knowledge.  Whoever did it had detailed knowledge of Ericsson switches,
and probably a test lab with the proper Ericsson gear.  It strongly
suggests that Ericsson and/or Vodafone insiders were involved -- my guess
is both.  But who did it, and why, remains obscure.


		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list