More on Greek Wiretapping

Earlier this month I blogged about a wiretapping scandal in Greece.

Unknowns tapped the mobile phones of about 100 Greek politicians and offices, including the U.S. embassy in Athens and the Greek prime minister.

Details are sketchy, but it seems that a piece of malicious code was discovered by Ericsson technicians in Vodafone's mobile phone software. The code tapped into the conference call system. It "conference called" phone calls to 14 prepaid mobile phones where the calls were recorded.

More details are emerging. It turns out that the "malicious code" was actually code designed into the system. It's eavesdropping code put into the system for the police.

The attackers managed to bypass the authorization mechanisms of the eavesdropping system, and activate the "lawful interception" module in the mobile network. They then redirected about 100 numbers to 14 shadow numbers they controlled. (Here are translations of some of the press conferences with technical details. And here are details of the system used.)

There is an important security lesson here. I have long argued that when you build surveillance mechanisms into communication systems, you invite the bad guys to use those mechanisms for their own purposes. That's exactly what happened here.
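One defensive check this incident points to, shown as an added example that is not part of the original post: reconcile the intercepts actually provisioned on the switches against the authorized list, and flag delivery numbers that collect many targets. It assumes the switch-side intercept list can be exported independently of the management system. The record layout, switch names and phone numbers are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: record layout, switch names and numbers are illustrative.
# Intercepts the management system has authorized: target -> delivery number.
AUTHORIZED = {
    "+30690000001": "+30210000100",
    "+30690000002": "+30210000100",
}

# Intercept entries as exported from each switch (constructed).
PROVISIONED = [
    {"switch": "MSC-A", "target": "+30690000001", "deliver_to": "+30210000100"},
    {"switch": "MSC-A", "target": "+30690000010", "deliver_to": "+30690009001"},
    {"switch": "MSC-B", "target": "+30690000011", "deliver_to": "+30690009001"},
    {"switch": "MSC-B", "target": "+30690000012", "deliver_to": "+30690009001"},
    {"switch": "MSC-B", "target": "+30690000002", "deliver_to": "+30690009002"},
]


def reconcile(authorized, provisioned, fan_in_threshold=3):
    """Return findings for switch-side intercepts that lack a matching authorization."""
    findings = []
    fan_in = defaultdict(set)  # delivery number -> targets copied to it
    for rec in provisioned:
        target, dest = rec["target"], rec["deliver_to"]
        fan_in[dest].add(target)
        if target not in authorized:
            # Intercept exists on the switch but nobody authorized it.
            findings.append(("UNAUTHORIZED_TARGET", rec["switch"], target, dest))
        elif authorized[target] != dest:
            # Authorized target, but the call copy goes somewhere else.
            findings.append(("DELIVERY_MISMATCH", rec["switch"], target, dest))
    known_dests = set(authorized.values())
    for dest, targets in sorted(fan_in.items()):
        # Many targets funnelled to one unknown number: the "shadow number" pattern.
        if dest not in known_dests and len(targets) >= fan_in_threshold:
            findings.append(("SHADOW_FAN_IN", None, dest, len(targets)))
    return findings


if __name__ == "__main__":
    for finding in reconcile(AUTHORIZED, PROVISIONED):
        print(finding)
```
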

UPDATED TO ADD (3/2): From a reader: "I have an update. There is some news from the 'Hellenic Authority for the Information and Communication Security and Privacy' with a few facts and I got a rumor that there is a root backdoor in the telnetd of Ericsson's AXE backdoor. (No, I can't confirm the rumor.)"

Posted on March 1, 2006 at 8:04 AM • 14 Comments

Comments

Dimitris Andrakakis • March 1, 2006 9:06 AM

The technical committee that examines the issue concluded that the "intruders" must have had physical access -- there was no way this could have been done remotely. So it's an insider thing.

Link (in Greek, unfortunately, but you can translate at systran.otenet.gr):
http://www.enet.gr/online/online_hprint.jsp?...

Andre LePlume • March 1, 2006 9:09 AM

@Dimitris:

Thanks for that additional info.

This underlines the point that "law enforcement" backdoors invite insider abuse.

Chris S • March 1, 2006 9:18 AM

Although it is partly an insider attack, keep in mind that those avenues are always open...

In the original Latin...

"Nihil tam munitum quod non expugnari pecunia possit" --Cicero

or "No fortress is so strong it cannot be taken by money" ...

You can always buy an insider for the physical access part. If you are ingenious enough, you only need to buy the insider once, and if you are really ingenious, the insider doesn't even know what they enabled.

In this case, without the lawful intercept system, the damage an insider could have done would have been much more limited.

Flo • March 1, 2006 10:05 AM

So, Vodafone detected this abuse of their mandated lawful intercept backdoor through 'routine' software controls. That's an interesting explanation -- and raises some questions of its own.

But I'm more interested in:

Who were the attackers/eavesdroppers?
Is it known what the eavesdroppers heard?
Have there been arrests?

Roy • March 1, 2006 11:46 AM

When the police can coerce a communication service into giving them a backdoor, they will also force them to prevent an audit trail. Why? Because the police will want to spy without the impediments of warrants. When they find somebody dirty, then they can dummy up some evidence to show the judge to get the warrant, then use the warrant-supported surveillance in court to convict the dirty guy.

Our FBI calls their own illegal unwarranted surveillance 'intel', as opposed to 'evidence', which they can use in court.

Because there is no audit trail, the system is open to anyone who learns how to get in.

Our judiciary subscribes to the idiotic premise that the police cannot uphold the law without breaking it first. I submit that this is the root of all evil.

moz • March 1, 2006 3:28 PM

@Dimitris Andrakakis

I call bull. This could definitely be done without physical access. Telephone exchanges are essentially large computers. Everything is remotely accessible. Doing so without insider knowledge would be difficult, but not nearly impossible depending on the level of security of the network. The one thing which would often be done with local access would be the installation/activation of the lawful interception software.

Please note also, that the papers given by Bruce do not describe the monitoring system. They describe the monitoring _management_ system. That would be a physically separate computer. The claim that the software was installed secretly wouldn't really match with an extra HP workstation suddenly appearing.

It is possible that the standard switch software used in Greece has the needed MML commands, but the IMS itself wasn't installed. The intercepts would have been configured manually. Note, that the Ericsson architecture described in the documents means that if there wasn't a central IMS, the attackers had access to every individual switch in the network (10s across different cities) or at least several (required just to monitor subscribers moving around Athens).

I do not understand the bit about the interception only being active when the phones were calling. How do you know the phone is calling if there isn't an interception set up? Maybe it just means "if nobody was calling, then they weren't monitoring the call" which is kind of obvious.

Given what we've heard so far, which seems quite skillful, I wonder what they would have found if they did locate the phones? A secure room with a high speed internet connection? Data being uploaded to zombies in a different country?

Collin • March 1, 2006 4:02 PM

...another case to show the usefulness of end-to-end encryption of (mobile) communication... these people are just insane to allow a prime minister and other officials to use normal mobile phone equipment...

Roger • March 1, 2006 11:19 PM

@moz:

Interesting analysis, thanks.

"...if they did locate the phones? A secure room with a high speed internet connection?"

Perhaps going out over WPA2 encrypted 802.11g over a 20 dBi flat panel antenna mounted sideways, to give +/-45° vertically and 10° horizontally. With the antenna mounted on a rotatable shaft, and the moment the burglar alarm triggers, a solenoid switches off and a falling weight rotates the mast to a random direction. The GSM modems, 802.11 base and glue logic are sitting in a cheap fire-resisting safe lying on its back (antenna cables and power running out the bolt-down holes), and seconds later the thermite turns it all to slag.

betabug • March 2, 2006 2:35 AM

I've heard some rumors about telnetd on Ericsson's AXE platform having a backdoor, something like the old "service accounts"... see my link for details.

The newspaper "Ta Nea" says that "maximum 10 people at Ericsson and Vodafone" had access to the systems.

Tried to post a trackback, but all I get is "You are pinging trackbacks too quickly. Please try again later." even though I haven't sent a trackback here in weeks.

Dimitris Andrakakis • March 2, 2006 3:44 AM

@moz:

I'm by no means a security expert, much less a telco one. This is a conclusion from the Authority for the Information and Communication Security and Privacy.

Anonymous • May 3, 2006 2:07 PM

Dear Sir,

I want to know Mr Bruce Schneier.

Why? He has been my hero since I started to know about cryptography. And now, I am writing on cryptography as my project. I need his technical assistance, it's a lot of units this project work, and I want to score an "A"

My name is Nathan O. Justice

Gisle Vanem • March 14, 2009 1:46 PM

I used to work at LM Ericsson AB Oy in Finland in 1900-91. I never saw proof of what's being claimed above, but it would not surprise me one bit. Ericsson is an evil company with deep connections to the Russian intelligence (FSB or the former KGB). I vividly remember there were stories floating around that backdoors were built in the AXE system. This was almost 20 years ago. I dare not think of what they are up to today.

Clive Robinson • March 15, 2009 3:09 AM

@ Gisle Vanem,

"Ericsson is an evil company with deep connections to the Russian intelligence (FSB or the former KGB)."

Perhaps, perhaps not. The same could be said of their connections to the US, UK and Swedish intelligence services.

Historically Finland has always had a very very uneasy time with Russia and the West.

The Finns know that the only reason they were not invaded like other European nations bordering Russia was luck and being meeker than a mouse in a cattery.

All through the cold war they had to the South just across the Gulf of Finland Estonia to remind them of what could happen at a moment's notice...

And to the North Norway, with the Nazi occupation during the second world war still fresh in most of the population's mind.

As I said in my comments to Bruce's previous blog on this particular subject 90% of the software required to do this sort of eavesdropping is part of the normal functionality of a telco switch. All that was required is a little code to hook it all together.

The reason I did not bother posting to this blog at the time is I could see that the report was a bit of a "white wash job" by the three main parties involved as they "wiped the egg off their faces" and started to "close the stable door".

My guess as to why it was discovered would have been either a billing anomaly (read Clifford Stoll's cuckoo book to see what that leads to) or a routine software update not functioning because of the unexpected hooks etc in the code from the illicit code.

The people who wrote the illicit code were/are human and cannot see into the future. Therefore although they could test their code did not cause problems with Ericsson code current at the time they had no way of knowing what future code would do.

This tends to suggest two things.

1, The three main parties were not complicit in what went on.

2, The person or persons who wrote the illicit code were very well resourced. Or had fairly intimate access to Ericsson's switch code development.

With regards the latter point it would not be beyond the resources of many intel agencies or even a freelancer to get into the Ericsson development team, they do employ a large number of contractors of various nationalities.

As I have pointed out in comments on other of Bruce's blog pages in the past "crackers" have evolved past the "ego food" stage and become "guns for hire". Criminals and Intel organisations (GO & NGO) usually have large amounts of "hush money" available to finance such things. And to be honest the amount of money required by a freelancer would be just a drop in the ocean of large marketing organisation's expense account.

If you want to find out a little more about NGO Intel organisations you could start by looking at Kroll Associates.
