Schneier on Security
A blog covering security and security technology.
March 1, 2006
More on Greek Wiretapping
Earlier this month I blogged about a wiretapping scandal in Greece.
Unknowns tapped the mobile phones of about 100 Greek politicians and offices, including the U.S. embassy in Athens and the Greek prime minister.
More details are emerging. It turns out that the "malicious code" was actually code designed into the system. It's eavesdropping code put into the system for the police.
The attackers managed to bypass the authorization mechanisms of the eavesdropping system, and activate the "lawful interception" module in the mobile network. They then redirected about 100 numbers to 14 shadow numbers they controlled. (Here are translations of some of the press conferences with technical details. And here are details of the system used.)
There is an important security lesson here. I have long argued that when you build surveillance mechanisms into communication systems, you invite the bad guys to use those mechanisms for their own purposes. That's exactly what happened here.
UPDATED TO ADD (3/2): From a reader: "I have an update. There is some news from the 'Hellenic Authority for the Information and Communication Security and Privacy' with a few facts and I got a rumor that there is a root backdoor in the telnetd of Ericssons AXE backdoor. (No, I can't confirm the rumor.)"
Powered by Movable Type. Photo at top by Per Ervland.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.