Greek Wiretapping Scandal

Back in February, I wrote about a major wiretapping scandal in Greece. The Wall Street Journal has a really interesting article (link only good for a week, unfortunately) about it:

Behind the bugging operation were two pieces of sophisticated software, according to Ericsson. One was Ericsson's own, some basic elements of which came as a preinstalled feature of the network equipment. When enabled, the feature can be used for lawful interception by government authorities, which has become increasingly common since the Sept. 11 terror attacks. But to use the interception feature, operators like Vodafone would need to pay Ericsson millions of dollars to purchase the additional hardware, software and passwords that are required to activate it. Both companies say Vodafone hadn't done that in Greece at the time.

The second element was the rogue software that the eavesdroppers implanted in parts of Vodafone's network to achieve two things: activate the Ericsson-made interception feature and at the same time hide all traces that the feature was in use. Ericsson, which analyzed the software in conjunction with Greece's independent telecom watchdog, says it didn't design, develop or install the rogue software.

The software allowed the cellphone calls of the targeted individuals to be monitored via 14 prepaid cellphones, according to the government officials and telecom experts probing the matter. They say when calls to or from one of the more than 100 targeted phones were made, the rogue software enabled one of the interceptor phones to be connected also.

The interceptor phones likely enabled conversations to be secretly recorded elsewhere, the government said during a February 2006 news conference. At least some of the prepaid cellphones were activated between June and August 2004. Such cellphones, particularly when paid for in cash, typically are harder to trace than those acquired with a monthly subscription plan.

Vodafone claims it didn't know that even the basic elements of the legal interception software were included in the equipment it bought. Ericsson never informed the service provider's top managers in Greece that the features were included nor was there a "special briefing" to the relevant technical division, according to a Vodafone statement in March.

But Ericsson's top executive in Greece, Bill Zikou, claimed during parliamentary-committee testimony that his company had informed Vodafone about the feature via its sales force and instruction manuals.

Vodafone and Ericsson discovered something was amiss in late January 2005 when some Greek cellphone users started complaining about problems sending text messages. Vodafone asked Ericsson to look into the issue. Ericsson's technicians spent several weeks trying to figure out the problem, with help from the equipment maker's technical experts at its headquarters in Sweden. In early March of that year, Ericsson's technicians told Vodafone's technology director in Greece of their unusual discovery about the cause of the problems: software that appeared to be capable of illegally monitoring calls. It's unclear exactly how the rogue software caused the text-messaging problem.

Ericsson confirmed the software was able to monitor calls, and Vodafone soon discovered that the targeted phones included those used by some of the country's most important officials. On March 8, Mr. Koronias ordered that the illegal bugging program be shut down, in a move he has said was made to protect the privacy of its customers. He called the prime minister's office the next evening.

The head of Greece's intelligence service, Ioannis Korantis, said in testimony before the parliamentary committee last month that Vodafone's disabling of the software before authorities could investigate hampered their efforts. "From the moment that the software was shut down, the string broke that could have lead us to who was behind this," he said. Separately, he distanced his own agency from the bugging effort, saying it didn't have the technical know-how to effectively monitor cellphone calls.

Posted on June 22, 2006 at 1:25 PM • 24 Comments

Comments

AGJune 22, 2006 2:33 PM

I just don't understand. Why?

Wouldnt a real bad guy just send a letter? or an encrypted IM? or speak in an uncommon lang? or tell someone they trust and have that person travel to the other person and give them the message?

ShuraJune 22, 2006 3:19 PM

: The head of Greece's intelligence service, Ioannis Korantis, said in testimony before the parliamentary committee last month that Vodafone's disabling of the software before authorities could investigate hampered their efforts. "From the moment that the software was shut down, the string broke that could have lead us to who was behind this," he said.

Incompetence on Vodafone's part, or did they just play the role of the useful idiot by making it impossible to determine who's *actually* behind it? Does Mr. Korantis really have no idea? And for that matter, does he actually want the public to know who did it?

: Separately, he distanced his own agency from the bugging effort, saying it didn't have the technical know-how to effectively monitor cellphone calls.

Haha, good one.

betabugJune 22, 2006 3:24 PM

More shoving around the blame. Here in Greece we've heard this all so many times.

I highly doubt that Vodafone ran its systems without lawful interception ability. Not in this world.

Also I am not so sure that an attacker would have to set up an Ericsson system - sounds like a "security through obscurity" defense line. An attacker who gained a foot in could have bootstrapped this up step by step. Those systems are based on standard Sun Solaris after all.

For ADAE it is likely a relieve to claim that this level of expertise isn't available in Greece. But frankly when I met them I did not get the impression that they are the top hackers themselves. They likely just listen to what Vodafone and Ericsson tell them.

BenJune 22, 2006 4:39 PM

"Wouldnt a real bad guy just send a letter? or an encrypted IM? or speak in an uncommon lang? or tell someone they trust and have that person travel to the other person and give them the message?"

In this case, the targets of the eavesdropping were mainly not "bad guys". The list included government ministers, including the Prime Minister, other officials (some involved in the Olympics, I think), a handset used by Greek police protecting the US Embassy in Athens, as well as some guy with a family connection to a Middle Eastern terrorist.

The reason the US is a suspect in all this (apart from the fact that the "shadow" phones forwarding traffic were near the US Embassy, and SMS pointing to the NSA) is that it looks like whoever was listening in was concerned about the preparations for the Olympics - perhaps implying they were checking up to see that the Greeks weren't being lax. (Or planning an attack, of course, but this seems too sophisticated for terrorists, and of course nothing happened.)

On the other hand, if the NSA were setting up a network like this, you'd think they'd have made it a bit less incriminating when discovered. Sending text messages to the neighbourhood of NSA HQ, putting the phones around the US embassy - seems like it would be easy to avoid doing those things and still get the desired results. Hence the theory that the network was designed to look like a US operation if discovered, and is actually the work of someone else.

royJune 22, 2006 6:12 PM

It really doesn't matter if the NSA was behind it. If evidence points to them, they'll deny it. Or arrest the people who collected the evidence, charging them with leaking state secrets.

CarmudgeonJune 22, 2006 6:56 PM

"(National Security) Agency spokesman Don Weber said the 'NSA takes its legal responsibilities seriously and operates within the law.' "

That's it. I've got no other punch line.

Rob MayfieldJune 22, 2006 6:59 PM

@roy: or they'll call them terrorists and have them whisked away secretly to one of the 37 secret holding camps they have dotted around the globe, never to be seen again ...

Andre FucsJune 22, 2006 7:25 PM

"But to use the interception feature, operators like Vodafone would need to pay Ericsson millions of dollars to purchase the additional hardware, software and passwords that are required to activate it."

LOL. C'mon.... a mobile phone network switch without LEA!?!?!? It sounds like that in Greece they are using Trojan Mobiles. Instead of using LI facilities they put a person inside the mobile...

Good one. good one.

VickiJune 22, 2006 8:55 PM

As noted, that someone's phone is being tapped doesn't mean they're "real bad guys," and this particular attack was aimed at people who either knew the Greek government was recording some of their activities (it's possible that they record phone calls from some government phones, for example) or had no reason to expect the Greek police or government to be tapping their phones.

Also, a "real bad guy" might not trust the postal system either; the people delivering the mail can track who you're getting mail from, likely who you're sending it to, and probably read your letters. There isn't an unlimited supply of trusted-by-both-people couriers. As for speaking an uncommon language, first you and your co-conspirators have to learn one that nobody around you knows, without attracting attention in the process. Good luck being sure, in a cosmopolitan city, that the person across from you on the bus, or at the cafe across the street, doesn't also happen to speak your obscure language of choice.

Dimitris AndrakakisJune 23, 2006 2:12 AM

@Shura:

C'mon on, do you really thing that the EYP (Greek Information Bureau) has *this* kind of technical know-how ?

I seriously doubt that anyone except NSA, MI6, MOSSAD and 2-3 more agencies/armies/whatever in the world has it.

Christian KaiserJune 23, 2006 3:04 AM

@Dimitris:

"C'mon on, do you really thing that the EYP (Greek Information Bureau) has *this* kind of technical know-how ?"

No, but some Ericsson workers do have it. Which seems to be a valuable knowhow. Who knows they don't sell it?

Ch.

Clive RobinsonJune 23, 2006 5:18 AM

@Christian Kaiser

"but some Ericsson workers do have it."

Actually many many people have the information and the know how, you don't actually think that Ericsson directly employed the people who wrote the intercept software do you?

Or that the people who wrote the software only wrote it for Ericsson switches?

Without going into the whys and where fores of SS7 and the other very standard telcom systems, making an intercept "probe" is actually not that difficult. There are a large number of "probes" you can buy off the shelff from people like Agilent etc, copies of the binnary software would not be difficult to obtain duplicate or reverse engineer.

Also a simple hint, most switches can put calls on hold, and run conference calls to your mobile. Just how difficult do you think it would be to cobble something together around this inbuilt functionality alone?

You also need to be aware that something like 80% of UK phone calls are now carried via VoIP in one form or another often via "Telco Grade" Linux based systems.

I suspect the reason people are being a bit coy about things is that there is intercept software out there that can turn your mobile phone into a bug on demand amongst other things...

I likewise suspect that the people doing the intercept redirection used the software as a smoke screen as it appears to implicate "experts" in the telco or switch provider.

As somebody has pointed out Sun boxes are used for most of the telco stuff (perceived reliability etc) and they are most likley to be running Solaris 8 or earlier (most telcos did not like 9 and 10 has not been around long enough).

Also for business reasons these Sun boxes are usually fairly well issolated from any public networks. All the ones I have worked on if you have to do anything on them youy have to go through managment software (like PowerBroker) that records every keystroke etc you do. So I imagine there is an audit trail a mile wide unless the person had console access and 99% of these servers are run headless...

However that being said, the telcos do not employ there own staff to work on this stuff it is usually contracted out to either the switch provider or one of their affiliates. A year or so ago I was at a major site in the U.S. and guess what, the only real telco employees where off site some 50Km away, everybody including the Security staff where "outsource" staff...

So how difficult would it be to place one or more Squirrels?

IF you want to secure your Mobile phone calls go have a look at,

http://www.tripleton.com/products.htm

and get one of their secure phones, they have been passed by the UK Gov Security People as being acceptable for use.

NotBuyingItJune 23, 2006 7:34 AM

"But to use the interception feature, operators like Vodafone would need to pay Ericsson millions of dollars to purchase the additional hardware, software and passwords that are required to activate it."

Given that a simple hack made use of the feature, it is obvious that this is completely false. Either Vodafone is trying to feign stupidity, or a dark little secret of Ericsson marketing has been uncovered.

Regarding technical feasibility of the hack itself, I'm with Clive Robinson. It is feasible without needing to be in cahoots with the NSA, Mossad or any spook of choice - just a number of inept systems administrators, some buyable employee or ex-employee having completed a 3 or 4 day course in Sweden and a couple of contracting jobs in Vodafone would be needed.

The technical know-how angle is just somebody playing dumb.

JungsonnJune 23, 2006 7:57 AM

For the record:

Our (intelligence/secret service) "AIVD" which it is called in the Netherlands, have tapped a few journalists in last months.

For the first time in our history a judge has ruled against our secret service. They did this illegally. Pretty amazing judge if i may say. :)

Checks and BalancesJune 25, 2006 2:51 PM

Jungsonn wrote:
>Our (intelligence/secret service) "AIVD" which it is called in the Netherlands, have tapped a few journalists in last months.
>
>For the first time in our history a judge has ruled against our secret service. They did this illegally. Pretty amazing judge if i may say. :)>

Out of curiosity I googled on this and found this description of the situation in the Netherlands:
http://encyclopedia.vestigatio.com/...
"[AIVD's] methods and authorities include telephone and internet taps authorized by the minister of internal affairs (as opposed to a court order)"

"Before September 11th the Netherlands had the largest absolute number of wiretaps in the world, more even than the US (although international calls to and from the US never needed any court order to be intercepted and were not included in the figures). To this day it is a widely held belief that requests for wiretaps by the AIVD are always granted."


What's interesting about this to me as a US citizen is the mechanism by which there is some check-and-balance on a non-warranted wiretap. (AIVD wiretaps don't go through a court, but get approved by the Ministry of Internal Affairs, of which they are a part.)

hahahaJune 26, 2006 1:52 AM

So the Greek telco/govt didn't want to pay the exhorbitant license fee and hacked the OS instead.

But the implementation was buggy, and the manufacturer found them out.

So they denied everything, and claimed that someone else had done it to spy on *them*.

Do I get a prize?

RogerJune 28, 2006 7:31 PM

@hahahha:
I'd say you're pretty close on the ball.

The strongest argument against US involvement is that pretty well everyone who has looked into it believes that NSA has the ability to intercept and cryptanalyse GSM calls straight off the air, without leaving any fingerprints at all. Another factor is that they have an almost religious belief in protecting the "fragility of sources", and every form of interception that has ever been revealed has had been very strongly protected against capture or accidental compromise, i.e. they don't operate out of "safe houses" in the target city, they operate from warships cruising off the coast.

Looking at technical ability (focused on software only attack, so any developed country, and many developing ones, could do this), and type of targets (US embassy, Greek government, Islamic extremists) obvious candidates include Serbia, Turkey, perhaps Albania, and Greece itself, but I wouldn't rule out any Balkan state.

The hint that insider access was involved, and that Kostas Tsalikides (the Vodafone engineer who committed suicide) was a Greek citizen, combined with the remarkable _apparent_ ineptitude in tracing the operation, pushes Greece itself to the top of that list.

MikeJune 30, 2006 2:08 AM

This reminds me of a MI6 so-called British 'intelligence' kidnapping job in Greece, involving illegal interrogation of Pakistani 'terror suspects', and the lie of the 'free British press', that were ordered by U.K. goverment not to name a top MI6 officer; so we will name this MI6 bastard: his name is Nicholas Andrew Langman. By the way, thiis mi6 goon's photo appeared in Greek newspaper Elethoyphia newspaper recently, and we have lots of photocopies to leave around places.

ichJuly 9, 2006 2:06 AM

Well, it was only discovered since there was a bug that disturbed text messages...

So the other hacked Ericsson systems that are somewhat less buggy still are operating?

justmeJune 25, 2007 10:32 AM

Ill keep it sort:

Vodaphone bought Panaphone
Panaphone owned by a Greek guy called
Socratis Kokalis. (Mysteriously rich guy)

At the time the Greek Government judges were persecuting him for some crimes.
Never found out what happened with his cases. Mysteriously everyone went quiet about him. Did Vodaphone bought the Panaphone with the bug preinstalled?

And I wonder. If I was the only engineer working in Panaphone / Vodaphone who knew about the bug, what would I do if everything was about to be revealed? Personally I would be ready to face the consequences. But probably some others would like me to suicide.

justmeJune 25, 2007 10:33 AM

Ill keep it sort:

Vodaphone bought Panaphone
Panaphone owned by a Greek guy called
Socratis Kokalis. (Mysteriously rich guy)

At the time the Greek Government judges were persecuting him for some crimes.
Never found out what happened with his cases. Mysteriously everyone went quiet about him. Did Vodaphone bought the Panaphone with the bug preinstalled?

And I wonder. If I was the only engineer working in Panaphone / Vodaphone who knew about the bug, what would I do if everything was about to be revealed? Personally I would be ready to face the consequences. But probably some others would like me to suicide.

CritoAugust 14, 2007 7:19 AM

The apparent suicide is what cinched it for me. That's SOP for US/British intelligence when a low-level agent is about to be uncovered. They always commit suicide or have some kind of mysterious accident. Where do you think the mobsters learned it from? From working with the intelligence community during WWII to eliminate Nazi infiltrators.

The Greek intelligence community does not operate in that manner. And quite frankly, they couldn't afford to lose that kind of expertise. The guy might have disappeared and had his name changed, but they don't "whack" their own.

e-engineerFebruary 4, 2008 11:18 PM

The telco engineering job no longer seems to be what it used to. I must confess that there has been a bit of a co-incidence with some of the elements of this article.

1) Running through that strictly confidential IMS_USER_MANUAL is a picture of a GUI making reference to a machine (prsm07) that I christened and setup for Ericsson 10 years ago! How did that document end up on the internet?

2) In early 2006 I was talking to Bill Zikou about transferring to Ericsson Athens when his face appeared on local TV (delayed N.E.T. TV played in Australia) almost spraying my morning coffee (just like the movies)!

3) I have worked with Ericsson twice, the first time I ended it in 1998 when coming back from holidays to discover that one of our staff members had been knocked off (strangled to death)!

The first time I worked with Ericsson in 1997 it was a very process and procedure driven organisation with copious amounts of documentation to describe pretty much everything. In Australia, Ericsson had a CMM level of 2. During this period the manufacturing of phones and circuit boards became too expensive forcing the local factories to be closed and work either outsourced or sent to China, however software and services remained strong. My induction took roughly 2 months.

The second time I worked with Ericsson in 2006 I saw people with old skills trying to relive the old ways and blend in with the furniture. While I was away from Ericsson I modernised my skills (AGILE, SOA, opensource, etc). The new Ericsson was using Windows 2000 server on low specification PCs to do software development. And it gets worse – staff were bringing in their personal copies of windows 2003 server to meet 3PP requirements just to move forward. I could not convince Ericsson to use Linux, I struggled to introduce VMWARE (it ran like a dog), and was forced to use old unsupported Sun Microsystems hardware – including the original IMS development machine (which I reformatted of course). The only induction for new staff was to throw them in the deep end.

If I were to give Ericsson a CMM rating it would be minus five. Perhaps I am a bit hard as the cost of supporting the old way is now too expensive. However these issues were not technical but more managerial as other aspects besides software development were lacking. For example, security was explained to us but its practice was often ignored with an I-don't want-to-know-about-it attitude by managers. This led to practices like developers setting up IP tunnels over the internet between two Ericsson buildings to access test equipment that was not allowed to be connected to the local area network - sometimes we found the test servers had been hacked and filled with pornographic content. Once when working back late (and the only time I worked through the entire night) in a supposedly secured Ericsson building I could hear someone violently bashing the door on the floor I worked on (level 37) at 3am in the morning. I was very fortunate he didn't get through the last line of defence and that he did not hide in the toilets which were outside. I could not report this to anyone – was someone going to knock me off that night? The final confirmation of this apathy came from someone I know who does not work in IT (he works in law enforcement) told me that he found an Ericsson pass that looked recent which he actually bothered to take to Ericsson direct and in his words "they didn’t even seem to care".

In the Human Resources aspect I saw individuals with extremely lucrative contracts, I saw people who literally did nothing, I saw bullying, personal abuse, and a huge staff turnaround. My line manager as it turned out was friends with the underworld owner of the largest brothel in Australia and boasted about having flown on his private jet. I found it rather unusual that he send his secretary to request my username and password before I left which was against Ericsson policy which he knew – of course I refused. I thought all this was very un-Ericsson until I came across The Ericsson Group website which exposes a significant amount of corruption in the company.

This dysfunction in Ericsson I feel is causing the vulnerable weakness to security. This dysfunction was deliberately done as it allowed certain senior players to manoeuvre themselves for building stronger personal empires. Ericsson I found is very unlike the old days, even Bill Zikou who is now CEO of Ericsson Australia remarked on how much better organised they were in his region in Europe. A clue to who was responsible for creating this dysfunction in Ericsson Australia can be found in a quote used by our technically challenged (no formal engineering qualifications) but very street smart Oracle DBA who kept on surviving even after introducing so many show stoppers and even after crashing the customers live mobile phone network service – he used to say quite regularly and loudly "I'm not Jewish but I wish I was". Definitely not a normal place to work in, but if you think of the rewards of taking control of systems that allow you to listen in to big business and politics then you begin to attract a different breed of worker.

mpeimpiiiJuly 18, 2009 3:22 AM

A rather "late but never" update of March 2009 about the Vodafone Greece fine of wiretapping scandal.

The Hellenic Authority for Communication Security and Privacy (ADAE) is an authority with administrative independency in Greece. ADAE is responsible to submit its decisions to the Minister of Justice. At the end of every year, all the activities performed and the actions taken by ADAE are submitted to the President of the Parliament, the Minister of Justice and the Greek parliament.

ADAE (adae.gr) legally decided to charge a fine of 76 milion Euro to Vodafone Greece for the wiretapping scandal, however the Council of State (www.ste.gr) decided to cancel ADAE's fine leaving Vodafone Greece unpunished in the bigger political wiretapping scandal of Greek modern history.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..