Story of the Greek Wiretapping Scandal

I've blogged a few times about the Greek wiretapping scandal. A system to allow the police to eavesdrop on conversations was abused (surprise, surprise).

Anyway, there's a really good technical analysis in IEEE Spectrum this month.

On 9 March 2005, a 38-year-old Greek electrical engineer named Costas Tsalikidis was found hanged in his Athens loft apartment, an apparent suicide. It would prove to be merely the first public news of a scandal that would roil Greece for months.

The next day, the prime minister of Greece was told that his cellphone was being bugged, as were those of the mayor of Athens and at least 100 other high-ranking dignitaries, including an employee of the U.S. embassy. [See sidebar "CEOs, MPs, & a PM."]

The victims were customers of Athens-based Vodafone-Panafon, generally known as Vodafone Greece, the country's largest cellular service provider; Tsalikidis was in charge of network planning at the company. A connection seemed obvious. Given the list of people and their positions at the time of the tapping, we can only imagine the sensitive political and diplomatic discussions, high-stakes business deals, or even marital indiscretions that may have been routinely overheard and, quite possibly, recorded.

[...]

A study of the Athens affair, surely the most bizarre and embarrassing scandal ever to engulf a major cellphone service provider, sheds considerable light on the measures networks can and should take to reduce their vulnerability to hackers and moles.

It's also a rare opportunity to get a glimpse of one of the most elusive of cybercrimes. Major network penetrations of any kind are exceedingly uncommon. They are hard to pull off, and equally hard to investigate.

See also blog entries by Matt Blaze, Steve Bellovin, and John Markoff; they make some good security points.

EDITED TO ADD (10/22): More info:

The head of Vodafone Greece told the Government that as soon as it discovered the tapping software, it removed it and notified the authorities. However, the shutdown of the equipment prompted strong criticism of Vodafone because it had prevented the authorities from tracing the taps.

Posted on July 10, 2007 at 12:34 PM • 15 Comments

Comments

derfJuly 10, 2007 1:24 PM

We just don't have enough imagination in congress to keep this from happening. If law said that the head of any government agency and/or telecom corporation involved in illegal wiretapping be required to listen to every illegal recording made by them in a loop for the rest of their natural life, we just might see a bit less enthusiasm for CALEA and a little more support for privacy rights.

Carlo GrazianiJuly 10, 2007 3:05 PM

The list of targeted phone owners is rather heterogeneous -- senior national politicians, defense staff, a mayor, a US embassy staffer, antiglobalization activists, etc. It makes it harder to try and understand what they were after, probably a deliberate addition of noise to conceal a signal.

If I were playing "guess the noise terms", I'd say the antiglobalizers are beneath the notice of people capable of this attack. The embassy staffer seems wrong too -- if you were going to this level of effort, wouldn't you go after the Ambassador, the CIA station chief, etc.?

The Prime Minister and other senior government figures might make sense for some kind of International espionage operation, but what was to be gained here that was worth using up this kind of attack? That's not what this feels like to me -- more like a short-term high-risk high-gain thing. Someone laid out some serious money for an operation that couldn't be expected to last for more than a few months. How can political espionage against Greece justify the expenditure and risk?

I hope they catch who did it. I'd really like to know the whole story.

costaslJuly 10, 2007 3:12 PM

This is a very good description of the technical part of the story.
The real story, though, is not here, and it will never be told: the real question is, who knew about this, long before it came out.

It may look like a criminal act that was accidentally discovered, but this theory lacks a suspect and a motive: it is very hard to find a private, criminal attacker with the resources and the motives to do this.

A lot of people believe that this was an Olympic "semi-official" back door that somebody managed to keep open after the Olympics. The public outing was a clever way to "kill" any tapes that might exist, containing embarrassing conversations.

CristalJuly 10, 2007 3:43 PM

Wow, John Markoff is rephrasing the entire article and you're copying and pasting half of it as usual. Perhaps we should consider you both IT dinosaurs and make sure we categorize you for the future generations. That's a point.

Peter E RetepJuly 10, 2007 3:54 PM

" it is very hard to find a private, criminal attacker with the resources and the motives to do this."

Take away the word 'criminal', and it is quite easy.

Carlo GrazianiJuly 10, 2007 4:38 PM

Shall we start a pool? I'll take $1 of "Someone used the wiretaps to obtain inside information relating to a large government contract, and used that information to make a lot of money".

BryanJuly 10, 2007 4:41 PM

I imagine that virtually all of the numbers wiretapped were not public. Is this true? If so, then only someone with access to this information could put it together. This means someone in the phone company or in law enforcement most likely was an instigator or co-opted.

I also wonder how many of the tappees made international calls. If they all did, then it becomes much more likely that someone in another country was behind it. (Think NSA :-)

NobodyJuly 10, 2007 7:26 PM

@Bryan

"I also wonder how many of the tappees made international calls. If they all did, then it becomes much more likely that someone in another country was behind it. (Think NSA :-)"

Perhaps I'm missing the point here but I thought the article said that the tap was an attack on calls made from mobiles in range of certain cells in Greece i.e. a localised attack. In this scenario it matters little whether the caller being tapped dials out to a local or international number.

My understanding of NSA tapping is that it cannot typically be tracked back to individuals in foreign countries; that does not fit in my understanding of the way that the NSA works.

Supposing the Greek authorities and Vodafone had responded brilliantly by tracking the tapped calls back to source. Imagine the embarrasment to the American government and the NSA of being caught like this. It just doesn't sound right to me.

I'd place my bet on a criminal conspiracy with some inside help.

Or perhaps I'm just naive.

Bruce SchneierJuly 10, 2007 8:17 PM

"Wow, John Markoff is rephrasing the entire article and you're copying and pasting half of it as usual. Perhaps we should consider you both IT dinosaurs and make sure we categorize you for the future generations. That's a point."

Perhaps. In general, I write some original material, comment on some things, and simply quote a lot more. I figure that it's better to get the information out there than wait until I have time to say something profound. And if someone else has already said the profound things, I'd rather credit him than say them another way.

Steven CherryJuly 11, 2007 9:22 AM

As the editor at Spectrum who worked on the final drafts of the article, can I recommend that Cristal check out wc, or the wordcount feature of his or her favorite word processor? I thought Markoff did a good job of summarizing the article in fewer than 600 words. Bruce quoted about 240.

The original article weighs in at about 6000 words, had two technical diagrams, a timeline, and snapshots of some of the key players. Our press release on the story was almost as long as Markoff's piece which brought us readers who might otherwise not have seen it. My only gripe is his calling us a journal, when we're a general-interest geeky magazine, appealing to many of the same readers as SciAm, Tech Review, Discover, and Wired.

To hit a substantive point for a moment:

"The embassy staffer seems wrong too -- if you were going to this level of effort, wouldn't you go after the Ambassador, the CIA station chief, etc.?"

My understanding is that those people weren't using Vodafone phones, or perhaps had hard-to-find anonymous or prepaid accounts. But I agree with the larger point that there seems to be been some noise deliberately thrown into the list. These guys, whoever they were, had an almost Moriarty-like level of competence.

AnonymousJuly 11, 2007 9:22 AM

There's an implicit story here about software modularity. According to the authors, the taps could be put in place because the switches had the code for performing the actual duplication and diversion of call streams but not the the code for doing authorized taps (which would have included logging to detect unauthorized taps). So the criminals could just roll their own log-free versions. Think of how many other pieces of software and hardware have been shipped over the years in versions with extra functions nominally "disabled" -- and the usual short time until someone figures out how to enable the extra-cost bits for free...

(There's also an implicit suggestion that having the monitoring system in place might have prevented the undetectable tapping. Given the thorough access the attackers had, this seems unlikely, but having the monitoring system in place would have imposed a choke point that made things more difficult.)

guvn'rJuly 11, 2007 12:32 PM

@Carlo Graziani, "wouldn't you go after [...] the CIA station chief, etc.?"

might some of the more interesting covert intel operatives would be billeted in apparently lowl-level uninteresting jobs?

Not a conspiracy theoristJuly 11, 2007 4:39 PM

What's interesting about threats from telecom insiders is that tapping isn't even needed.

Consider the example of Israeli-based Amdocs, which does the billing for many telecom providers in America and other countries. They have at their fingertips the list of who calls who in America.

Fox News (!) did an interesting 4-part report in 11/01 about allegations of Israeli spying inside the US. (Some Israeli Amdocs employees were detained in the post-9/11 investigation.)

The Fox report also covers the possible mis-use of Amdocs' data by organized crime.

http://www.youtube.com/watch?v=JWpWc_suPWo
http://en.wikipedia.org/wiki/Amdocs

jhon doeJuly 14, 2007 3:18 AM

Dear Mr. schneier,

i would like to point the attention on the "strange" suicide(d) of Adamo Bove, head of security at Telecom Italia Mobile, the country's largest telecommunications company. After the wiretapping scandal that have involved Giuliano Tavaroli (Chief of security),Fabio Ghioni (Chief of the tiger team) and Emanuele Cipriani (Private investigator) . Mr Bove left his car on a freeway in Naples and "jumped" from a overpass and fell for thirty meters, where was found dead. Mr Bove helped he Milan magistrates identify and reconstruct the mobile phone traffic during the kidnapping of Abu Omar in Milan on February 17, 2003 . It was this crucial investigative work that led to arrest warrants for 26 American agents and many of their Italian secret service members accomplices.

here's some interesting information about this case

http://www.eurotrib.com/?...

http://www.beppegrillo.it/eng/2006/08/...

MoeJuly 15, 2007 6:45 PM

"The embassy staffer seems wrong too -- if you were going to this level of effort, wouldn't you go after the Ambassador, the CIA station chief, etc.?"

Not if the CIA station chief is the one you're working for...

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..