Vodafone Greece rogue phone taps: details at last
Still-undiscovered perpetrators maintained unauthorised and undetected phone taps on a hundred or so senior political figures using the Vodafone Greece network in Athens between August 2004 and January 2005. Courtesy of an exhaustive report by IEEE Spectrum, technical details have finally emerged of how this was accomplished.
Apparently, the Ericsson AXE switches used in the switching centres were compromised and unauthorised code was installed that made use of the legitimate tapping modules whilst bypassing the normal monitoring and logging that would take place when a legal tap is set up. As is common in such cases, a set of apparently unrelated circumstances, rather than a single event, made this possible. Firstly, probably to facilitate legal tapping, call content data is decrypted on entering a switching centre and re-encrypted as it leaves again, but passes through the switch in clear, rendering the data accessible to the attackers. Secondly, to allow service continuity, the code of AXE switches can be patched on the fly without requiring a reboot. This permitted the attackers to install their code without disturbing the normal operation of the switching centre. Thirdly, the Ericsson AXE tapping system uses two separate components: a tapping module that performs the data manipulation (RES) and a separate user interface (IMS) that authorises legal taps. At that time Vodafone had not licensed the IMS, but a software upgrade in early 2003 included the RES, thereby providing the capacity to tap even though Vodafone was not using it.
This then was the playing field for the events that followed. Some time in August 2004 rogue software was patched onto AXEs in four switching centres. Nothing untoward was noticed by Vodafone until 24th January 2005, when alerts started being raised due to undelivered text messages. These were apparently investigated, but five weeks passed before Ericsson could positively report back to Vodafone that illicit software had been installed.
The code was cleverly concealed, even to the extent of manipulating the process lists of the switch to hide itself and using its own memory allocation to store the phone numbers being tapped rather than using the standard list space. It also contained a backdoor, which was cleverly hidden by rewriting the switch command interpreter so that innocuous commands followed by a string of spaces would silently stop transaction logging and permit tapping commands to be executed. The only apparent mistake the perpetrators made was to introduce a bug in their last update. It was this that triggered the error that led to the alarm being raised on January 24th.
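The backdoor trigger described above (an innocuous command padded with trailing spaces, after which the transaction log goes quiet) is the kind of pattern a defender can hunt for in an operator audit trail. The following is an added example, not code from the original article or from Ericsson or Vodafone; the audit-line format, command names and thresholds are constructed assumptions, not real AXE output.

```python
import re
from datetime import datetime, timedelta

# Constructed sample audit trail in an assumed "<ISO timestamp> <operator> <command>"
# format. op2's command carries a run of trailing spaces and is then followed by
# silence until the session closes; op3 pads a command too but keeps logging.
SAMPLE_AUDIT = [
    "2005-01-20T10:00:01 op1 STATUS;",
    "2005-01-20T10:00:05 op1 LIST_ROUTES; ",          # a single stray space: benign
    "2005-01-20T10:00:09 op1 LOGOUT;",
    "2005-01-20T10:01:10 op2 STATUS;" + " " * 8,       # padded trigger, then silence
    "2005-01-20T10:05:00 op3 STATUS;" + " " * 5,       # padded, but logging continues
    "2005-01-20T10:05:03 op3 LOGOUT;",
    "2005-01-20T10:31:40 op2 LOGOUT;",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")
MIN_TRAILING_SPACES = 3          # assumed threshold; the article only says "a string of spaces"
SILENCE = timedelta(minutes=10)  # assumed: a gap this long after a trigger is suspicious


def parse_audit(lines):
    """Parse audit lines into (timestamp, operator, command) tuples, keeping trailing spaces."""
    entries = []
    for raw in lines:
        m = LINE_RE.match(raw)
        if m:
            ts, op, cmd = m.groups()
            entries.append((datetime.fromisoformat(ts), op, cmd))
    return entries


def find_trailing_space_commands(entries):
    """Commands whose text ends in a run of spaces at least MIN_TRAILING_SPACES long."""
    return [(ts, op, cmd) for ts, op, cmd in entries
            if len(cmd) - len(cmd.rstrip(" ")) >= MIN_TRAILING_SPACES]


def find_silent_sessions(entries):
    """Trigger-like commands followed by an unusually long silence (or none at all)
    from the same operator: the logging-suppression signature described in the article."""
    hits = []
    for ts, op, cmd in find_trailing_space_commands(entries):
        later = [e for e in entries if e[1] == op and e[0] > ts]
        gap = (later[0][0] - ts) if later else None
        if gap is None or gap >= SILENCE:
            hits.append((op, cmd.rstrip(), gap))
    return hits
```

A one-off stray space (op1) is ignored by the threshold, and padding alone (op3) is only reported by the first check; the second check fires only where padding is followed by the silence the article describes.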
As IEEE Spectrum have pointed out, the PLEX language used on the AXE is not exactly mainstream, so there is a strong suggestion of insider participation in this affair, not least because software development for the switch was sub-contracted to a company based in Athens. However, we will now probably never see the whole picture, as a succession of forensic errors effectively eliminated the possibility of tracing the criminals, or indeed of developing a complete technical picture of events. These included failure to trace the target phones to which the tap data was sent; immediate deactivation of the software on discovery, thereby alerting the perpetrators; premature deletion of the illicit software; loss of transaction logs as a result of upgrading exchange management servers while the investigation was still in progress; and destruction of visitor sign-in books for the relevant period.
Although this is apparently the first of its kind recorded, the possibility of such an incident is not restricted to the mobile infrastructure. Landline networks, and increasingly so as core systems move to IP telephony, are potentially just as susceptible.
- The Athens Affair, report by IEEE Spectrum