Saturday, February 04, 2006

Tapping the Greek PM's Phone

The government of Greece is quite mad today, the Independent and others report. It seems that someone hacked into Vodafone Greece's network and tapped the cell phone calls of about a hundred people, including the Prime Minister, several cabinet ministers, and even a U.S. embassy employee, for about a year.

Of course, cell phones are made to be tapped. It's part of the design, especially in the network. The air interface is encrypted so that random eavesdroppers with a radio can't listen in, but when you run the back end network, it's no problem, in theory. Cell phone operators spend millions of dollars complying with government regulations that, in many (most?) countries require the operators to be able to tap phone calls when the government requests it. (In the U.S., it was widely understood, until recently, that the government had to have a warrant to conduct such a tap.)

The news here is that a hacker managed to get control of the network to do this, rather than the government requesting it. Worse, Vodafone simply killed the taps when they found them, without requesting help from the authorities in tracking down the perpetrators. The various media accounts conflict on when Vodafone actually informed the government that the phones had been tapped, but it may have been quite recently, and Vodafone found and killed the taps last March.

Designing the networks to make the tapping doable is actually a lot of work; you'd be amazed at the contortions the system has to go through to support this. It applies to both the circuit-switched and packet-switched sides of the network. This complexity is part of what keeps a cell phone (GPRS/W-CDMA) packet network from being as simple as an ordinary Internet ISP. The equipment is more specialized, slower, more complex, and has fewer customers, all of which contribute to making the equipment exotic and expensive.

None of the articles I've seen explicitly detail the technology used, but since the infrastructure is already there, my assumption is that what was hacked was control of the existing intercept gateways, so that rules or filters could be put in place. There's no need for particularly complex software, unless some was put in place to hide the taps from regular audits. The hacking itself could have been as simple as acquiring a carelessly controlled password, then running a few command-interpreter commands once into the system. It takes a lot of knowledge, but I'll bet the changes to the machines were ultimately very small.

The articles talk about cell phone calls being tapped, they make no mention of data (SMS/email/MMS/web browsing) being tapped.

[Update: Bruce Schneier points to an article that claims it was done by tapping into the conference calling system and making each of the phone calls into a surreptitious conference call. He also says it's Ericsson equipment.]

No comments:

Post a Comment