http://www.techworld.com/security/news/index.cfm?newsID=9463
By Jeremy Kirk
IDG News Service
12 July 2007
A highly sophisticated spying operation that tapped into the mobile
phones of Greece's prime minister and other top government officials has
highlighted weaknesses in telecommunications systems that still use
decades-old computer code.
The spying case, where the calls of around 100 people using Vodafone's
network were secretly tapped, remains unsolved and is still being
investigated. Also complicating the case are question marks over the
suicide in March 2005 of a top engineer at Vodafone Group in Greece in
charge of network planning.
A look [1] into how the hack was accomplished has revealed an operation
of breathtaking depth and success, according to an analysis on IEEE
Spectrum Online, the website of the Institute of Electrical and
Electronics Engineers.
The case includes the "first known rootkit that has been installed in an
[phone] exchange," said Diomidis Spinellis, an associate professor at
the Athens University of Economics and Business, who wrote the report
with Vassilis Prevelakis, an assistant professor of computer science at
Drexel University in Philadelphia.
A rootkit is a special programme that buries itself deep in an operating
system to carry out malicious activity and is extremely difficult to detect.
The rootkit enabled a transaction log to be disabled and allowed call
monitoring on four switches made by Telefonaktiebolaget LM Ericsson
within Vodafone's equipment. The software enabled the hackers to monitor
phone calls in the same way as law enforcement agencies would do, but
without the normal required court order. The software allowed for a
second, parallel voice stream to be sent to another phone for
monitoring.
The intruders covered their tracks by installing patches on the system
to route around logging mechanisms that would alert administrators that
calls were being monitored. "It took guile and some serious programming
chops to manipulate the lawful call-intercept functions in Vodafone's
mobile switching centres," the authors wrote.
The secret operation was finally discovered around January 2005 when the
hackers tried to update their software and interfered with the way text
messages were forwarded, which generated an alert. Investigators found
hackers had installed 6,500 lines of code, an extremely complex coding
feat.
"The size of the code is not something that somebody could hack in a
weekend," Spinellis said. "It takes a lot of expertise and time to do
that."
The investigation, which included a Greek parliamentary inquiry, netted
no suspects, partly because key data was lost or was destroyed by
Vodafone, the authors wrote. It is not known if the hack was an inside
job.
Vodafone may have been able to discover the scheme sooner through
statistical call analysis that could have linked the calls of those
being monitored to the calls placed to the phones used to monitor the
conversations, they wrote. Carriers already do that sort of analysis,
but more for marketing than security reasons.
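
An added sketch (not from the article or the IEEE Spectrum analysis) of the statistical call analysis described above: it flags subscribers whose calls are consistently accompanied by a simultaneous call to the same third number. The record layout, the numbers, the thresholds and the assumption that the parallel voice stream shows up as its own call record are all constructed for illustration.

```python
from collections import defaultdict, namedtuple

Call = namedtuple("Call", "caller callee start duration")  # times in seconds

# Constructed records. T1/T2: monitored subscribers; M1/M2: monitoring phones;
# X: assumed originator shown on the parallel leg; the rest is ordinary traffic.
CALLS = [Call(*c) for c in [
    ("T1", "B1", 1000, 120), ("X", "M1", 1001, 120),
    ("T1", "B2", 5000, 45), ("X", "M1", 5000, 46),
    ("C3", "T1", 9000, 300), ("X", "M1", 9001, 299),
    ("T1", "B4", 12000, 60), ("X", "M1", 12001, 60),
    ("T2", "B5", 2000, 200), ("X", "M2", 2000, 200),
    ("B6", "T2", 7000, 30), ("X", "M2", 7001, 30),
    ("T2", "B7", 15000, 90), ("X", "M2", 15001, 90),
    ("N1", "B1", 1000, 30),                             # same start, different end
    ("N1", "N2", 3000, 100), ("N3", "N4", 3001, 100),   # one chance coincidence
    ("N1", "B2", 20000, 50),
]]

def coincident(a, b, tol):
    """True when two calls start and end within tol seconds of each other."""
    return (abs(a.start - b.start) <= tol and
            abs((a.start + a.duration) - (b.start + b.duration)) <= tol)

def linked_pairs(calls, tol=2, min_hits=3, min_ratio=0.8):
    """Map (subscriber, number) -> hits where most of the subscriber's calls,
    made or received, run in parallel with an unrelated call to that number."""
    total = defaultdict(int)  # subscriber -> calls made or received
    hits = defaultdict(int)   # (subscriber, number) -> calls paralleled by a call to number
    for call in calls:
        parties = {call.caller, call.callee}
        parallel = {o.callee for o in calls
                    if o is not call and not parties & {o.caller, o.callee}
                    and coincident(call, o, tol)}
        for party in parties:
            total[party] += 1
            for number in parallel:
                hits[party, number] += 1
    # Keep only pairs seen often enough and on most of the subscriber's calls.
    return {pair: n for pair, n in hits.items()
            if n >= min_hits and n / total[pair[0]] >= min_ratio}

if __name__ == "__main__":
    for (subscriber, number), n in sorted(linked_pairs(CALLS).items()):
        print(f"{subscriber}: {n} calls paralleled by a call to {number}")
```

Each flagged pair is a lead for an analyst to review, since a subscriber with only a handful of calls can match by coincidence.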
But the defense against rogue code, viruses and rootkits is complicated
because of the way the telecom infrastructure has developed. "Complex
interactions between subsystems and baroque coding styles (some of them
remnants of programmes written 20 or 30 years ago) confound developers
and auditors alike," the report said.
[1] http://www.spectrum.ieee.org/jul07/5280
Received on Fri Jul 13 02:04:30 2007