[ISN] Greek spies plant rootkit in a phone exchange

From: InfoSec News (alerts@private)
Date: Fri Jul 13 2007 - 00:04:30 PDT


By Jeremy Kirk
IDG News Service 
12 July 2007

A highly sophisticated spying operation that tapped into the mobile 
phones of Greece's prime minister and other top government officials has 
highlighted weaknesses in telecommunications systems that still use 
decades-old computer code.

The spying case, in which the calls of around 100 people using Vodafone's 
network were secretly tapped, remains unsolved and is still being 
investigated. Also complicating the case are question marks over the 
suicide in March 2005 of a top engineer at Vodafone Group in Greece who 
was in charge of network planning.

A look [1] into how the hack was accomplished has revealed an operation 
of breathtaking depth and success, according to an analysis on IEEE 
Spectrum Online, the website of the Institute of Electrical and 
Electronics Engineers.

The case includes the "first known rootkit that has been installed in an 
[phone] exchange," said Diomidis Spinellis, an associate professor at 
the Athens University of Economics and Business, who wrote the report 
with Vassilis Prevelakis, an assistant professor of computer science at 
Drexel University in Philadelphia.

A rootkit is a program that buries itself deep inside an operating system, 
hides its own presence and that of other malicious activity, and is 
extremely difficult to detect.

The rootkit disabled a transaction log and enabled call monitoring on 
four switches made by Telefonaktiebolaget LM Ericsson within Vodafone's 
network. The software let the hackers monitor phone calls in the same way 
law enforcement agencies do, but without the court order that is normally 
required. The software allowed for a second, parallel voice stream to be 
sent to another phone for

The intruders covered their tracks by installing patches on the system 
to route around logging mechanisms that would alert administrators that 
calls were being monitored. "It took guile and some serious programming 
chops to manipulate the lawful call-intercept functions in Vodafone's 
mobile switching centres," the authors wrote.

The secret operation was finally discovered around January 2005 when the 
hackers tried to update their software and interfered with the way text 
messages were forwarded, which generated an alert. Investigators found 
the hackers had installed 6,500 lines of code, an extremely complex coding 

"The size of the code is not something that somebody could hack in a 
weekend," Spinellis said. "It takes a lot of expertise and time to do 

The investigation, which included a Greek parliamentary inquiry, netted 
no suspects, partly because key data was lost or was destroyed by 
Vodafone, the authors wrote. It is not known if the hack was an inside 

Vodafone may have been able to discover the scheme sooner through 
statistical call analysis that could have linked the calls of those 
being monitored to calls placed to the phones used to listen in on the 
conversations, they wrote. Carriers already do that sort of analysis, but 
more for marketing than for security reasons.
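The kind of correlation the authors have in mind can be sketched over ordinary call-detail records. The example below is added here and is not code from the article, from Vodafone or from the IEEE Spectrum report; the CDR layout, the phone numbers, the timing window and the thresholds are all constructed for illustration. The idea is that a parallel intercept leg set up inside the switch still produces a call record, so a number whose calls begin within seconds of a watched subscriber's calls, every time, stands out.

```python
"""Flag phone numbers whose calls repeatedly coincide with a watched
subscriber's calls (hypothetical detection logic, added example)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Cdr:
    """One call-detail record: who called whom, and when (seconds)."""
    caller: str
    callee: str
    start: int
    end: int


def overlaps(a: Cdr, b: Cdr) -> bool:
    """True if the two calls are in progress at the same time."""
    return a.start < b.end and b.start < a.end


def find_shadow_numbers(cdrs, watched, window=5, min_hits=3, min_fraction=0.8):
    """Return {number: (hits, fraction)} for numbers that look like the far
    end of a parallel intercept leg.

    hits     -- how many of the watched subscribers' calls the number's own
                calls coincided with (started within `window` seconds and
                overlapped in time)
    fraction -- share of the number's calls that coincided; a phone that only
                ever rings while a target is talking is the signature of a
                mirrored voice stream
    Thresholds are assumptions chosen for this constructed data set.
    """
    target_calls = [c for c in cdrs if c.caller in watched or c.callee in watched]
    other_calls = [c for c in cdrs if c.caller not in watched and c.callee not in watched]

    hits = Counter()
    for t in target_calls:
        coincident = set()
        for o in other_calls:
            if abs(o.start - t.start) <= window and overlaps(o, t):
                coincident.update((o.caller, o.callee))
        hits.update(coincident)  # each number counted once per target call

    totals = Counter()
    for o in other_calls:
        totals.update((o.caller, o.callee))

    flagged = {}
    for number, n in hits.items():
        fraction = n / totals[number]
        if n >= min_hits and fraction >= min_fraction:
            flagged[number] = (n, round(fraction, 2))
    return flagged


# Constructed sample data; all numbers are fictitious.
TARGET = "+30210000001"   # a watched subscriber
SHADOW = "+30697000099"   # the listener's phone
BRIDGE = "+30210000000"   # origin shown on the switch-placed leg (assumed)

SAMPLE_CDRS = [
    # the target's own calls
    Cdr(TARGET, "+30210000002", 1000, 1120),
    Cdr("+30210000003", TARGET, 2000, 2300),
    Cdr(TARGET, "+30210000004", 3000, 3060),
    Cdr(TARGET, "+30210000005", 4000, 4500),
    Cdr("+30210000006", TARGET, 5000, 5090),
    # parallel legs to the shadow phone, each starting seconds after a target call
    Cdr(BRIDGE, SHADOW, 1002, 1120),
    Cdr(BRIDGE, SHADOW, 2001, 2300),
    Cdr(BRIDGE, SHADOW, 3003, 3060),
    Cdr(BRIDGE, SHADOW, 4002, 4500),
    Cdr(BRIDGE, SHADOW, 5001, 5090),
    # unrelated traffic, including one call that coincides by chance
    Cdr("+30691111111", "+30692222222", 1500, 1600),
    Cdr("+30691111111", "+30692222222", 2500, 2550),
    Cdr("+30693333333", "+30694444444", 2003, 2100),
    Cdr("+30693333333", "+30694444444", 6000, 6100),
]


if __name__ == "__main__":
    for number, (n, frac) in find_shadow_numbers(SAMPLE_CDRS, {TARGET}).items():
        print(f"{number}: coincided with {n} target calls ({frac:.0%} of its own)")
```

Both ends of the mirrored leg are reported, since the switch-side origin is as informative as the listening handset. The single chance overlap from +30693333333 falls below the hit threshold and is not flagged; on real traffic the thresholds would need tuning against the base rate of coincidental calls.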

But the defense against rogue code, viruses and rootkits is complicated 
because of the way the telecom infrastructure has developed. "Complex 
interactions between subsystems and baroque coding styles (some of them 
remnants of programmes written 20 or 30 years ago) confound developers 
and auditors alike," the report said.

[1] http://www.spectrum.ieee.org/jul07/5280
