On 08/29/2013 05:00 AM, Andy Isaacson wrote:
> On Wed, Aug 28, 2013 at 10:47:16PM -0400, Sandy Harris wrote:
>> It gets worse. The US has a Communications Assistance to Law
>> Enforcement Act (CALEA) that basically makes it illegal for
>> anyone to sell phone switches without wiretap capability in the
>> US. As a result nearly all such switches have the capability
>> built in. That includes the switches that various nasty regimes
>> buy.
>
> Expanding on this point --
>
> Once the wiretapping capability is built into the switch, it's
> often very easy to turn on (by a small bribe to the technician who
> manages the switch, for example). Even if the wiretapping feature
> is an added cost extra, generally that means that the code is
> included in the shipping product and just needs to be enabled by a
> small hack of the software.
>
> Exactly this happened in Greece in 2004.
>
> http://en.wikipedia.org/wiki/Greek_wiretapping_case_2004%E2%80%9305

'tis true, methinks. But there was more than a small hack needed to
abuse the "Lawful Interception" interfaces designed in ETSI for "GSM
family" networks. AFAIR those were 6.000 lines or so of "Plex" code
needed to hack these Ericsson mobile fone switches.

The guys that ran this rogue secret service operation in the Greek
Vodafone network patched their code more than a dozen times during
that period. Every time Ericsson delivered a patch, they did the same.

The case blew up later because of SMS and the ETSI surveillance
interface. The unknown operators had used a system of two or three
dozen prepaid Vodafone mobiles as receiving units. SMS services to
these numbers were blocked on the network level by the rogue Plex code
in the switches. They needed the SMS function on the mobiles to
receive the metadata of the mobile phones they intercepted. So they
would not only record what Prime Minister Karamanlis said to his
minister of defence but get all the metadata as well. Locations,
movements and the like.

Every few months the operators changed to new prepaid mobile accounts
and let the older accounts expire. Six months after that these numbers
[recte: IMSIs] were given to new Vodafone customers. These people
complained because SMS services were dead. After a while Vodafone
discovered that the problem was located on their mobile switching
units.

Deputy CSO Kostas Tsalikidis was found hanged a few days later, early
in 2005.

In 2006 Adamo Bove, CSO of Telecom Italia Mobile, fell off a bridge in
Naples. That was a few days after the biggest telco data surveillance
scandal in Italian history had come to light. The deputy chief of
SISMI [military secret service] was arrested then, accompanied by half
a dozen other guys from SISMI and the Carabinieri, as well as telco
technicians and young code mercenaries not deserving the epithet
"hackers". Together these people had run a company selling fone
metadata including SMS on a "first come first serve" basis.
You could even order "futures" on call contents recorded via the ETSI
lawful interception interface.

Sorry for being lengthy and somewhat off-topic. This was only to
illustrate what a _foreign_ secret service can achieve in a _foreign_
telco network. Example: Greece. A domestic secret service such as in
Italy has a home base there in an admin range.

Servus, and good night
Erich M.

post/scrypt: For anybody still interested, here are links to PPTs from
2008 [English]
http://moechel.com/doqs/olympic_surveillance.pdf
and 2010 [German] on topic, both including a functional description of
the ETSI surveillance interface
http://moechel.com/doqs/missbrauchte_vorratsdaten.pdf

> It's safe to assume that it's happened many more times that
> weren't discovered.
>
> -andy

--
http://moechel.com/kontakt.html
PGP KEY 0x2440DE65
fingerprint A564 1457 71C3 E907 6D78 429E 76F3 C66E 2440 DE65
--... ...-- -.. . . .-. .. -.-. .... --- . ...-- . -- -...