Matt Blaze's
EXHAUSTIVE SEARCH
Science, Security, Curiosity
Debugging the Greek cellphone scandal
It's still called wiretapping even when the phones are wireless.

Vassilis Prevelakis and Diomidis Spinellis just published (in the July '07 IEEE Spectrum) a terrific technical analysis [link] of the recent Greek cellular eavesdropping scandal. In 2005, it was discovered that over a hundred Athens cellphones, mostly belonging to politicians (ranging from the mayor to the prime minister), were being illegally wiretapped. The culprit hasn't been found, but there's plenty of fodder for speculation, including mysteriously missing records, suspicious suicide, and, as Prevelakis and Spinellis point out, an intriguing technological mystery.

This would all be interesting enough for its stranger-than-spy-fiction elements alone, but what makes the story essential reading here is how definitively it illustrates something that many of us in the security and privacy community have been warning about for years: so-called "lawful interception" interfaces built in to network infrastructure become inviting targets for abuse. (See, for example, this point made in 1998 [pdf] and in 2006 [pdf]). And, as this case shows, those targets can be rich indeed.

For some reason, wiretapping interfaces don't seem to get much technical scrutiny, and we're starting to see how easy it can be to exploit them to nefarious ends. Vulnerabilities here can cut both ways, too, sometimes making it easier for real criminals to evade legal surveillance. A couple of years ago, Micah Sherr, Eric Cronin, Sandy Clark and I discovered basic weaknesses in the interception technologies used for decades to tap wireline telephones. Many of the vulnerabilities have found their way, in the name of "backward compatibility", into the latest eavesdropping standards, now implemented just about everywhere. Maybe even in Greek cellular networks.

Addendum: I just noticed that Steve Bellovin has a blog post on the same subject here, with some interesting comments and links.