The Athens Affair

How some extremely smart hackers pulled off the most audacious cell-network break-in ever

By Vassilis Prevelakis & Diomidis Spinellis

www.spectrum.ieee.org July 2007 | IEEE Spectrum | NA 27

Photo caption: CEOs, MPs & a PM. The illegally wiretapped cellphones in the Athens affair included those of the prime minister, his defense and foreign affairs ministers, top military and law enforcement officials, the Greek EU commissioner, activists, and journalists.

Photo caption: On 6 April 2006, Bill Zikou, CEO of Ericsson Hellas, was summoned to give evidence before a parliamentary committee looking into the scandal. His company provided the telecommunications switching equipment that rogue programmers broke into.

Photo caption: Vodafone Greece CEO Giorgos Koronias ordered the removal of the surveillance program, because, as he explained in a February 2006 newspaper interview, "the company had to react immediately." Removing the program is thought to have tipped off the perpetrators and helped them evade capture.

Photo caption: Greek Prime Minister Costas Karamanlis was only the most notable of the 100 or so individuals illegally wiretapped, which, besides the country's political, law enforcement, and military elite, included Karamanlis's wife.

Photo caption: Costas Tsalikidis was found hanged, an apparent suicide, just before the Athens affair became public. As a telecommunications engineer in charge of network planning at Vodafone, he was ideally placed to be either an inside accomplice or discoverer of the digital break-in. But his involvement in the case has never been established.

Photo caption: Giorgos Voulgarakis was the first government official to whom Koronias disclosed the case. Giannis Angelou, the director of the Prime Minister's political office, was also present.

On 9 March 2005, a 38-year-old Greek electrical engineer named Costas Tsalikidis was found hanged in his Athens loft apartment, an apparent suicide. It would prove to be merely the first public news of a scandal that would roil Greece for months.

The next day, the prime minister of Greece was told that his cellphone was being bugged, as were those of the mayor of Athens and at least 100 other high-ranking dignitaries, including an employee of the U.S. embassy.

The victims were customers of Athens-based Vodafone-Panafon, generally known as Vodafone Greece, the country's largest cellular service provider; Tsalikidis was in charge of network planning at the company. A connection seemed obvious. Given the list of people and their positions at the time of the tapping, we can only imagine the sensitive political and diplomatic discussions, high-stakes business deals, or even marital indiscretions that may have been routinely overheard and, quite possibly, recorded.

Even before Tsalikidis's death, investigators had found rogue software installed on the Vodafone Greece phone network by parties unknown. Some extraordinarily knowledgeable people either penetrated the network from outside or subverted it from within, aided by an agent or mole. In either case, the software at the heart of the phone system, investigators later discovered, was reprogrammed with a finesse and sophistication rarely seen before or since.

A study of the Athens affair, surely the most bizarre and embarrassing scandal ever to engulf a major cellphone service provider, sheds considerable light on the measures networks can and should take to reduce their vulnerability to hackers and moles. It's also a rare opportunity to get a glimpse of one of the most elusive of cybercrimes. Major network penetrations of any kind are exceedingly uncommon. They are hard to pull off, and equally hard to investigate.

Even among major criminal infiltrations, the Athens affair stands out because it may have involved state secrets, and it targeted individuals—a combination that, if it had ever occurred before, was not disclosed publicly. The most notorious penetration to compromise state secrets was that of the "Cuckoo's Egg," a name bestowed by the wily network administrator who successfully pursued a German programmer in 1986. The programmer had been selling secrets about the U.S. Strategic Defense Initiative ("Star Wars") to the Soviet KGB. But unlike the Cuckoo's Egg, the Athens affair targeted the conversations of specific, highly placed government and military officials. Given the ease with which the conversations could have been recorded, it is generally believed that they were. But no one has found any recordings, and we don't know how many of the calls were recorded, or even listened to, by the perpetrators. Though the scope of the activity is to a large extent unknown, it's fair to say that no other computer crime on record has had the same potential for capturing information about affairs of state.

While this is the first major infiltration to involve cellphones, the scheme did not depend on the wireless nature of the network. Basically, the hackers broke into a telephone network and subverted its built-in wiretapping features for their own purposes. That could have been done with any phone account, not just cellular ones. Nevertheless, there are some elements of the Vodafone Greece system that were unique and crucial to the way the crime was pulled off.

We still don't know who committed this crime. A big reason is that the UK-based Vodafone Group, one of the largest cellular providers in the world, bobbled its handling of some key log files. It also reflexively removed the rogue software, instead of letting it continue to run, tipping off the perpetrators that their intrusion had been detected and giving them a chance to run for cover. The company was fined €76 million this past December.

To piece together this story, we have pored through hundreds of pages of depositions, taken by the Greek parliamentary committee investigating the affair, obtained through a freedom of information request filed with the Greek Parliament. We also read through hundreds of pages of documentation and other records, supplemented by publicly available information and interviews with independent experts and sources associated with the case. What emerges are the technical details, if not the motivation, of a devilishly clever and complicated computer infiltration.

The cellphone bugging began sometime during the fevered run-up to the August 2004 Olympic Games in Athens. It remained undetected until 24 January 2005, when one of Vodafone's telephone switches generated a sequence of error messages indicating that text messages originating from another cellphone operator had gone undelivered. The switch is a computer-controlled component of a phone network that connects two telephone lines to complete a telephone call. To diagnose the failures, which seemed highly unusual but reasonably innocuous at the time, Vodafone contacted the maker of the switches, the Swedish telecommunications equipment manufacturer Ericsson.

We now know that the illegally implanted software, which was eventually found in a total of four of Vodafone's Greek switches, created parallel streams of digitized voice for the tapped phone calls. One stream was the ordinary one, between the two calling parties. The other stream, an exact copy, was directed to other cellphones, allowing the tappers to listen in on the conversations on the cellphones, and probably also to record them. The software also routed location and other information about those phone calls to these shadow handsets via automated text messages.

Five weeks after the first messaging failures, on 4 March 2005, Ericsson alerted Vodafone that unauthorized software had been installed in two of Vodafone's central offices. Three days later, Vodafone technicians isolated the rogue code. The next day, 8 March, the CEO of Vodafone Greece, Giorgos Koronias, ordered technicians to remove the software.

Then events took a deadly turn. On 9 March, Tsalikidis, who was to be married in three months, was found hanged in his apartment. No one knows whether his apparent suicide was related to the case, but many observers have speculated that it was.

The day after Tsalikidis's body was discovered, CEO Koronias met with the director of the Greek prime minister's political office, Yiannis Angelou, and the minister of public order, Giorgos Voulgarakis. Koronias told them that rogue software used the lawful wiretapping mechanisms of Vodafone's digital switches to tap about 100 phones and handed over a list of bugged numbers. Besides the prime minister and his wife, phones belonging to the ministers of national defense, foreign affairs, and justice, the mayor of Athens, and the Greek European Union commissioner were all compromised. Others belonged to members of civil rights organizations, peace activists, and antiglobalization groups; senior staff at the ministries of National Defense, Public Order, Merchant Marine, and Foreign Affairs; the New Democracy ruling party; the Hellenic Navy general staff; and a Greek-American employee at the United States Embassy in Athens.

Within weeks of the initial discovery of the tapping scheme, Greek government and independent authorities launched five different investigations aimed at answering three main questions: Who was responsible for the bugging? Was Tsalikidis's death related to the scandal? And how did the perpetrators pull off this audacious scheme?

To understand how someone could secretly listen to the conversations of Greece's most senior officials, we have to look at the infrastructure that makes it possible.

First, consider how a phone call, yours or a prime minister's, gets completed. Long before you dial a number on your handset, your cellphone has been communicating with nearby cellular base stations. One of those stations, usually the nearest, has agreed to be the intermediary between your phone and the network as a whole. Your telephone handset converts your words into a stream of digital data that is sent to a transceiver at the base station.

The base station's activities are governed by a base station controller, a special-purpose computer within the station that allocates radio channels and helps coordinate handovers between the transceivers under its control.

This controller in turn communicates with a mobile switching center that takes phone calls and connects them to call recipients within the same switching center, other switching centers within the company, or special exchanges that act as gateways to foreign networks, routing calls to other telephone networks (mobile or landline). The mobile switching centers are particularly important to the Athens affair because they hosted the rogue phone-tapping software, and it is there that the eavesdropping originated. They were the logical choice, because they are at the heart of the network; the intruders needed to take over only a few of them in order to carry out their attack.

Both the base station controllers and the switching centers are built around a large computer, known as a switch, capable of creating a dedicated communications path between a phone within its network and, in principle, any other phone in the world. Switches are holdovers from the 1970s, an era when powerful computers filled rooms
and were built around proprietary hardware and software. Though these computers are smaller nowadays, the system's basic architecture remains largely unchanged.

Like most phone companies, Vodafone Greece uses the same kind of computer for both its mobile switching centers and its base station controllers—Ericsson's AXE line of switches. A central processor coordinates the switch's operations and directs the switch to set up a speech or data path from one phone to another and then routes a call through it. Logs of network activity and billing records are stored on disk by a separate unit, called a management processor.

The key to understanding the hack at the heart of the Athens affair is knowing how the Ericsson AXE allows lawful intercepts—what are popularly called "wiretaps." Though the details differ from country to country, in Greece, as in most places, the process starts when a law enforcement official goes to a court and obtains a warrant, which is then presented to the phone company whose customer is to be tapped.

Nowadays, all wiretaps are carried out at the central office. In AXE exchanges a remote-control equipment subsystem, or RES, carries out the phone tap by monitoring the speech and data streams of switched calls. It is a software subsystem typically used for setting up wiretaps, which only law officers are supposed to have access to. When the wiretapped phone makes a call, the RES copies the conversation into a second data stream and diverts that copy to a phone line used by law enforcement officials.

Ericsson optionally provides an interception management system (IMS), through which lawful call intercepts are set up and managed. When a court order is presented to the phone company, its operators initiate an intercept by filling out a dialog box in the IMS software. The optional IMS in the operator interface and the RES in the exchange each contain a list of wiretaps: wiretap requests in the case of the IMS, actual taps in the RES. Only IMS-initiated wiretaps should be active in the RES, so a wiretap in the RES without a request for a tap in the IMS is a pretty good indicator that an unauthorized tap has occurred. An audit procedure can be used to find any discrepancies between them.

It turns out Vodafone had not purchased the lawful intercept option at the time of the illegal wiretaps, and the IMS management software was not installed on Vodafone's systems. But in early 2003, Vodafone technicians upgraded the Greek switches to release R9.1 of the AXE software suite. That upgrade included the RES software, according to a letter from Ericsson that accompanied the upgrade. So after the upgrade, the Vodafone system contained the software code necessary to intercept calls using the RES, even though it lacked the high-level user interface in the IMS normally used to facilitate such intercepts.

That odd circumstance would turn out to play a role in letting the Athens hackers illegally listen in on calls and yet escape detection for months and months.

Timeline (figure): From alpha to omega

20 Jan 2003  Ericsson delivers R9.1 system software containing partial LI functionality to Vodafone.
6 Jun 2004  Accounts for the first two shadow phones are created.
9 Jun 2004  Three more shadow phones are registered.
29 Jun 2004  One shadow phone makes two outgoing calls.
4 Aug 2004  Nine more shadow phones are registered.
4–10 Aug 2004  Rogue software is installed in three exchanges: MEAKS, MEAKF, MEAPS.
9–11 Aug 2004  Rogue software is configured with interception numbers.
13 Aug 2004  Opening ceremony of the Athens 2004 Olympic Games.
27–29 Oct 2004  Rogue software is installed in the MEAPA exchange but is not used for monitoring.
20 Jan 2005  Shadow phones operate in Lycabettus restaurant in Athens.
24 Jan 2005  The MEAPA exchange begins logging forlopp errors.
24 Jan–1 Feb 2005  Two test numbers are configured for interception at a fourth exchange, MEAPA.
25 Jan 2005  The MEAPA exchange stops logging forlopp errors.
27 Jan 2005  Credits are added to the shadow phone accounts.
31 Jan 2005  Ericsson provides Vodafone with the details of its R9.1 software, which includes lawful interception (LI) capability.
31 Jan 2005  Shadow phones make one call and forward another. The call recipient then sends an SMS message to itself.
11 Feb 2005  MEAKF upgrades from R9.1 to R10 software, destroying the rogue code.
18 Feb 2005  Credits are added to the shadow phone accounts.
18 Feb 2005  Shadow phones operate in Lycabettus restaurant.
4 Mar 2005  Ericsson informs Vodafone of the existence of rogue software.
4 Mar 2005  Shadow phones make no further calls.
7 Mar 2005  Vodafone locates the rogue software.
8 Mar 2005  Vodafone extracts a list of logged phone numbers from MEAKS.
8 Mar 2005  Vodafone Greece CEO Giorgos Koronias orders removal of the rogue software.
9 Mar 2005  Costas Tsalikidis, head of network planning of Vodafone Greece, is found hanged in his apartment.
10 Mar 2005  Koronias briefs Giannis Angelou, director of the prime minister's political office.
10 Mar 2005  The Greek presidential decree specifying lawful interception procedures takes effect.
16 Mar 2005  Vodafone sends e-mail to Ericsson asking for the return of all exchange backup data.
Jul 2005  Vodafone, following its data retention policies, destroys the visitor sign-in books at one exchange facility.
Jul 2005  Vodafone upgrades two of the access servers, wiping out access logs.
31 Oct 2005  Vodafone places an order with Ericsson for LI software.
18 Nov 2005  Ericsson delivers LI software to Vodafone.
1 Feb 2006  Public prosecutor of the Supreme Court finishes the preliminary investigation.
2 Feb 2006  The government provides details of the case in a press conference.
2 Feb 2006  Criminal prosecution for the violation of communications privacy and possibly spying is ordered.
8 Mar 2006  The government security agency, ADAE, presents its first interim report on the case to the Parliament Committee on Institutions and Transparency.
23 Mar 2006  ADAE performs a simulation of the rogue software.
7 Apr 2006  ADAE publishes its second interim report on the case.
14 Dec 2006  ADAE fines Vodafone €76 million (US $99.4 million).

It took guile and some serious programming chops to manipulate the lawful call-intercept functions in Vodafone's mobile switching centers. The intruders' task was particularly complicated because they needed to install and operate the wiretapping software on the exchanges without being detected by Vodafone or Ericsson system administrators. From time to time the intruders needed access to the rogue software to update the lists of monitored numbers and shadow phones. These activities had to be kept off all logs, while the phone-tapping software itself had to be invisible to the system administrators conducting routine maintenance activities. The intruders achieved all these objectives.

They took advantage of the fact that the AXE allows new software to be installed without rebooting the system, an important feature when any interruption would disconnect phone calls, lose text messages, and render emergency services unreachable. To let an AXE exchange run continuously for decades, as many of them do, Ericsson's software uses several techniques for handling failures and upgrading an exchange's software without suspending its operation. These techniques allow the direct patching of code loaded in the central processor, in effect altering the operating system on the fly.

Modern GSM systems, such as Vodafone's, secure the wireless links with a sophisticated encryption mechanism. A call to another cellphone will be re-encrypted between the remote cellphone and its closest base station, but it is not protected while it transits the provider's core network. For this reason—and for the ease of monitoring calls from the comfort of their lair—the perpetrators of the Vodafone wiretaps attacked the core switches of the Vodafone network. Encrypting communications from the start of the chain to its end—as banks, for example, do—makes it very difficult to implement legal wiretaps.

To simplify software maintenance, the AXE has detailed rules for directly patching software running on its central processor. The AXE's existing code is structured around independent blocks, or program modules, which are stored in the central processor's memory. The release being used in 2004 consisted of about 1760 blocks. Each contains a small "correction area," used whenever software is updated with a patch.

Let's say you're patching in code to force the computer to do a new function, Z, in situations where it has been doing a different function, Y. So, for example, where the original software had an instruction, "If X, then do Y," the patched software says, in effect, "If X, then go to the correction area location L." The software goes to location L and executes the instructions it finds there, that is, Z. In other words, a software patch works by replacing an instruction at the area of the code to be fixed with an instruction that diverts the program to a memory location in the correction area containing the new version of the code.

The challenge faced by the intruders was to use the RES's capabilities to duplicate and divert the bits of a call stream without using the dialog-box interface to the IMS, which would create auditable logs of their activities. The intruders pulled this off by installing a series of patches to 29 separate blocks of code, according to Ericsson officials who testified before the Greek parliamentary committee that investigated the wiretaps. This rogue software modified the central processor's software to directly initiate a wiretap, using the RES's capabilities. Best of all, for them, the taps were not visible to the operators, because the IMS and its user interface weren't used.

The full version of the software would have recorded the phone numbers being tapped in an official registry within the exchange. And, as we noted, an audit could then find a discrepancy between the numbers monitored by the exchange and the warrants active in the IMS. But the rogue software bypassed the IMS. Instead, it cleverly stored the bugged numbers in two data areas that were part of the rogue software's own memory space, which was within the switch's memory but isolated and not made known to the rest of the switch.

That by itself put the rogue software a long way toward escaping detection. But the perpetrators hid their own tracks in a number of other ways as well. There were a variety of circumstances by which Vodafone technicians could have discovered the alterations to the AXE's software blocks. For example, they could have taken a listing of all the blocks, which would show all the active processes running within the AXE—similar to the task manager output in Microsoft Windows or the process status (ps) output in Unix. They then would have seen that some processes were active, though they shouldn't have been. But the rogue software apparently modified the commands that list the active blocks in a way that omitted certain blocks—the ones that related to intercepts—from any such listing.

In addition, the rogue software might have been discovered during a software upgrade or even when Vodafone technicians installed a minor patch. It is standard practice in the telecommunications industry for technicians to verify the existing block contents before performing an upgrade or patch. We don't know why the rogue software was not detected in this way, but we suspect that the software also modified the operation of the command used to print the checksums—codes that create a kind of signature against which the integrity of the existing blocks can be validated. One way or another, the blocks appeared unaltered to the operators.

Finally, the software included a back door to allow the perpetrators to control it in the future. This, too, was cleverly constructed to avoid detection. A report by the Hellenic Authority for the Information and Communication Security and Privacy (the Greek abbreviation is ADAE) indicates that the rogue software modified the exchange's command parser—a routine that accepts commands from a person with system administrator status—so that innocuous commands followed by six spaces would deactivate the exchange's transaction log and the alarm associated with its deactivation, and allow the execution of commands associated with the lawful interception subsystem. In effect, it was a signal to allow operations associated with the wiretaps but leave no trace of them. It also added a new user name and password to the system, which could be used to obtain access to the exchange.

Software that not only alters operating system code but also hides its tracks is called a "rootkit." The term is known to the public—if at all—because of one that the record label Sony BMG Music Entertainment included on some music CDs released in 2005. The Sony rootkit restricted copying of CDs; it burrowed into the Windows operating system on PCs and then hid its existence from the owner. (Sony stopped using rootkits because of a general public outcry.) Security experts have also discovered other rootkits for general-purpose operating systems, such as Linux, Windows, and Solaris, but to our knowledge this is the first time a rootkit has been observed on a special-purpose system, in this case an Ericsson telephone switch.

With all of this sophisticated subterfuge, how then was the rogue software finally discovered? On 24 January 2005, the perpetrators updated their planted software. That upgrade interfered with the forwarding of text messages, which went undelivered. These undelivered text messages, in turn, triggered an automated failure report.

At this point, the hackers' abilities to keep their modifications to the switch's AXE software suite secret met their limits, as it's almost impossible to hide secrets in somebody else's system.

The AXE, like most large software systems, logs all manner of network activity. System administrators can review the log files, and any events they can't account for as ordinary usage can be investigated.

It's impossible to overstate the importance of logging. For example, in the 1986 Cuckoo's Egg intrusion, the wily network administrator, Clifford Stoll, was asked to investigate a 75 U.S. cents accounting error. Stoll spent 10 months looking for the hacker, who had penetrated deep into the networks of Lawrence Livermore National Laboratory, a U.S. nuclear weapons lab in California. Much of that time he spent poring over thousands of log report pages.

The AXE, like most sophisticated systems nowadays, can help operators find the nuggets of useful information within the voluminous logs it generates. It is programmed to report anomalous activity on its own, in the form of error or failure reports. In addition, at regular intervals the switching center generates a snapshot of itself—a copy, or dump, of all its programs and data.

Dumps are most commonly consulted for recovery and diagnostic purposes, but they can be used in security investigations. So when Ericsson's investigators were called in because of the undelivered text messages, the first thing they did was look closely at the periodic dumps. They found two areas containing all the phone numbers being monitored and retrieved a list of them.

The investigators examined the dumps more thoroughly and found the rogue programs. What they found, though, was in the form of executable code—in other words, code in the binary language that microprocessors directly execute. Executable code is what results when a software compiler turns source code—in the case of the AXE, programs written in the PLEX language—into the binary machine code that a computer processor executes. So the investigators painstakingly reconstructed an approximation of the original PLEX source files that the intruders developed. It turned out to be the equivalent of about 6500 lines of code, a surprisingly substantial piece of software.
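As an added illustration (not code from the article, Vodafone or Ericsson) of the checks the article describes, here is a Python audit over a constructed exchange snapshot: it reconciles RES taps with IMS warrants, validates the exchange's own block listing and checksum report against an independent digest of the dump contents, and scans data areas outside the official intercept registry for subscriber numbers. Block names, addresses, numbers and formats are all invented for the example.

```python
"""
Offline audit of an exchange snapshot: reconcile taps active in the exchange
(RES) against warrants held in the interception management system (IMS);
compare the exchange's own block listing and checksum report with block
contents read from a periodic dump; look for subscriber numbers in data areas
the official intercept registry does not know about. Every structure and
sample value below is constructed for this example (assumption, not AXE format).
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Block:
    name: str
    code: bytes        # program code as captured in the dump
    correction: bytes  # contents of the block's correction area


def reconcile_taps(res_active, ims_warrants):
    """Taps with no IMS warrant, and warrants with no active tap."""
    res, ims = set(res_active), set(ims_warrants)
    return sorted(res - ims), sorted(ims - res)


def block_digest(block):
    # Signature computed by the auditor over code plus correction area. A patch
    # that diverts execution into the correction area changes it even when the
    # in-band checksum command has been altered to keep printing the old value.
    return hashlib.sha256(block.code + block.correction).hexdigest()[:16]


def audit_blocks(dump_blocks, listed_names, reported_checksums,
                 baseline_digests, approved_changes):
    """Findings: blocks hidden from the listing, checksum reports that disagree
    with the dump, and blocks changed since the baseline without a change record."""
    findings = []
    for name in sorted({b.name for b in dump_blocks} - set(listed_names)):
        findings.append(("hidden_from_listing", name))
    for b in dump_blocks:
        d = block_digest(b)
        if b.name in reported_checksums and reported_checksums[b.name] != d:
            findings.append(("checksum_report_mismatch", b.name))
        if baseline_digests.get(b.name, d) != d and b.name not in approved_changes:
            findings.append(("unapproved_change", b.name))
    return findings


# Constructed pattern: Greek country code followed by ten digits.
MSISDN = re.compile(rb"\+30\d{10}")


def numbers_outside_registry(dump_data_areas, registry_areas):
    """Number-like strings found in data areas that are not the official registry."""
    found = {}
    for addr, content in dump_data_areas.items():
        if addr in registry_areas:
            continue
        nums = sorted({m.decode() for m in MSISDN.findall(content)})
        if nums:
            found[addr] = nums
    return found


def run_audit():
    """Run every check over a constructed snapshot and return the findings."""
    res_ctrl = Block("RES_CTRL", b"res-code-v9.1", b"")
    # A parser whose correction area is no longer empty: the "If X, then go to
    # location L" style of patch the article describes.
    parser = Block("CMD_PARSER", b"parser-code-v9.1", b"jump L: extra code")
    rogue = Block("TAP_DIVERT", b"rogue-divert-code", b"")
    dump = [res_ctrl, parser, rogue]
    # What the exchange's own commands print: the rogue block is filtered out of
    # the listing and the parser's checksum is still the pre-patch value.
    unpatched_parser = Block("CMD_PARSER", parser.code, b"")
    listed = ["RES_CTRL", "CMD_PARSER"]
    reported = {"RES_CTRL": block_digest(res_ctrl),
                "CMD_PARSER": block_digest(unpatched_parser)}
    baseline = dict(reported)  # digests taken from an earlier, clean dump
    data_areas = {
        0x1000: b"",  # official intercept registry, empty: no IMS warrants exist
        0x7F00: b"\x00+306900000001\x00+306900000002\x00",  # constructed rogue area
    }
    unauthorised, stale = reconcile_taps(
        res_active=["+306900000001", "+306900000002"], ims_warrants=[])
    return {
        "taps_without_warrant": unauthorised,
        "warrants_without_tap": stale,
        "block_findings": audit_blocks(dump, listed, reported, baseline, set()),
        "numbers_outside_registry": numbers_outside_registry(data_areas, {0x1000}),
    }


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(key, value)
```

The point of computing the digest from the dump rather than asking the switch is that every in-band command (listing, checksum, log) is exactly what a rootkit on the central processor can alter; the periodic dump is the one artifact it did not get to filter.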
The investigators ran the modules in simulated environments to better understand their behavior. The result of all this investigative effort was the discovery of the data areas holding the tapped numbers and the time stamps of recent intercepts.

With this information on hand, the investigators could go back and look at earlier dumps to establish the time interval during which the wiretaps were in effect and to get the full list of intercepted numbers and call data for the tapped conversations—who called whom, when, and for how long. (The actual conversations were not stored in the logs.)

While the hack was complex, the taps themselves were straightforward. When the prime minister, for example, initiated or received a call on his cellphone, the exchange would establish the same kind of connection used in a lawful wiretap—a connection to a shadow number allowing it to listen in on the conversation.

Creating the rogue software so that it would remain undetected required a lot of expertise in writing AXE code, an esoteric competency that isn't readily available in most places. But as it happens, for the past 15 years, a considerable part of Ericsson's software development for the AXE has been done under contract by a Greek company based in Athens, Intracom Telecom, part of Intracom Holdings. The necessary know-how was available locally and was spread over a large number of present and past Intracom developers. So could this have been an inside job? The early stages of the infiltration would have been much easier to pull off with the assistance of someone inside Vodafone, but there is no conclusive evidence to support that scenario. The infiltration could have been carried out remotely and, indeed, according to a state report, in the case of the failed text messages where the exact time of the event is known, the last person to access the exchange had been issued a visitor's badge.

Similarly, we may never know whether Tsalikidis had anything to do with the wiretaps. Many observers have found the timing of his death highly suggestive, but to this day no connection has been uncovered. Nor can observers do more than speculate as to the motives of the infiltrators. [See the sidebar, "An Inside Job?" for a summary of the leading speculation; we can neither endorse nor refute the theories presented.]

Just as we cannot now know for certain who was behind the Athens affair or what their motives were, we can only speculate about various approaches that the intruders may have followed to carry out their attack. That's because key material has been lost or was never collected. For instance, in July 2005, while the investigation was taking place, Vodafone upgraded two of the three servers used for accessing the exchange management system. This upgrade wiped out the access logs and, contrary to company policy, no backups were retained. Some time later a six-month retention period for visitor sign-in books lapsed, and Vodafone destroyed the books corresponding to the period where the rogue software was modified, triggering the text-message errors.

Traces of the rogue software installation might have been recorded on the exchange's transaction logs. However, due to a paucity of storage space in the exchange's management systems, the logs were retained for only five days, because Vodafone considers billing data, which competes for the same space, a lot more important.

Most crucially, Vodafone's deactivation of the rogue software on 7 March 2005 almost certainly alerted the conspirators, giving them a chance to switch off the shadow phones. As a result investigators missed the opportunity of triangulating the location of the shadow phones and catching the perpetrators in the act.

So what can this affair teach us about how to protect phone networks?

Once the infiltration was discovered, Vodafone had to balance the need for the continued operation of the network with the discovery and prosecution of the guilty parties. Unfortunately, the responses of Vodafone and that of Greek law enforcement were both inadequate. Through Vodafone's actions, critical data were lost or destroyed, while the perpetrators not only received a warning that their scheme had been discovered but also had sufficient time to disappear.

In the telecommunications industry, prevailing best practices require that the operator's policies include procedures for responding to an infiltration, such as a virus attack: retain all data, isolate the part of the system that's been broken into as much as possible, coordinate activities with law enforcement.

Greek federal telecom regulations also

cyberforensics response team that countries could call on to handle such incidents.

Telephone exchanges have evolved over the decades into software-based systems, and therefore the task of analyzing them for vulnerabilities has become very difficult. Even as new software features, such as conferencing, number portability, and caller identification, have been loaded onto the exchanges, the old software remains in place. Complex interactions between subsystems and baroque coding styles (some of them remnants of programs written 20 or 30 years ago) confound developers and auditors alike.

cannot meet this challenge, a response team that can needs to be created.

It is particularly important not to turn the investigation into a witch hunt. Especially in cases where the perpetrators are unlikely to be identified, it is often politically expedient to use the telecom operator as a convenient scapegoat. This only encourages operators and their employees to brush incidents under the carpet, and turns them into adversaries of law enforcement. Rather than looking for someone to blame (and punish), it is far better to determine exactly what went

Sidebar: An Inside Job?

By Steven Cherry & Harry Goldstein

No mystery novel is complete without the reader finding out "who done it," but real life is usually messier than fiction. In the Athens affair, we can only speculate about who may have been behind the most spectacular cell-system penetration ever.

The hackers' facility with the esoteric art of programming the Ericsson AXE central-office switch convinced some that the criminals were either employees of Vodafone Greece or of Intracom Telecom. Intracom has aroused suspicion because it provided key software to Ericsson and because the Greek company is a major telecommunications equipment supplier to Greece's dominant carrier, OTE Group. Given that the majority of OTE's shares are owned by the Greek state, a business having large dealings with OTE would have had a strong incentive to tap the phones of the ruling party in order to check on whether any of the deals it or OTE had set up under the previous government were in danger of being derailed. Under this theory, phone taps for Arabs and members of antiauthoritarian groups were installed to send investigators on a wild goose chase.

But what really raised eyebrows was the fact that one of the hacked Vodafone exchanges was located on the campus of the main Intracom facility. Anyone wishing to enter that particular Vodafone facility would have had to go through the Intracom gates, meaning that visitors to the Vodafone exchange would have been logged twice. Unfortunately, the visitor records for the exchange were destroyed by Vodafone in accord with routine procedures, despite the extraordinary circumstances. So investigators had only the Intracom visitor records, which would not record any visits to the Vodafone exchange by Intracom personnel.

The leading cause for suspecting the employees of Vodafone Greece is the suicide of its head of network planning, Costas Tsalikidis. Yet the deceased's family questions whether it was a suicide at all. The family's attorney, Themistokles Sofos, has stated, "I am certain that Costas Tsalikidis did not commit suicide, and that makes me believe he probably gained knowledge of the phone tapping through his diligence with all matters professional." Thus, speculation is divided between theories that say Tsalikidis committed suicide because his involvement was about to be discovered and those that argue that Tsalikidis was murdered because he had discovered, or was about to discover, who the perpetrators were.

Another popular theory posits that the U.S. National Security Agency, Central Intelligence Agency, or some other U.S. spy agency did it. The location of the monitored phones correlates nicely with apartments and other property under the control of the U.S. Embassy in Athens. Under this theory, phone taps of Arabs and members of antiauthoritarian groups were installed because of fears of a terrorist attack on the Athens Olympics. It is widely believed that these U.S. agencies, particularly the NSA, have all the necessary tools and expertise for mounting such an attack.
wrong and how it can be fixed, not only specify that operators have security poli­ Yet an effective defense against viruses, for that particular operator, but for the cies that detail the measures they will take worms, and rootkits depends crucially on industry as a whole. to ensure the confidentiality of customer in-depth analysis that can penetrate source Merely saying—or even legislating— communications and the privacy of network code in all its baroque heterogeneity. For that system vendors and network opera­ users. However, Vodafone’s example, a statistical analysis of tors should not allow something like response indicates that such the call logs might have revealed this to occur is pointless, because there policies, if they existed, were Physical a correlation between the calls is little that can be done to these com­ ignored. If not for press con­ to the shadow numbers and panies after the fact. Instead, proactive ferences and public investiga­ logbooks calls to the monitored numbers. measures should be taken to ensure that tions, law enforcement could Telephone companies already such systems are developed and operated have watched the behavior of of visitors carry out extensive analysis on safely. Perhaps we can borrow a few pages the shadow cellphones sur­ were lost these sorts of data to spot cus­ from aviation safety, where both aircraft reptitiously. Physical logbooks tomer trends. But from the secu­ manufacturers and airline companies are of visitors were lost and data and data rity perspective, this analysis is closely monitored by national and inter­ logs were destroyed. In addi­ done for the wrong reasons and national agencies to ensure the safety of tion, neither law enforcement logs were by the wrong people—market­ airline passengers. n authorities nor the ADAE, the ing as opposed to security. 
By independent security and pri­ destroyed training security personnel to About The Authors vacy authority, was contacted use these tools and allowing VASSILIS PREVELAKIS, an IEEE directly. Instead, Vodafone Greece com­ them access to these data, customer trend member, is an assistant professor of municated through a political channel— analysis can become an effective counter­ ­computer science at Drexel University, in the prime minister’s office. It should be measure against rogue software. Philadelphia. His current research is on noted the ADAE was a fairly new organi­ Additional clues could be uncovered automation network security and secure zation at the time, formed in 2003. by merging call records generated by the software design. He has published The response of Greek law enforcement exchange with billing and accounting widely in these areas and is actively officials also left a lot to be desired. Police information. Doing so, though, involves involved in standards bodies such as the could have secured evidence by impounding consolidating distinct data sets currently Internet Engineering Task Force. all of Vodafone’s telecommunications and owned by different entities within the DIOMIDIS SPINELLIS, an IEEE computer equipment involved in the inci­ telecom organization. ­member, is an associate professor in the dent. Instead it appears that concerns about Another defense is regular auditing of department of management science and disruption to the operation of the mobile the type that allowed Ericsson to discover technology at the Athens University of telephone network led the authorities to take the rogue software by scrutinizing the off- Economics and Business and the author a more light-handed approach—essentially line dumps. However, in this case, as well of Code Quality: The Open Source interviewing employees and collecting as in the data analysis case, we have to be Perspective (Addison-Wesley, 2006). 
information provided by Vodafone—that sure that any rogue software cannot modify He blogs at http://www.spinellis.gr/blog. ultimately led to the loss of forensic evidence. the information stored in the logs or the They eventually started leveling accusations dumps, such as by using a separate moni­ To Probe Further at both the operator (Vodafone) and the toring computer running its own software. The Wikipedia article http://en.wikipedia. vendor (Ericsson), turning the victims into Digital systems generate enormous org/wiki/Greek_telephone_tapping_ defendants and losing their good will, which volumes of information. Ericsson and case_2004-2005 contains additional further hampered their investigation. Vodafone Greece had at their fingertips all links to press stories and background Of course, in countries where such high- the information they needed to discover material. tech crimes are rare, it is unreasonable to the penetration of Vodafone’s network Ericsson’s Interception Management expect to find a crack team of investigators. long before an undelivered text message System user manual (marked confiden- Could a rapid deployment force be set up to sent them looking. As in other industries, tial) is available on the Web through a handle such high-profile and highly techni­ the challenge now is to come up with ways Google search: http://www.google.com/ cal incidents? We’d like to see the interna­ to use this information. If one company’s search?q=IMS+ericsson+manual or at tional police organization Interpol create a technicians and one country’s police force http://cryptome.org/ericsson-ims.htm. www.spectrum.ieee.org July 2007 | IEEE Spectrum | NA 33
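The article's suggested countermeasure, a statistical analysis of call logs correlating calls to shadow numbers with calls to monitored numbers, as an added example that is not from the article or its authors: over constructed call-detail records (invented numbers and times, not Vodafone's data or Ericsson's record format), it flags any called number that consistently receives a call a few seconds after each call of a monitored subscriber, which is how a forwarded wiretap leg to a shadow number would appear. The record layout, the time window and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed call-detail records: (start time, calling party, called party,
# duration in seconds). The numbers are invented placeholders. "+30-SHADOW-1"
# plays the planted listener: a leg to it is set up a few seconds after each
# call involving the monitored number "+30-PM". "+30-CAROL" is a coincidence.
CDRS = [
    ("2005-03-01 09:00:00", "+30-PM", "+30-MAYOR", 300),
    ("2005-03-01 09:00:03", "+30-EXCHANGE", "+30-SHADOW-1", 297),
    ("2005-03-01 11:30:00", "+30-EMBASSY", "+30-PM", 120),
    ("2005-03-01 11:30:02", "+30-EXCHANGE", "+30-SHADOW-1", 118),
    ("2005-03-01 12:00:00", "+30-ALICE", "+30-BOB", 60),
    ("2005-03-01 12:00:04", "+30-EXCHANGE", "+30-CAROL", 50),
    ("2005-03-01 15:45:00", "+30-PM", "+30-MINISTER", 600),
    ("2005-03-01 15:45:01", "+30-EXCHANGE", "+30-SHADOW-1", 599),
]

def _parse(cdrs):
    fmt = "%Y-%m-%d %H:%M:%S"
    return [(datetime.strptime(t, fmt), a, b, d) for t, a, b, d in cdrs]

def shadow_candidates(cdrs, monitored, window=10, min_ratio=0.8, min_calls=2):
    """Map called numbers to the fraction of `monitored`'s calls they trail.

    A number is reported when a call to it starts within `window` seconds
    after at least `min_ratio` of the monitored number's calls (and at least
    `min_calls` of them). Legitimate traffic rarely shows such a fixed lag
    across every call of one subscriber; a forwarded wiretap leg does.
    """
    recs = _parse(cdrs)
    target_starts = [t for t, a, b, _ in recs if monitored in (a, b)]
    if len(target_starts) < min_calls:
        return {}
    trailed = defaultdict(set)  # called number -> indices of target calls
    for t, a, b, _ in recs:
        if monitored in (a, b):
            continue  # the target's own legs are not candidates
        for i, start in enumerate(target_starts):
            if timedelta(0) <= t - start <= timedelta(seconds=window):
                trailed[b].add(i)
    total = len(target_starts)
    return {num: len(ix) / total for num, ix in trailed.items()
            if len(ix) >= min_calls and len(ix) / total >= min_ratio}

if __name__ == "__main__":
    print(shadow_candidates(CDRS, "+30-PM"))  # {'+30-SHADOW-1': 1.0}
```

In practice the check would run over every subscriber, not a known target list, and its input must come from a log store the exchange software cannot rewrite, as the article's point about a separate monitoring computer implies.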