A case of wiretapping gone awry

The Greeks can take credit for plenty of firsts, starting with modern civilization, democracy, mathematics and philosophy. Here’s another they might not be in such a hurry to claim: the first known example of illegal wiretapping of phone calls using legally installed software.

No, I’m not making this up. I even predicted it: A few weeks back I wrote a column highlighting the dangers of government-mandated built-in wiretapping (see this Web site ). As I wrote then, “Building networks that are inherently ‘tapable’ seems to me to be fundamentally bad security design, because anything the good guys can do, the bad guys can do, too.”

It seems they already have. Earlier this year, news broke that unnamed bad guys had been wiretapping the Vodafone cellular network in Greece from just before the Athens Olympics in August 2004 until March 2005. Targets reportedly included Greek Premier Costas Caramanlis, the major of Athens and senior state security officials — along with senior military officers, human rights activists, journalists, Arab businessmen and the United States Embassy. The leak was ultimately traced to software installed in the switches to enable the lawful intercept of traffic, which had been hijacked by rogue programmers.

That’s right: Ericsson put wiretapping software in its switches to comply with legal requirements — and the bad guys used it in decidedly illegal ways. What a surprise. As you might expect, plenty of finger-pointing has ensued.

Vodafone blames Ericsson, saying it had no idea the switches contained wiretapping software, a claim adamantly denied by Ericsson’s Greek CEO, Bill Zikou, who maintains that Ericsson provided all relevant details about the switches’ capabilities to Vodafone management and says the responsibility to protect subscribers was with Vodafone.

And everybody blames the Greek government for failing to expose and remediate the situation in a timely fashion. As a journalist pointed out during a briefing by the Greek government earlier this year (well over a year after the event): “It isn’t the government that made it public — it was the CEO of Vodafone.” (For a partial transcript of this briefing and other informative details, check out this Web site.)

Disturbingly, nobody seems quite sure of the culprits’ identities, let alone their motives (though the selection of targets seems to clearly imply political aims). In one of the funnier moments during the whole episode, the Greek government initially denied the possibility the culprits could be Greek, on the theory that Greek geeks lack the technical knowledge necessary to pull off such a sophisticated hack — surely news to the many world-class computer scientists and engineers who hail from Hellas.

Law enforcement agents need the tools to do their jobs. But building “tapability” into networks isn’t the way to make that happen. Whether you’re more concerned about unauthorized government intrusion or attacks by criminally minded geeks, embedding tapability into the network is a bad idea.

Too bad we’ve codified this particular bad idea into our law.

QuickLink 066292

— Johnson is president and senior founding partner at Nemertes Research, an independent technology research firm. She can be reached at johna@nemertes.com.

Related Download
A Guide to Print Security for Canadian Organizations Sponsor: HP
A Guide to Print Security for Canadian Organizations
IT security vulnerabilities are a growing cause for concern for organizations trying to protect their data from printer breaches.
Register Now