July 2007
Beer and Privacy (3 July 2007
Belgian Court Rules ISPs Must Stop File-Sharing (5 July 2007
The Greek Cellphone Tapping Scandal (6 July 2007
Pen Registers and the Internet (7 July 2007
Security and Usability: Windows Vista (13 July 2007
Fidget Toys (13 July 2007
Checkers: Solved (19 July 2007
Secondary Uses and Privacy (20 July 2007
Security Flaw in the iPhone (23 July 2007
Hacking Forensic Software (26 July 2007
Insider Attacks (28 July 2007

The Greek Cellphone Tapping Scandal

6 July 2007

There's a fascinating new IEEE Spectrum article by Vassilis Prevelakis and Diomidis Spinellis about the Greek cellphone tapping incident. In this incident, someone — just who remains unknown — inserted some code in some phone switches to abuse the built-in wiretap facilities to eavesdrop on calls. Over 100 people's lines were monitored, up to and including the prime minister.

There are two important lessons to be drawn from this incident. First, logging and process are very important. Everyone involved in system design or operation should pay attention to that portion of the article. I say "everyone" and not "all security people" because the logs in question are not necessarily intended for security purposes.

The second lesson, of course, is that built-in wiretap facilities and the like are really dangerous, and are easily abused. See, for example, Security Implications of Applying the Communications Assistance to Law Enforcement Act to Voice over IP, by myself, Blaze, Brickell, Brooks, Cerf, Diffie, Landau, Peterson, and Treichler; The Real National-Security Needs for VoIP, by me, Blaze, and Landau; Comments on the Carnivore System Technical Review, by me, Blaze, Farber, Neumann, and Spafford; The RISKS of Key Recovery, Key Escrow, and Trusted Third-Party Encryption by Abelson, Anderson, me, Benaloh, Blaze, Diffie, Gilmore, Neumann, Rivest, Schiller, and Schneier; CERT® Advisory CA-2000-18: PGP May Encrypt Data With Unauthorized ADKs; and many more.


Update: Matt Blaze has also blogged about this article.