Remember the great Vodafone Greece/Ericsson AXE hack? We blogged it and some of its freakish consequences. Now, the IEEE Spectrum has published a detailed analysis of the hack, here. It’s fascinating stuff, but if anything it deepens the mystery.
What essentially happened? Well, somebody who probably had physical access to the switch used a rare and very Bellheaded function – AXEs can undergo software updates without going offline, like heart surgery without stopping the beat – to install a rootkit on it. Each memory block in the switch includes a “correction area”, a sandbox into which updates are inserted and then referenced elsewhere in the code to put them into effect. This is where the malicious code was inserted. The code allocated itself a chunk of memory, which it concealed from the operating system, and activated the lawful interception functions from within this chunk. The tapped traffic was routed into the secret memory block, and from there to the famous “four prepaid phones”.
Because Vodafone.gr didn’t at the time use Ericsson’s intercept management software, which includes an audit function, no-one noticed the extra taps. They might have got away with it for an indefinite period, had they not got greedy. Fiddling, they caused the switch to crash, meaning a major service outage. In the post I referred to above, I pointed out that telco culture played a big part in the decisions that followed; nothing gets a telco’s attention like an outage, and soon Ericsson engineers were crawling all over the thing. A core dump was taken, and compared with the last one. This revealed the security breach. Vodafone management now decided to remove the thing – who can blame them?
Far more culpable on their part is the fact that the list of people with access to the switching centre now mysteriously went missing, as did quite a lot of other information. No wonder the Greek cops and spooks who now descended on the site were displeased. But it surely can’t be that difficult. The hack involved some very advanced coding in a hellishly recondite programming language, PLEX. There aren’t that many people in the world who code PLEX. And quite a lot of them work for an Ericsson subcontractor right there in Athens…and one of the two compromised Mobile Switching Centres is located on the subcontractor’s campus.
Bruce Sterling remarked about the case that “maybe it’s teenagers”. Somehow I doubt it. There’s just no payoff from learning something like PLEX if you’re an alienated teenage geek – there’s all kinds of cool stuff you can do with other languages, like make money, nick porno films, and cheat at games. Not that you might not be interested in spying on the Greek prime minister, but the degree of expertise required before you get to his phone calls is surely beyond the plausible.
The Greek Left is of course convinced that it was the CIA. But then, from their point of view, the various military organisations being spied upon are identical with it. So what was the point?