
The Athens Affair

The hackers broke into the Vodafone Greece cellular network and illegally wiretapped over 100 high-ranking officials, including the Prime Minister, ministers, and a US embassy employee. They did this by reprogramming the network's software to subvert its wiretapping features. The wiretapping went undetected for over a year until issues with text messages revealed the breach. The network operator, Vodafone, was fined for its mishandling of the investigation. The hack was a sophisticated attack that allowed access to private conversations and state secrets.

Uploaded by

George Papoutzas

Crime

The Athens Affair

How some extremely smart hackers pulled off the most audacious cell-network break-in ever

By Vassilis Prevelakis & Diomidis Spinellis

www.spectrum.ieee.org July 2007 | IEEE Spectrum | NA 27

On 9 March 2005, a 38-year-old Greek electrical engineer named Costas Tsalikidis was found hanged in his Athens loft apartment, an apparent suicide. It would prove to be merely the first public news of a scandal that would roil Greece for months.

The next day, the prime minister of Greece was told that his cellphone was being bugged, as were those of the mayor of Athens and at least 100 other high-ranking dignitaries, including an employee of the U.S. embassy.

The victims were customers of Athens-based Vodafone-Panafon, generally known as Vodafone Greece, the country’s largest cellular service provider; Tsalikidis was in charge of network planning at the company. A connection seemed obvious. Given the list of people and their positions at the time of the tapping, we can only imagine the sensitive political and diplomatic discussions, high-stakes business deals, or even marital indiscretions that may have been routinely overheard and, quite possibly, recorded.

CEOs, MPs & a PM

The illegally wiretapped cellphones in the Athens affair included those of the prime minister, his defense and foreign affairs ministers, top military and law enforcement officials, the Greek EU commissioner, activists, and journalists.

On 6 April 2006, Bill Zikou, CEO of Ericsson Hellas, was summoned to give evidence before a parliamentary committee looking into the scandal. His company provided the telecommunications switching equipment that rogue programmers broke into.

Vodafone Greece CEO Giorgos Koronias ordered the removal of the surveillance program, because, as he explained in a February 2006 newspaper interview, “the company had to react immediately.” Removing the program is thought to have tipped off the perpetrators and helped them evade capture.

Greek Prime Minister Costas Karamanlis was only the most notable of the 100 or so individuals illegally wiretapped, which, besides the country’s political, law enforcement, and military elite, included Karamanlis’s wife.

Costas Tsalikidis was found hanged, an apparent suicide, just before the Athens affair became public. As a telecommunications engineer in charge of network planning at Vodafone, he was ideally placed to be either an inside accomplice or discoverer of the digital break-in. But his involvement in the case has never been established.

Giorgos Voulgarakis was the first government official to whom Koronias disclosed the case. Giannis Angelou, the director of the Prime Minister’s political office, was also present.

Even before Tsalikidis’s death, investigators had found rogue software installed on the Vodafone Greece phone network by parties unknown. Some extraordinarily knowledgeable people either penetrated the network from outside or subverted it from within, aided by an agent or mole. In either case, the software at the heart of the phone system, investigators later discovered, was reprogrammed with a finesse and sophistication rarely seen before or since.

A study of the Athens affair, surely the most bizarre and embarrassing scandal ever to engulf a major cellphone service provider, sheds considerable light on the measures networks can and should take to reduce their vulnerability to hackers and moles.

It’s also a rare opportunity to get a glimpse of one of the most elusive of cybercrimes. Major network penetrations of any kind are exceedingly uncommon. They are hard to pull off, and equally hard to investigate.

Even among major criminal infiltrations, the Athens affair stands out because it may have involved state secrets, and it targeted individuals—a combination that, if it had ever occurred before, was not disclosed publicly. The most notorious penetration to compromise state secrets was that of the “Cuckoo’s Egg,” a name bestowed by the wily network administrator who successfully pursued a German programmer in 1986. The programmer had been selling secrets about the U.S. Strategic Defense Initiative (“Star Wars”) to the Soviet KGB.

But unlike the Cuckoo’s Egg, the Athens affair targeted the conversations of specific, highly placed government and military officials. Given the ease with which the conversations could have been recorded, it is generally believed that they were. But no one has found any recordings, and we don’t know how many of the calls were recorded, or even listened to, by the perpetrators. Though the scope of the activity is to a large extent unknown, it’s fair to say that no other computer crime on record has had the same potential for capturing information about affairs of state.

While this is the first major infiltration to involve cellphones, the scheme did not depend on the wireless nature of the network. Basically, the hackers broke into a telephone network and subverted its built-in wiretapping features for their own purposes. That could have been done with any phone account, not just cellular ones. Nevertheless, there are some elements of the Vodafone Greece system that were unique and crucial to the way the crime was pulled off.

We still don’t know who committed this crime. A big reason is that the UK-based Vodafone Group, one of the largest cellular providers in the world, bobbled its handling of some key log files. It also reflexively removed the rogue software, instead of letting it continue to run, tipping off the perpetrators that their intrusion had been detected and giving them a chance to run for cover. The company was fined €76 million this past December.

To piece together this story, we have pored through hundreds of pages of depositions, taken by the Greek parliamentary committee investigating the affair, obtained through a freedom of information request filed with the Greek Parliament. We also read through hundreds of pages of documentation and other records, supplemented by publicly available information and interviews with independent experts and sources associated with the case. What emerges are the technical details, if not the motivation, of a devilishly clever and complicated computer infiltration.

The cellphone bugging began sometime during the fevered run-up to the August 2004 Olympic Games in Athens. It remained undetected until 24 January 2005, when one of Vodafone’s telephone switches generated a sequence of error messages indicating that text messages originating from another cellphone operator had gone undelivered. The switch is a computer-controlled component of a phone network that connects two telephone lines to complete a telephone call. To diagnose the failures, which seemed highly unusual but reasonably innocuous at the time, Vodafone contacted the maker of the switches, the Swedish telecommunications equipment manufacturer Ericsson.

We now know that the illegally implanted software, which was eventually found in a total of four of
Vodafone’s Greek switches, created parallel streams of digitized voice for the tapped phone calls. One stream was the ordinary one, between the two calling parties. The other stream, an exact copy, was directed to other cellphones, allowing the tappers to listen in on the conversations on the cellphones, and probably also to record them. The software also routed location and other information about those phone calls to these shadow handsets via automated text messages.

Five weeks after the first messaging failures, on 4 March 2005, Ericsson alerted Vodafone that unauthorized software had been installed in two of Vodafone’s central offices. Three days later, Vodafone technicians isolated the rogue code. The next day, 8 March, the CEO of Vodafone Greece, Giorgos Koronias, ordered technicians to remove the software.

Then events took a deadly turn. On 9 March, Tsalikidis, who was to be married in three months, was found hanged in his apartment. No one knows whether his apparent suicide was related to the case, but many observers have speculated that it was.

The day after Tsalikidis’s body was discovered, CEO Koronias met with the director of the Greek prime minister’s political office, Yiannis Angelou, and the minister of public order, Giorgos Voulgarakis. Koronias told them that rogue software used the lawful wiretapping mechanisms of Vodafone’s digital switches to tap about 100 phones and handed over a list of bugged numbers. Besides the prime minister and his wife, phones belonging to the ministers of national defense, foreign affairs, and justice, the mayor of Athens, and the Greek European Union commissioner were all compromised. Others belonged to members of civil rights organizations, peace activists, and antiglobalization groups; senior staff at the ministries of National Defense, Public Order, Merchant Marine, and Foreign Affairs; the New Democracy ruling party; the Hellenic Navy general staff; and a Greek-American employee at the United States Embassy in Athens.

Within weeks of the initial discovery of the tapping scheme, Greek government and independent authorities launched five different investigations aimed at answering three main questions: Who was responsible for the bugging? Was Tsalikidis’s death related to the scandal? And how did the perpetrators pull off this audacious scheme?

From Alpha to Omega

Timeline axis: January 2002 to January 2005.

31 Jan  Ericsson provides Vodafone with the details of its R9.1 software, which includes lawful interception (LI) capability.
20 Jan  Ericsson delivers R9.1 system software containing partial LI functionality to Vodafone.
6 Jun  Accounts for first two shadow phones are created.
9 Jun  Three more shadow phones are registered.
29 Jun  One shadow phone makes two outgoing calls.
4 Aug  Nine more shadow phones are registered.
4–10 Aug  Rogue software is installed in three exchanges: MEAKS, MEAKF, MEAPS.
9–11 Aug  Rogue software is configured with interception numbers.
13 Aug  Opening ceremony of the Athens 2004 Olympic Games.
27–29 Oct  Rogue software is installed in the MEAPA exchange but is not used for monitoring.
20 Jan  Shadow phones operate in Lycabettus restaurant in Athens.
24 Jan–1 Feb  Two test numbers are configured for interception at a fourth exchange, MEAPA.
24 Jan  The MEAPA exchange begins logging forlopp errors.
25 Jan  The MEAPA exchange stops logging forlopp errors.
27 Jan  Credits are added to the shadow phone accounts.
31 Jan  Shadow phones make one call and forward another. The call recipient then sends an SMS message to itself.
11 Feb  MEAKF upgrades from R9.1 to R10 software, destroying the rogue code.
18 Feb  Credits are added to the shadow phone accounts.
18 Feb  Shadow phones operate in Lycabettus restaurant.

To understand how someone could secretly listen to the conversations of Greece’s most senior officials, we have to look at the infrastructure that makes it possible.

First, consider how a phone call, yours or a prime minister’s, gets completed. Long before you dial a number on your handset, your cellphone has been communicating with nearby cellular base stations. One of those stations, usually the nearest, has agreed to be the intermediary between your phone and the network as a whole. Your telephone handset converts your words into a stream of digital data that is sent to a transceiver at the base station.

The base station’s activities are governed by a base station controller, a special-purpose computer within the station that allocates radio channels and helps coordinate handovers between the transceivers under its control.

This controller in turn communicates with a mobile switching center that takes phone calls and connects them to call recipients within the same switching center, other switching centers within the company, or special exchanges that act as gateways to foreign networks, routing calls to other telephone networks (mobile or landline). The mobile switching centers are particularly important to the Athens affair because they hosted the rogue phone-tapping software, and it is there that the eavesdropping originated. They were the logical choice, because they are at the heart of the network; the intruders needed to take over only a few of them in order to carry out their attack.

Both the base station controllers and the switching centers are built around a large computer, known as a switch, capable of creating a dedicated communications path between a phone within its network and, in principle, any other phone in the world. Switches are holdovers from the 1970s, an era when powerful computers filled rooms
and were built around proprietary hardware and software. Though these computers are smaller nowadays, the system’s basic architecture remains largely unchanged.

Like most phone companies, Vodafone Greece uses the same kind of computer for both its mobile switching centers and its base station controllers—Ericsson’s AXE line of switches. A central processor coordinates the switch’s operations and directs the switch to set up a speech or data path from one phone to another and then routes a call through it. Logs of network activity and billing records are stored on disk by a separate unit, called a management processor.

The key to understanding the hack at the heart of the Athens affair is knowing how the Ericsson AXE allows lawful intercepts—what are popularly called “wiretaps.” Though the details differ from country to country, in Greece, as in most places, the process starts when a law enforcement official goes to a court and obtains a warrant, which is then presented to the phone company whose customer is to be tapped.

Nowadays, all wiretaps are carried out at the central office. In AXE exchanges a remote-control equipment subsystem, or RES, carries out the phone tap by monitoring the speech and data streams of switched calls. It is a software subsystem typically used for setting up wiretaps, which only law officers are supposed to have access to. When the wiretapped phone makes a call, the RES copies the conversation into a second data stream and diverts that copy to a phone line used by law enforcement officials.

Ericsson optionally provides an interception management system (IMS), through which lawful call intercepts are set up and managed. When a court order is presented to the phone company, its operators initiate an intercept by filling out a dialog box in the IMS software. The optional IMS in the operator interface and the RES in the exchange each contain a list of wiretaps: wiretap requests in the case of the IMS, actual taps in the RES. Only IMS-initiated wiretaps should be active in the RES, so a wiretap in the RES without a request for a tap in the IMS is a pretty good indicator that an unauthorized tap has occurred. An audit procedure can be used to find any discrepancies between them.

It turns out Vodafone had not purchased the lawful intercept option at the time of the illegal wiretaps, and the IMS phone-tapping management software was not installed on Vodafone’s systems. But in early 2003, Vodafone technicians upgraded the Greek switches to release R9.1 of the AXE software suite. That upgrade included the RES software, according to a letter from Ericsson that accompanied the upgrade. So after the upgrade, the Vodafone system contained the software code necessary to intercept calls using the RES, even though it lacked the high-level user interface in the IMS normally used to facilitate such intercepts.

That odd circumstance would turn out to play a role in letting the Athens hackers illegally listen in on calls and yet escape detection for months and months.

Timeline (continued)

Timeline axis: March through November, continuing into 2006.

4 Mar  Ericsson informs Vodafone of the existence of rogue software.
4 Mar  Shadow phones make no further calls.
7 Mar  Vodafone locates the rogue software.
8 Mar  Vodafone extracts a list of logged phone numbers from MEAKS.
8 Mar  Vodafone Greece CEO Giorgos Koronias orders removal of the rogue software.
9 Mar  Costas Tsalikidis, head of network planning of Vodafone Greece is found hanged in his apartment.
10 Mar  Koronias briefs Giannis Angelou, director of the prime minister’s political office.
10 Mar  The Greek presidential decree specifying lawful interception procedures takes effect.
16 Mar  Vodafone sends e-mail to Ericsson asking for the return of all exchange backup data.
Jul  Vodafone, following its data retention policies, destroys the visitor sign-in books at one exchange facility.
Jul  Vodafone upgrades two of the access servers, wiping out access logs.
31 Oct  Vodafone places an order with Ericsson for LI software.
18 Nov  Ericsson delivers LI software to Vodafone.
1 Feb  Public prosecutor of the Supreme Court finishes the preliminary investigation.
2 Feb  The government provides details of the case in a press conference.
2 Feb  Criminal prosecution for the violation of communications privacy and possibly spying is ordered.
8 Mar  The government security agency, ADAE, presents its first interim report on the case to the Parliament Committee on Institutions and Transparency.
23 Mar  ADAE performs a simulation of the rogue software.
7 Apr  ADAE publishes its second interim report on the case.
14 Dec  ADAE fines Vodafone €76 million (US $99.4 million).

It took guile and some serious programming chops to manipulate the lawful call-intercept functions in Vodafone’s mobile switching centers. The intruders’ task was particularly complicated because they needed to install and operate the wiretapping software on the exchanges without being detected by Vodafone or Ericsson system administrators. From time to time the intruders needed access to the rogue software to update the lists of monitored numbers and shadow phones. These activities had to be kept off all logs, while the software itself had to be invisible to the system administrators conducting routine maintenance activities. The intruders achieved all these objectives.

They took advantage of the fact that the AXE allows new software to be installed without rebooting the system, an important feature when any interruption would disconnect phone calls, lose text messages, and render emergency services unreachable. To let an AXE exchange run continuously for decades, as many of them do, Ericsson’s software uses several techniques for handling failures and upgrading an exchange’s software without suspending its operation. These techniques allow the direct patching of code loaded in the central processor, in effect altering the operating system on the fly.

Modern GSM systems, such as Vodafone’s, secure the wireless links with a sophisticated encryption mechanism. A call to another cellphone will be re-encrypted between the remote cellphone and its closest base station, but it is not protected while it transits the provider’s core network. For this reason—and for the ease of monitoring calls from the comfort of their lair—the perpetrators of the Vodafone wiretaps attacked the core switches of the Vodafone network. Encrypting communications from the start of the chain to its end—as banks, for example, do—makes it very difficult to implement legal wiretaps.

To simplify software maintenance, the AXE has detailed rules for directly patching software running on its central processor. The AXE’s existing code is structured around independent blocks, or program modules, which are stored in the central processor’s memory. The release being used in 2004 consisted of about 1760 blocks. Each contains a small “correction area,” used whenever software is updated with a patch.

Let’s say you’re patching in code to force the computer to do a new function, Z, in situations where it has been doing a different function, Y. So, for example, where the original software had an instruction, “If X, then do Y” the patched software says, in effect, “If X, then go to the correction area
location L.” The software goes to location L and executes the instructions it finds there, that is, Z. In other words, a software patch works by replacing an instruction at the area of the code to be fixed with an instruction that diverts the program to a memory location in the correction area containing the new version of the code.

The challenge faced by the intruders was to use the RES’s capabilities to duplicate and divert the bits of a call stream without using the dialog-box interface to the IMS, which would create auditable logs of their activities. The intruders pulled this off by installing a series of patches to 29 separate blocks of code, according to Ericsson officials who testified before the Greek parliamentary committee that investigated the wiretaps. This rogue software modified the central processor’s software to directly initiate a wiretap, using the RES’s capabilities. Best of all, for them, the taps were not visible to the operators, because the IMS and its user interface weren’t used.

The full version of the software would have recorded the phone numbers being tapped in an official registry within the exchange. And, as we noted, an audit could then find a discrepancy between the numbers monitored by the exchange and the warrants active in the IMS. But the rogue software bypassed the IMS. Instead, it cleverly stored the bugged numbers in two data areas that were part of the rogue software’s own memory space, which was within the switch’s memory but isolated and not made known to the rest of the switch.

“The rogue software stored bugged phone numbers in its own memory space”

That by itself put the rogue software a long way toward escaping detection. But the perpetrators hid their own tracks in a number of other ways as well. There were a variety of circumstances by which Vodafone technicians could have discovered the alterations to the AXE’s software blocks. For example, they could have taken a listing of all the blocks, which would show all the active processes running within the AXE—similar to the task manager output in Microsoft Windows or the process status (ps) output in Unix. They then would have seen that some processes were active, though they shouldn’t have been. But the rogue software apparently modified the commands that list the active blocks in a way that omitted certain blocks—the ones that related to intercepts—from any such listing.

In addition, the rogue software might have been discovered during a software upgrade or even when Vodafone technicians installed a minor patch. It is standard practice in the telecommunications industry for technicians to verify the existing block contents before performing an upgrade or patch. We don’t know why the rogue software was not detected in this way, but we suspect that the software also modified the operation of the command used to print the checksums—codes that create a kind of signature against which the integrity of the existing blocks can be validated. One way or another, the blocks appeared unaltered to the operators.

Finally, the software included a back door to allow the perpetrators to control it in the future. This, too, was cleverly constructed to avoid detection. A report by the Hellenic Authority for the Information and Communication Security and Privacy (the Greek abbreviation is ADAE) indicates that the rogue software modified the exchange’s command parser—a routine that accepts commands from a person with system administrator status—so that innocuous commands followed by six spaces would deactivate the exchange’s transaction log and the alarm associated with its deactivation, and allow the execution of commands associated with the lawful interception subsystem. In effect, it was a signal to allow operations associated with the wiretaps but leave no trace of them. It also added a new user name and password to the system, which could be used to obtain access to the exchange.

Software that not only alters operating system code but also hides its tracks is called a “rootkit.” The term is known to the public—if at all—because of one that the record label Sony BMG Music Entertainment included on some music CDs released in 2005. The Sony rootkit restricted copying of CDs; it burrowed into the Windows operating system on PCs and then hid its existence from the owner. (Sony stopped using rootkits because of a general public outcry.) Security experts have also discovered other rootkits for general-purpose operating systems, such as Linux, Windows, and Solaris, but to our knowledge this is the first time a rootkit has been observed on a special-purpose system, in this case an Ericsson telephone switch.

With all of this sophisticated subterfuge, how then was the rogue software finally discovered? On 24 January 2005, the perpetrators updated their planted software. That upgrade interfered with the forwarding of text messages, which went undelivered. These undelivered text messages, in turn, triggered an automated failure report.

At this point, the hackers’ abilities to keep their modifications to the switch’s AXE software suite secret met their limits, as it’s almost impossible to hide secrets in somebody else’s system.

The AXE, like most large software systems, logs all manner of network activity. System administrators can review the log files, and any events they can’t account for as ordinary usage can be investigated.

It’s impossible to overstate the importance of logging. For example, in the 1986 Cuckoo’s Egg intrusion, the wily network administrator, Clifford Stoll, was asked to investigate a 75 U.S. cents accounting error. Stoll spent 10 months looking for the hacker, who had penetrated deep into the networks of Lawrence Livermore National Laboratory, a U.S. nuclear weapons lab in California. Much of that time he spent poring over thousands of log report pages.

The AXE, like most sophisticated systems nowadays, can help operators find the nuggets of useful information within the voluminous logs it generates. It is programmed to report anomalous activity on its own, in the form of error or failure reports. In addition, at regular intervals the switching center generates a snapshot of itself—a copy, or dump, of all its programs and data.

Dumps are most commonly consulted for recovery and diagnostic purposes, but they can be used in security investigations. So when Ericsson’s investigators were called in because of the undelivered text messages, the first thing they did was look closely at the periodic dumps. They found two areas containing all the phone numbers being monitored and retrieved a list of them.

The investigators examined the dumps more thoroughly and found the rogue programs. What they found though, was in the form of executable code—in other words, code in the binary language that microprocessors directly execute. Executable code is what results when a software compiler turns source code—in the case of the AXE, programs written in the PLEX language—into the binary machine code that a computer processor executes. So the investigators painstakingly reconstructed an approximation of the original PLEX source files that the intruders developed. It turned out to be the equivalent of about 6500 lines of code, a surprisingly substantial piece of software.



An Inside Job?

By Steven Cherry & Harry Goldstein

No mystery novel is complete without the reader finding out “who done it,” but real life is usually messier than fiction. In the Athens affair, we can only speculate about who may have been behind the most spectacular cell-system penetration ever.

The hackers’ facility with the esoteric art of programming the Ericsson AXE central-office switch convinced some that the criminals were either employees of Vodafone Greece or of Intracom Telecom.

Intracom has aroused suspicion because it provided key software to Ericsson and because the Greek company is a major telecommunications equipment supplier to Greece’s dominant carrier, OTE Group. Given that the majority of OTE’s shares are owned by the Greek state, a business having large dealings with OTE would have had a strong incentive to tap the phones of the ruling party in order to check on whether any of the deals it or OTE had set up under the previous government were in danger of being derailed. Under this theory, phone taps for Arabs and members of antiauthoritarian groups were installed to send investigators on a wild goose chase.

But what really raised eyebrows was the fact that one of the hacked Vodafone exchanges was located on the campus of the main Intracom facility. Anyone wishing to enter that particular Vodafone facility would have had to go through the

logged twice. Unfortunately, the visitor records for the exchange were destroyed by Vodafone in accord with routine procedures, despite the extraordinary circumstances. So investigators had only the Intracom visitor records, which would not record any visits to the Vodafone exchange by Intracom personnel.

The leading cause for suspecting the employees of Vodafone Greece is the suicide of its head of network planning, Costas Tsalikidis. Yet the deceased’s family questions whether it was a suicide at all. The family’s attorney, Themistokles Sofos, has stated, “I am certain that Costas Tsalikidis did not commit suicide, and that makes me believe he probably gained knowledge of the phone tapping through his diligence with all matters professional.” Thus, speculation is divided between theories that say Tsalikidis committed suicide because his involvement was about to be discovered and those that argue that Tsalikidis was murdered because he had discovered, or was about to discover, who the perpetrators were.

Another popular theory posits that the U.S. National Security Agency, Central Intelligence Agency, or some other U.S. spy agency did it. The location of the monitored phones correlates nicely with apartments and other property under the control of the U.S. Embassy in Athens.

Under this theory, phone taps of Arabs and members of antiauthoritarian groups were installed because of fears of a terrorist attack on the Athens Olympics. It is widely believed that these U.S. agencies, particularly the NSA, have all the neces-

but there is no conclusive evidence to support that scenario. The infiltration could have been carried out remotely and, indeed, according to a state report, in the case of the failed text messages where the exact time of the event is known, the last person to access the exchange had been issued a visitor’s badge.

Similarly, we may never know whether Tsalikidis had anything to do with the wiretaps. Many observers have found the timing of his death highly suggestive, but to this day no connection has been uncovered. Nor can observers do more than speculate as to the motives of the infiltrators. [See the sidebar, “An Inside Job?” for a summary of the leading speculation; we can neither endorse nor refute the theories presented.]

Just as we cannot now know for certain who was behind the Athens affair or what their motives were, we can only speculate about various approaches that the intruders may have followed to carry out their attack. That’s because key material has been lost or was never collected. For instance, in July 2005, while the investigation was taking place, Vodafone upgraded two of the three servers used for accessing the exchange management system. This upgrade wiped out the access logs and, contrary to company policy, no backups were retained. Some time later a six-month retention period for visitor sign-in books lapsed, and Vodafone destroyed the books corresponding to the period where the rogue software was modified, triggering the text-message errors.

Traces of the rogue software installation
Intracom gates, meaning that visitors to sary tools and expertise for mounting such might have been recorded on the exchange’s
the Vodafone exchange would have been an attack. n transaction logs. However, due to a paucity
of storage space in the exchange’s man­
agement systems, the logs were retained
The investigators ran the modules in of connection used in a lawful wiretap— for only five days, because Vodafone
simulated environments to better under­ a connection to a shadow number allow­ considers billing data, which competes
stand their behavior. The result of all this ing it to listen in on the conversation. for the same space, a lot more important.
investigative effort was the discovery of Creating the rogue software so that it Most crucially, Vodafone’s deactivation of
the data areas holding the tapped numbers would remain undetected required a lot of the rogue software on 7 March 2005 almost
and the time stamps of recent intercepts. expertise in writing AXE code, an esoteric certainly alerted the conspirators, giving
With this information on hand, the competency that isn’t readily available in them a chance to switch off the shadow
investigators could go back and look at ear­ most places. But as it happens, for the past phones. As a result investigators missed
lier dumps to establish the time interval 15 years, a considerable part of Ericsson’s the opportunity of triangulating the loca­
during which the wiretaps were in effect software development for the AXE has tion of the shadow phones and catching the
and to get the full list of intercepted num­ been done under contract by a Greek com­ perpetrators in the act.
bers and call data for the tapped conver­ pany based in Athens, Intracom Telecom,
sations—who called whom, when, and for part of Intracom Holdings. The necessary so whaT can This affair teach us about
how long. (The actual conversations were know­how was available locally and was how to protect phone networks?
not stored in the logs.) spread over a large number of present and Once the infiltration was discov­
While the hack was complex, the taps past Intracom developers. So could this ered, Vodafone had to balance the need
themselves were straightforward. When have been an inside job? for the continued operation of the net­
the prime minister, for example, initiated The early stages of the infiltration would work with the discovery and prosecution
or received a call on his cellphone, the have been much easier to pull off with the of the guilty parties. Unfortunately, the
exchange would establish the same kind assistance of someone inside Vodafone, responses of Vodafone and that of Greek



law enforcement were both inadequate. Through Vodafone’s actions, critical data were lost or destroyed, while the perpetrators not only received a warning that their scheme had been discovered but also had sufficient time to disappear.

In the telecommunications industry, prevailing best practices require that the operator’s policies include procedures for responding to an infiltration, such as a virus attack: retain all data, isolate the part of the system that’s been broken into as much as possible, coordinate activities with law enforcement.

Greek federal telecom regulations also specify that operators have security policies that detail the measures they will take to ensure the confidentiality of customer communications and the privacy of network users. However, Vodafone’s response indicates that such policies, if they existed, were ignored. If not for press conferences and public investigations, law enforcement could have watched the behavior of the shadow cellphones surreptitiously. Physical logbooks of visitors were lost and data logs were destroyed. In addition, neither law enforcement authorities nor the ADAE, the independent security and privacy authority, was contacted directly. Instead, Vodafone Greece communicated through a political channel—the prime minister’s office. It should be noted the ADAE was a fairly new organization at the time, formed in 2003.

The response of Greek law enforcement officials also left a lot to be desired. Police could have secured evidence by impounding all of Vodafone’s telecommunications and computer equipment involved in the incident. Instead it appears that concerns about disruption to the operation of the mobile telephone network led the authorities to take a more light-handed approach—essentially interviewing employees and collecting information provided by Vodafone—that ultimately led to the loss of forensic evidence. They eventually started leveling accusations at both the operator (Vodafone) and the vendor (Ericsson), turning the victims into defendants and losing their good will, which further hampered their investigation.

Of course, in countries where such high-tech crimes are rare, it is unreasonable to expect to find a crack team of investigators. Could a rapid deployment force be set up to handle such high-profile and highly technical incidents? We’d like to see the international police organization Interpol create a cyberforensics response team that countries could call on to handle such incidents.

Telephone exchanges have evolved over the decades into software-based systems, and therefore the task of analyzing them for vulnerabilities has become very difficult. Even as new software features, such as conferencing, number portability, and caller identification, have been loaded onto the exchanges, the old software remains in place. Complex interactions between subsystems and baroque coding styles (some of them remnants of programs written 20 or 30 years ago) confound developers and auditors alike.

Yet an effective defense against viruses, worms, and rootkits depends crucially on in-depth analysis that can penetrate source code in all its baroque heterogeneity. For example, a statistical analysis of the call logs might have revealed a correlation between the calls to the shadow numbers and calls to the monitored numbers. Telephone companies already carry out extensive analysis on these sorts of data to spot customer trends. But from the security perspective, this analysis is done for the wrong reasons and by the wrong people—marketing as opposed to security. By training security personnel to use these tools and allowing them access to these data, customer trend analysis can become an effective countermeasure against rogue software.

Additional clues could be uncovered by merging call records generated by the exchange with billing and accounting information. Doing so, though, involves consolidating distinct data sets currently owned by different entities within the telecom organization.

Another defense is regular auditing of the type that allowed Ericsson to discover the rogue software by scrutinizing the off-line dumps. However, in this case, as well as in the data analysis case, we have to be sure that any rogue software cannot modify the information stored in the logs or the dumps, such as by using a separate monitoring computer running its own software.

Digital systems generate enormous volumes of information. Ericsson and Vodafone Greece had at their fingertips all the information they needed to discover the penetration of Vodafone’s network long before an undelivered text message sent them looking. As in other industries, the challenge now is to come up with ways to use this information. If one company’s technicians and one country’s police force cannot meet this challenge, a response team that can needs to be created.

It is particularly important not to turn the investigation into a witch hunt. Especially in cases where the perpetrators are unlikely to be identified, it is often politically expedient to use the telecom operator as a convenient scapegoat. This only encourages operators and their employees to brush incidents under the carpet, and turns them into adversaries of law enforcement. Rather than looking for someone to blame (and punish), it is far better to determine exactly what went wrong and how it can be fixed, not only for that particular operator, but for the industry as a whole.

Merely saying—or even legislating—that system vendors and network operators should not allow something like this to occur is pointless, because there is little that can be done to these companies after the fact. Instead, proactive measures should be taken to ensure that such systems are developed and operated safely. Perhaps we can borrow a few pages from aviation safety, where both aircraft manufacturers and airline companies are closely monitored by national and international agencies to ensure the safety of airline passengers.

ABOUT THE AUTHORS

VASSILIS PREVELAKIS, an IEEE member, is an assistant professor of computer science at Drexel University, in Philadelphia. His current research is on automation network security and secure software design. He has published widely in these areas and is actively involved in standards bodies such as the Internet Engineering Task Force.

DIOMIDIS SPINELLIS, an IEEE member, is an associate professor in the department of management science and technology at the Athens University of Economics and Business and the author of Code Quality: The Open Source Perspective (Addison-Wesley, 2006). He blogs at http://www.spinellis.gr/blog.

TO PROBE FURTHER

The Wikipedia article http://en.wikipedia.org/wiki/Greek_telephone_tapping_case_2004-2005 contains additional links to press stories and background material.

Ericsson’s Interception Management System user manual (marked confidential) is available on the Web through a Google search: http://www.google.com/search?q=IMS+ericsson+manual or at http://cryptome.org/ericsson-ims.htm.
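
The article's proposal that a statistical analysis of call logs could expose the correlation between calls to shadow numbers and calls to monitored numbers can be sketched as follows. This is an added example, not code from the article or from any operator's tooling; the record layout, the sample numbers and the assumption that each tap leg is logged as an ordinary call record to the shadow number are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed call records: (start, seconds, caller, callee). All numbers are made up.
# Assumption: each tap leg is logged as an ordinary record whose callee is the shadow number.
SAMPLE_CDRS = [
    ("2005-01-10 09:00:00", 120, "A100", "M200"),  # monitored subscriber receives a call
    ("2005-01-10 09:00:01", 119, "M200", "S900"),  # mirrored leg to the shadow number
    ("2005-01-10 09:30:00", 300, "M200", "B300"),
    ("2005-01-10 09:30:01", 299, "M200", "S900"),
    ("2005-01-10 10:15:00", 45, "C400", "M201"),   # second monitored subscriber
    ("2005-01-10 10:15:02", 43, "M201", "S900"),
    ("2005-01-10 10:15:01", 600, "D500", "E600"),  # unrelated call, same start only
    ("2005-01-10 11:00:00", 60, "E600", "D500"),
    ("2005-01-10 12:00:00", 200, "B300", "A100"),
    ("2005-01-10 13:00:00", 30, "D500", "A100"),
    ("2005-01-10 14:00:00", 75, "E600", "A100"),
]

def _window(start, seconds):
    begin = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
    return begin, begin + timedelta(seconds=seconds)

def find_mirroring_numbers(cdrs, tolerance_s=3, min_calls=3, min_ratio=0.9):
    """Flag callees whose calls nearly always start and end together with a call
    they are not a party to. Returns {number: (ratio, parties of mirrored calls)}."""
    tol = timedelta(seconds=tolerance_s)
    calls = [(*_window(s, d), a, b) for s, d, a, b in cdrs]
    total, hits, parties = defaultdict(int), defaultdict(int), defaultdict(set)
    for i, (s1, e1, _, callee) in enumerate(calls):
        total[callee] += 1
        for j, (s2, e2, a2, b2) in enumerate(calls):
            if i == j or callee in (a2, b2):
                continue  # skip the record itself and the number's own calls
            if abs(s1 - s2) <= tol and abs(e1 - e2) <= tol:
                hits[callee] += 1
                parties[callee].update((a2, b2))
                break
    return {
        n: (hits[n] / total[n], sorted(parties[n]))
        for n in total
        if total[n] >= min_calls and hits[n] / total[n] >= min_ratio
    }

if __name__ == "__main__":
    print(find_mirroring_numbers(SAMPLE_CDRS))
```

The pairwise comparison is quadratic in the number of records; on real volumes the records would be sorted by start time and compared only within the tolerance window.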

www.spectrum.ieee.org July 2007 | IEEE Spectrum | NA 33
