Newsgroup: comp.risks

RISKS-LIST: Risks-Forum Digest  Monday 27 February 2006  Volume 24 : Issue 17

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/24.17.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

[...]
------------------------------

Date: Sun, 19 Feb 2006 19:06:25 +0200
From: Diomidis Spinellis <dds@aueb.gr>
Subject: A Malfeasant Design for Lawful Interception

Earlier this month it was revealed that more than 100 mobile phone numbers
belonging mostly to members of the Greek government and top-ranking civil
servants were found to have been illegally tapped for a period of at least
one year [1]. Apparently, the tapping was implemented by activating
Ericsson's lawful interception subsystem installed at the Vodafone service
provider. How could this happen?

After one looks at the design and implementation of Ericsson's Interception
Management System (IMS), the real question that comes to mind is how come
such events are not happening all them time (or maybe they are?)  The system
is clearly not designed with security in mind.

The major problem of the design is the lack of compartmentalization. IMS is
an extremely sensitive application, because it can setup and monitor the
tapping of arbitrary phones. Good security engineering practice dictates
that such applications should run isolated on trustworthy platforms,
minimizing the surface area exposed to malicious attacks. In such a design
the system's modules serve the same role as a ship's bulkheads: they provide
structural stability and contain damage to specific areas.

Instead, according to its user manual [2], IMS runs on top of Ericsson's
general purpose AXE exchange network management platform XMATE, which in
turn runs on top of a Solaris system chock-full of support software.  Among
other things, XMATE provides an application programming interface, a command
terminal, a macro command tool, and a file transfer application. Any of
those could be conceivably exploited to activate the IMS or its
functionality. In addition, the XMATE Solaris installation includes many
large third party applications: the Common Desktop Environment (CDE), the
Applix business performance management software [3], X.25 networking, and
the OSI file transfer (FTAM). Again, security vulnerabilities in these large
components could be used to seize control of the system and activate the
IMS.

Even if the IMS was not installed on the network management platform, the
design of the platform apparently allows a malicious user to craft the
"remote control equipment" MML commands that set up voice communication
monitoring and send them to the exchange.

In a recent thought-provoking article Matt Blaze identified a number of
signaling vulnerabilities in (mainly) older wiretapping systems [4].
Vulnerabilities associated with the way modern systems are designed and
implemented are apparently also very important.

Disclaimer: The above is my limited understanding, based on the few
documents that are publicly available.  Unfortunately, documentation that
would allow independent experts to assess the security of these systems is
scarce.  The IMS User Manual [1], although available on a number of Internet
sites, is marked with red letters as "Strictly Confidential".  (I guess
simply "Confidential" would mean that the manual was available for download
from Ericsson.)  Also, the ETSI standard TR 101 943 V2.1.1 (2004-10) states
in section 7.3.2: "It is also to be recommended that operational information
about the LI systems, such as how they are implemented, where they reside
and how they are operated and maintained, should be kept within a small
group of authorized persons."  Another instance where obscurity is probably
used as a cover for insecurity.

[1] http://en.wikipedia.org/wiki/Greek_telephone_tapping_case_2004-2005
[2] http://cryptome.org/ericsson-ims.htm
[3] http://www.applix.com/index.asp
[4] http://www.crypto.com/papers/wiretapping/

Diomidis Spinellis - http://www.dmst.aueb.gr/dds

[...]
End of RISKS-FORUM Digest 24.17
************************

Unless otherwise expressly stated, all original material on this page created by Diomidis Spinellis is licensed under a Creative Commons Attribution-Share Alike 3.0 Greece License.