A Malfeasant Design for Lawful Interception


Earlier this month it was revealed that more than 100 mobile phone numbers belonging mostly to members of the Greek government and top-ranking civil servants were found to have been illegally tapped for a period of at least one year (see Wikipedia article). Apparently, the tapping was implemented by activating Ericsson's lawful interception subsystem installed at the Vodafone service provider. How could this happen?

After one looks at the design and implementation of Ericsson’s Interception Management System (IMS), the real question is how come such events are not happening all the time (or maybe they are?). The system is clearly not designed with security in mind.

The major problem of the design is the lack of compartmentalization. IMS is an extremely sensitive application, because it can set up and monitor the tapping of arbitrary phones. Good security engineering practice dictates that such applications should run isolated on trustworthy platforms, minimizing the surface area exposed to malicious attacks. In such a design the system's modules serve the same role as a ship's bulkheads: they provide structural stability and contain damage to specific areas.

Instead, according to its user manual, IMS runs on top of Ericsson’s general-purpose AXE exchange management system XMATE, which in turn runs on top of a Solaris system chock-full of support software. Among other things, XMATE provides an application programming interface, a command terminal, a macro command tool, and a file transfer application. Any of those could conceivably be exploited to activate the IMS or its functionality. In addition, the XMATE Solaris installation includes many large third-party applications: the Common Desktop Environment (CDE), the Applix business performance management software, X.25 networking, and the OSI file transfer (FTAM). Again, security vulnerabilities in these large components could be used to seize control of the system and activate the IMS.
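The bulkhead argument can be made concrete by enumerating which components sit inside the IMS's trust boundary under each layout. The following is an added example, not code from the post or from Ericsson: the component names are the ones listed above, while the "IMS console", the domain names, the one-way channel and the rule that co-resident components can all influence each other are assumptions of this sketch.

```python
from collections import deque

# Component names come from the post; the domain grouping is this example's assumption.
XMATE_PARTS = ["XMATE API", "command terminal", "macro command tool",
               "file transfer application"]
THIRD_PARTY = ["CDE", "Applix", "X.25 networking", "FTAM"]

def build_edges(domains, channels):
    """Map each component to the components its compromise can spread to.

    Assumption: components sharing a domain (one OS instance, no isolation)
    can all influence each other; across domains only listed channels exist.
    """
    edges = {c: set() for members in domains.values() for c in members}
    for members in domains.values():
        for a in members:
            edges[a].update(m for m in members if m != a)
    for src, dst in channels:
        edges[src].add(dst)
    return edges

def exposed_to(edges, target):
    """Components whose compromise can reach `target` (reverse breadth-first search)."""
    reverse = {c: set() for c in edges}
    for src, dsts in edges.items():
        for dst in dsts:
            reverse[dst].add(src)
    seen, queue = set(), deque([target])
    while queue:
        for pred in reverse[queue.popleft()] - seen - {target}:
            seen.add(pred)
            queue.append(pred)
    return seen

# Layout described in the post: everything shares the Solaris installation.
FLAT = build_edges(
    {"solaris-host": ["IMS", "XMATE", *XMATE_PARTS, *THIRD_PARTY]}, [])

# Hypothetical compartmentalized layout: IMS on its own platform with a
# console, sending commands out to XMATE but accepting nothing back.
ISOLATED = build_edges(
    {"ims-host": ["IMS", "IMS console"],
     "solaris-host": ["XMATE", *XMATE_PARTS, *THIRD_PARTY]},
    [("IMS", "XMATE")])

if __name__ == "__main__":
    for name, layout in (("flat", FLAT), ("isolated", ISOLATED)):
        print(name, sorted(exposed_to(layout, "IMS")))
```

In the flat layout every one of the nine co-resident components is part of what must be trusted for the IMS to stay inactive; in the isolated layout only the dedicated console is.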

In a recent thought-provoking article Matt Blaze identified a number of signaling vulnerabilities in wiretapping systems. Vulnerabilities associated with the way these systems are designed and implemented are apparently also very important.


Last modified: Wednesday, February 15, 2006 12:45 am


Unless otherwise expressly stated, all original material on this page created by Diomidis Spinellis is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.