betabug... Sascha Welter


01 March 2006

telnetd root Backdoor in Vodafone's Ericsson Systems?

Some rumors for ΑΔΑΕ/ADAE

The investigation into the Vodafone phone tapping scandal in Greece has led to some information being published in the last few days. What ADAE has published boils down to this being an "insiders" job. I agree, and I have some of what I would call "qualified rumors" for ΑΔΑΕ: maybe they should have a look at the backdoor Ericsson puts in the telnetd...


Let's start with the facts, as publicized by the press based on ΑΔΑΕ (ADAE, "Hellenic Authority for the Information and Communication Security and Privacy"):

The Facts

Some days ago I had a little conversation with an IT sec guy who passed me some interesting information. I can't verify the stuff (no Ericsson AXE around) and also this information is about a year old, so things may have changed. But the information sounded reasonable, and after I read what's in the news today it sounds even more reasonable. That's why I'm going to spread it as what I would call a "qualified rumor". But read on and judge for yourself.

The Rumor

Disclaimer: It's just a rumor

Now, dear reader, you should take this as a rumor by a complete stranger. I actually don't expect anyone to really believe this, but it would be kind of nice if ΑΔΑΕ/ADAE had a close look at the telnetd binary on the machine in question. (And maybe it would still make sense to have that close look before any of the helpful technicians could cover up anything that might or might not have been there in the first place.) Of course they might not find anything; then the result would just be that I ruined my nonexistent reputation by spreading a rumor.

Let's look at them together

But let us look at how the rumor fits in with the published facts:

If the Ericsson-modified telnetd is real, then any Ericsson technicians helping in the investigation will likely hide it from view (unconsciously, or consciously in full conspiracy theory mode) or at least downplay it... "yeah, but that's not a problem, we always use this".

The statement that "only 3 people at Ericsson Sweden know the code" does not work for a proper password authentication system. When there is a regular auth system, then there is a way to change passwords or keys... and they should and likely will be changed on a customer's installation. "Only 3 people know" points to a backdoor on the level of a "service account". Computer security history has taught us that "service accounts" are notorious for being spread illegally. If the rumor is true, then "only 3 people know" is what Ericsson wants us to believe, while in fact many more know. At the same time it points to the rumor, because if "only 3 people know", then the access likely cannot be changed.

Allowing access to a service only from an internal network is an additional measure usually taken to protect even password-protected services. Now, if the rumor is true, then the protection of access to that root shell is very weak, so security relies heavily on that "internal network" line. Which would obviously point any investigators to an "insider connection" (to be on the internal network one has to be an "insider"), especially if one believes in the kind of snake oil security that the rumor tells us about. When you trust in that stuff, then it must have been an insider, with super know-how too.

But to tell you the truth, I do believe in the insider theory to some degree, even when we presume the rumor to be true. Given the scenario from the rumor, the insider does not have to be a James Bond type. A summer intern or a friend's friend who is asked to try out a cool screen saver is all it takes. All we need is a tunnel to the internal network (and ssh -R can do wonders in that respect).

Now even swallowing this assumption together with the rumor, we still need some knowledge: first about the backdoor's existence, second about the proper environment variable to set for the telnet client. As for the first one: well, the rumor got to me and I'm neither part of the telco industry nor some black hat, so why couldn't it have gotten to someone else. And if the rumor holds true, then some audit found the backdoor, so anyone with even a test installation could have found it. For the second one: that is easier than it may seem, at least for some people. This telnetd is likely the same for every customer. It would be troublesome, inefficient, and not very easy to test an installation if one had to recompile for every customer with different settings. So I might be wrong, but I believe that whoever learns the magic env-var key to one mobile kingdom holds them all. Even if that does not work out, we should keep in mind that this is telnet, completely unencrypted. It just takes more energy on the part of the insider to sniff the telnet traffic on the local network for the proper environment variables.

My own, private conclusion

To me, the rumor fits in. But in the end it is still an unproven rumor, so I doubt that any more will come out of it.

Update: Bruce Schneier has posted about the wiretappings again. And the paper "Ta Nea" writes that at Vodafone and Ericsson together "not more than 10 people had access" to the surveillance systems (article in Greek).

Posted by betabug at 23:34 | Comments (5) | Trackbacks (0)
Comments
Re: telnetd root Backdoor in Vodafone's Ericsson Systems?

While performing a security audit on a French GSM operator's systems, I found out a similar thing. That was a couple of years ago (like 2 or 3), and the backdoor was not a modified telnetd, but rather a login backdoor [1]. I found it while searching for .login files. The original login binary had been moved to /usr/bin/.login, luckily :).
The machine I found that on was from Ericsson, but I don't know how it's been dealt with by the company I was contracting for.



[1] http://packetstormsecurity.org/UNIX/penetration/rootkits/ulogin.c

Posted by: Jérôme Magnin at March 02,2006 19:15
Re: telnetd root Backdoor in Vodafone's Ericsson Systems?

Rumor seems logical. usr/sbin/in.telnetd xxxx is the place? Gain access to the root, make your entrance via Ericsson's "not existing backdoor" and park in WHAT software? Any ideas?

Posted by: interceptor(joke) at March 13,2006 17:39
Re: telnetd root Backdoor in Vodafone's Ericsson Systems?

Vodafone blames Ericsson, saying that the manufacturer has the knowledge which we don't have. This is a very convenient excuse for them. Which means: for whatever security holes we have, blame Ericsson.

Don't forget also that:
- Senior engineering team from Vodafone comes from Intracom
- Intracom was a subcontractor of Ericsson on AXE platform
- Koronias (CEO Vodafone) worked for several years for Intracom.

To keep it short:
Don't look for international conspiracy.
It is a Greek "job", homemade by a very well established "system", that uses "information" to control business by affecting politics.

We all know how business+politics interact in Greece.
The "system" just felt in danger and tried to protect itself.


G.



Posted by: dacapo at March 24,2006 16:26
Re: telnetd root Backdoor in Vodafone's Ericsson Systems?

First things first, your blog never ceases to amaze me :-)

IF, and I say IF, such a backdoor was planted, it can be discovered easily by the use of tools such as IDA Pro.
A semi-knowledgeable computer dude with access to .so and .a (or whatever is the (p)Solaris equivalent) can check for this in like 10 mins ...

Posted by: thanasisk at September 19,2007 22:00
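As an added example (not from any commenter or from the original post), here is the simplest form of the check Jérôme's and Thanasis' comments point at: compare the critical binaries against a known-good hash baseline, and look for dot-prefixed copies of system binaries in the bin directories (the /usr/bin/.login pattern). The directory tree and the "binary" contents are constructed stand-ins, and the baseline hashes are hypothetical; on a real system they would come from the vendor's package manifest or a trusted install, never from the machine under investigation.

```python
import hashlib
import os
import tempfile

# Directories where a moved-aside original (e.g. usr/bin/.login) would hide.
BIN_DIRS = ("bin", "usr/bin", "usr/sbin")

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def audit(root, baseline):
    """Return sorted (kind, relative_path) findings. baseline maps critical
    binaries to known-good SHA-256 from a trusted source, not this host."""
    findings = []
    for rel, expected in baseline.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            findings.append(("missing", rel))
        elif sha256_file(full) != expected:
            findings.append(("hash-mismatch", rel))
    for d in BIN_DIRS:
        full_dir = os.path.join(root, d)
        if os.path.isdir(full_dir):
            for name in os.listdir(full_dir):
                # a dot-prefixed file in a bin directory is not a normal daemon
                if name.startswith("."):
                    findings.append(("hidden-binary", d + "/" + name))
    return sorted(findings)

def build_demo_tree():
    """Constructed sample tree (not a real system): login replaced, its
    original moved to usr/bin/.login, in.telnetd untouched."""
    root = tempfile.mkdtemp()
    originals = {  # constructed stand-ins for the vendor's binaries
        "usr/bin/login": b"\x7fELF login original (constructed)",
        "usr/sbin/in.telnetd": b"\x7fELF in.telnetd original (constructed)",
    }
    files = dict(originals)
    files["usr/bin/login"] = b"\x7fELF login replaced (constructed)"
    files["usr/bin/.login"] = originals["usr/bin/login"]  # moved aside
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    baseline = {r: hashlib.sha256(d).hexdigest() for r, d in originals.items()}
    return root, baseline
```

Running `audit(*build_demo_tree())` reports the replaced login and the hidden copy while the unmodified in.telnetd produces no finding.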
Re: telnetd root Backdoor in Vodafone's Ericsson Systems?

Thanasis, thanks for the compliment :-)
As for the backdoor, just look at Jérôme's comment... he found such a backdoor (even though it wasn't exactly what the rumour described) in the systems of a French GSM provider.

Posted by: betabug at September 20,2007 08:40
Trackbacks
More on Greek Wiretapping

Earlier this month I blogged about a wiretapping scandal in Greece. Unknowns tapped the mobile phones of about 100 Greek politicians and offices, including the U.S. embassy in Athens and the Greek prime minister. Details are sketchy, but it seems...

Read the linking post here: Schneier on Security at March 02,2006 17:13