telnetd root Backdoor in Vodafone's Ericsson Systems?
The investigation in the Vodafone phone tapping scandal in Greece has lead to some information being published in the last days. What the published information from ADAE say boils down to this being an "insiders" job. I agree and I have some of what I would call "qualified rumors" for ΑΔΑΕ: Maybe they should have a look at the backdoor Ericsson puts in the telnetd...
Let's start with the facts, as publicized by the press based on ΑΔΑΕ (ADAE, "Hellenic Authority for the Information and Communication Security and Privacy"):
- They "reenacted" the illegal software found on Vodafone's systems on an offline installation with the help from Vodafone and Ericsson technicians.
- They concluded that it is a job done by foreigners, since no-one in Greece has the know how for this kind of job.
- The also say that there was or is an insider at Vodafone, who made the phone tapping possible.
- They say that only 3 people at Ericsson Sweden know the access code to the system used for the phone tapping (likely the IMS - Interception Management System on the AXE platform that runs on top of Sun Solaris, for which a confidential manual was published on the web).
Some days ago I had a little conversation with an IT sec guy who passed me some interesting information. I can't verify the stuff (no Ericsson AXE around) and also this information is about a year old, so things may have changed. But the information sounded reasonable, and after I read what's in the news today it sounds even more reasonable. That's why I'm going to spread it as what I would call a "qualified rumor". But read on and judge for yourself.
- Ericssons AXE platform (which runs on top of Solaris) has a backdoor build in, much like early mainframes had a service account.
- The backdoor is built into the telnetd (of all places!) where one has only to set the right environment variable on the client side to get an instant root shell on the server machine. Ericsson is said to have modified the telnetd source and is distributing a modified telnetd binary on their platform.
- Anyone on the network of either the mobile provider or Ericssons network can access this and thus get a root account on the surveillance system.
- This backdoor was brought to the attention of an unnamed european mobile provider by way of a security audit. A more secure means of access was suggested (ssh with public key auth comes to mind), but Ericsson wanted to keep the simple backdoor for "maintenance reasons" and said they would change but bill the cost for implementation, change of procedure, and training to the customer. The mobile providers bean counters made the customer retract.
Disclaimer: It's just a rumor
Now, dear reader, you should take this as a rumor by a complete stranger. I actually don't expect anyone to really believe this, but it would be kind of nice if ΑΔΑΕ/ADAE had a close look at the telnetd binary on the machine in question. (And maybe it would still make sense to have that close look before any of the helpful technicians could cover up anything that might or might not have ben there in the first place.) Of course they might not find anything, then the result would have just been that I ruined my inexistent reputation by spreading a rumor.
Let's look at them together
But let us look at how the rumor fits in with the published facts:
If the Ericsson modified telnetd is real, then any Ericsson technicians helping in the investigation will likely hide it from view (unconscious or conscious in full conspiracy theory mode) or at least downplay it... "yeah, but that's not a problem, we always use this".
The statement that "only 3 people at Ericsson Sweden know the code" does not work for a proper password authentication system. When there is a regular auth system, then there is a way to change passwords or keys... and they should and likely will be changed on a customers installation. "Only 3 people know" points to a backdoor on the level of a "service account". Computer security history has taught us that "service accounts" are notorious for being spread illegally. If the rumor is true, then "only 3 people know" is at once what Ericsson wants us to believe and in fact many more know. At the same time it points to the rumor, because if "only 3 people know" then the access can likely not be changed.
Allowing access to a service only from an internal network is an additional measure usually taken to protect even password protected access services. Now, if the rumor is true, then the protection of access to that root shell is very weak, so security relies heavily on that "internal network" line. Which would obviously point any investigators to an "insider connection" (to be on the internal network one has to be an "insider"). Especially if one believes in the kind of snake oil security that the rumor tells us. When you trust in that stuff, then it must have been an insider, with super know how too.
But to tell you the truth, I do believe in the insider theory to some degree, even when we presume the rumor to be true. Given the scenario from the rumor, the insider does not have to be a James Bond type. A summer intern or a friends friend who is asked to try out a cool screen saver is all it takes. All we need is a tunnel to the internal network (and ssh -R can do wonders in that respect).
Now even swallowing this assumption together with the rumor, we still need some knowledge: First about the backdoor's existence, second about the proper environment variable to set for the telnet client. As for the first one: Well, the rumor got to me and I'm neither part of the telco industry nor some black hat, so why couldn't it have gotten so someone else. And if the rumor holds true, then some audit found the backdoor, so anyone with even a test installation could have found it. For the second one: That is easier than it may seem, at least for some people. This telnetd is likely the same for every customer. It would be troublesome, inefficient, and not very easy to test an installation, if one had to recompile for every customer with different settings. So I might be wrong, but I believe that whoever learns the magic env-var key to one mobile kingdom holds them all. Even if that does not work out, then we should keep in mind that this is telnet, completely unencrypted. It just takes more energy on the part of the insider to sniff out the telnet traffic on the local network for the proper environment variables.
My own, private conclusion
To me, the rumor fits in. But in the end it is still an unproven rumor, so I doubt that any more will come out of it.
Update: Bruce Schneier has posted about the wiretappings again. And the paper "Ta Nea" writes that at Vodafone and Ericsson together "not more than 10 people had access" to the surveillance systems (article in Greek).