Eustace

When a multibillion-dollar media mogul like News Corporation finds itself under fire, it is not only its executives and senior editors who land in the hot seat. When the dust settles, chances are the blame will spread well beyond company confines to unlikely candidates like you and me: engineers in completely unrelated industries. The evolving saga resembles a high-profile phone-tapping scandal in Greece in 2004 and 2005 that reached high-ranking government officials, including the Prime Minister. By the time that dust settled, engineers at Ericsson, the company that built the affected switch, had to defend themselves to Greek authorities. Are you building enough security into your products to protect yourself and your company from practices you neither anticipate nor condone?


The allegations against News Corp concern questionable news-gathering practices, the most offensive of which is hacking into private voicemail and sometimes deleting messages to make room for more to eavesdrop on. As one of the three largest media companies in the world, News Corp can make or break careers, so it is no surprise that its activities command attention, and even fear, from ordinary people, celebrities, law enforcement and high-ranking political figures alike, or that these allegations hold so much public interest.

Scandals are unpleasant to say the least, and dealing with them is costly. Bad publicity destroys careers and lives and closes down companies. Deservedly or not, the employees of News of the World can already attest to this unfortunate fact. The rest of the world, especially fellow engineers, watches events like these with a sense of immunity: it is about them, not us. Are we immune?

The allegations against News Corp are still an evolving saga. Not only are full and objective details not yet public knowledge, it is bad form to dwell on matters under investigation. Fortunately, we can draw lessons from history. Of particular relevance is a story that appeared in the July 2007 issue of IEEE Spectrum titled "The Athens Affair." It was a phone-wiretapping scandal that victimized over a hundred high-ranking government and military officials and involved a death. Sound familiar? It happened in Greece in 2004 and 2005, and by its conclusion innocent, bystanding engineers at the switch vendor had to answer to Greek authorities. The story is a good example of the notion that not being "them," and not doing bad things, is not enough to keep you out of trouble.

The Athens Affair

IEEE Spectrum's excellent July 2007 article by Vassilis Prevelakis and Diomidis Spinellis draws on firsthand information from depositions taken by the Greek parliamentary committee that investigated the scandal, which the authors obtained through a freedom-of-information request to the Greek Parliament. It is a lengthy article laden with detail, and the curious reader is encouraged to explore it. For the purpose of this article, here is a brief summary.

It began with a series of error messages from switching equipment belonging to Vodafone Greece, Greece's largest cellular network operator, indicating that text messages originating from another network had gone undelivered. The ensuing investigation led to the discovery of wiretaps on the cellular lines of the prime minister and his wife, the minister of national defense, the minister of foreign affairs and the minister of justice, as well as over 100 other high-ranking officials in various ministries, political parties and activist groups, and even an employee of the US embassy in Athens.

Some understanding of cellular networks is needed to appreciate the hack. A phone talks over the air to the nearest cell tower, the base transceiver station. Groups of towers are managed by a base station controller, which hands calls to a mobile switching center (MSC): a special-purpose computer that sets up each call, connects it to its destination and links the cellular network to the rest of the worldwide phone network. The MSC is also where lawful interception is implemented. The Greek hack happened inside the mobile switching center.

Cellular phone communications are encrypted, but the encryption is not end-to-end. End-to-end encryption means that information encrypted by the originating equipment is never decrypted until it reaches the destination equipment. Phone networks do not work that way: traffic from a phone is encrypted only over the air link, is decrypted at the base station, travels in the clear through the core network, and is re-encrypted on the air link to the receiving phone. Plaintext inside the core network is what makes legal wiretaps possible. A wiretap duplicates a call inside the network: one copy continues to the intended recipient and the other is routed to alternate receiving equipment, typically belonging to law-enforcement officers, which can then listen in. Wiretaps are legal when sanctioned by the laws and courts of the jurisdiction. Greek law provides for lawful interception, but the taps in this scandal were not legal.

Because of the obvious sensitivity, the security around lawful-interception equipment is very tight. Physical and network access are strictly controlled. User activities, such as the creation of a legal wiretap, and machine activities are controlled and logged. The firmware running the equipment is subject to controls such as periodic integrity checks, periodic consistency checks between the numbers that are supposed to be tapped and the numbers the equipment is actually tapping, and periodic consistency checks between the processes meant to be running at any time and the processes actually running.

Despite this impressive list of security measures, the attackers still infiltrated the system and operated within it. They bypassed every measure, installed rogue firmware that concealed itself, evaded detection and survived firmware upgrades. The rogue firmware also hid the phone numbers of the illegal taps from the consistency checks. It ran undetected for months until the undelivered text messages mentioned above gave it away. To date, Greek authorities have never found the culprits or proved inside involvement, although a Vodafone Greece network engineer died in suspicious circumstances around the time of discovery, three months before his planned wedding. Whether he was involved remains unknown.

Why Should You Care?

While the Athens affair was still unfolding in Greece, some engineers at Ericsson were probably asking the same question; sooner rather than later, they found themselves defending their work to Greek authorities. Their only connection to the case was that Ericsson made the mobile switching center and they had programmed this special-purpose computer. In the heat of the investigation they quickly became targets of finger-pointing from both Vodafone Greece and the Greek authorities. In the aftermath, no wrongdoing or negligence was found on their part, but they nonetheless endured unpleasant dealings with the authorities. The outcome could have been worse. Could this have been you?

How Could the Hack Have Been Prevented?

The simple summary of the wiretapping hack is that rogue firmware infiltrated the system and eluded detection. Computer systems use system integrity checks to validate that the firmware running inside the system is the firmware that was intended; in other words, that it has not been tampered with in any fashion.

System integrity checks typically pass all the bytes of the firmware through an algorithm that produces a short summary that is easy to store and reference. A good algorithm generates a summary that is unique to that piece of firmware, as a fingerprint is to a person, and that changes if even a single bit of the firmware changes. A reference fingerprint is generated before the firmware is installed; each periodic integrity check regenerates the fingerprint from the installed firmware and compares it with the reference. Anything other than a perfect match means something within the firmware has changed.

Many algorithms for integrity checks exist, ranging from simple ones like checksums and cyclic redundancy checks (CRC) to cryptographic ones like the SHA-2 family of hash functions, for example SHA-256. A block cipher such as the Advanced Encryption Standard (AES) can also serve: AES used in a message authentication code construction such as CBC-MAC (standardized in corrected form as CMAC) produces a keyed fingerprint, and CBC-MAC combined with counter-mode encryption is the authenticated-encryption mode known as AES-CCM. All of these churn an arbitrary number of input bytes into a fixed-width summary.

All candidate algorithms have their purpose and place. The Athens Affair article reports that the mobile switching center used a CRC for firmware integrity checking.

Figure 1: CRC

Simple integrity checking algorithms are appropriate when the goal is communications fidelity. Checksums and CRCs are popular for checking message integrity on wired and wireless links where the transmission medium can corrupt the message. In this use case the system anticipates corruption by breaking each message into small packets, and any packet whose check fails is retransmitted, so that the message arrives intact even if several packets had to be resent along the way. There remain rare situations in which a corrupted packet produces the same summary as its uncorrupted counterpart. This is called a collision: a message and a corrupted version of it generate the same summary. A CRC is designed to catch random errors, not deliberate ones: it detects every error burst shorter than its width and almost all longer ones, but because it is a linear function, an adversary can choose a modification, or simply append a few bytes, so that the checksum does not change at all. For random noise, collisions are rare and tolerable in many communication systems, where there is no foul as long as the correct packet is received most of the time. These simple algorithms remain popular because they demand very little computation.

Simple integrity checking algorithms become inappropriate when the goal is security. Collisions can no longer be tolerated, and we stop speaking of message summaries and speak of message fingerprints, to emphasize that each fingerprint must be unique to its message. Integrity checking for security demands cryptographic algorithms like those mentioned earlier, which are designed so that finding two inputs with the same fingerprint, or crafting an input to match a given fingerprint, is computationally infeasible. A single mismatch between a message and its fingerprint spells danger and demands immediate investigation for a potential intrusion. Unlike the communications use case, the security use case does not permit retries.
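To make the difference concrete, here is an added example (not code from the article or from any switch vendor) that forges a CRC-32 and then shows the same image failing a SHA-256 check. The firmware images are constructed stand-ins, and the function names are the example's own. The forgery works because a CRC is linear: the register value after four more bytes depends only on which table entries those bytes select, so the entries can be chosen backwards from the wanted value and the bytes chosen forwards to select them.

```python
import hashlib
import zlib

# Reflected CRC-32 polynomial used by zlib, Ethernet, PNG and most "CRC32" checks.
POLY = 0xEDB88320


def make_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = make_table()
# For this polynomial the top bytes of the 256 table entries are all distinct,
# so a table index can be recovered from the top byte of a register value.
REV = {entry >> 24: idx for idx, entry in enumerate(TABLE)}


def crc32_forge_suffix(data: bytes, target_crc: int) -> bytes:
    """Return 4 bytes s such that zlib.crc32(data + s) == target_crc."""
    cur = zlib.crc32(data) ^ 0xFFFFFFFF   # internal register after `data`
    want = target_crc ^ 0xFFFFFFFF        # internal register we must end on
    # Backwards: which table entry must each of the 4 steps select?
    idxs = []
    reg = want
    for _ in range(4):
        idx = REV[reg >> 24]
        idxs.append(idx)
        reg = ((reg ^ TABLE[idx]) << 8) & 0xFFFFFFFF
    idxs.reverse()
    # Forwards from the real register: pick the byte that selects each entry.
    suffix = bytearray()
    reg = cur
    for idx in idxs:
        suffix.append((reg ^ idx) & 0xFF)
        reg = TABLE[idx] ^ (reg >> 8)     # the same per-byte update zlib performs
    return bytes(suffix)


def forge_hits_target(data: bytes, target_crc: int) -> bool:
    return zlib.crc32(data + crc32_forge_suffix(data, target_crc)) == target_crc


# Constructed, illustrative firmware images (not real switch software).
GENUINE_FIRMWARE = b"MSC-FW v1.0 TAPLIST=0001\x00" + bytes(range(256)) * 4
# A one-byte patch: a change this small is always caught by an honest CRC.
TROJANED_FIRMWARE = GENUINE_FIRMWARE.replace(b"TAPLIST=0001", b"TAPLIST=0002", 1)


def crc_check(image: bytes, reference: int) -> bool:
    return zlib.crc32(image) == reference


def sha256_check(image: bytes, reference: bytes) -> bool:
    return hashlib.sha256(image).digest() == reference


def demo():
    ref_crc = zlib.crc32(GENUINE_FIRMWARE)
    ref_sha = hashlib.sha256(GENUINE_FIRMWARE).digest()
    # Four extra bytes make the patched image's CRC equal the reference again.
    forged = TROJANED_FIRMWARE + crc32_forge_suffix(TROJANED_FIRMWARE, ref_crc)
    return {
        "crc_catches_naive_change": not crc_check(TROJANED_FIRMWARE, ref_crc),
        "crc_catches_forged_image": not crc_check(forged, ref_crc),
        "sha256_catches_forged_image": not sha256_check(forged, ref_sha),
        "forged_image": forged,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        if name != "forged_image":
            print(f"{name}: {value}")
```

The same trick works for any CRC of any width with a different polynomial; only the table and register size change. Note that a fixed-width field, a trailing padding area or an unused code region is all an attacker needs to hide the four adjustment bytes in a firmware image.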

Given what we have learned so far, we can conclude that using a CRC for firmware integrity checking in the mobile switching center, a clear security use case, was shortsighted. But all else being equal, a better algorithm by itself may not have remedied the situation. If the attackers were sophisticated enough to conceal their presence for months, it stands to reason that they could have subverted integrity checks done with sophisticated algorithms as well. One way to do this is to use the same algorithm the system uses, simple or cryptographic, to generate the fingerprint of the proper firmware and keep it for the moment an auditor requests a system integrity check. Instead of the system running the check over the whole system, rogue firmware included, the rogue firmware intercepts the request and returns the precomputed fingerprint. The auditor, none the wiser, compares it with the stored reference, declares success and remains in the dark. An effective system integrity check therefore requires more than a good choice of algorithm.

Effective System Integrity Checks

An effective system integrity check mechanism requires more than an appropriate cryptographic algorithm. It also requires the following three things:

1. Embed secret knowledge within the system. This presupposes creating the secret. It can be as simple as a secret key: a set of bytes, preferably random and obtained from a true random number generator. Keys chosen by people or derived from memorable values can be guessed or obtained by social engineering and are therefore not appropriate.

2. Force use of the secret in the integrity check. Do this by making the secret part of the input bytes for the security fingerprint, that is, by computing a message authentication code rather than a plain hash. Done this way, an attacker must know the secret key to produce a fingerprint that matches the reference. If the auditor also includes a fresh random challenge in each request, a fingerprint recorded earlier cannot simply be replayed.

3. Keep the secret confidential even under adverse conditions such as an active attack. Assure this by embedding the key in a tamper-resistant secure integrated circuit (IC): one that has been fortified with built-in countermeasures against known attempts to extract secret information from within. If you choose a secure IC with the proper algorithm already built in, the IC can generate the fingerprint internally with only the firmware as input; the key never has to be passed into the chip, which precludes every opportunity to reveal it. The IC must also obtain the firmware bytes from a source the host processor cannot substitute, for example by reading the firmware memory itself, otherwise rogue code could simply hand it a clean copy of the image. Tamper resistance also matters because it eliminates situations where an attacker renders the IC defunct as a means to subvert its operation.

Figure 2: SHA-256
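The following is an added example, not code from the article or from any secure-IC vendor, that models the three requirements above in Python and also exercises the replay attack on the auditor described earlier. The secure IC is modelled as an object whose key is never read by the host, the firmware images are constructed stand-ins, and the class and function names are the example's own assumptions. It compares a naive IC that fingerprints whatever bytes the host hands it against one that reads the firmware memory itself.

```python
import hashlib
import hmac
import secrets

# Constructed firmware images standing in for the switch software (not real code).
GENUINE_FIRMWARE = b"MSC-FW v1.0\x00" + bytes(range(256)) * 4
ROGUE_FIRMWARE = GENUINE_FIRMWARE.replace(b"v1.0", b"v1.x", 1)  # one byte patched


def provision_key() -> bytes:
    # Requirement 1: a secret drawn from a CSPRNG (a TRNG inside a real secure IC).
    return secrets.token_bytes(32)


def keyed_fingerprint(key: bytes, challenge: bytes, firmware: bytes) -> bytes:
    # Requirement 2: key and a per-check challenge are part of the MAC input.
    return hmac.new(key, challenge + firmware, hashlib.sha256).digest()


class NaiveIC:
    """Holds the key, but fingerprints whatever bytes the host CPU supplies."""

    def __init__(self, key: bytes):
        self._key = key

    def attest(self, challenge: bytes, image_from_host: bytes) -> bytes:
        return keyed_fingerprint(self._key, challenge, image_from_host)


class FlashReadingIC:
    """Requirement 3: key stays inside, and the IC reads firmware memory itself."""

    def __init__(self, key: bytes, flash: bytearray):
        self._key = key
        self._flash = flash   # the IC's own view of the firmware store

    def attest(self, challenge: bytes) -> bytes:
        return keyed_fingerprint(self._key, challenge, bytes(self._flash))


class Auditor:
    """Holds a copy of the key and the reference image, off the audited device."""

    def __init__(self, key: bytes, reference_firmware: bytes):
        self._key = key
        self._ref = reference_firmware

    def check(self, respond) -> bool:
        challenge = secrets.token_bytes(16)   # fresh each time: old answers are useless
        expected = keyed_fingerprint(self._key, challenge, self._ref)
        return hmac.compare_digest(respond(challenge), expected)


def scenarios() -> dict:
    key = provision_key()
    auditor = Auditor(key, GENUINE_FIRMWARE)
    flash = bytearray(GENUINE_FIRMWARE)
    good_ic = FlashReadingIC(key, flash)

    # Clean device: the check passes.
    honest = auditor.check(good_ic.attest)

    # Attacker records a genuine answer, then installs rogue firmware and replays it.
    recorded = good_ic.attest(b"challenge seen earlier")
    flash[:] = ROGUE_FIRMWARE
    replay = auditor.check(lambda challenge: recorded)

    # Rogue firmware keeps a clean copy and feeds it to an IC that trusts the host.
    naive_ic = NaiveIC(key)
    naive_fooled = auditor.check(lambda ch: naive_ic.attest(ch, GENUINE_FIRMWARE))

    # Same rogue flash, but the IC measures memory itself: the patch is visible.
    hardened_fooled = auditor.check(good_ic.attest)

    return {
        "honest_passes": honest,
        "replay_passes": replay,
        "naive_ic_fooled": naive_fooled,
        "flash_reading_ic_fooled": hardened_fooled,
    }


if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name}: {value}")
```

The two failure cases are the ones a practitioner should design against: a fresh challenge per check defeats the replayed fingerprint, and having the IC read the firmware store directly (or a boot ROM measure it before any firmware runs) defeats the clean-copy substitution. Neither fix costs anything beyond a few bytes of random data and a wiring decision made early in the design.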

The advantages of using a secure IC for system integrity checking go beyond normal operation. With a secure IC, equipment can be sent out for servicing without fear of compromising secret keys. The secure IC also removes the perils of dumpster diving: sensitive environments like cellular switching sites have strict procedures for equipment disposal because retired equipment can inadvertently expose confidential content, and a secure IC adds a layer of protection against accidental oversights in disposal.

So Where is the Connection?

In case you are still wondering how this concerns you, or how it relates to News Corp, consider this: one allegation against News Corp is that it eavesdropped on private voicemail, erasing some messages to create room for more. The investigation is still unfolding and it is too early to make any judgments. While News Corp has made gestures to appease victims, as of this writing it has neither unequivocally admitted to the allegations nor provided details of how it was done. Did they take advantage of a security vulnerability in the phone networks' messaging systems, or did they embed rogue firmware to siphon out messages illegally? If the public outcry continues, the truth is bound to surface at some point, and investigators will demand a thorough understanding of what really happened, including detailed knowledge of the systems involved. At a minimum, that requires expert testimony, and who is a better expert than the engineer who built the system? In case you still have lingering doubts, we are talking about you. Did you work on any of the systems involved? You cannot answer, because you do not know which systems were involved; but are you taking the proper measures in every system you build to assure predictable operation even under adversity? Still feel like it is their problem?

Anecdotally, many convicts claim innocence, and the truth is that some really are innocent yet remain incarcerated. In an alternate turn of events, the engineers who built the Vodafone Greece mobile switching center could have faced far worse than the discomfort of investigations, depositions and defense. The lesson here is the importance of delivering beyond the stated specification to assure the lifetime integrity and predictable behavior of every system we build. This sometimes means convincing the project manager of the benefits of the measures you are taking. Security poses a special challenge here because it demands extra time and resources from the project, so it is always difficult to justify risking a budget overrun on some future, unidentified adversary who may never materialize. This, my friends, is why we should be thankful, in a healthy way, for the wide publicity these scandals receive. We should always strive to build secure systems. When systems are secure, fewer bad things are possible, and fewer happen.


Hindsight is always 20/20, and it is easy to poke holes in past mishaps, but knowledge of shortcomings offers valuable lessons for future projects.

Delivering just the stated specification of the systems we build should be the bare minimum. Assuring that those systems continue to operate amid adversity, including malicious subversion, should be our goal.

Designing for controlled system integrity is the way, and the use of secure integrated circuits is a formidable means to get us there.