
287 points Bender | 3 comments
1. Zigurd No.45077357
I wrote the lawful intercept spec for a 3G GGSN node. So keep in mind that my knowledge of present day systems might be outdated. The spec was derived from pre-existing specifications for telephone equipment. One of the interesting things about lawful intercept is that it was supposed to hide from network management. Intercepts aren't logged at the network operator. The node being used in an intercept gives no indication that the intercept is happening.

IIRC the standard at the time was to enable intercepting up to 3% of traffic, without the surveillance target of course knowing, but also without their carrier knowing. Law-enforcement agencies used LI consoles on their own premises to order intercepts.

So it's not that lawful intercept was particularly easy to hack, it's that once it's compromised, detecting that it's being used nefariously is especially difficult. I would question whether anyone knows for sure when the compromise began, and how long it lasted.

replies(1): >>45079859
2. wildzzz No.45079859
It seems crazy to me that the network operator would have zero insight into any audit logs for lawful intercept. How would anyone know if someone broke in?
replies(1): >>45082850
3. Zigurd No.45082850
I can only speculate as to what they were thinking when they wrote those specs. Evidently they didn't trust network operators, or they thought that they were avoiding potential attack surfaces.

In addition to the privacy and policy and justice problems with LI, this exploit points to law enforcement agencies as the weak link. There are too many law-enforcement agencies that can initiate intercepts from systems that lack oversight and coordination.