I wrote the lawful intercept spec for a 3G GGSN node. So keep in mind that my knowledge of present day systems might be outdated. The spec was derived from pre-existing specifications for telephone equipment. One of the interesting things about lawful intercept is that it was supposed to hide from network management. Intercepts aren't logged at the network operator. The node being used in an intercept gives no indication that the intercept is happening.
IIRC the standard at the time was to enable intercepting up to 3% of traffic, without the surveillance target of course knowing, but also without their carrier knowing. Law-enforcement agencies used LI consoles on their own premises to order intercepts.
So it's not that lawful intercept was particularly easy to hack, it's that once it's compromised, detecting that it's being used nefariously is especially difficult. I would question whether anyone knows for sure when the compromise began, and how long it lasted.
replies(1):