Company That Handles Billions Of Text Messages Quietly Admits It Was Hacked Years Ago
from the whoops-a-daisy dept
We've noted for a long time that the wireless industry is prone to being fairly lax on security and consumer privacy. One example is the recent rabbit hole of a scandal related to the industry's treatment of user location data, which carriers have long sold to a wide array of middlemen without much thought as to how this data could be (and routinely is) abused. Another example is the industry's refusal to address the longstanding flaws in Signaling System 7 (SS7, or Common Channel Signaling System 7 in the US), a series of protocols hackers can exploit to track user location, dodge encryption, and even record private conversations.
Now this week, a wireless industry middleman that handles billions of texts every year has acknowledged its security isn't much to write home about either. A company by the name of Syniverse revealed that it was the target of a major attack in a September SEC filing, first noted by Motherboard. The filing reveals that an "individual or organization" gained unauthorized access to the company's databases "on several occasions." That in turn provided the intruder repeated access to the company's Electronic Data Transfer (EDT) environment compromising 235 of its corporate telecom clients.
The scope of the potentially revealed data is, well, massive:
"Syniverse repeatedly declined to answer specific questions from Motherboard about the scale of the breach and what specific data was affected, but according to a person who works at a telephone carrier, whoever hacked Syniverse could have had access to metadata such as length and cost, caller and receiver's numbers, the location of the parties in the call, as well as the content of SMS text messages."
Amazingly enough the hack began in 2016 but was only discovered this year. How much data was accessed? Why did it take so long? Was it a Chinese or Russian sponsored attack? Why was there absolutely no transparency about the breach until now? Why aren't Syniverse or any wireless carriers being clear about what happened? Have government officials been compromised? Have those officials been notified by anybody? Good questions!:
"The information flowing through Syniverse’s systems is espionage gold," Sen. Ron Wyden told Motherboard in an emailed statement. "That this breach went undiscovered for five years raises serious questions about Syniverse’s cybersecurity practices. The FCC needs to get to the bottom of what happened, determine whether Syniverse's cybersecurity practices were negligent, identify whether Syniverse's competitors have experienced similar breaches, and then set mandatory cybersecurity standards for this industry."
Between this and the SS7 flaw alone you have to inherently assume that most global wireless communications has been significantly compromised for a long while in some fashion. And like most hacks, the scale of this will only get worse as time goes by. Security and privacy at massive international scale isn't easy, but these kinds of repeated scandals don't have to happen. They're made immeasurably worse by our lack of even a basic internet-era privacy law, intentionally underfunded and understaffed U.S. privacy regulators, and our failure to hold companies accountable in any meaningful way for repeated and massive screw ups. Mostly because doing any of these things might put a dent in quarterly revenues.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: data breach, hack, privacy, security, ss7, text messages
Companies: syniverse
Reader Comments
Subscribe: RSS
View by: Time | Thread
"Only" 235 corporate telecom clients.
AT&T is one client.
Verizon is one client.
T-mobile is one client.
How many compromised clients do you need before you have compromised ALL such traffic?
[ link to this | view in thread ]
But they take our privacy seriously...
[ link to this | view in thread ]
Re:
It's pretty sad that the telcos don't seem to be doing anything (useful) lately, and are just outsourcing. For about a century they were at the forefront of technical development (having invented the transistor, the laser, the photovoltaic cell, UNIX, ...), and now they need someone to help them send 160 characters from one place to another?
[ link to this | view in thread ]
And this is why it's important to use the likes of Signal or other strong end-to-end encryption systems when crossing network boundaries.
[ link to this | view in thread ]
Long time no tell
Its been shown over many years that All and every system in the USA has backdoors.
From the old black boxes used to freak the phone system, to the Backbone. The USA gov has always placed back doors into our systems, for their Own use. And some to monitor whats going on.
Even our phone ID system has Created holes in it, if you know HOw they work.
[ link to this | view in thread ]
Re: Long time no tell
The funny part of this is HOW the system can be faked. And why you get phone calls from around the world, and phone numbers that cant be traced. Love those holes.
[ link to this | view in thread ]
"How much data was accessed?"
Given that SMS is commonly used by so many places as the default 2FA option to secure pretty much any kind of sensitive account, that's a hell of a question...
The admission seems to imply that the access was only metadata and not control of the messages themselves, but there's no way a company that took this long to report can be trusted on that kind of factual information,
[ link to this | view in thread ]
Re:
Yes they do. It's on their list of Top Priorities. Somewhere. Along with Making All The Money, Pay No Taxes, and Protect Our Executives From Any Consequences and many more Top Priorities.
Just remember the list includes zero, negative numbers and imaginary numbers.
[ link to this | view in thread ]