Syniverse Hack: Billions of Users’ Data Leaks Over Five Years

A huge, yet invisible, chunk of phone infrastructure has been breached. Hackers broke into the massive telephony interconnection service run by Syniverse—formerly GTE TSI.

It’s yet another reason to avoid using SMS for two-factor authentication (2FA). The messages and call metadata of perhaps billions of people are in the hands of persons unknown. And it happened more than five years ago, with the attackers silently lurking until May this year.

A state-sponsored attack? Could be the NSA/GCHQ. In today’s SB Blogwatch, we cry me a river.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Right to repair.

GTE TSI SMS SS7 APT EDT TLA BBQ

What’s the craic? Lorenzo Franceschi-Bicchierai reports—“Company That Routes Billions of Text Messages Quietly Says It Was Hacked”:

Billions of cellphone users
Syniverse revealed—in a filing dated September 27 with the U.S. Security and Exchange Commission—that an unknown “individual or organization gained unauthorized access to databases within its network on several occasions. … Login information allowing access to or from its Electronic Data Transfer (EDT) environment was compromised.” … It discovered the breach in May 2021, but that the hack began in May of 2016.

A former Syniverse employee [said] those systems have information on all types of call records. … A person who works at a telephone carrier [said] whoever hacked Syniverse could have had access to metadata such as length and cost, caller and receiver’s numbers, the location of the parties in the call, as well as the content of SMS text messages.

It’s not a household name among customers, but Syniverse is one of the largest companies in the world [in] cellphone infrastructure. … The company processes more than 740 billion text messages every year and has “direct connections” to more than 300 mobile operators around the world. … That means the … breach could potentially affect … billions of cellphone users.

Syni-who? Ionut Ilascu illustrates—“Largest mobile SMS routing firm discloses five-year-long breach”:

Future cyber attack
Syniverse is so big that it brags about having as its customers “nearly every mobile communications provider, the largest global banks, the world’s biggest tech companies.” [It] provides text messaging routing services to over 300 mobile operators, among them Vodafone, AT&T, T-Mobile, Verizon, America Movil, Telefonica, and China Mobile.

“The unauthorized access began in May 2016,” the company reveals … in a filing on September 27 with the [SEC]. For five years, hackers maintained access to Syniverse internal databases and compromised the login data for the … EDT environment.

The company notes that its investigation did not reveal intent to disrupt operations or to monetize from the intrusion. [But it] does not exclude the possibility of data exfiltration, which … could also lead to a future cyber attack.

Wait. Pause. Who still uses SMS? bird reminds us that’s not the point:

Years of call metadata was also part of the package, and that’s not nothing.

And SMS is widely used for authentication. Yoohoo, here’s u/woohooguy:

That’s why 2FA apps like Authy are better than SMS: once the original token is generated by the website and imported to the app, the app works locally without data. Much more secure than SMS or email-based authentication.

Or the Google Authenticator app? Don’tJoin isn’t a fan:

That wasn’t an option
Last time I tried to log onto Google services they required me to enter my phone number so they could send me an SMS for 2FA. Listen to how stupid that sounds.

The funniest thing was I have Google Authenticator for that account, but that wasn’t an option.

Anyway, what a mess. htrp agrees:

There is always some bubblegum and duct tape holding the edges of the network together.

Not what you might call a resilient, reliable infrastructure. Amirite? @KarlBode is ready to give up:

Between this and the SS7 flaw it seems like global wireless communications is just utterly compromised and has been for, well, years?

Sounds like the sort of thing the NSA would be interested in. u/ijustsaynotoyou just says yes:

Snowden leaks
Syniverse was a US company anyway so their data was automatically copied to the NSA, and they bought their competitor MACH in Europe some years ago. MACH were mentioned in the Snowden leaks … PowerPoint presentation.

Meanwhile, peterww has curious powers of persuasion:

This is fine
Don’t worry about it. You could already hijack SMS messages even without compromising any particular company’s network, so this is only really useful for collecting bulk data sets to sell on the black market. Your data was already not secure, so this is fine.

And Finally:

Right to repair: Trolling Apple, John Deere, etc.

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Markus Winkler (via Unsplash)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
