Syniverse Hack

This is interesting:

A company that is a critical part of the global telecommunications infrastructure used by AT&T, T-Mobile, Verizon and several others around the world such as Vodafone and China Mobile, quietly disclosed that hackers were inside its systems for years, impacting more than 200 of its clients and potentially millions of cellphone users worldwide.

I’ve never heard of the company.

No details about the hack. It could be nothing. It could be a national intelligence service looking for information.

Posted on October 6, 2021 at 9:19 AM, 22 comments

Comments

No.name October 6, 2021 9:50 AM

Who owns Syniverse (largest shareholder) and where are their offices/employees located?

https://www.yahoo.com/now/telecoms-firm-syniverse-public-via-002244744.html

NYSE due diligence may now require some disassociation with specific regions prior to their upcoming IPO. Huawei is banned for the same reason. Are they reporting prior data sharing as a leak? Perhaps.

New laws passed in the US last year banning shell corps and also delisting foreign corps. Companies now have to prove they are American. They cannot just claim to be in order to go public in the US.

Beatrix Willius October 6, 2021 10:19 AM

I’d be interested to know how secure 2-factor authentication is in regards to the hack.

Aaron October 6, 2021 10:37 AM

Which is more of a concern: the hack and how long it’s been happening, or the part where this company is basically unknown to the globe and yet has its fingers wrapped throughout the global communication infrastructure?

deloris October 6, 2021 11:12 AM

Do you guys remember when the telephone company used to do stuff itself? They basically invented telecommunications and everything related to it (e.g. the transistor and laser, even UNIX)… and now they can’t transfer small bits of text without hiring some company we’ve never heard of? What?

I get that the system is probably much more complex than email, for example, but that’s kind of the telcos’ fault too—anyone who’s looked at cellular protocols has seen what appears to be needless complexity. Personally, I might have just built the system on email or Jabber with E164 number mapping (the DNS-based mapping having been officially proposed 21 years ago).

J.A.Duke October 6, 2021 12:12 PM

I believe the only reason we heard about this hack is that Syniverse is being acquired/merged with a SPAC and there are SEC filings required regarding potential issues that might arise pre-/post-acquisition and this hack was listed in one of the filings.

If they remained privately held, we might have never heard about it.

Clive Robinson October 6, 2021 12:27 PM

@ deloris, ALL

Do you guys remember when the telephone company used to do stuff itself?

As far as mobile phones are concerned, the companies whose name appears at the top of your contract / bill are little more than shell companies to offshore tax reduction schemes.

Therefore as a rule of thumb you will find,

1, They do not own cell sites
2, They do not own cell towers
3, They do not own cell equipment
4, Only a few own the back haul
5, Only a few own the databases

And so on.

They basically rent / lease; whilst some do have exclusive use of the first three on the list, more often than not it’s shared these days.

Likewise the back end infrastructure is leased / rented from companies you have very probably never heard of either.

If you ever get to go to a major “site” like say AT&T at Bothell, Washington State, whilst you might know the company logo above the door, the chances are the majority of the people walking through those doors twice a day are not paid by that company, or even a company that the company has a contract with; they will be subies of subies…

Some are actually subies of the equipment leasers, or as I was at one point, a contractor to a sub-org that was using the data to supply other goods and services to apparently entirely unrelated organisations supplying cities with up to the minute traffic flows for radio stations and census data for city planning depts…

I had to install a Unix box at one major European node to grab SS7 etc data. Nobody I met there was actually employed by any of the telcos or major equipment suppliers.

When a problem came up it took over three days to find a telco employee and they were over a hundred km away, and they had to consult with someone two countries away who did not even speak the same languages…

So yeh,

… and now they can’t transfer small bits of text without hiring some company we’ve never heard of.

That sums it up.

But… the important point to note is that Syniverse has absolutely no contractual relationship with anyone whose private information they carried. Their contracts are probably not even with the organisations whose name appears on your bill, but some second or third party down the line.

Which is why I find this piece of gormlessness raising a smile, with the esteemed Sen. Ron Wyden in an email saying,

“The information flowing through Syniverse’s systems is espionage gold,”

Well yes and no, it rather depends on what sort of espionage you are talking about, and who is spying on who… state-state, state-citizen, state-corporate, corporate-state, corporate-corporate, corporate-citizen…

The real money is in “corporate-XXX” espionage where every SMS etc earns them not just handling charges but several cents of “marketing money” as well.

So when Sen. Ron Wyden gets all huffy and writes in the Email,

“That this breach went undiscovered for five years raises serious questions about Syniverse’s cybersecurity practices. The FCC needs to get to the bottom of what happened, determine whether Syniverse’s cybersecurity practices were negligent, identify whether Syniverse’s competitors have experienced similar breaches, and then set mandatory cybersecurity standards for this industry.”

He must have been asleep at the wheel for years, this sort of data vacuuming has been approved by various US politicians / legislators for a long time now.

The simple fact is it is a “sip from the fire hose” problem for most “State-XXX” espionage so it’s all destined for those tape robots and similar, where it will probably rot.

The trick for the smarter citizen is working out how to take advantage of the fact that the “State’s eye” tends to be pointed towards those who paint targets on their own backs by using “secure” or other obviously crypto created messages that can and almost certainly will be kept forever unlike plaintext messages…

Hedo October 6, 2021 12:38 PM

@Bruce,
I’ve never heard of the company.

Isn’t it almost always the ones most of us have never heard of?
Over the years, I enjoyed very much being (and working) in the shade/shadows.
Just a personal preference I guess. The benefits of it are overwhelming.

user01 October 6, 2021 6:47 PM

I work in enterprise telecom for a large provider (handling >12% of the domestic toll-free voice traffic + a significant amount of SMS traffic).

The entire SMS ecosystem is extremely shady, terribly fragmented, horrible to work with, and borderline corrupt.

None of the tier1 providers like AT&T, Verizon, or T-Mobile want to work with each other on SMS inter-connectivity, and the small guys don’t have enough resources to interconnect to everybody themselves. This leaves only one solution: leave the inter-network SMS connectivity responsibilities up to another entity.

There are 2 major SMS interconnect entities in the SMS ecosystem:

  1. Syniverse
  2. SAP Mobile Services (name changed to Sinch somewhat recently, and used to be Sybase365 before they got bought by SAP)

These 2 entities are responsible for interconnecting SMS traffic for nearly all carriers. Syniverse is by far the bigger one and handles the majority of the traffic.

If you send an SMS text outside your carrier network (eg. AT&T user to Verizon user) it will pass through one or both of these entities.

Things to know about these 2 companies:

  1. They read all your SMS traffic down to the last character
  2. All SMS traffic content is scanned for various purposes (they claim primarily to prevent SMS spam but it goes much further than this based on my experiences (anti-terrorism, etc))
  3. SMS compatibility between different networks is shaky at best, lots of encoding conversion going on at the interconnect entities, though this has gotten better in recent years

All in all, traditional SMS is outright terrible, do not use unless you are forced to, stick to Signal or iMessage.

anon October 6, 2021 10:40 PM

They were hacked for profit. If you’re like me, you have received unsolicited SMS messages immediately following messages to recipients on different carriers.

I know that real estate speculators subscribe to the services that are based on the hack(s).

Peter A. October 7, 2021 5:30 AM

Subcontractor frenzy was rife in the telecom industry decades ago even in really small and underfunded markets such as my home country – I cannot imagine how it is today at the scale of AT&T and the likes. My first substantial money earned as a student was a co-sub-sub-sub-contractor gig for the national telecom – and it turned out to be useless (we got paid anyway, because the contract was about “investigating a possibility”), as they already had the functionality, directly from the equipment supplier, but just didn’t know about that. We discovered the relevant software by accident, while reinstalling a botched setup. On top of that, the functionality, while there, was actually useless for the original purpose of the project. Fun times.

Gary October 7, 2021 9:12 AM

I worked for Syniverse about 9 years ago and currently work at Citizen Lab.

Yes, Syniverse is in the business of routing SMS messages between operators. However, the hack was associated with a different part of their business.

The attack targeted their “EDT” system, not their SMS system. EDT is associated with their roaming clearing product, which essentially receives roaming usage records called TAP records at the user level, and sends these records from a roaming visiting mobile operator to the home mobile operator and generates the associated billing.

The reason this is extremely valuable for threat actors is that they create travel profiles for users around the world including country of travel and travel duration. They can also see the details such as who they call/receive calls from, duration of calls, to whom/from whom they are text messaging, and data volume while traveling. There are some optional details such as Cell ID, LAC which are rarely used.

Oh, and it includes MSISDN and IMSI of the user. Why is this important? Well, all of those SS7 vulnerabilities you’ve heard about in the past, where phone calls and text messages can be intercepted become a very easy thing to do with a mobile MSISDN and IMSI. It lets the threat actor know when and how to launch SS7 MIM attacks.

It’s characteristic of state-sponsored activity. I’ve been doing this research for years. There are significant national security implications associated with this hack.

Who? October 8, 2021 6:18 AM

As no one on this forum has signed an agreement with Syniverse, I understand “customer” is not you—or me— but corporations like AT&T or Verizon. This turns the “impacting more than 200 of its clients” into a privacy nightmare whose size is hard to believe.

Denton Scratch October 8, 2021 6:38 AM

Big surprise: the mobile phone network isn’t secure, and shouldn’t be used for sharing secrets!

In particular, using SMS for 2FA is just nuts. If your secrets are important enough to require 2FA, then that second factor shouldn’t be written on a billboard (or a Post-It, or an SMS text-message).

I guess there are still a few “normies” that don’t realise the mobile networks are insecure, but surely nobody here falls into that category.

A mobile phone is supposed to be “something you have”. But that’s not what it is, really; it’s just a telephony endpoint. It can easily be substituted, there’s no encryption preventing that. If you need a “something you have” for 2FA, it needs to be unforgeable – like a Yubikey or whatever. Just having a phone-number doesn’t cut the mustard.

John October 8, 2021 8:49 AM

My bank tries to reward folks for using on-line banking….

I ask the teller if English is her native language and does she read?

It is hard to believe that they apparently don’t get it??!!

I wonder when the real attack will begin? The data appears to be out there already?

John

Clive Robinson October 8, 2021 11:42 AM

@ Denton Scratch, ALL,

A mobile phone is supposed to be “something you have”

That might have been true last century… This century, whilst you pay lots of money, –over $1000 for some– Smart Phones are not “owned” by you, nor are they owned by the network provider –they own the SIM– nor really by the hardware manufacturer….

No, Smart Phones are owned by those who own the “walled gardens”; that is, the owners of the OS own your Smart Phone…

Which is very important when you think further on,

… it’s just a telephony endpoint.

Technically it’s an “Open Communications endpoint”, which means anyone with access to the “air interface”, be they some anonymous person in a distant country, your local government and law enforcement, the network provider or somebody who can build a pico-cell or more from “Free Open Source Software” (FOSS) and low cost, easily obtained “Software Defined Radio” (SDR), can access your Smart Phone at some level via it…

The real question is thus,

“Have those that really own the phone done a good enough job on security?”

To which the answer is very clearly “NO” in the case of both Apple and Google, and I assume likewise any other Smart Phone OS supplier around.

So as is mentioned on this blog from time to time,

1, Attackers can End Run the OS security.
2, Any “Security Endpoint” on the Smart Phone is bypassed by the OS.

Therefore the attacker can reach forward from the communications end point to the plaintext “User Interface”(UI) and any private or secret information there…

Logically, to make any current Smart Phone secure is not possible, therefore you have two options,

1, Do NOT communicate “Private or Secret” information by phone.
2, Move the security endpoint past any reach from the communications endpoint.

For most people, neither option is how they want to roll…

@ ALL,

So for now, we might as well say,

“Currently we have no Privacy or Secrecy with Smart Phones”.

Repeat ten times every morning, with each repeat bang your head against the wall…

When the pain gets too much go back and visit the last option,

“Move the security endpoint past any reach from the communications endpoint.”

The easiest way to do that currently is,

“Take the security endpoint off device.”

nancy October 8, 2021 12:52 PM

Clive wrote:

Logically, to make any current Smart Phone secure is not possible, therefore you have two options,

1, Do NOT communicate “Private or Secret” information by phone.
2, Move the security endpoint past any reach from the communications endpoint.

For most people, neither option is how they want to roll…

Denton wrote:

I guess there are still a few “normies” that don’t realise the mobile networks are insecure, but surely nobody here falls into that category.

If you need a “something you have” for 2FA, it needs to be unforgeable – like a Yubikey or whatever.

What both these messages miss is that it’s generally not our choice, so it doesn’t matter how I “want to roll”. I had a workplace insurance company ask me to e-mail them a medical form—this being an insurance company that at the end of every e-mail writes something like “for your security, this message only includes the claim number and you’ll have to log in to see the details; you should never send private information by e-mail”. A bank I deal with has no online secure messaging interface; only phone, e-mail, or postal mail (and they say not to send private data by e-mail, but I’ve heard of people conducting transactions that way). Every company I’ve worked for and almost every company they’ve dealt with seemed okay with sending and discussing confidential NDA’ed data over email and phone (except ARM who’ll only send documents via a portal which uses TLS client certificates, I think).

Even if one phones up these companies to complain it’s insecure, most will refuse to hear it until one has provided personal information to “verify one’s identity”. And the banks here don’t give a choice of 2-factor authentication: provide a phone number or stop using online banking. I’d much rather use TOTP, but they won’t do it. (For that matter, they’re my bank. I already have a “something I have”, ie. my “smart” bank card with PIN. Okay, they’ll need a procedure if I lose that, maybe mail me a new one and have me perform a PIN-based transaction to activate it. USB smartcard readers don’t cost much more than the cards themselves, and may be unnecessary for those with an NFC-capable device.)

As for the Yubikey etc., they remain pretty niche devices. I don’t know a single local supplier for them, nor does any company I deal with provide or support them. They seem like the type of thing that should be in every computer store, if not every corner store. As I understand, a circa-1980s microcontroller could handle the crypto involved.

SpaceLifeForm October 8, 2021 5:30 PM

It is as clear as mud as to how Lumen owns Syniverse

hxtps://en.m.wikipedia.org/wiki/Lumen_Technologies

lurker October 8, 2021 7:10 PM

@SLF
Groping thru the fog, I was surprised not to stumble over a Wikip warning flag: This article/section reads like commercial copy. Please edit it to a more Encyclopædic style…

SpaceLifeForm October 8, 2021 8:20 PM

@ user01, Gary

Based upon information and belief,

Syniverse handles about 80% and Sinch the rest.

anon October 11, 2021 12:57 AM

@Gary
Are you trying to tell us that hackers, while being on-net for ~6 years, only hacked one part of Syniverse? I don’t believe that for a second.

Who? October 11, 2021 4:24 AM

@anon

I believe what @Gary says. This attack looks like a well planned operation from a state actor. State actors do not modify login scripts on an operating system to write “I had been here” in big ASCII art each time the system is booted; any knowledgeable opponent (sometimes your own government) wants access to sources of information like the one described by @Gary, and will try to make as little noise as possible to remain undetected for many years.

High-end players know what they are doing, and look for the resources they need instead of breaking anything they can. They are very different to script kitties.

Obviously being careful worked this time.
