Thu | Oct 7, 2021 | 3:07 AM PDT

A recent hack discovered by one of the world's largest telecommunications companies has the potential to impact millions of mobile phone users worldwide.

Syniverse, the company in question, claims to process more than 740 billion text messages per year and has direct connections to over 300 mobile operators around the world, including 95 of the top 100 mobile carrier companies. 

Syniverse describes the company's critical importance to global communications in a press release:

"The world's largest companies and nearly all mobile carriers rely on Syniverse's global network to seamlessly bridge mobile ecosystems and securely transmit data, enabling billions of transactions, conversations and connections [daily]."

It also claims the tagline, "the world's most connected company."

Well, "most connected" certainly does not guarantee most secure.

Syniverse submitted a filing to the United States Securities and Exchange Commission (SEC) saying this:

"[An unknown] individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer (EDT) environment was compromised for approximately 235 of its customers."

The company also says it discovered the breach in May 2021, but the hack began five years earlier in 2016.

2FA concerns from Syniverse hack

The hack is a significant concern for all 235 affected customers of Syniverse, but the damage could be much more widespread than that. Several security researchers have expressed concerns over the secondary effects of the breach, including how it could impact two-factor authentication (2FA).

Karsten Nohl, a security researcher who studies global cellphone networks, told Vice's Motherboard the following in an email:

"Syniverse has access to the communication of hundreds of millions, if not billions, of people around the world. A five-year breach of one of Syniverse's main systems is a global privacy disaster.

Syniverse systems have direct access to phone call records and text messaging, and indirect access to a large range of Internet accounts protected with SMS 2-factor authentication. Hacking Syniverse will ease access to Google, Microsoft, Facebook, Twitter, Amazon and all kinds of other accounts, all at once."

Vykintas Maknickas, Head of Product Strategy at Nord Security, also discussed the impact on 2FA:

"There were several red flags with how Syniverse handled the hack, but one of the more dangerous aspects of this hack relates to 2FA. If the hackers could access user text messages, this would have enabled them to access other accounts that had 2FA enabled through text messages.

Security experts have almost a complete consensus that authenticator apps provide better protection than SMS 2FA, so one immediate action post-hack would be to switch your 2FA method.

Another thing that people can do is look for the login history of their most critical accounts like their emails to see if there's something suspicious. The reason being, even if 2FA was [done] enabled through SMS, even services like Gmail could miss that the attempt to log in was suspicious."

Syniverse data is a hacker's dream

Considering the scale of Syniverse's business, it's easy to see how a data breach could impact the personally identifiable information (PII) of millions of people around the world. Add to that the information that could be stolen through accounts with 2FA enabled by SMS texts, and the company could have a serious issue on its hands.

A telecom industry insider who spoke with Motherboard said this:

"With all that information, I could build a profile on you. I'll know exactly what you're doing, who you're calling, what's going on. I'll know when you get a voicemail notification. I'll know who left the voicemail. I'll know how long that voicemail was left for. When you make a phone call, I'll know exactly where you made that phone call from. I'll know more about you than your doctor."

Considering this, it did not take long for government officials to take notice. Senator Ron Wyden (D-OR) told Motherboard in an emailed statement:

"The information flowing through Syniverse's systems is espionage gold. That this breach went undiscovered for five years raises serious questions about Syniverse's cybersecurity practices. The FCC needs to get to the bottom of what happened, determine whether Syniverse's cybersecurity practices were negligent, identify whether Syniverse's competitors have experienced similar breaches, and then set mandatory cybersecurity standards for this industry."

Syniverse data breach result of 'laziness'?

It's unusual for a hack to essentially lie dormant for five years. Often, when hackers gain unauthorized access to an organization's network, they want to move quickly before being detected. There are plenty of cases where intruders went undetected for several months, or even years. But almost never for as long as five years, which makes this case interesting.

Motherboard was able to connect with a former Syniverse employee, who wished to remain anonymous. Here is what they said about the situation:

"I feel it is extremely embarrassing but likely not the cause of significant damage. It strikes me as a result of some laziness, as I have seen security breaches happen like this a few times. Because we have not seen anything come out of this over five years. Not saying nothing bad happened but it sounds like nothing did happen."

Syniverse has not commented on the scale of the breach or which customers were impacted. The company did put out a statement saying that login information for some specific customers was compromised, but it doesn't appear to be overly concerned about the data breach.

"All EDT customers have had their credentials reset or inactivated, even if their credentials were not impacted by the incident. We have communicated directly with our customers regarding this matter and have concluded that no additional action is required. In addition to resetting customer credentials, we have implemented substantial additional measures to provide increased protection to our systems and customers." 

See the original story from Motherboard for more information.

Check out the SecureWorld News page for the latest on other cybersecurity topics.
