27 votes

Company that routes SMS for all major US carriers was hacked for five years

6 comments

  1. precise
    Link
    This is a great reason/reminder to use E2EE communications like Signal. SMS at the end of the day is just internet packets, lots of people use VPNs to protect their internet traffic, might as well...

    This is a great reason/reminder to use E2EE communications like Signal. SMS at the end of the day is just internet packets, lots of people use VPNs to protect their internet traffic, might as well take similar precautions with text messages.

    I'm really curious to see who is behind this though, I would not be surprised if this ends up being a state-sponsored compromise. I am suspicious of the timing of this release though, right after Facebook comes under fire (again) and takes over the headlines. I can understand wanting to time it from a PR standpoint, but if text messages and call records have been compromised that is huge.

    I'd argue it's more substantial than what Facebook has been doing though. Text messages and call records have a reasonable expectation of privacy. Cellular communications really should be treated as public utilities given the ubiquitous nature and necessity of life they now engender.

    Yet here we are. Evilcorp runs our necessary infrastructure and will probably get off with a slap on the wrist as this seems to slip through the headlines and by the public eye.

    10 votes
  2. AugustusFerdinand
    Link

    Syniverse, a company that routes hundreds of billions of text messages every year for hundreds of carriers including Verizon, T-Mobile, and AT&T, revealed to government regulators that a hacker gained unauthorized access to its databases for five years. Syniverse and carriers have not said whether the hacker had access to customers' text messages.

    Syniverse says its intercarrier messaging service processes over 740 billion messages each year for over 300 mobile operators worldwide. Though Syniverse likely isn't a familiar name to most cell phone users, the company plays a key role in ensuring that text messages get to their destination.

    A filing with the Securities and Exchange Commission last week said that "in May 2021, Syniverse became aware of unauthorized access to its operational and information technology systems by an unknown individual or organization. Promptly upon Syniverse's detection of the unauthorized access, Syniverse launched an internal investigation, notified law enforcement, commenced remedial actions and engaged the services of specialized legal counsel and other incident response professionals."

    6 votes
  3. [3]
    DepartedPretzel
    Link
    This depresses me. Centralization knows no bounds. Does email also suffer from a single point of failure like this? I ask since a recent MetaFilter discussion related to Facebook praised email as...

    This depresses me. Centralization knows no bounds.

    Does email also suffer from a single point of failure like this? I ask since a recent MetaFilter discussion related to Facebook praised email as one of the few accessible means of decentralized electronic communication. Perhaps not if one entity holds all the keys.

    5 votes
    1. whbboyd
      (edited )
      Link Parent
      No (except insofar as Google and Microsoft each handle roughly a third of the world's email, meaning as a naïve approximation they're at at least one end of 90% of all correspondent pairs). As...

      Does email also suffer from a single point of failure like this?

      No (except insofar as Google and Microsoft each handle roughly a third of the world's email, meaning as a naïve approximation they're at at least one end of 90% of all correspondent pairs). As long as the sender's email server and the recipient's email server have network connectivity to each other, they can send email to each other.

      While successfully interoperating with the global email infrastructure has become extremely challenging (mostly due to technical measures to fight spam), merely demonstrating the decentralization is easy straightforward: within an isolated network, set up two hosts running SMTP servers, turn off all the safeties, and send mail from one to the other by IP address.

      9 votes
    2. onyxleopard
      Link Parent
      Not inherently, but maybe in practice given the ubiquity of GMail? Tom Scott did a neat “what if” scenario on this.

      Not inherently, but maybe in practice given the ubiquity of GMail?

      Tom Scott did a neat “what if” scenario on this.

      2 votes
  4. mosburger
    Link
    Oof - another strike against using SMS for 2FA.

    Oof - another strike against using SMS for 2FA.

    2 votes