A company that is a critical part of the global telecommunications infrastructure used by AT&T, T-Mobile, Verizon and several others around the world such as Vodafone and China Mobile, quietly disclosed that hackers were inside its systems for years, impacting more than 200 of its clients and potentially millions of cellphone users worldwide.
The company, Syniverse, revealed in a filing dated September 27 with the U.S. Security and Exchange Commission that an unknown "individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer (EDT) environment was compromised for approximately 235 of its customers."
A former Syniverse employee who worked on the EDT systems told Motherboard that those systems have information on all types of call records.
Subscribe to CYBER anywhere you listen to podcasts.
Syniverse repeatedly declined to answer specific questions from Motherboard about the scale of the breach and what specific data was affected, but according to a person who works at a telephone carrier, whoever hacked Syniverse could have had access to metadata such as length and cost, caller and receiver's numbers, the location of the parties in the call, as well as the content of SMS text messages.
"Syniverse is a common exchange hub for carriers around the world passing billing info back and forth to each other," the source, who asked to remain anonymous as they were not authorized to talk to the press, told Motherboard. "So it inevitably carries sensitive info like call records, data usage records, text messages, etc. [...] The thing is—I don’t know exactly what was being exchanged in that environment. One would have to imagine though it easily could be customer records and [personal identifying information] given that Syniverse exchanges call records and other billing details between carriers."
The company wrote that it discovered the breach in May 2021, but that the hack began in May of 2016.
Do you work or used to work at Syniverse or another telecom provider? Do you have more information about this breach? We’d love to hear from you. Using a non-work phone or computer, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at firstname.lastname@example.org, or email email@example.com.
Syniverse provides backbone services to wireless carriers like AT&T, Verizon, T-Mobile, and several others around the world. The company processes more than 740 billion text messages every year and has “direct connections” to more than 300 mobile operators around the world, according to its official website. Ninety-five of the top 100 mobile carriers in the world, including the big three U.S. ones, and major international ones such as Telefonica, and America Movil, are Syniverse customers, according to the filing.
To give perspective as to Syniverse’s importance, due to a maintenance update in 2019, Syniverse lost tens of thousands of text messages on Valentine's Day, which meant that the text messages were lost in transit and only delivered months later. Syniverse routes text messages between different carriers both in the U.S. and abroad, allowing people who are on Verizon’s network to communicate with customers who use another carrier. It also manages routing and international roaming between networks, using the notoriously insecure SS7 and Diameter protocols, according to the company's site.
"The world’s largest companies and nearly all mobile carriers rely on Syniverse’s global network to seamlessly bridge mobile ecosystems and securely transmit data, enabling billions of transactions, conversations and connections [daily]," Syniverse wrote in a recent press release.
"Syniverse has access to the communication of hundreds of millions, if not billions, of people around the world. A five-year breach of one of Syniverse's main systems is a global privacy disaster," Karsten Nohl, a security researcher who has studied global cellphone networks for a decade, told Motherboard in an email. "Syniverse systems have direct access to phone call records and text messaging, and indirect access to a large range of Internet accounts protected with SMS 2-factor authentication. Hacking Syniverse will ease access to Google, Microsoft, Facebook, Twitter, Amazon and all kinds of other accounts, all at once."
That means the recently discovered and years-long data breach could potentially affect millions—if not billions—of cellphone users, depending on what carriers were affected, according to an industry insider who asked to remain anonymous as he was not authorized to speak to the press.
"With all that information, I could build a profile on you. I'll know exactly what you're doing, who you're calling, what's going on. I'll know when you get a voicemail notification. I'll know who left the voicemail. I'll know how long that voicemail was left for. When you make a phone call, I'll know exactly where you made that phone call from," a telecom industry insider, who asked to remain anonymous as he was not authorized to speak to the press, told Motherboard in a call. "I’ll know more about you than your doctor."
But the former Syniverse employee said that the damage could be much more limited.
“I feel it is extremely embarrassing but likely not the cause of significant damage. It strikes me as a result of some laziness, as I have seen security breaches happen like this a few times,” the former employee said. “Because we have not seen anything come out of this over five years. Not saying nothing bad happened but it sounds like nothing did happen.”
"Seems like a state-sponsored wet dream," Adrian Sanabria, a cybersecurity expert and founder of Security Weekly Labs, told Motherboard in an online chat. "Can't imagine [Syniverse] being a target for anyone else at that scale."
The hack is already raising the alarm in Washington.
“The information flowing through Syniverse’s systems is espionage gold," Sen. Ron Wyden told Motherboard in an emailed statement. "That this breach went undiscovered for five years raises serious questions about Syniverse’s cybersecurity practices. The FCC needs to get to the bottom of what happened, determine whether Syniverse's cybersecurity practices were negligent, identify whether Syniverse's competitors have experienced similar breaches, and then set mandatory cybersecurity standards for this industry.”
“The information flowing through Syniverse’s systems is espionage gold”
In particular, Motherboard asked Syniverse whether the hackers accessed or stole personal data or cellphone users. Syniverse declined to answer that question.
Instead, the company sent a statement that echoed what it wrote in the filing.
"As soon as we learned of the unauthorized activity, we implemented our security incident response plan and engaged a top-tier forensics firm to assist with our internal investigation. We also notified and are cooperating with law enforcement. Syniverse has completed a thorough investigation of the incident which revealed that the individual or organization gained unauthorized access to databases within its network on several occasions and that login information allowing access to or from its EDT environment was compromised for certain customers," the statement read. "All EDT customers have had their credentials reset or inactivated, even if their credentials were not impacted by the incident. We have communicated directly with our customers regarding this matter and have concluded that no additional action is required. In addition to resetting customer credentials, we have implemented substantial additional measures to provide increased protection to our systems and customers."
Syniverse disclosed the breach in an August SEC filing as the company gearing to go public at a valuation of $2.85 billion via a merger with M3-Brigade Acquisition II Corp., a special purpose acquisition company (SPAC). In the document, the company wrote that it "did not observe any evidence of intent to disrupt its operations or those of its customers and there was no attempt to monetize the unauthorized activity. Syniverse did not experience and does not anticipate that these events will have any material impact on its day-to-day operations or services or its ability to access or process data. Syniverse has maintained, and currently maintains, cyber insurance that it anticipates will cover a substantial portion of its expenditures in investigating and responding to this incident."
It's not a household name among customers, but Syniverse is one of the largest companies in the world when it comes to the cellphone infrastructure that helps more well-known companies like Verizon or AT&T to run on a day-to-day basis.
"It is actually surprising that more stuff like this has not happened, considering what a mess Syniverse has become in recent years," the former Syniverse employee told Motherboard in 2019, referring to the Valentine's Day text messaging incident.
The FBI and the FCC did not immediately respond to a request for comment. The Cybersecurity and Infrastructure Agency (CISA) declined to comment.
AT&T, T-Mobile, Vodafone, Telefonica, China Mobile, and America Movil did not respond to a request for comment. Verizon declined to comment.