The company that routes SMS for all major US carriers was hacked for five years

A woman's hand holding a smart phone.

Getty Images | d3sign

Syniverse, a company that routes hundreds of billions of text messages each year for hundreds of carriers, including Verizon, T-Mobile, and AT&T, revealed to government regulators that a hacker gained unauthorized access to its databases during five years. Syniverse and the operators have not said whether the hacker had access to customers’ text messages.

TO filing with the Securities and Exchange Commission last week it said that “in May 2021, Syniverse became aware of unauthorized access to its operating and information technology systems by an unknown person or organization. Immediately after Syniverse detected the unauthorized access, Syniverse initiated an internal investigation, notified the police and began repairing actions and hired specialized legal advisory services and other incident response professionals. “

Syniverse said its “investigation revealed that unauthorized access began in May 2016” and “that the person or organization gained unauthorized access to databases within their network on several occasions, and that the login information allows access to or from its Electronic Data Transfer (‘EDT’) was compromised for approximately 235 of its customers. “

Syniverse does not reveal any further details

When contacted by Ars today, a Syniverse spokesperson provided a blanket statement that mostly repeats what’s in the SEC filing. Syniverse declined to answer our specific questions about whether the text messages were exposed and about the impact on major US carriers.

“Given the confidential nature of our relationship with our clients and a pending police investigation, we do not anticipate further public comment on this matter,” Syniverse said.

The SEC filing is a preliminary proxy statement related to a pending merger with a special purpose acquisition company that will make Syniverse a publicly traded company. (The document was submitted by M3-Brigade Acquisition II Corp., the blank check company.) As is standard with SEC filings, the document discusses risk factors for investors, in this case including security-related risk factors demonstrated by Syniverse database hack.

Synchronized route messages for 300 operators

Syniverse says it is intercarrier courier service processes more than 740 billion messages each year for more than 300 mobile operators around the world. Although Syniverse is probably not a household name to most cell phone users, the company plays a key role in ensuring that text messages reach their destination.

Today we asked AT&T, Verizon, and T-Mobile if the hacker had access to people’s text messages, and we’ll update this article if we get new information.

The importance of Syniverse in SMS was highlighted in November 2019 when a server failure caused more than 168,000 messages to be delivered almost nine months late. Messages were in a queue and were not delivered when a server crashed on February 14, 2019, finally reaching their recipients in November when the server went down. reactivated.

Syniverse says it fixed vulnerabilities

Syniverse said in the SEC filing and statement to Ars that it restored or deactivated the credentials of all EDT clients, “even if their credentials were not affected by the incident.”

“Syniverse has notified all affected customers of this unauthorized access where it is required by contract, and Syniverse has concluded that no further action, including any customer notification, is required at this time,” the SEC filing said. Syniverse told us that it also “implemented substantial additional measures to provide greater protection to our systems and customers” in response to the incident, but did not say what those measures are.

Syniverse is apparently confident that it has everything under control, but told the SEC that it could still uncover more issues resulting from the breach:

Syniverse did not observe any evidence of intent to disrupt its operations or those of its customers and there was no attempt to monetize the unauthorized activity … While Syniverse believes that it has properly identified and fixed the vulnerabilities that led to the incidents described above, There can be no guarantee that Syniverse will not discover evidence of exfiltration or misuse of your data or IT systems from the May 2021 Incident, or that it will not experience a future cyber attack leading to such consequences. Any such exfiltration could result in the public disclosure or misappropriation of customer data, Syniverse trade secrets or other intellectual property, personal information of its employees, confidential information of its customers, suppliers and vendors, or material financial information. and other related to your business.

Syniverse’s filing with the SEC was filed on September 27 and was discussed yesterday at a article in the Motherboard section of Vice. According to Vice, a “former Syniverse employee who worked on EDT systems” said those systems contain information about all kinds of call records. Vice also quoted a phone company employee as saying that a hacker could have gained access to the content of SMS text messages.

Vice wrote:

Syniverse repeatedly declined to answer specific questions from Motherboard about the scale of the breach and what specific data was affected, but according to a person working at a phone operator, whoever hacked Syniverse could have had access to metadata such as duration and the cost, the caller. and the recipient’s numbers, the location of the parties in the call, as well as the content of the SMS text messages.

“Syniverse is a common clearinghouse for operators around the world who pass billing information to each other,” the source, who asked to remain anonymous, told Motherboard as they were not authorized to speak to the press. “So it inevitably carries sensitive information like call logs, data usage logs, text messages, and so on. […] The point is, I don’t know exactly what was being exchanged in that environment. One would have to imagine that they could easily be customer records and [personal identifying information] since Syniverse exchanges call logs and other billing details between carriers. “

Leave a Reply

Your email address will not be published. Required fields are marked *