Major SMS Company Hacked

Atlantic.Net is providing this security advisory as a news item. We want to reassure our customers that Atlantic.Net does not use any of these exploited products internally or in any of our service offerings.

On 27th September 2021, U.S. telecom giant Syniverse filed to the U.S. Security and Exchange Commission that they had been hacked. There is a good chance that you have never heard of Syniverse, but if you live in the United States and you have a cell phone, it’s extremely likely that your SMS data flows through Syniverse systems.

Syniverse provides backbone telecoms services between the major telecoms providers, their services allow each network to talk to one another. Their service links providers in the U.S., Europe, and Asia.

Syniverse revealed that “an individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer (EDT) environment was compromised for approximately 235 of its customers.”

In the U.S. we know that Syniverse processes SMS data for AT&T, T-Mobile, and Verizon. In Europe, they are used by Vodafone, and in Asia, China Mobile. It’s likely they process data for many smaller carriers as well. Astoundingly, it appears that this hack went on for five years.

We don’t know what data has been stolen in the breach, but the website vice.com reported that former Syniverse employees advised that Syniverse processes metadata about the length and cost of calls, the sender and receiver numbers, their location, and the content of the SMS message.

The biggest concern here is that this hack lasted for over five years; evidence found on the SEC.gov website (page 69) states that the hack started way back in May 2016! Syniverse has notified the companies that they are contractually required to, but this approach has been criticized, as such a potentially large hack has been very quietly released to the public.

As of yet, there has been no mention of the breach on the Syniverse website; the only evidence is the sec.gov official filing. Syniverse states that there is no evidence that data has been misappropriated, but the filing warns that future impact from the fallout of this hack is possible. It is clear that Syniverse is concerned about its public image, financial damage, and the adverse impact on “Syniverse’s overall strategy to be a leading provider of technology solutions to the wireless ecosystem.”

Syniverse stated on the filing that they have fixed and remediated the issue that allows hackers to gain access, but we don’t know what the attack vector was. It’s possible it was a server or application exploit, or an unsecured public asset, such as a cloud storage bucket.

Syniverse has publicly stated that it must “strive to update its legacy IT infrastructure and existing operations,” suggesting that the existing infrastructure is old and not fit for purpose. Perhaps this is how access has been gained?

Why is this hack important?

There are a lot of lessons that can be learned from the Syniverse hack. They have been universally criticized about their handling of the incident, only notifying the carriers and not the customer impacted. There has been no official announcement via the company website, and a general feeling like the company has been trying to keep things quiet and play down the impact of the hack.

You may think that SMS is an outdated service, being rapidly replaced with services like WhatsApp and Messenger. The breach is reported to contain phone call metadata too, potentially huge news because it could contain the private information about billions of phone called made in the last 5 years.

Next is the fact that they remained breached for 5 years, and using the dates in their report, that’s 1975 days! Now consider what SMS is used for; lots of multifactor authentication services use SMS such as Azure Active Directory. Some businesses even send account reset URLs direct to an SMS message, and clicking on the link gives you access to the site.

What can you do to protect yourself?

The first recommendation we offer is to review your multifactor solution. Most providers will offer an alternative to SMS, such as an app like Authy or phone call authentication.

The next best line of defense is to team up with a Managed Service Provider like Atlantic.Net that has the manpower to overcome and patch these attacks. Atlantic.Net has 30 years of experience in providing security-defined, hardened, and robust managed services for our customers.

Syniverse has already stated that their infrastructure is out-of-date and that they are in urgent need of digital transformation. Let us manage your server infrastructure. We will take care of all your security patching requirements on top of the day-to-day upkeep of the cloud platform.

Hackers gain access to systems when they are inadequately protected, and the best way to find if you are vulnerable is by performing vulnerability scanning. This technique tests the external and internal computer infrastructure against all known vulnerabilities. Atlantic.Net systems are tested for weakness often, and our team can recommend some of our trusted partners to test your systems directly with penetration testing.  In a situation like this, it is best to ensure that you are taking advantage of all best-known security practices to minimize any exposure to zero-day exploits.

If your business is concerned about cybersecurity, please feel welcome to reach out to Atlantic.Net. We are specialists in Managed Services, Cloud Hosting, and HIPAA compliance. Security of our infrastructure is of paramount importance, and we work hard to ensure we have the best security processes in place.  Atlantic.Net has a full suite of Managed Security Services to help be proactive and prepare in advance for any security issues. Get in touch today.

HIPAA Compliant Hosting with Atlantic.Net

Contracting with Atlantic.Net for HIPAA-compliant web hosting gives you peace of mind that your provider knows what they’re doing. Atlantic.Net is SOC 2, SOC 3, HIPAA audited, and PCI ready and provides clients with the hardened, secure, and compliant infrastructure they need.