Breach of Syniverse Reveals Yet Another Supply Chain Attack5-Year Intrusion Is the Latest Incident Involving Lesser-Known - Yet Key - Provider
Raise your hand if you'd heard of Syniverse before the news broke this week that the telecommunications service provider had suffered a five-year breach.
The breach is a big deal because Tampa, Florida-based Syniverse helps route calls and text messages for 95 of the world's top 100 mobile carriers, among others, handling more than 1 trillion messages per year.
Telephone call records - meaning metadata of the type Edward Snowden in 2013 warned that the U.S. National Security Agency was recording as part of a vast surveillance apparatus - may have been exposed. At risk are details about senders and recipients, device identifiers and their location. The content of text - aka SMS - messages, which can be used to reset access to accounts at Facebook, Google, Microsoft, Yahoo and many other services, may also have been exposed.
In other words, whoever attacked Syniverse was able to hit a single organization that handles a key task for its 1,250 customers, who themselves count millions of users.
If this sounds familiar, it's because this was a classic supply chain attack. Hitting one organization that serves many other organizations can be an incredible force multiplier.
"I'm not surprised that criminal hackers would go after these critical points in infrastructure," says Karsten Nohl, the founder and chief scientist at Berlin-based Security Research Labs, who has conducted extensive research on the aging protocols underpinning today's internet and communication networks, including Border Gateway Protocol - tied to Facebook's massive Monday outage - and Signaling System #7 (see: Bank Account Hackers Used SS7 to Intercept Security Codes).
"The lesser known, the better, because then there's less attention. There's less security scrutiny from the public and customers," Nohl says. "So all of this comes down to supply chain security, where it's been learned time and time again, especially over the last - let's say 24 months - that more often, you suffer damage by one of your suppliers getting hacked than you do by yourself getting hacked, because of the multiplier effect."
Supply Chain Hits
A few example from the past two years include SolarWinds, Mimecast and Kaseya. In the case of Kaseya, which makes remote management software for managed service providers, ransomware-wielding attackers were able to forcibly encrypt its customers' customers' systems.
The European Union Agency for Cybersecurity, or ENISA, recently warned that it expects to see four times more supply chain attacks in 2021 than in 2020. It expects half of these attacks will be attributable to nation-state hacking teams, aka advanced persistence threat actors.
Reviewing 24 supply chain attacks reported from the start of 2020 through mid-2021, ENISA found two-thirds involved altering a supplier's code base, and more than half of all attacks were aimed at stealing data.
For attackers, hitting one organization to gain access to information on potentially millions of people is a no-brainer.
"In the mind of security professionals, supply chain security is the number one topic," Nohl says. "But that hasn't trickled down to kind of a general awareness that there are technology providers who are basically responsible for the privacy - or lack of privacy - of virtually everyone."
Who Hacked Syniverse?
How Syniverse first got hacked and failed to spot the intrusion for so long hasn't been publicly detailed. Citing an ongoing law enforcement probe as well as confidentiality agreements with customers, a Syniverse spokesman declined to comment on how the company found the breach, exactly what types of data was exposed, which of its 235 telecommunication carrier customers were affected, or if investigators had attributed the attack to a crime group or nation-state attackers.
But with the metadata exposure and access to text messages, spying seems a likely driver. As Sen. Ron Wyden, D-Ore., has noted: "The information flowing through Syniverse's systems is espionage gold."
Seen in that light, a more pertinent question about this episode might be: Why wasn't Syniverse hacked before 2016? Then again, maybe it had been.
"We don't know what we don't know," says Alan Woodward, a visiting professor of computer science at England's University of Surrey. "It may be that Syniverse has suffered chronic penetration, but it's only this case that we know about. Having said that, it did continue for a remarkably long time. So I'd ask myself how that managed to persist, and more particularly, what was it that alerted the company to this incident?"
Core Infrastructure at Risk
As ENISA's report makes clear, Syniverse certainly won't be the last such provider to get hit. "There are many of these companies who quietly carry on supporting large areas of infrastructure that, whilst they may have disappeared out of the headlines, they are still in everyday use," Woodward says.
Keeping track of companies such as Syniverse, who provide a key service on which many businesses - and by extension consumers - rely, can be challenging, not least for corporate security teams attempting to model risk.
The company's existence was news to many, prior to Vice this week breaking the story of the breach, based on a corporate filing to the U.S. Securities and Exchange Commission, dated Sept. 27.
In November 2019, The Verge published a report - titled "how one company you've never heard of swallowed tens of thousands of text messages - then spit them back out" - detailing how a Syniverse server failure led to text messages sent for Valentine's Day disappearing until they were mysteriously delivered nine months later.
As the new breach disclosure makes clear, of course, from an IT standpoint, Syniverse at that time faced much worse problems, which it had yet to detect.
Better Core Security: Who's Responsible?
In the wake of the breach, "we have implemented substantial additional measures to provide increased protection to our systems and customers," a Syniverse spokesman tells Information Security Media Group.
In the bigger picture, however, what about the security of text messages themselves? "It's easy to declare text messaging insecure. But there doesn't seem to be a viable option that comes with the same properties, in terms of functionality," Security Research Labs' Nohl says.
For example, a large number of organizations continue to rely on text messages to send one-time codes for account access. If someone loses their smartphone, he says, they can take their ID card into their smartphone provider's store and order a new smartphone, with a SIM card installed giving them access to their same phone number, thus allowing them to regain access to their SMS-protected accounts.
"I suspect SMS will be around for some considerable time to come, so we really do need to take it seriously and guard it appropriately," Surrey University's Woodward says. "It's one of the few universal platforms for sending data, other than over the internet. Two-factor authentication is a classic example where SMS is still used by many as the second channel - even though one might argue it's not really a true second factor - primarily because it is something everyone with a mobile phone will have. Not everyone has one of the authenticators, or WhatsApp or Signal, or whatever."
As with so many aspects of the protocols that underpin today's core communications infrastructure, however, who might take responsibility for making text messaging more secure, as well as fund those improvements, remains an open question.
"We expect the telcos to improve the security of their services, without anybody being willing to pay anything more for it," Nohl says. While better security for core services - including text messaging - is sorely needed, arguably so too is finding the right incentives.