The senators also provide evidence in their letter that US telecoms have worked with third-party cybersecurity firms to conduct audits of their systems related to the telecommunications protocol known as SS7, but that they have refused to make the results of these assessments available to the Department of Defense. “DOD has asked the carriers for copies of the results of their third-party audits and has been advised that they are considered attorney-client privilege,” the department wrote in response to questions from Wyden’s office.
The Pentagon contracts with major US carriers for much of its telecommunications infrastructure, which means it inherits not only any potential corporate security weaknesses they might have but also the legacy vulnerabilities at the heart of their phone networks.
AT&T and Verizon did not respond to multiple requests for comment from WIRED. T-Mobile was also reportedly breached in the Salt Typhoon campaign, but the company said in a blog post last week that it has seen no signs of compromise. T-Mobile has contracts with the Army, Air Force, Special Operations Command, and many other DOD divisions. And in June, it announced a 10-year, $2.67 billion contract with the Navy that will “give all Department of Defense agencies the ability to order wireless services and equipment from T-Mobile over the next 10 years.”
In an interview with WIRED, T-Mobile’s head of security Jeff Simon said the company recently detected attempted hacking activity coming from its routing infrastructure through an unnamed partner who suffered a compromise. T-Mobile isn’t sure if the “bad actor” was Salt Typhoon, but whoever it was, Simon says the company quickly put a stop to the intrusion attempts.
“You can’t access all of our systems from our edge routing infrastructure; they’re kind of contained there, and then you have to try to move between that environment and another environment to get more access,” says Simon. “This requires them to do rather noisy things and this is where we were able to detect them. We have invested heavily in our monitoring capabilities. It’s not that they’re perfect, they never will be, but when someone makes noise around us, we like to think we’ll catch them.”
Amid the chaos of Salt Typhoon, T-Mobile’s claim that it suffered no breach in this case is noteworthy. Simon says the company is continuing to work with law enforcement and the broader telecommunications industry as the situation develops. But it’s no coincidence that T-Mobile has invested heavily in cybersecurity. The company had suffered a decade of repeated, vast breaches, which exposed an immense amount of customer data. Simon says that since he joined the company in May 2023, it has undergone a major security transformation. As an example, the company implemented mandatory two-factor authentication with physical security keys for everyone interacting with T-Mobile systems, including all contractors in addition to employees. These measures, he says, have dramatically reduced the risk of threats such as phishing. And other improvements in device population management and network detection have helped the company feel confident about its ability to defend itself.
“The day we transitioned, we cut off a number of people, because they hadn’t gotten their YubiKeys yet. There was a line out the door to our headquarters,” says Simon. “Every life form that accesses T-Mobile systems must obtain a YubiKey from us.”
Still, the fact remains that there are fundamental vulnerabilities in the US telecommunications infrastructure. Even if T-Mobile successfully thwarted Salt Typhoon’s latest intrusion attempts, the spying campaign is a dramatic illustration of long-standing insecurity in the industry.
“We urge you to consider whether DOD should decline to renew these contracts,” the senators wrote, “and instead renegotiate with contracted wireless carriers to require them to adopt meaningful cyber defenses against surveillance threats.”
Additional reporting by Dell Cameron.