A cornerstone of text messaging has been vulnerable for half a decade. Ars Technica reports that Syniverse, which routes billions of SMS chats for hundreds of carriers in the United States and abroad, used an SEC filing to disclose a hack that lasted five years.
The company discovered in May 2021 that someone had “unauthorized access” to their operational and IT systems since May 2016, and during that time had “several” opportunities to access network databases. The intruders compromised connections to Syniverse’s electronic data transfer environment for around 235 operators, according to the company.
The routing company wouldn’t say if the attackers got any messages or violated user privacy. In a statement to ArsSyniverse generally stuck to what it disclosed in the SEC filing. The company said it had found no evidence of an “intention to disrupt” operations and that there had been “no attempt to monetize” the business. The company could not, however, rule out future discoveries, and a Motherboard source said the EDT space included information about recording calls. The intruders could have obtained the contents of the text messages, the source added.
We asked AT&T, T-Mobile, and Verizon (the former parent company of Engadget) if the attackers might have compromised text passing through their networks. Syniverse said it fixed security vulnerabilities and notified all customers when required by law, but that “no further action” was required at this point.
While this answer suggests that the practical damage might be limited, there is still cause for concern here – attackers might have gained access to massive volumes of sensitive messages when a major custodian was unaware. At the very least, it is a reminder that mobile security depends as much on partner companies as it does on operators and phone manufacturers.
Update 6/10 1:20 PM ET: T-Mobile told Engadget that there was “no indication” that the breach of text messages or other compromised personal information for the operator’s users.
All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through any of these links, we may earn an affiliate commission.