The senators also provide evidence in their letter that US telecoms have worked with third-party cybersecurity firms to conduct audits of their systems related to the telecom protocol known as SS7 but have declined to make the results of these evaluations available to the Defense Department. “The DOD has asked the carriers for copies of the results of their third-party audits and were informed that they are considered attorney-client privileged information,” the department wrote in answer to questions from Wyden’s office.
The Pentagon contracts with major US carriers for much of its telecom infrastructure, which means that it inherits any potential corporate security weaknesses they may have but also the legacy vulnerabilities at the heart of their telephony networks.
AT&T and Verizon did not respond to multiple requests for comment from WIRED. T-Mobile was also reportedly breached in the Salt Typhoon campaign, but the company said in a blog post last week that it has seen no signs of compromise. T-Mobile has contracts with the Army, Air Force, Special Operations Command, and many other divisions of the DOD. And in June, it announced a 10-year, $2.67 billion contract with the Navy that “will give all Department of Defense agencies the ability to place orders for wireless services and equipment from T-Mobile for the next 10 years.”
In an interview with WIRED, T-Mobile chief security officer Jeff Simon said that the company recently detected attempted hacking activity coming from its routing infrastructure by way of an unnamed wireline partner that suffered a compromise. T-Mobile isn’t certain that the “bad actor” was Salt Typhoon, but whoever it was, Simon says the company quickly stymied the intrusion attempts.
“From our edge routing infrastructure you can’t get to all of our systems—they’re somewhat contained there and then you need to try to move between that environment and another one in order to gain more access,” Simon says. “That requires them to do things that are rather noisy and that’s where we were able to detect them. We’ve invested heavily in our monitoring capabilities. Not that they’re perfect, they never will be, but when someone’s noisy in our environment, we like to think that we’re going to catch them.”
In the midst of the Salt Typhoon chaos, T-Mobile’s assertion that it did not suffer a breach in this instance is noteworthy. Simon says that the company is still collaborating with law enforcement and the telecom industry more broadly as the situation unfolds. But it is no coincidence that T-Mobile has invested so extensively in cybersecurity. The company had suffered a decade of repeated, vast breaches, which exposed an immense amount of customer data. Simon says that since he joined the company in May 2023, it has undergone a significant security transformation. As one example, the company implemented mandatory two-factor authentication with physical security keys for all people who interact with T-Mobile systems, including all contractors in addition to employees. Such measures, he says, have drastically reduced the risk of threats like phishing. And other improvements in device population management and network detection have helped the company feel confident in its ability to defend itself.
“The day we did the transition, we cut off a number of people’s access, because they hadn’t gotten their YubiKeys yet. There was a line out the door of our headquarters,” Simon says. “Every life form that accesses T-Mobile systems has to get a YubiKey from us.”
Still, the fact remains that there are fundamental vulnerabilities in US telecom infrastructure. Even if T-Mobile successfully thwarted Salt Typhoon’s latest intrusion attempts, the espionage campaign is a dramatic illustration of long-standing insecurity across the industry.
“We urge you to consider whether DOD should decline to renew these contracts,” the senators wrote, “and instead renegotiate with the contracted wireless carriers, to require them to adopt meaningful cyber defenses against surveillance threats.”
Additional reporting by Dell Cameron.