The senators also cited evidence in their letter that US Telecom has worked with third-party cybersecurity firms to audit its systems related to telecom protocols. ss7 But the Defense Department has refused to make the results of these evaluations available. “DOD has asked the carriers for copies of the results of their third-party audits and has been informed that they are considered attorney-client privileged information,” the department wrote in response to questions from Wyden's office.
The Pentagon contracts with major US carriers for most of its telecommunications infrastructure, which means it inherits any potential corporate security vulnerabilities they have, but also inherits vulnerabilities at the heart of their telephony networks.
AT&T and Verizon did not respond to multiple requests for comment from WIRED. T-Mobile was also reportedly breached in the Salt Typhoon campaign, but the company said blog post There were no signs of agreement last week. T-Mobile has contracts with the Army, Air Force, Special Operations Command, and several other divisions of the DOD. And in June, it announced A 10-year, $2.67 billion contract with the Navy that will “give all Department of Defense agencies the ability to order wireless services and equipment from T-Mobile for the next 10 years.”
In an interview with WIRED, T-Mobile Chief Security Officer Jeff Simon said the company recently attempted to contain hacking activity coming from its routing infrastructure through an unnamed wireline partner, which had to be compromised. T-Mobile isn't sure if the “bad actor” was Salt Typhoon, but whoever it was, Simon says the company immediately stopped the intrusion attempts.
“With our edge routing infrastructure you can't access all of our systems – they're contained there to some extent and then you have to try to go between that environment and another environment to get more access,” says Simon. “It requires them to do things that are quite noisy and that's where we were able to detect them. We have invested heavily in our monitoring capabilities. Not that they are perfect, they will never be perfect, but when someone in our environment makes noise, we like to think that we will catch them.
Amid the Salt Typhoon chaos, T-Mobile's claim that it found no violations in this case is notable. Simon says the company is still collaborating with law enforcement and the telecommunications industry more broadly as the situation unfolds. But it's no coincidence that T-Mobile has Invested extensively in cyber securityThe company suffered loss decade Frequently, huge The breach, which exposed large amounts of customer data. Simon says there has been a significant security change since joining the company in May 2023. As an example, the company implemented mandatory two-factor authentication with a physical security key for everyone who interacts with T-Mobile systems, including all contractors other than employees. He says that with such measures the risk of threats like phishing has been reduced to a great extent. And other improvements in device population management and network detection have helped the company feel confident in its ability to protect itself.
“The day we made the change, we cut off access for many people because they had not yet received their YubiKeys. There was a line out the door to our headquarters,” says Simon. “Every life form that accesses the T-Mobile system must receive a Yubikey from us.”
Nevertheless, the fact remains that the US telecommunications infrastructure has fundamental vulnerabilities. Even though T-Mobile has successfully thwarted Salt Typhoon's latest intrusion attempts, the spying campaign is a dramatic illustration of long-standing insecurity throughout the industry.
“We urge you to consider whether DOD should decline to renew these contracts,” the senators wrote, “and instead renegotiate with contracted wireless carriers to protect them from surveillance threats.” There is a need to adopt meaningful cyber security against.
Additional reporting by Dale Cameron.