The senators also provide evidence in their letter that American telecommunications companies have worked with third-party cybersecurity companies to conduct audits of their systems related to the telecommunications protocol known as SS7, but have refused to release the results of these assessments. available to the Department of Defense. “The Department of Defense has asked insurers for copies of the results of their third-party audits and have been informed that they are considered attorney-client privileged information,” the Department wrote in response to questions from Wyden’s office.
The Pentagon contracts with major US carriers for much of their telecommunications infrastructure, meaning it inherits any potential corporate security weaknesses they may have, but also inherited vulnerabilities at the heart of their telephone networks.
AT&T and Verizon did not respond to multiple requests for comment from WIRED. T-Mobile also reportedly suffered a breach in the Salt Typhoon campaign, but the company said in a blog post last week that he has seen no signs of commitment. T-Mobile has contracts with the Army, Air Force, Special Operations Command and many other divisions of the Department of Defense. And in June, announced a 10-year, $2.67 billion contract with the Navy that “will provide all Department of Defense agencies the ability to order T-Mobile wireless equipment and services over the next 10 years.”
In an interview with WIRED, T-Mobile Chief Security Officer Jeff Simon said the company recently detected attempted hacking activity coming from its routing infrastructure through an anonymous wireline partner that suffered a compromise. T-Mobile isn’t sure the “bad actor” was Salt Typhoon, but whoever it was, Simon says the company quickly blocked intrusion attempts.
“Not all of our systems can be accessed from our edge routing infrastructure; they are somehow contained there and then you need to try to move between that environment and another environment to get more access,” Simon says. “That forces them to do pretty loud things and that’s where we were able to detect them. We have invested heavily in our monitoring capabilities. It’s not that they are perfect, they never will be, but when someone makes noise in our environment we like to think that we are going to catch them.”
Amid the chaos of the salt typhoon, T-Mobile’s claim that it did not suffer a breach in this case is noteworthy. Simon says the company continues to engage with law enforcement and the broader telecommunications industry as the situation develops. But it’s no coincidence that T-Mobile has invested so much in cybersecurity. The company suffered a decade of repeated and vast breaches, which exposed an immense amount of customer data. Simon says that since joining the company in May 2023, it has undergone a significant security transformation. As an example, the company implemented mandatory two-factor authentication with physical security keys for everyone who interacts with T-Mobile systems, including all contractors in addition to employees. These measures, he says, have dramatically reduced the risk of threats such as phishing. And other improvements in device population management and network discovery have helped the company feel confident in its ability to defend itself.
“The day we transitioned, we cut off access to several people because they had not yet received their Yubikeys. There was a queue outside our headquarters,” says Simon. “Every life form that accesses T-Mobile systems has to get a Yubikey from us.”
Still, the fact is that there are fundamental vulnerabilities in the United States’ telecommunications infrastructure. Even if T-Mobile successfully thwarted Salt Typhoon’s latest intrusion attempts, the spying campaign is a dramatic example of long-standing insecurity across the industry.
“We urge you to consider whether the Department of Defense should decline to renew these contracts,” the senators wrote, “and instead renegotiate with contracted wireless service providers, to require them to adopt meaningful cyber defenses against surveillance threats.”
Additional reporting by Dell Cameron.