Company that routes SMS for all major US carriers was hacked for five years

Syniverse, a company that routes hundreds of billions of text messages every year for hundreds of carriers including Verizon, T-Mobile, and AT&T, revealed to government regulators that a hacker gained unauthorized access to its databases for five years. Syniverse and carriers have not said whether the hacker had access to customers' text messages.

A filing with the Securities and Exchange Commission last week said that "in May 2021, Syniverse became aware of unauthorized access to its operational and information technology systems by an unknown individual or organization. Promptly upon Syniverse's detection of the unauthorized access, Syniverse launched an internal investigation, notified law enforcement, commenced remedial actions and engaged the services of specialized legal counsel and other incident response professionals."

Syniverse said that its "investigation revealed that the unauthorized access began in May 2016" and "that the individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer ('EDT') environment was compromised for approximately 235 of its customers."

Syniverse isn’t revealing more details

When contacted by Ars today, a Syniverse spokesperson provided a general statement that mostly repeats what's in the SEC filing. Syniverse declined to answer our specific questions about whether text messages were exposed and about the impact on the major US carriers.

"Given the confidential nature of our relationship with our customers and a pending law enforcement investigation, we do not anticipate further public statements regarding this matter," Syniverse said.

The SEC filing is a preliminary proxy statement related to a pending merger with a special-purpose acquisition company that will make Syniverse a publicly traded firm. (The document was filed by M3-Brigade Acquisition II Corp., the blank-check company.) As is standard with SEC filings, the document discusses risk factors for investors, in this case including the security-related risk factors demonstrated by the Syniverse database hack.

Syniverse routes messages for 300 operators

Syniverse says its intercarrier messaging service processes over 740 billion messages each year for over 300 mobile operators worldwide. Though Syniverse likely isn't a familiar name to most cell phone users, the company plays a key role in ensuring that text messages get to their destination.

Syniverse's importance in SMS was highlighted in November 2019 when a server failure caused over 168,000 messages to be delivered nearly nine months late. The messages were in a queue and left undelivered when a server failed on February 14, 2019, and finally reached their recipients in November when the server was reactivated.

We asked AT&T, Verizon, and T-Mobile today whether the hacker had access to people's text messages, and we will update this article if we get any new information.

Update: T-Mobile provided Ars a statement saying that it has "no indication" that text messages or other types of personal information were exposed. "We are aware of a security incident involving one of [our] third-party vendors, Syniverse. They provide reconciliation services for payments made between carriers. The breach impacted numerous carriers, including T-Mobile, however we have no indication that any personal information, call record details or text message content of T-Mobile customers were impacted. We will continue to investigate and work with Syniverse to close any vulnerabilities identified," T-Mobile said.

Syniverse says it fixed vulnerabilities

Syniverse said in the SEC filing and its statement to Ars that it reset or deactivated the credentials of all EDT customers, "even if their credentials were not impacted by the incident."

"Syniverse has notified all affected customers of this unauthorized access where contractually required, and Syniverse has concluded that no additional action, including any customer notification, is required at this time," the SEC filing said. Syniverse told us that it also "implemented substantial additional measures to provide increased protection to our systems and customers" in response to the incident but did not say what those measures are.

Syniverse is apparently confident that it has everything under control but told the SEC that it could still discover more problems resulting from the breach:

Syniverse did not observe any evidence of intent to disrupt its operations or those of its customers and there was no attempt to monetize the unauthorized activity... While Syniverse believes it has identified and adequately remediated the vulnerabilities that led to the incidents described above, there can be no guarantee that Syniverse will not uncover evidence of exfiltration or misuse of its data or IT systems from the May 2021 Incident, or that it will not experience a future cyber-attack leading to such consequences. Any such exfiltration could lead to the public disclosure or misappropriation of customer data, Syniverse's trade secrets or other intellectual property, personal information of its employees, sensitive information of its customers, suppliers and vendors, or material financial and other information related to its business.

Syniverse's SEC filing was submitted on September 27 and discussed yesterday in an article in Vice's Motherboard section. According to Vice, a "former Syniverse employee who worked on the EDT systems" said those systems contain information on all types of call records. Vice also quoted an employee of a phone company who said that a hacker could have gained access to the contents of SMS text messages.

Vice wrote:

Syniverse repeatedly declined to answer specific questions from Motherboard about the scale of the breach and what specific data was affected, but according to a person who works at a telephone carrier, whoever hacked Syniverse could have had access to metadata such as length and cost, caller and receiver's numbers, the location of the parties in the call, as well as the content of SMS text messages.

"Syniverse is a common exchange hub for carriers around the world passing billing info back and forth to each other," the source, who asked to remain anonymous as they were not authorized to talk to the press, told Motherboard. "So it inevitably carries sensitive info like call records, data usage records, text messages, etc. [...] The thing is—I don't know exactly what was being exchanged in that environment. One would have to imagine though it easily could be customer records and [personal identifying information] given that Syniverse exchanges call records and other billing details between carriers."