The senators also provide evidence in their letter that US telecoms have worked with third-party cybersecurity firms to conduct audits of their systems related to the telecom protocol known as SS7 but have declined to make the results of these evaluations available to the Defense Department. “The DOD has asked the carriers for copies of the results of their third-party audits and were informed that they are considered attorney-client privileged information,” the department wrote in answer to questions from Wyden’s office.
The Pentagon contracts with major US carriers for much of its telecom infrastructure, which means that it inherits any potential corporate security weaknesses they may have but also the legacy vulnerabilities at the heart of their telephony networks.
AT&T and Verizon did not respond to multiple requests for comment from WIRED. T-Mobile was also reportedly breached in the Salt Typhoon campaign, but the company said in a blog post last week that it has seen no signs of compromise. T-Mobile has contracts with the Army, Air Force, Special Operations Command, and many other divisions of the DOD. And in June, it announced a 10-year, $2.67 billion contract with the Navy that “will give all Department of Defense agencies the ability to place orders for wireless services and equipment from T-Mobile for the next 10 years.”
In an interview with WIRED, T-Mobile chief security officer Jeff Simon said that the company recently detected attempted hacking activity coming from its routing infrastructure by way of an unnamed wireline partner that suffered a compromise. T-Mobile isn’t certain that the “bad actor” was Salt Typhoon, but whoever it was, Simon says the company quickly stymied the intrusion attempts.
“From our edge routing infrastructure you can’t get to all of our systems—they’re somewhat contained there and then you need to try to move between that environment and another one in order to gain more access,” Simon says. “That requires them to do things that are rather noisy and that’s where we were able to detect them. We’ve invested heavily in our monitoring capabilities. Not that they’re perfect, they never will be, but when someone’s noisy in our environment, we like to think that we’re going to catch them.”
In the midst of the Salt Typhoon chaos, T-Mobile’s assertion that it did not suffer a breach in this instance is noteworthy. Simon says that the company is still collaborating with law enforcement and the telecom industry more broadly as the situation unfolds. But it is no coincidence that T-Mobile has invested so extensively in cybersecurity. The company had suffered a decade of repeated, vast breaches, which exposed an immense amount of customer data. Simon says that since he joined the company in May 2023, it has undergone a significant security transformation. As one example, the company implemented mandatory two-factor authentication with physical security keys for all people who interact with T-Mobile systems, including all contractors in addition to employees. Such measures, he says, have drastically reduced the risk of threats like phishing. And other improvements in device population management and network detection have helped the company feel confident in its ability to defend itself.
“The day we did the transition, we cut off a number of people’s access, because they hadn’t gotten their YubiKeys yet. There was a line out the door of our headquarters,” Simon says. “Every life form that accesses T-Mobile systems has to get a YubiKey from us.”
Still, the fact remains that there are fundamental vulnerabilities in US telecom infrastructure. Even if T-Mobile successfully thwarted Salt Typhoon’s latest intrusion attempts, the espionage campaign is a dramatic illustration of long-standing insecurity across the industry.
“We urge you to consider whether DOD should decline to renew these contracts,” the senators wrote, “and instead renegotiate with the contracted wireless carriers, to require them to adopt meaningful cyber defenses against surveillance threats.”
Additional reporting by Dell Cameron.
