AT&T, Verizon blocking release of Salt Typhoon security assessment reports

reuters.com

305 points by redman25 a month ago · 88 comments

Zigurd a month ago

Many years ago I wrote a functional spec for lawful intercept in a 3G data node. It was based on a spec for a different product, so it contained a lot of institutional knowledge of how lawful intercept works.

A key element of the design of lawful intercept is not to trust the company running the network. Otherwise employees of that company would become targets for organized crime influence, among what are probably a few other considerations. The network operator isn't told about intercepts, and the relatively low rate of traffic intercept (the node has to support up to 3% of traffic intercepted, at least that was the spec at the time) makes it relatively easy for that traffic to be hidden from network management tools. It's not supposed to show up in your logs or network management reporting.

Intercepts originate on LI consoles operated by law enforcement agencies. This sounds pretty good so far. Until a hacker breaks into an LI console. Now that hacker can acquire traffic with pinpoint accuracy, undetected by design.

I have always been skeptical of claims that network operators have eliminated Salt Typhoon from their networks. I do not believe they know when the exploit began. Nor can they tell if their networks are truly free of Salt Typhoon activity. There are multiple vendors of LI console software. It's a standardized interoperable protocol to set up intercepts. So there's no one neck to wring.

  • SWv2 a month ago

    I worked in/with network ops at a big US telco. Some of the engineers have ideas on which nodes have these intercepts (and what they are) based on the call flows they monitor and the level of access they have to troubleshoot problems further. I can’t guess the details further since that wasn’t my domain, but that part of opsec wasn’t fully hidden.

  • jtbayly a month ago

    What is an LI console? Where is it installed that it has access to accomplish this?

  • nickdothutton a month ago

    RAVEN?

ungreased0675 a month ago

These companies were required by the government to have lawful intercept capability. A bad actor took advantage of that government-required backdoor, and now the government has the shamelessness to grandstand about privacy and security? We need to elect better people.

  • illithid0 a month ago

    I've worked as a security consultant with one or two companies (who shall remain nameless) whose sole product was a hardware device with a black-box software stack meant to be a plug-and-play lawful intercept compliance solution. Telecoms should be able to buy it, install it, and access a web panel to do their government-mandated business.

    In the three or four years I worked with them, they would only let me do penetration testing of their user network, and never the segments where the developers were, and never the product itself. In speaking with their security team (one guy - shocker) during compliance initiatives, it was very clear to me that the product itself was not to be touched per the explicit direction of senior leadership.

    All I can say is that if the parts of their environment they did let us touch are any indication of the state of the rest of their assets, that device was compromised a long time ago.

    • red-iron-pine a month ago

      When I lived in NoVA I had a roommate that installed and serviced boxes that sound suspiciously similar.

      SSL crackers to MITM all ISP user traffic

      • Ms-J a month ago

        Certainly these devices exist and are installed daily to further steal our info, but are you sure these devices weren't DPI boxes? If you could give a little more detail I might know since I've worked with this type of equipment.

    • unethical_ban a month ago

      Yuck.

  • SunshineTheCat a month ago

    I agree with you on electing better people, but this is largely a systematic problem with how government works:

    1. Propose bill to solve a problem which is either minor or completely misunderstood by the person proposing the bill
    2. Pass bill, don't solve original "problem," create 15 new, actual problems
    3. Run on fixing all the new problems they created (and some others that don't exist)
    4. Repeat

    • sidewndr46 a month ago

      You forgot about the part to appropriate money, spend it, & declare the problem solved

  • maltalex a month ago

    The problem isn't the back door. Every telecom company in every country provides access for "lawful intercept". Phone taps have been a thing for decades and as far as I know, require a warrant.

    The problem is that telecoms are very large, very complex environments, often with poor security controls. Investing in better controls is hard, time-consuming and expensive, and many telecoms are reluctant to do it. That's not great since telcos are prime targets for nation state hackers as Salt Typhoon shows.

    Hacking the lawful intercept systems is very brazen, but even if the hackers didn't go as far, and "only" gained control of normal telco stuff like call routing, numbering, billing, etc., it still would have been incredibly dangerous.

    • forgotaccount3 a month ago

      > many telecoms are reluctant to do it.

      This really buries the lede. Telecoms are reluctant to do it because 'doing' it isn't aligned with their priorities.

      Why would a telecom risk bankruptcy by investing heavily into a system that their competitors aren't?

      If you want a back-door to exist (questionable) then the government either needs to have strong regulatory compliance where poor implementations receive a heavy fine, such that telecoms who don't invest in a secure implementation get fined in excess of the investment cost, or the government needs to fund the implementation itself.

      • maltalex a month ago

        Yes, telecoms should be forced to invest in their own security if they're not doing it. But the focus on the back door misses the point in my opinion. Even if the back door wasn't there, you wouldn't want nation state hackers anywhere near telecoms since they're critical infrastructure.

        • AnthonyMouse a month ago

          > Even if the back door wasn't there, you wouldn't want nation state hackers anywhere near telecoms since they're critical infrastructure.

          This is only because of the design defect that "lawful intercept" requires.

          Telecoms should be completely untrusted because everything is end-to-end encrypted. Compromising a telecom shouldn't allow you to do anything other than bring about a denial of service, and even that would only be effective against anyone who didn't have a redundant link with a different provider, which all actually critical infrastructure should. And a denial of service is conspicuous, as opposed to spying on required-to-be-unencrypted traffic which can continue undetected indefinitely and is a significant national security risk.

          Our need to not be spied on is greater than our need to spy on ourselves, and requiring designs that assume the opposite of that is a major self-imposed security vulnerability.

          • Nextgrid a month ago

            Even if let's say lawful intercept is done away with and calls are end-to-end encrypted, the telco would still be in control of key management and distribution... and if those clowns can't secure lawful intercept, why do you think the key distribution infrastructure would fare any better?

            • AnthonyMouse a month ago

              Why should they be in charge of key management? They should be in charge of physical plant and leave all of that to someone else. We should be discontinuing the legacy PSTN and making "phone" an IETF protocol where your "phone number" is user@domain.

    • ddtaylor a month ago

      The problem is the back door.

      Decentralized systems don't have the same faults.

      Just because you want to force a structure or paradigm doesn't absolve it of responsibility for the problem.

      Hand waving the problem away because a company is bad at management or scale doesn't change anything.

      • KaiserPro a month ago

        You are both confusing two issues.

        Yes there is a lawful intercept system that operates inside telecoms networks, that is an issue.

        The other issue is that there is no real security inside said telecoms networks. (side note, there is still fucking SS7 floating about)

        Salt Typhoon is not "just hijacking lawful intercept", it's the ability to fuck with the network in a way that is largely undetected. Sure the intercept stuff might help, but they don't actually need that. In the same way we learnt about state actors taking complete control of Middle East telecoms systems, we can be fairly sure that other state actors have taken control of USA telecoms systems.

        Both the Executive and Congress have done shit all about it, and will continue to ignore it until something happens.

        • pigggg a month ago

          This. The lawful intercept infrastructure is one facet of their network. The rest of their infra is also a deep concern: call records, SS7 signaling, the IP network, mobile infra and its back end (SIM swapping).

        • maltalex a month ago

          > you are both confusing two issues.

          How am I confusing the two? My whole point was the same as yours - that the existence of lawful intercept is a separate issue and that the focus should be on securing telecoms.

      • maltalex a month ago

        Even if the back door wasn't there, you wouldn't want nation state hackers anywhere near telecoms since they're critical infrastructure. Telecoms should be highly secure. Period.

        • ddtaylor a month ago

          It's okay to have unlocked backdoors because you don't lock your front door?

          • maltalex a month ago

            I get that you don't like lawful intercept. That's fine. But focusing on only that aspect of telcos derails the conversation and prevents us (in the very broad sense of "us") from making progress on things we all agree on. Can we stop bikeshedding and agree that telcos are critical infrastructure and need to be highly secure in general?

            A hacker in control of a telco can do as they please regardless of any backdoors or lawful intercept systems. They can just use regular network functions to route calls wherever they want.

            • ddtaylor a month ago

              > Can we stop bikeshedding and agree that telcos are critical infrastructure and need to be highly secure in general?

              Yes, because the solutions to both are the same. Decentralized and trustless systems solve both problems, in my opinion. I agree the pathway from where we are now to there is complex, but it's not "bikeshedding" to believe there are fundamentally different and better ways to organize and secure a network that change the attack surface entirely.

              (Think of IP layer being replaced with a PKI as a small example)

          • Clent a month ago

            No, it's pointless to complain about the existence of a backdoor, locked or unlocked, because there is a front door that is not being locked.

  • gruez a month ago

    > and now the government has the shamelessness to grandstand about privacy and security? We need to elect better people.

    Where's "the government [... grandstanding] about privacy and security"? It's getting blocked by the companies, not the government.

    > She said Mandiant refused to provide the requested network security assessments, apparently at the direction of AT&T and Verizon.

    • observationist a month ago

      "US Senator says AT&T, Verizon blocking release of Salt Typhoon security assessment reports"

      A US senator is using it for political grandstanding. She is an ineffective twit with no power and no principles, no right under law to receive what she demanded, and she made sure to run to the press with it: "see! look, I'm a principled, powerful senator holding those evil corporations' feet to the fire!"

      The problem is that the vulnerability exploited by Salt Typhoon is a systemic flaw implemented at the demand of Cantwell and others of our legislative morons.

      You cannot have an "only the good guys" backdoor. That doesn't work. People are bad, and stupid, and fallible. You can't make policy or exceptions that depend on people being good, and smart, and infallible.

      She's using the inevitable consequence of a system she helped create for her own political benefit. She voted for the backdoor back in 94 against the strenuous and principled objections by people who actually know what they're talking about.

      Bobblehead talking points should not serve as the basis for technical policy and governance, but here we are.

      • oasisbob a month ago

        > The problem is that the vulnerability exploited by salt typhoon is a systemic flaw implemented at the demand of Cantwell and other of our legislative morons.

        Assuming you're talking about CALEA, I find it hard to blame Cantwell personally given that she first joined the House in 1993, and CALEA was passed in 1994. She wasn't in much of a position to "demand" anything against the headwinds of a bipartisan bill passed in both chambers by a voice vote.

        • jtbayly a month ago

          The point remains that she's pretending the problem is AT&T, when really it is the US government's demand for a backdoor.

          This should be trumpeted as an example of why we cannot mandate encryption backdoors in chat, unless we want everybody to have access to every encrypted message we send.

      • Spivak a month ago

        You can tell this whole thing will be a nothingburger on the government side because the only thing she can actually do is pull in some CEOs to (not) answer questions and receive a congressional tsk tsk.

        • observationist a month ago

          It's not even a strongly worded letter, lol. Senators and congress people should have to wear shock collars, and on majority polling get hourly "feedback" from their constituency, and for senators, weekly national feedback.

          The convention of states project seems like it might be the only way out - there's a shot at implementing term limits, clearing up some of the money in politics issues, no risk of a runaway convention, etc, and we can bypass the people deliberately fouling up the system.

        • plagiarist a month ago

          The country is such a dumpster fire. Fucking congressional hearings. The best case scenario is a little video clip that legislators can use to campaign with.

          Each election period they have to take a break from eroding citizens' rights catering to lobbyists. The video clips help them pretend they were doing something other than insider trading while in the seat.

      • charcircuit a month ago

        > You cannot have an "only the good guys" backdoor.

        So what? If I store a document in a private Google doc, I know that technically a Google employee could read it if they really wanted to, but the policies, security, and culture in place make it have a 0% chance of happening. It's possible to design proper access systems where random people are not able to come in and utilize that access.

        • observationist a month ago

          So you think there's no Google employees with privileged access gooning on private images, stalking, selling access, disrupting individuals, etc?

          Schmidt notoriously had a backdoor, and I'd be far more shocked if executives did not have backdoor access and know all the workarounds and conditions in which they have unaccountable, admin visibility into any data they might want to access.

          These are human beings, not diligent, intrepid champions of moral clarity with pristine principles.

          • happyopossum a month ago

            Google employees with access? Yes. Google employees without audited and multiple levels of approval? No. I can tell you there are not.

            Any Eng at Google can read the entire codebase for gdrive, if there were backdoors it would become public knowledge very quickly.

          • the-rc a month ago

            What's this notorious backdoor?

        • bigyabai a month ago

          > It's possible to design proper access systems where random people are not able to come in and utilize that access.

          How quickly "Hacker" News forgets Snowden.

        • wang_li a month ago

          > I know that technically a Google employee could read it if they really wanted to, but the policies, security, and culture in place make it have a 0% chance of happening.

          We know it's non-zero as they have already had occasions when it has happened that Google employees used their access to stalk teenagers.

          • charcircuit a month ago

            And such access kicked off an internal investigation and got him fired. Privacy is taken seriously.

            • wang_li a month ago

              > And such access kicked off an internal investigation and got him fired. Privacy is taken seriously.

              The complaints of the victim's parents kicked off an internal investigation, months later. It's not like Google found this and took care of it on their own. Also, it has happened before too.

              • charcircuit a month ago

                Google's internal privacy controls and monitoring are much stronger today than when that happened.

            • jtbayly a month ago

              This is such a backwards take. You are ignoring that the system you cite as evidence that secure systems with backdoors can be designed and protected from random access has not been perfectly protected.

              And you say it's stronger now.

              Ok, so which country or neighbor is going to be the one to hack our national encryption system with a back door the first time? The second time? The third time? Before we manage to get it right (which we never will), what damage will be done by the backdoor? Probably something like Salt Typhoon, which you also conveniently ignore as a counterfactual to your claim.

              • charcircuit a month ago

                It not being perfectly protected is by design. Security comes with trade-offs.

                > Before we manage to get it right (which we never will)

                Keep in mind that modern encryption isn't perfect either. You can just guess the key and then decrypt a message. In practice if you make the walls high enough (requiring a ton of guesses) then it can be good enough to keep things secure.

            • hulitu 25 days ago

              > Privacy is taken seriously.

              With bug fixes and performance improvements? Your privacy is very important for us, that's why we collect it all.

  • dmix a month ago

    Is this speculation or has that information come out already?

    • medina a month ago

      https://www.commerce.senate.gov/2025/12/experts-agree-u-s-co...

      > “The Chinese government's espionage operation deeply penetrated networks of at least nine U.S. telecom companies, including AT&T and Verizon,” said Sen. Cantwell. “They exploited the wiretapping system that our law enforcement agencies rely on under the Communications Assistance for Law Enforcement Act -- known as CALEA. These systems became an open door for Chinese intelligence. Salt Typhoon allowed the Chinese operation to track millions of Americans’ locations in real time, record phone calls at will and read our text messages.”

      • xnx a month ago

        This quote speaks in past tense, but last I heard the Chinese still had access/control of compromised systems. Do we know if this attack is even over?

      • dmix a month ago

        That definitely deserves a congressional investigation then. No wonder they don't want to talk about that.

  • ratelimitsteve a month ago

    Goomba fallacy. The government isn't one person with one position. I agree with you that the backdoor should never have been installed in the first place, but accusing them of hypocrisy because a group of lawmakers passed a law a while ago and a different group of lawmakers want a report on what went wrong and why is silliness. It seems as though the person spearheading this effort, Senator Cantwell, is in fact one of the better people that you propose we should elect, but here you are shitting on her for trying to shed light on the pitfalls of the very policy you seem to be against in the first place.

  • hulitu a month ago

    > We need to elect better people

    The better people do not put themselves to be elected.

  • downrightmike a month ago

    Not even that, they have CVE 10 from 2019 on their routers, which the hackers got root on then patched, so they wouldn't be kicked off by other hackers. All because IT upkeep wasn't done and hardening on Cisco devices is a distinct admin guide and not at all on by default. The days are long gone of qualified and careful network admins, now we just get the low-ball outsourced Cisco TAC and the like which DGAF.

briandw a month ago

This was enabled by the Communications Assistance for Law Enforcement Act (CALEA), enacted in 1994. Congress made their bed, now they need to lie in it. Time to remove the govt mandated backdoors.

bastardoperator a month ago

I worked at Verizon almost 10 years ago, they hired a group to come in and assess. Within 3-4 hours they pwned the entire place (including offices outside of the office we were in) through an unsecured Windows Jenkins machine/script console.

Ms-J a month ago

It's hilarious that the Chinese, plus a whole boat load of other countries, plus a bunch of individuals and groups, all have access to the communications spying system.

At this point the only person without access to it is you!

It blows my mind that some individuals have allowed politicians to put these systems in place to spy on everyone.

The only purpose for these spy devices is to collect blackmail and wait until the person either becomes either important or the government wants to do parallel construction on a court case.

There is absolutely no need for anyone to spy on another person's conversation. We have had encrypted messaging for many years and the world keeps turning.

  • hulitu 25 days ago

    > At this point the only person without access to it is you!

    This is how Microsoft, Google and Apple work.

bastard_op a month ago

They don't want their backdoors they allowed and buffoonery in securing/managing them exposed. This is only the wireless providers, now what about all the residential ISPs like Comcast, Cox, Charter, etc.? They're even more incompetent usually, I've worked for enough to know.

1vuio0pswjnm7 a month ago

No Datadome Javascript:

https://www.msn.com/en-us/technology/cybersecurity/senator-s...

Text-only:

http://assets.msn.com/content/view/v2/Detail/en-in/AA1VB52W/

(Yes, Microsoft is now using HTTP not HTTPS)

y-c-o-m-b a month ago

A decent example of why implementing authoritarian policies is a bad strategy for the US; particularly coming from the current administration. We're only strengthening Chinese supremacy at this point and tearing the US apart in the process of trying to claw some back. We don't have what it takes to pull this shit off as well as China does. This is a failure at many levels: the uncoordinated surveillance, the gross lack of security, lack of skills, lack of knowledge, etc. and it extends to many aspects of American governance. Between the US putting significant traumatic pressure on its own citizens and companies doing mass layoffs in an increasingly unaffordable economy, this will push even more brain drain overseas, which only accelerates China's strengthening stance more.

  • MisterTea a month ago

    This very much feels like the old cold war dynamic between Russia and the USA with the roles reversed.

ok123456 a month ago

If they simply implicated an "APT" in wrongdoing, they would have released it, as it would have been unremarkable and fit neatly within the Overton window of hissing Chinese spies justifying an even more expansive national security apparatus and general anti-Sino sentiments among the ruling class in Washington.

This leads me to two possible, non-exclusive outcomes: the links to China are tenuous, and the attribution is flimsy (e.g., they accessed a machine at 9 am Beijing time!); or the report implicates the system itself as unauditable by design, which was bound to happen given the design of the intercept tools.

  • walletdrainer a month ago

    These reports would be useful for any other attacker interested in their infra, it’s obvious why the companies wouldn’t want to release them in this manner.

    • thinkthatover a month ago

      If they can't provide it to us for national security purposes, certainly they could to the appropriate congressional subcommittee.

    • ok123456 a month ago

      Yes, most organizations are shy to release reports that make them look incompetent or highlight systemic problems. That's why we have laws that now require disclosure of incidents that may have exposed customer data.

      • JasonADrury a month ago

        > That's why we have laws that now require disclosure of incidents that may have exposed customer data.

        I don't think there's any jurisdiction that requires public disclosure at this level of detail. It's really an extraordinary ask. How many of these reports have you seen?

DANmode a month ago

> why Americans should have confidence in the security of their networks

Perhaps they should not.

Zenul_Abidin a month ago

The hackers already have it.

There is no reason to hide it from the general public.

natas a month ago

Why does the government, any government, have a backdoor on anyone's phones to begin with?

  • pluralmonad a month ago

    Terrorists, drugs, the children, future excuse for the panopticon.

    • mikkupikku a month ago

      Wiretapping predates all of these sort of arguments. Wiretapping was invented at basically the same time that telephones themselves were and was underway for decades before the law even began to take note; the first major legal development in this regard was the Supreme Court saying cops could do it without a warrant in 1928 (they already had been the entire time.)

      • pluralmonad a month ago

        While that is interesting from a historical perspective, does it inform on the myriad of excuses trotted out for these abuses today?

jbug187 a month ago

Srsly doubt that these reports would ever be released publicly, but I'm curious if they might suggest that their recent high-profile extended outages are related to weaknesses that were easily exploited by bad actors.

red-iron-pine a month ago

translation: we got pwn3d, and badly

DeepYogurt a month ago

Infosec is such a scam
