Another day, another data breach from an organization that should really know better. Last week, telecommunications giant AT&T informed shareholders, via an SEC filing, of a data theft that took place back in April and affected nearly all of its wireless subscribers.
AT&T was storing huge amounts of call data on Snowflake, a third-party cloud data warehouse (not an Amazon product, although it runs on AWS and the other big clouds). The stolen data included the metadata of calls and texts from May 1 to October 31, 2022, and for January 2, 2023, for AT&T customers and for customers of resellers (MVNOs) running on AT&T's network.
The stolen records contained not just the phone numbers involved, along with call counts and total durations, but for a subset of the records also the cell site identification numbers, which give the approximate location of the caller.
There were no names in the records, but a phone number is trivially tied to its account holder with a reverse lookup or a quick web search.
As a long-time and proud partner of the NSA, you would hope that AT&T had learned a thing or two about security. Yet AT&T didn't bother to protect the Snowflake account with 2FA. All that stood between an attacker and the call and text metadata of millions upon millions of subscribers was a single password. Unreal. (The same pattern showed up across the victims of the wider Snowflake campaign: customer accounts relying on password-only logins. Snowflake now lets administrators require MFA enrolment through an authentication policy and restrict where logins may come from with a network policy; a password alone should never guard a warehouse of this size.)
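A quick way to find this failure mode in your own account is to audit the login history for successful password-only logins, especially from outside corporate networks. The script below is an added example, not AT&T's or Snowflake's code; the sample rows are constructed to mirror the column names of Snowflake's SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view (FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS, CLIENT_IP), and the trusted IP range is a hypothetical corporate egress network.

```python
"""Audit a Snowflake-style login history export for password-only access.

Added example (not AT&T's or Snowflake's code). Sample data is constructed
to look like an export of SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY; in a real
account you would export that view to CSV, or run the same logic in SQL.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample export (not real AT&T or Snowflake data).
SAMPLE_LOGIN_HISTORY = """\
EVENT_TIMESTAMP,USER_NAME,CLIENT_IP,REPORTED_CLIENT_TYPE,FIRST_AUTHENTICATION_FACTOR,SECOND_AUTHENTICATION_FACTOR,IS_SUCCESS
2024-04-14T02:11:09Z,ETL_SVC,203.0.113.7,PYTHON_DRIVER,PASSWORD,,YES
2024-04-14T02:15:41Z,ETL_SVC,203.0.113.7,PYTHON_DRIVER,PASSWORD,,YES
2024-04-14T09:03:12Z,ANALYST_JDOE,10.20.0.15,SNOWFLAKE_UI,PASSWORD,DUO_PUSH,YES
2024-04-14T09:05:55Z,ANALYST_JDOE,10.20.0.15,SNOWFLAKE_UI,PASSWORD,DUO_PUSH,YES
2024-04-15T23:48:03Z,ANALYST_JDOE,198.51.100.9,JDBC_DRIVER,PASSWORD,,YES
2024-04-15T23:49:30Z,ANALYST_JDOE,198.51.100.9,JDBC_DRIVER,PASSWORD,,NO
2024-04-16T11:20:00Z,CI_DEPLOY,10.20.0.40,JDBC_DRIVER,RSA_KEYPAIR,,YES
"""

# Hypothetical corporate egress range; anything else counts as external.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def audit(csv_text: str):
    """Return (never_mfa_users, external_password_only_logins).

    never_mfa_users: users whose successful logins never carried a second
      factor, i.e. MFA is not enrolled or not enforced for them.
    external_password_only_logins: successful password-only logins from
      outside the trusted ranges, the pattern behind the Snowflake thefts.
    """
    had_mfa = defaultdict(bool)
    used_password_only = defaultdict(bool)
    external = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["IS_SUCCESS"] != "YES":
            continue  # failed attempts are a separate (brute-force) signal
        user = row["USER_NAME"]
        first = row["FIRST_AUTHENTICATION_FACTOR"]
        second = row["SECOND_AUTHENTICATION_FACTOR"]
        if second:
            had_mfa[user] = True
            continue
        if first != "PASSWORD":
            continue  # key-pair or SSO logins are not "password only"
        used_password_only[user] = True
        if not is_trusted(row["CLIENT_IP"]):
            external.append((row["EVENT_TIMESTAMP"], user,
                             row["CLIENT_IP"], row["REPORTED_CLIENT_TYPE"]))
    never_mfa = sorted(u for u in used_password_only if not had_mfa[u])
    return never_mfa, external


if __name__ == "__main__":
    users, logins = audit(SAMPLE_LOGIN_HISTORY)
    print("users with no second factor on any login:", users)
    for ts, user, ip, client in logins:
        print(f"{ts} {user:14} {ip:15} {client}  <- password-only, external")
```

A user who sometimes logs in with a second factor and sometimes without (ANALYST_JDOE above) means MFA is being bypassed or is optional for that account, which is exactly the gap an attacker with a stolen password needs; service accounts such as ETL_SVC should be moved to key-pair or SSO authentication rather than left on passwords.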
Paying The Hackers
Wired magazine reported that AT&T paid the hackers roughly $370,000 in bitcoin to delete the data. The hacker was part of the ShinyHunters group, which was behind the wave of thefts from companies using Snowflake as cloud storage, including the Ticketmaster hack.
Through the negotiator's communications, Wired was able to confirm that AT&T paid and that the hackers deleted the data (or at least produced a video claiming to). One of the hackers responsible is believed to be John Erin Binns, an American hacker living in Turkey, who has since been arrested for a separate hack.
What’s the data for?
That's an interesting question, as there is no clear answer to why AT&T would keep months of call records for all of its customers in a cloud data warehouse, unless it was to hand them off to a government agency. Note that "anonymized" is generous: the records carry no names, but phone numbers are identifiers, so the data is pseudonymous at best.
This kind of call data is perfect for building association graphs, which are used to analyze who is calling whom. Numbers of interest can be identified and all of their connections, and their connections' connections, can be listed.
AT&T has taken part in programs like this before. The clearest example is the DEA's Hemisphere program, a warrantless surveillance program in which AT&T stored call detail records (CDRs) going back decades, adding roughly 4 billion new records a day, and made them easy for agents to search.
The DEA was interested in drug dealers using burner phones, phones that get thrown away after a few uses. It used call detail records to identify which phones were "dropped" and which number the target switched to, based on who the phones were calling.
If an old dropped phone and a new phone showed up calling the same set of numbers, one could assume they belonged to the same person.
The DEA would find phone numbers of interest through this system and then serve a subpoena or warrant on the carrier to get all records related to the target. Any reference to Hemisphere was then hidden by "parallel subpoenaing" (a form of parallel construction), so the defendant never learned how the evidence had really been assembled.
The data taken in this hack looks very much like what warrantless surveillance programs such as Hemisphere run on. Did this hack just reveal how those programs operate, almost 10 years later?
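The two techniques described above, the association graph and the "dropped phone" handoff match, are simple enough to show in code over the kind of metadata that was stolen. The following is an added example, not code from Hemisphere, the DEA or AT&T; the call detail records are constructed, use fictional 555 numbers, and carry only caller, callee and day (no names, no content), and the gap and overlap thresholds are illustrative choices.

```python
"""Association graph and 'dropped phone' handoff detection over CDRs.

Added example (not Hemisphere, DEA or AT&T code). The records below are
constructed; the fields mirror the kind of metadata stolen from AT&T:
who called whom and when, with no names and no content.
"""
from collections import defaultdict
from datetime import date

# Constructed call detail records: (day, caller, callee). Fictional numbers.
CDRS = [
    (date(2022, 5, 2), "2025550101", "2025550199"),
    (date(2022, 5, 3), "2025550101", "2025550188"),
    (date(2022, 5, 4), "2025550101", "2025550177"),
    (date(2022, 5, 6), "2025550101", "2025550199"),
    (date(2022, 5, 7), "2025550101", "2025550188"),   # last call from the old burner
    (date(2022, 5, 9), "2025550202", "2025550199"),   # new burner appears ...
    (date(2022, 5, 10), "2025550202", "2025550188"),  # ... calling the same contacts
    (date(2022, 5, 11), "2025550202", "2025550177"),
    (date(2022, 5, 18), "2025550202", "2025550199"),
    (date(2022, 5, 9), "2025550303", "2025550144"),   # unrelated number, one shared contact
    (date(2022, 5, 10), "2025550303", "2025550199"),
    (date(2022, 5, 17), "2025550303", "2025550144"),
    (date(2022, 5, 1), "2025550404", "2025550155"),   # long-lived, unrelated
    (date(2022, 5, 12), "2025550404", "2025550155"),
    (date(2022, 5, 19), "2025550404", "2025550155"),
]
DATASET_END = date(2022, 5, 20)  # last day covered by the constructed records


def build_graph(cdrs):
    """Undirected association graph: number -> set of numbers it talked to."""
    graph = defaultdict(set)
    for _, a, b in cdrs:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def contacts(graph, number, hops=1):
    """Numbers within `hops` of `number` (1 hop = direct contacts), sorted."""
    seen, frontier = {number}, {number}
    for _ in range(hops):
        frontier = {m for n in frontier for m in graph[n]} - seen
        seen |= frontier
    return sorted(seen - {number})


def activity_window(cdrs):
    """number -> (first_seen, last_seen) as a caller."""
    first, last = {}, {}
    for day, caller, _ in cdrs:
        first[caller] = min(first.get(caller, day), day)
        last[caller] = max(last.get(caller, day), day)
    return {n: (first[n], last[n]) for n in first}


def jaccard(a, b):
    """Overlap of two contact sets, 0.0 (disjoint) to 1.0 (identical)."""
    return len(a & b) / len(a | b) if a | b else 0.0


def find_handoffs(cdrs, dataset_end, gap_days=7, min_overlap=0.5):
    """Pair numbers that went silent with numbers that appeared afterwards
    and share most of their contacts. Returns [(old, new, overlap)]."""
    graph = build_graph(cdrs)
    window = activity_window(cdrs)
    dropped = [n for n, (_, last) in window.items()
               if (dataset_end - last).days >= gap_days]
    results = []
    for old in dropped:
        for new, (first, _) in window.items():
            if new == old or first <= window[old][1]:
                continue  # the new phone must appear only after the old one went quiet
            overlap = jaccard(graph[old] - {new}, graph[new] - {old})
            if overlap >= min_overlap:
                results.append((old, new, round(overlap, 2)))
    return sorted(results, key=lambda r: -r[2])


if __name__ == "__main__":
    g = build_graph(CDRS)
    print("direct contacts of 2025550199:", contacts(g, "2025550199"))
    print("two hops out:", contacts(g, "2025550199", hops=2))
    print("likely burner handoffs:", find_handoffs(CDRS, DATASET_END))
```

With the constructed records, 2025550101 goes quiet on May 7 and 2025550202 appears on May 9 calling exactly the same three numbers, so it is reported as the handoff, while 2025550303 shares only one contact and is not. Real programs work over billions of records and far noisier contact sets, but the logic is the same, which is why a few months of "just metadata" for a whole carrier is so revealing.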
The use of long term storage and a third party storage platform indicates that
That would explain why the DOJ let AT&T stay quiet on a leak this big for this long so they could
It’s Not Their First Rodeo
This isn't even AT&T's first data leak notice this year: a dataset leaked on dark web forums earlier this year covered roughly 73 million current and former customers and included social security numbers and account passcodes, names, emails, mailing addresses, and phone numbers. AT&T says it doesn't know whether the data "…originated from AT&T or one of its vendors". They have so much data they can't even keep track of it.
Phone Numbers Aren’t Private
Telecommunications providers like AT&T have a long history of collaborating with intelligence agencies. In the NSA's upstream collection program, exposed in 2006 by the fiber splitter in AT&T's Room 641A in San Francisco, the carrier adjusted its own network to make surveillance of telecommunications traffic easier (PRISM, by contrast, covered internet companies such as Google and Microsoft). Laws like CALEA (1994) require all telecoms to design their networks so that any telecommunication can be handed over to law enforcement. Every telecommunications provider has robust mechanisms for law enforcement to request data, and companies like AT&T also run warrantless, some would say unconstitutional, surveillance programs like Hemisphere. For more details on this, read our article on #TBOT.
Solutions
Ditch the phone networks and use internet-based communications. CALEA did not apply to information service providers (the FCC extended it to broadband and interconnected VoIP providers in 2005, but the law still does not oblige a carrier to decrypt encryption it did not supply), which is why internet traffic is treated differently and can legally be encrypted, whether end-to-end or by routing it through an onion-routing network or a VPN. Keep in mind that a VPN or onion network only hides traffic from your carrier; it is end-to-end encryption that keeps the content away from the service in the middle as well.
XMPP
XMPP is a messaging protocol now more than 20 years old (it started as Jabber in 1999) that can take care of all of your messaging needs. It's decentralized, so anyone can run and host their own XMPP server, and the software and protocol have supported millions upon millions of users: Google Talk and early versions of WhatsApp were built on top of XMPP.
Nowadays there are many free servers to choose from and apps that work on any device. When you sign up for XMPP you get an ID (a JID) that looks like an email address, and you use it to start conversations with others on the network. Most clients offer end-to-end encryption (OMEMO) and audio and video calls (Jingle).
Learn more about XMPP here: https://takebackourtech.org/xmpp-comeback
Jitsi
Jitsi is open-source video conferencing software, an alternative to Zoom. It's decentralized, meaning you can run it yourself, and it allows easy meetings that people can join without installing an app. Calls are end-to-end encrypted when every attendee joins from a supported web browser and turns E2EE on; otherwise the media is only encrypted hop-by-hop and the server you are using can see it.
Many free instances can be found here: https://wiki.chatons.org/doku.php/services/visio-conference/jitsi
Above Suite
Through years of experience we have come to love and depend on these services, so we decided to run them professionally for others as well. Our XMPP and Jitsi services do not keep logs and are a joy to use.
You can purchase access to these services along with an email, calendar and VPN here: https://abovephone.com/suite
Follow us:
https://www.tiktok.com/@takebackourtech
https://x.com/abovephone
t.me/takebackourtech
https://odysee.com/@takebackourtech:f
What exactly does this mean: "Our XMPP and Jitsi services do not log…"?
Does the Above suite use traditional root CAs? I'm concerned about the NSA or CIA having compromised them.