AT&T, Verizon blocking release of Salt Typhoon security assessment reports

reuters.com

・

243 points

・

redman25

・

8 hours ago

68 comments

Zigurd ・ 5 hours ago

Many years ago I wrote a functional spec for lawful intercept in a 3G data node. It was based on a spec for a different product, so it contained a lot of institutional knowledge of how lawful intercept works.

A key element of the design of lawful intercept is not to trust the company running the network. Otherwise employees of that company would become targets for organized crime influence, among what are probably a few other considerations. The network operator isn't told about intercepts, and the relatively low rate of traffic intercept, the node has to support up to 3% of traffic intercepted, at least that was the spec at the time, makes it relatively easy for that traffic to be hidden from network management tools. It's not supposed to show up in your logs or network management reporting.

Intercepts originate on LI consoles operated by law enforcement agencies. This sounds pretty good so far. Until a hacker breaks into an LI console. Now that hacker can acquire traffic with pinpoint accuracy, undetected by design.

I have always been skeptical of claims that network operators have eliminated salt typhoon from their networks. I do not believe they know when the exploit began. Nor can they tell if their networks are truly free of salt typhoon activity. There are multiple vendors of LI console software. It's a standardized interoperable protocol to set up intercepts. So there's no one neck to wring.

jtbayly ・ 38 minutes ago

What is an LI console? Where is it installed that it has access to accomplish this?

ungreased0675 ・ 7 hours ago

These companies were required by the government to have lawful intercept capability. A bad actor took advantage of that government-required backdoor, and now the government has the shamelessness to grandstand about privacy and security? We need to elect better people.

illithid0 ・ 5 hours ago

I've worked as a security consultant with one or two companies (who shall remain nameless) whose sole product was a hardware device with a black-box software stack meant to be a plug-and-play lawful intercept compliance solution. Telecoms should be able to buy it, install it, and access a web panel to do their government-mandated business.
In the three or four year I worked with them, they would only let me do penetration testing of their user network, and never the segments where the developers were, and never the product itself. In speaking with their security team (one guy - shocker) during compliance initiatives, it was very clear to me that the product itself was not to be touched per the explicit direction of senior leadership.
All I can say is that if the parts of their environment they did let us touch are any indication of the state of the rest of their assets, that device was compromised a long time ago.
- red-iron-pine ・ 22 minutes ago
  
  when I lived in NoVA I had a roommate that installed and serviced boxes that sound suspiciously similar.
  SSL crackers to MITM all ISP user traffic
SunshineTheCat ・ 6 hours ago

I agree with you on electing better people, but this is largely a systematic problem with how government works:
1. Propose bill to solve a problem which is either minor or completely misunderstood by the person proposing the bill 2. Pass bill, don't solve original "problem," creates 15 new, actual problems 3. Run on fixing all the new problems they created (and some others that don't exist) 4. Repeat
maltalex ・ 6 hours ago

The problem isn't the back door. Every telecom company in every country provides access for "lawful intercept". Phone taps have been a thing for decades and as far as I know, require a warrant.
The problem is that telecoms are very large, very complex environments, often with poor security controls. Investing in better controls is hard, time-consuming and expensive, and many telecoms are reluctant to do it. That's not great great since telcos are prime targets for nation state hackers as Salt Typhoon shows.
Hacking the lawful intercept systems is very brazen, but even if the hackers didn't don't go as far, and "only" gained control of normal telco stuff like call routing, numbering, billing, etc. it still would have been incredibly dangerous.
- forgotaccount3 ・ 6 hours ago
  
  > many telecoms are reluctant to do it.
  This really buries the lede. Telecoms are reluctant to do it because 'doing' it isn't aligned with their priorities.
  Why would a telecom risk bankruptcy by investing heavily into a system that their competitors aren't?
  If you want a back-door to exist (questionable) then the government either needs to have strong regulatory compliance where poor implementations receive a heavy fine such that telecoms who don't invest into a secure implementation get fined in excess of the investment cost or the government needs to fund the implementation itself.
  
  maltalex ・ 6 hours ago
  ・ 2 more
  
  Yes, telecoms should be forced to invest in their own security if they're not doing it. But the focus on the back door misses the point in my opinion. Even if the back door wasn't there, you wouldn't want nation state hackers anywhere near telecoms since they're critical infrastructure.
  
  AnthonyMouse ・ 3 hours ago
  
  > Even if the back door wasn't there, you wouldn't want nation state hackers anywhere near telecoms since they're critical infrastructure.
  This is only because of the design defect that "lawful intercept" requires.
  Telecoms should be completely untrusted because everything is end-to-end encrypted. Compromising a telecom shouldn't allow you to do anything other than bring about a denial of service, and even that would only be effective against anyone who didn't have a redundant link with a different provider, which all actually critical infrastructure should. And a denial of service is conspicuous, as opposed to spying on required-to-be-unencrypted traffic which can continue undetected indefinitely and is a significant national security risk.
  Our need to not be spied on is greater than our need to spy on ourselves and requiring designs that assume the opposite of that is a major self-imposed security vulnerability.
- ddtaylor ・ 6 hours ago
  
  The problem is the back door.
  Decentralized systems don't have the same faults.
  Just because you want to force a structure or paradigm doesn't absolve it of responsibility for the problem.
  Hand waving the problem away because a company is bad at management or scale doesn't change anything.
  
  KaiserPro ・ 5 hours ago
  ・ 3 more
  
  you are both confusing two issues.
  Yes there is a lawful intercept system that operates inside telecoms networks, that is an issue.
  The other issue is that there is no real security inside said telecoms networks. (side note, there is still fucking SS7 floating about)
  Salt typhoon is not "just hijacking lawful intercept" its ability to fuck with the network in a way that is largely undetected. Sure the intercept stuff might help, but they don't actually need that. In the same way we learnt about state actors taking complete control of middle east telecoms systems, we can be fairly sure that other state actors have taken control of USA telecoms systems
  Both the Executive and congress have done shit all about it, and will continue to ignore it until something happens
  
  maltalex ・ 3 hours ago
  
  > you are both confusing two issues.
  How am I confusing the two? My whole point was the same as yours - that the existence of lawful intercept is a separate issue and that the focus should be on securing telecoms.
  
  pigggg ・ 4 hours ago
  
  This. The lawful intercept infrastructure is one facet of their network. The rest of their infra is also a deep concern: call records, SS7 signaling, the IP network, mobile infra and it's back end (sim swapping).
  
  maltalex ・ 6 hours ago
  ・ 4 more
  
  Even if the back door wasn't there, you wouldn't want nation state hackers anywhere near telecoms since they're critical infrastructure. Telecoms should be highly secure. Period.
  
  ddtaylor ・ 5 hours ago
  ・ 3 more
  
  It's okay to have unlocked backdoors because you don't lock your front door?
  
  Clent ・ 5 hours ago
  
  No, it's pointless to complain about the existence of a backdoor, locked or unlocked because there is a front door that is not being locked.
  
  maltalex ・ 5 hours ago
  
  I get that you don't like lawful intercept. That's fine. But focusing on only that aspect of telcos derails the conversation and prevents us (in the very broad sense of "us") from making progress on things we all agree on. Can we stop bikeshedding and agree that telcos are critical infrastructure and need to be highly secure in general?
  A hacker in control of a telco can do as they please regardless of any backdoors or lawful intercept systems. They can just use regular network functions to route calls wherever they want.
gruez ・ 6 hours ago

>and now the government has the shamelessness to grandstand about privacy and security? We need to elect better people.
Where's "the government [... grandstanding] about privacy and security"? It's getting blocked by the companies, not the government.
>She said Mandiant refused to provide the requested network security assessments, apparently at the direction of AT&T and Verizon.
- observationist ・ 6 hours ago
  
  "US Senator says AT&T, Verizon blocking release of Salt Typhoon security assessment reports"
  A US senator is using it for political grandstanding. She is an ineffective twit with no power and no principles, no right under law to receive what she demanded, and she made sure to run to the press with it "see! look, I'm a principled, powerful senator holding those evil corporations feet to the fire!"
  The problem is that the vulnerability exploited by salt typhoon is a systemic flaw implemented at the demand of Cantwell and other of our legislative morons.
  You cannot have an "only the good guys" backdoor. That doesn't work. People are bad, and stupid, and fallible. You can't make policy or exceptions that depend on people being good, and smart, and infallible.
  She's using the inevitable consequence of a system she helped create for her own political benefit. She voted for the backdoor back in 94 against the strenuous and principled objections by people who actually know what they're talking about.
  Bobblehead talking points should not serve as the basis for technical policy and governance, but here we are.
  
  oasisbob ・ 4 hours ago
  ・ 2 more
  
  > The problem is that the vulnerability exploited by salt typhoon is a systemic flaw implemented at the demand of Cantwell and other of our legislative morons.
  Assuming you're talking about CALEA, I find it hard to blame Cantwell personally given that she first joined the House in 1993, and CALEA was passed in 1994. She wasn't in much of a position to "demand" anything against the headwinds of a bipartisan bill passed in both chambers by a voice vote.
  
  jtbayly ・ 34 minutes ago
  
  The point remains that she's pretending the problem is AT&T, when really it is the US government's demand for a backdoor.
  This should be trumpeted as an example of why we cannot mandate encryption backdoors in chat, unless we want everybody to have access to every encrypted message we send.
  
  Spivak ・ 6 hours ago
  ・ 3 more
  
  You can tell this whole thing will be a nothingburger on the government side because the only thing she can actually do is pull in some CEOs to (not) answer questions and receive a congressional tsk tsk.
  
  observationist ・ 5 hours ago
  
  It's not even a strongly worded letter, lol. Senators and congress people should have to wear shock collars, and on majority polling get hourly "feedback" from their constituency, and for senators, weekly national feedback.
  The convention of states project seems like it might be the only way out - there's a shot at implementing term limits, clearing up some of the money in politics issues, no risk of a runaway convention, etc, and we can bypass the people deliberately fouling up the system.
  
  plagiarist ・ 5 hours ago
  
  The country is such a dumpster fire. Fucking congressional hearings. The best case scenario is a little video clip that legislators can use to campaign with.
  Each election period they have to take a break from eroding citizens' rights catering to lobbyists. The video clips help them pretend they were doing something other than insider trading while in the seat.
  
  charcircuit ・ 4 hours ago
  ・ 10 more
  
  >You cannot have an "only the good guys" backdoor.
  So what? If I store a document in a private Google doc. I know that technically a Google employee could read it if they really wanted to, but the policies, security, and culture in place make it have a 0% of happening. It's possible to design proper access systems where random people are not able to come in and utilize that access.
  
  observationist ・ 4 hours ago
  ・ 2 more
  
  So you think there's no Google employees with privileged access gooning on private images, stalking, selling access, disrupting individuals, etc?
  Schmidt notoriously had a backdoor, and I'd be far more shocked if executives did not have backdoor access and know all the workarounds and conditions in which they have unaccountable, admin visibility into any data they might want to access.
  These are human beings, not diligent, intrepid champions of moral clarity with pristine principles.
  
  happyopossum ・ 4 hours ago
  
  Google employees with access? Yes. Google employees without audited and multiple levels of approval? No. I can tell you there are not.
  Any Eng at Google can read the entire codebase for gdrive, if there were backdoors it would become public knowledge very quickly.
  
  bigyabai ・ 4 hours ago
  
  > It's possible to design proper access systems where random people are not able to come in and utilize that access.
  How quickly "Hacker" News forgets Snowden.
  
  wang_li ・ 3 hours ago
  ・ 6 more
  
  >I know that technically a Google employee could read it if they really wanted to, but the policies, security, and culture in place make it have a 0% of happening.
  We know it's non-zero as they have already had occasions when it has happened that Google employees used their access to stalk teenagers.
  
  charcircuit ・ 3 hours ago
  ・ 5 more
  
  And such access kicked off an internal investigation and got him fired. Privacy is taken seriously.
  
  jtbayly ・ 27 minutes ago
  ・ 2 more
  
  This is such a backwards take. You are ignoring that the system you cite as evidence that secure systems with backdoors can be designed and protected from random access has not been perfectly protected.
  And you say it's stronger now.
  Ok, so which country or neighbor is going to be the one to hack our national encryption system with a back door the first time? The second time? The third time? Before we manage to get it right (which we never will), what damage will be done by the backdoor? Probably something like Salt Typhoon, which you also conveniently ignore as a counterfactual to your claim.
  
  charcircuit ・ 11 minutes ago
  
  It not being perfectly protected is by design. Security comes with trade offs.
  >Before we manage to get it right (which we never will)
  Keep in mind that modern encryption isn't perfect either. You can just guess the key and then decrypt a message. In practice if you make the walls high enough (requiring a ton of guesses) than it can be good enough to keep things secure.
  
  wang_li ・ 2 hours ago
  ・ 2 more
  
  >And such access kicked off an internal investigation and got him fired. Privacy is taken seriously.
  The complaints of the victim's parents kicked off an internal investigation, months later. It's not like google found this and took care of it on their own. Also, it has happened before too.
  
  charcircuit ・ 2 hours ago
  
  Google's internal privacy controls and monitoring are much stronger today than when that happened.
dmix ・ 7 hours ago

Is this speculation or has that information come out already?
- medina ・ 7 hours ago
  
  https://www.commerce.senate.gov/2025/12/experts-agree-u-s-co...
  > “The Chinese government's espionage operation deeply penetrated networks of at least nine U.S. telecom companies, including AT&T and Verizon,” said Sen. Cantwell. “They exploited the wiretapping system that our law enforcement agencies rely on under the Communications Assistance for Law Enforcement Act -- known as CALEA. These systems became an open door for Chinese intelligence. Salt Typhoon allowed the Chinese operation to track millions of Americans’ locations in real time, record phone calls at will and read our text messages.”
  
  xnx ・ 6 hours ago
  
  This quote speaks in past tense, but last I heard the Chinese still had access/control of compromised systems. Do we know if this attack is even over?
  
  dmix ・ 6 hours ago
  
  That definitely deserves a congressional investigation then. No wonder they don't want to talk about that.
downrightmike ・ 11 minutes ago

Not even that, they have CVE 10 from 2019 on their routers, which the hackers got root on then patched, so they wouldn't be kicked off by other hackers. All because IT upkeep wasn't done and hardening on Cisco devices is a distinct admin guide and not at all on by default. The days are long gone of qualified and careful network admins, now we just get the low-ball outsourced Cisco TAC and the like which DGAF

bastardoperator ・ 41 minutes ago

I worked at Verizon almost 10 years ago, they hired a group come to come in and assess. Within 3-4 hours they pwned the entire place (including offices outside of the office we were in) through an unsecured windows jenkins machine/script console.

briandw ・ 4 hours ago

This was enabled by the Communications Assistance for Law Enforcement Act (CALEA), enacted in 1994. Congress made their bed, now they need to lie in. Time to remove the govt mandated backdoors.

engelo_b ・ 5 hours ago

blocking these reports is a huge blow to systemic risk management.

if the specific vectors of the breach aren't disclosed, the rest of the critical infrastructure ecosystem is basically flying blind. it feels like we're trading collective security for corporate reputational damage control.

farco12 ・ 34 minutes ago

This interview discusses potential vectors: https://www.cybersecuritydive.com/news/tmobile-salt-typhoon-...

y-c-o-m-b ・ 4 hours ago

A decent example of why implementing authoritarian policies is a bad strategy for the US; particularly coming from the current administration. We're only strengthening Chinese supremacy at this point and tearing the US apart in the process of trying to claw some back. We don't have what it takes to pull this shit off as well as China does. This is a failure at many levels: the uncoordinated surveillance, the gross lack of security, lack of skills, lack of knowledge, etc. and it extends to many aspects of American governance. Between the US putting significant traumatic pressure on its own citizens and companies doing mass layoffs in an increasingly unaffordable economy, this will push even more brain drain overseas, which only accelerates China's strengthening stance more.

MisterTea ・ 3 hours ago

This very much feels like the old cold war dynamic between Russia and the USA with the roles reversed.

bastard_op ・ 5 hours ago

They don't want their backdoors they allowed and buffoonery in securing/managing them exposed. This is only the wireless providers, now what about all the residential ISP's like Comcast, Cox, Charter, etc? They're even more incompetent usually, I've worked for enough to know.

undefined ・ 6 hours ago

[deleted]

undefined ・ 7 hours ago

[deleted]

Zenul_Abidin ・ 3 hours ago

The hackers already have it.

There is no reason to hide it from the general public.

ok123456 ・ 7 hours ago

If they simply implicated an "APT" in wrongdoing, they would have released it, as it would have been unremarkable and fit neatly within the Overton window of hissing-chinese spys justifying an even more expansive national security apparatus and general anti-sino sentiments among the ruling class in Washington.

This leads me to two possible, non-exclusive outcomes: the links to China are tenuous, and the attribution is flimsy (e.g., they accessed a machine at 9 am Beijing time!); or the report implicates the system itself as unauditable by design, which was bound to happen given the design of the intercept tools.

walletdrainer ・ 6 hours ago

These reports would be useful for any other attacker interested in their infra, it’s obvious why the companies wouldn’t want to release them in this manner.
- ok123456 ・ 3 hours ago
  
  Yes, most organizations are shy to release reports that make them look incompetent or highlight systemic problems. That's why we have laws that now require disclosure of incidents that may have exposed customer data.
  
  JasonADrury ・ 2 hours ago
  
  >That's why we have laws that now require disclosure of incidents that may have exposed customer data.
  I don't think there's any jurisdiction that requires public disclosure at this level of detail. It's really an extraordinary ask. How many of these reports have you seen?
- thinkthatover ・ 5 hours ago
  
  If they can't provide it to us for national security purposes, certainly they could to the appropriate congressional subcommittee

natas ・ 5 hours ago

why does the government, any government, has a backdoor on anyone's phones to begin with?

pluralmonad ・ 5 hours ago

Terrorists, drugs, the children, future excuse for the panopticon.
- mikkupikku ・ 5 hours ago
  
  Wiretapping predates all of these sort of arguments. Wiretapping was invented at basically the same time that telephones themselves were and was underway for decades before the law even began to take note; the first major legal development in this regard was the Supreme Court saying cops could do it without a warrant in 1928 (they already had been the entire time.)
  
  pluralmonad ・ 4 hours ago
  
  While that is interesting from a historical perspective, does it inform on the myriad of excuses trotted out for these abuses today?

red-iron-pine ・ 36 minutes ago

translation: we got pwn3d, and badly

jbug187 ・ 5 hours ago

srsly doubt that these reports would ever be released publicly, but i'm curious if they might suggest that their recent high-profile extended outages are related to weaknesses that were easily exploited by bad actors.

learingsci ・ 5 hours ago

Glad no comments here are directed at China. We vilify our own government, our businesses, even ourselves for being too naive or gasp having trust in our networks. But the actual perpetrators, China, we have no harsh words for. It’s like if Ukrainian citizens blamed themselves rather than Putin. That’s how thoroughly brainwashed most people (here) are.

ourmandave ・ 4 hours ago

I have plenty of harsh words for China, but we know they and other countries are an ongoing threat so the criticism is why aren't we defending ourselves better?
bigyabai ・ 4 hours ago

I'll actually steelman against this; there's nothing to criticize them for. The US does the exact same thing and supports regimes around the world that perpetuate cyber-terror as a weapon of asymmetrical conflict. The US has to come to the table for negotiation or secure itself accordingly.
- Zigurd ・ 3 hours ago
  
  The sheer elegance of hacking a law enforcement intercept architecture that's designed to make intercept traffic hard to track would be so irresistibly satisfying to any hacker that I don't see how they could say "Nahhh, too far."

farceSpherule ・ 4 hours ago

[dead]

farceSpherule ・ 4 hours ago

[dead]

DeepYogurt ・ 3 hours ago

Infosec is such a scam