T-Mobile Hack 2021—What Hard Lessons Must We Learn?

T-Mobile Hack 2021—What Hard Lessons Must We Learn?
Photograph by Mika Baumeister on Unsplash

T-Mobile was hacked again and, as is usual for data breaches, big numbers are used by the media to convey the attack’s impact—47.8 million is the official figure of how many accounts were breached. The stolen data included SSNs, first and last names, date of birth, driver’s license numbers, ID information, telephone numbers, and IMEI and IMSI numbers—unique numbers tied to each device and subscriber.

But big numbers don’t tell the true story of the potentially catastrophic effects this could have on a human level. Indeed, big numbers can actually numb humans to these details.

Because T-Mobile didn’t follow basic security protocols (the broken cybersecurity paradigm is real) nearly 50 million people will now be subject to:

  • Identity theft resulting in bad debt and credit ratings
  • Potential location tracking
  • Potential eavesdropping of their phone conversations

Let us explain.

The underbelly of organized crime behind data breaches

Hollywood has painted the picture that the typical hacker is usually a socially deficient male sitting in his mother’s basement in the dark. (This is sometimes not too far from the truth.) But regardless of who the hacker is that is doing the breach itself, the underbelly of where that data goes from there is where the horror story begins.

More than 80% of data breaches are linked to organized crime.

Just like the rest of the world, organized crime and human traffickers have gone digital. Predators hunt for victims via social media and hacked webcams.

So, what does this have to do with T-Mobile’s recent hack? Everything.

What are IMEIs and IMSIs, and how can hackers/predators use them?

IMEI stands for “International Mobile Equipment Identity” number. It is a unique number assigned to every single GSM mobile phone that exists. (GSMs are basically all phones that don’t run on Verizon, US Cellular, or the old Sprint network.)

And IMSI stands for “International Mobile Subscriber Identity.” IMSIs are unique numbers specifically tied to a subscriber, i.e., a person.

A fair amount of misconceptions exist surrounding IMEIs. It is not possible to hack a phone using an IMEI, despite what the internet will tell you. It also isn’t possible to intercept a phone’s SMSes if all you have is an IMEI.

It is, however, possible to track the phone under certain circumstances. And, if you can connect that IMEI with a Social Security Number, name, telephone number, and a Facebook account (perhaps through another hack that exposed email addresses and social media accounts), you can get a pretty accurate idea of the person to whom that IMEI belongs—and organized criminals can categorize that data according to demographics such as:

  • Females, under 20.
  • Children, any gender.
  • Individuals by location (data sourced from another breach).

At a staggering 3,950 data breaches in the last 13 years, the potential existence of complete profiles of potential victims sitting in criminal databases is not so far-fetched.

Is the hair on your neck starting to stand on end?

There are only two ways you could track a phone through its IMEI:

  • If that phone has an app installed on it that allows parents to track the phone using an IMEI (such as child safety apps for parents to monitor their children and keep them safe from predators—the irony is bloodcurdling).
  • Through the telecom itself.

The telecom can locate the phone using cell phone towers, through its IMEI. For them to tell you where the phone is, you would have to convince them of who you are, such as by giving your first and last name, social security numbers, date of birth, etc.—all of it data obtained in the T-Mobile breach.

Another way to get telecoms to offer up location data is if law enforcement requests it—and finding a corrupt cop is a known strategy used in human trafficking.

But tracking via IMEIs is still convoluted and tricky. That’s not the case with IMSIs.

Tracking people with IMSIs

IMSIs are a little more chilling and less nebulous. Whereas several factors have to be in place to track a phone (which is basically the same as tracking a person these days) through an IMEI, IMSIs work “out of the box” for snooping on phone conversations.

IMSI catchers (popularly called StingRays) can be used to track phone locations and, when modified, also to snoop on text messages and phone calls.

The use of IMSI catchers in organized crime is a hard fact.

IMSI catchers work like this: They fool nearby cell phones that the IMSI catcher is a cell tower and then intercept all of that phone’s communication signals. By law, IMSI catchers should not usually be used to eavesdrop or obtain information that violates someone’s constitutional rights. But IMSI catchers are fully capable of doing this.

And anyone can buy an IMSI catcher for a few hundred bucks online.

Let’s put together an all-too-common organized crime scenario: Someone, part of an organized crime ring, is on the ground with an IMSI catcher which feeds intercepted cell phone signals (including their respective IMSIs) into a local database that tries to match those IMSIs to stolen IMSIs from a recent breach. That database contains stolen identities, first and last names, and whatever other data has been gleaned from social media profiles and other data breaches in the past.

Once a match is found—the intercepted IMSI matches the one in the database—the criminal now has a physical location for someone that was, moments before, just some stolen digits in a database. Now that data has been matched to an actual person with, say, the demographic profile of “Female, Single, Under 25, Lives Alone,” and she is in the area. By intercepting calls and messages from her phone through the IMSI catcher, nailing down where she is going, becomes a piece of cake.

The organized crime potentials of stolen data are simply staggering.

Where to from here?

The FTC can boast and swagger about its latest fine for corporate privacy violations. But if those fines don’t come with enforceable sanctions to bring about change in the industry, they will likely lead to no change. These fines sound large to us mere mortals, but they are a meager drop in the ocean of the enormous revenues of these big companies.

Meanwhile, the human toll of data breaches continues to go under-reported. The breach itself is just the first pebble that forms the waves of human misery which will inevitably follow—everything from bankruptcy to executive kidnapping.

Surely the megacorps managers like T-Mobile and Facebook have thought this through. Or maybe they haven’t. Because, so far, it has always been about the money and not about people.

We feel for T-Mobile’s security team. As security professionals ourselves, who have worked in some of the largest tech companies in Silicon Valley, we know all too well the internal bureaucracy these teams sometimes have to go through to implement effective security practices. In-house code and a mish-mash of band-aid solutions forced down their throats result in a cybersecurity team that spends much of its time pulling its hair out due to the red tape required to implement a simple and effective encryption solution. In our experience, security teams want to do the right thing. But a broken cybersecurity paradigm at an industry level, and internal company politics, often render many of their efforts useless.

Had T-Mobile used a simple end-to-end encryption tool like Peacemakr to encrypt its highly sensitive personal data before storing it, such a breach would have been neutered. Regardless of whether the hackers had stolen one or one billion records, they would have walked away with nothing but ciphertexts.

As tragic as this event is, we hope that some good comes of it—that the industry finally realizes that cybersecurity needs to be put into the hands of the community, open-sourced, and that an easy solution is finally implemented that will allow companies to encrypt all their data, both at rest and in transit, so that future data breaches result in a booty of nothing but powerfully encrypted text. That would shut off the pipeline to organized crime and return a much-needed sense of security to consumers.

Ready to protect your data?

Learn the most common data protection opportunities and how Peacemakr works with your infrastructure and products to stop data breaches.