Inside T-Mobile’s Massive Security Failure

Around the middle of August, a security research firm named Unit221B reached out to T-Mobile with some bad news—someone, or some entity, was attempting to sell reams of T-Mobile customer data on the dark web. A couple of days later, T-Mobile went public with the news that it had been massively hacked, and some 54 million customer records had been stolen.

Some customers had their names, Social Security numbers, and birth dates exposed. Others had their IMEI and IMSI numbers divulged; those identifiers tie a subscriber to a handset and a SIM, and are a starting point an attacker can use in SIM-swap and similar attacks to take over a victim's phone number. It is unclear how this information has been sold or has moved around the dark web since the hack.

Stories like these are commonplace these days. Even people who have no interest in cybercrime trends could probably list off a few recent, high-profile hacks: the Colonial Pipeline ransomware attack that disrupted the flow of fuel to the Eastern Seaboard; the colossal Equifax breach that exposed the records of well over 100 million people; or the Target hack that compromised 40 million credit and debit cards, to name a few.

In this week’s post, we take a deeper look at the T-Mobile hack—who was responsible, how he did it, and where T-Mobile and its customers go from here.

How a 21-Year-Old in Turkey Hacked T-Mobile

John Binns is a 21-year-old American who grew up in Northern Virginia and then moved to Turkey with his mother a few years ago. His motivation for the T-Mobile attack is murky. He claims it was partly to "generate noise," but he has also claimed he was kidnapped by U.S. government officials in Germany and placed in a mental hospital, so the hack may have been some form of retribution.

In messages sent on Telegram, Binns described the hack in detail to The Wall Street Journal, where he made clear that breaching the carrier’s system was straightforward and too easy (for a hacker, at least).

Binns used a simple, publicly available tool for scanning internet addresses for weak security, and pointed it at T-Mobile's known internet-facing address ranges. In July he found an unprotected router exposed to the internet. Within about a week he had used that foothold to get into a T-Mobile data center in Washington state, from which he was able to reach more than 100 servers. The lesson for defenders is the unglamorous one: an attacker needs only one forgotten device on a public address, so the same kind of scan has to be run continuously from the inside, against the organization's own prefixes, before someone else runs it.
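The check described above, as an added example (not T-Mobile's tooling and not from the original post): take the output of an external port scan of your own public prefixes and flag every host that answers on a management port from the internet, worst exposure first. The scan records, the organization's prefix (the 203.0.113.0/24 documentation range stands in for a real public block), the management-port table and the allowlist are all constructed assumptions for illustration.

```python
"""Flag management interfaces reachable from the internet in a port-scan result.

Added example, not code from the original article. The input records are a
constructed, flattened scan export (ip/port/proto triples, the shape you get
after flattening masscan or nmap output); the prefix list, port table and
allowlist are assumptions to be replaced with the real environment's values.
"""
import ipaddress
from collections import defaultdict

# Assumption: the organization's own public address blocks. 203.0.113.0/24 is
# a documentation range standing in for a real allocation; anything outside
# these prefixes is out of scope for this check.
ORG_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Assumption: ports that should never answer on network gear facing the
# internet, with a severity that reflects how bad the exposure usually is.
MANAGEMENT_PORTS = {
    23: ("telnet", "critical"),          # cleartext, frequently default creds
    161: ("snmp", "critical"),           # community strings, config disclosure
    830: ("netconf", "high"),
    8291: ("mikrotik-winbox", "high"),
    80: ("http-admin", "high"),
    443: ("https-admin", "high"),
    22: ("ssh", "medium"),
}
SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1}

# Constructed sample scan: one router with telnet, SNMP and SSH open, one host
# with an HTTPS admin page, one host on a port we do not track, and one
# private address that a scan of a public prefix should never contain.
SAMPLE_SCAN = [
    {"ip": "203.0.113.10", "port": 22, "proto": "tcp"},
    {"ip": "203.0.113.10", "port": 23, "proto": "tcp"},
    {"ip": "203.0.113.10", "port": 161, "proto": "udp"},
    {"ip": "203.0.113.25", "port": 443, "proto": "tcp"},
    {"ip": "203.0.113.40", "port": 8080, "proto": "tcp"},
    {"ip": "10.0.5.1", "port": 23, "proto": "tcp"},
]


def in_scope(ip: str) -> bool:
    """True when the address belongs to one of the organization's public prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ORG_PREFIXES)


def find_exposed(records, allowlist=frozenset()):
    """Map ip -> [(port, service, severity), ...] for in-scope hosts with
    management ports open, each host's list sorted worst-first.

    allowlist holds (ip, port) pairs that are sanctioned exposures, e.g. the
    SSH port of a bastion that is supposed to be reachable.
    """
    findings = defaultdict(list)
    for rec in records:
        ip, port = rec["ip"], int(rec["port"])
        if port not in MANAGEMENT_PORTS or not in_scope(ip):
            continue
        if (ip, port) in allowlist:
            continue
        service, severity = MANAGEMENT_PORTS[port]
        findings[ip].append((port, service, severity))
    for ip in findings:
        findings[ip].sort(key=lambda f: SEVERITY_RANK[f[2]], reverse=True)
    return dict(findings)


def worst_severity(host_findings):
    """Highest severity among one host's findings."""
    return max(host_findings, key=lambda f: SEVERITY_RANK[f[2]])[2]


def prioritize(findings):
    """Hosts ordered by worst finding, then by number of exposed services."""
    return sorted(
        findings,
        key=lambda ip: (SEVERITY_RANK[worst_severity(findings[ip])], len(findings[ip])),
        reverse=True,
    )


if __name__ == "__main__":
    found = find_exposed(SAMPLE_SCAN)
    for ip in prioritize(found):
        services = ", ".join(f"{svc}/{port} ({sev})" for port, svc, sev in found[ip])
        print(f"{ip}: {services}")
```

Run this against a fresh external scan on a schedule and diff the result against the previous run; a host that newly appears with telnet or SNMP open is exactly the "unprotected router" this story turns on. The allowlist keeps intentional exposures from drowning out new ones, and every entry in it should name an owner.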

Security researchers have since traced Mr. Binns's past activity and found that he has been involved with botnets before. A botnet is built by hijacking large numbers of computers and other devices into a single network under the attacker's control, which is then used, among other things, to flood a target's servers with traffic until they fail. Some readers may recall the 2014 Christmas Day attacks on Sony's PlayStation Network and Microsoft's Xbox Live service, which used botnets to cause outages. It is unclear whether Binns was directly involved in those attacks, but his online handles IRDev and v0rtex have been associated with botnets. According to Mr. Binns, he learned to find software flaws by developing cheats for video games, a path that led him to Satori, a botnet-building malware family. From there, with time and ill intent, orchestrating a major hack on his own was only a matter of time.

U.S. prosecutors have worked over the years to limit the threat of botnets, with some success, but network attacks have seen an uptick of late. Young gamers in Europe and the U.S. are learning hacking techniques, and the sharing culture with other gamers means information for malicious activity moves around with ease. A widely-understood reality in the digital world is that there’s a straight line between more hackers and the likelihood of more hacks.

For T-Mobile, the security weakness has reportedly been closed, but this marks the third security breach for the carrier in the last two years, which suggests the company's defenses have bigger problems than are being made public. The Federal Communications Commission has opened an investigation, which could lead to hundreds of millions of dollars in penalties. By way of comparison, the Equifax breach cost that company roughly $700 million in settlements.

For customers, the standard two years of identity-protection services has been offered, and everyone has been encouraged to change their account passwords and, in particular, their account PINs, since the account PIN is what a carrier checks before porting a number or swapping a SIM. But the larger issue remains: high-profile breaches of U.S. corporations are commonplace, and personal information is being passed around the dark web in droves. In spite of significant efforts to ramp up security and invest in new defenses, hackers are still finding a way in. It is a reminder that building digital security is a marathon, and hackers currently have a big lead.

This article is authored by

Quandary Peak Research

Based in Los Angeles, Quandary Peak Research provides software litigation consulting and expert witness services. We rapidly analyze large code bases, design documents, performance and usage statistics, and other data to answer technical questions about the structure and behavior of software systems.