Hacking Verizon Call Records: A Security Breach With National Security Implications

Security researcher Evan Connelly recently identified a security vulnerability in the Verizon Call Filter iOS app which made it possible for a malicious actor to leak call history logs of Verizon Wireless customers.

Call logs can be highly valuable, particularly for nation-states, as they enable intelligence agencies to map social networks, track high-value targets, figure out communication patterns, and correlate metadata with other surveillance data to uncover covert operations or political affiliations. This was evident in the recent coverage of the Salt Typhoon breach of telecom networks.

"Given that this data is of such value, you'd expect that both how it's accessed and who is given access would be closely guarded. However, as I found, this may not be the case," Connelly said.

He said that to display the recent history of received calls, the Verizon Call Filter app sends a network request to a server; the request contains details such as the phone number and the requested time period for call records. The server then responds with a list of calls and timestamps for each.

"So surely the server validated that the phone number being requested was tied to the signed-in user? Right? Right? Well... no. It was possible to modify the phone number being sent, and then receive data back for Verizon numbers not associated with the signed-in user. In short, anyone could look up data for anyone."

Connelly said while this is a privacy concern for everyone, for some, their safety could be at risk too.

"Consider scenarios involving survivors of domestic abuse, law enforcement officers, or public figures, individuals who rely on the confidentiality of their communication patterns. Having their incoming call logs exposed is not just invasive, it's dangerous."

While call metadata may seem harmless, in the wrong hands, Connelly says, it becomes a powerful surveillance tool. With unrestricted access to another user's call history, an attacker could reconstruct daily routines, identify frequent contacts, and infer personal relationships. Timestamps can be cross-referenced with social media or public sightings to map physical movements. Repeated numbers expose private or burner lines, compromising whistleblowers, journalists, or abuse survivors.

"This wasn't just a data leak. It was a real-time surveillance mechanism waiting to be abused," he explained.

The app retrieves call histories by sending a request to the endpoint https://clr-aqx.cequintvzwecid.com/clr/callLogRetrieval, including a JSON Web Token (JWT) in the Authorization header and the target phone number in the X-Ceq-MDN header.

The JWT's payload contains the sub field, representing the signed-in user's phone number. However, the server did not validate that the phone number in the X-Ceq-MDN header matched the sub field in the JWT payload.

This oversight allowed attackers to specify any Verizon phone number in the X-Ceq-MDN header and access that number's call history without proper authorization.

The vulnerability was linked to Cequint, a subsidiary of Transaction Network Services (TNS), which provides caller ID and call authentication services for major telecom carriers, including Verizon. Cequint's backend infrastructure was responsible for processing call log requests in the Verizon Call Filter app.

The security flaw arose because Cequint's API allowed unauthorized users to request call logs for arbitrary Verizon numbers, as it did not enforce a proper validation check between the JWT's sub field, which should represent the authenticated user, and the X-Ceq-MDN header, which specified the target phone number.

This misconfiguration meant that a threat actor with a valid JWT, likely from their own Verizon account, could supply any other Verizon number and retrieve its call history.

Since Cequint provides similar services to other carriers, the discovery of this flaw raises the question of whether similar vulnerabilities could exist in other telecom implementations, as well as how much data this obscure company, without a website of its own, has. And how well secured is it?

"I do want to credit Verizon for a quick response and fix. While I don't have the exact date they fixed this issue, I believe it was sooner than when I retested the issue and noted on my side that it looked to be resolved. They were also prompt to acknowledge my report," Connelly ended.

Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.

Information Security Buzz is an independent resource that provides the experts' comments, analysis, and opinion on the latest cybersecurity news and topics.
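
The missing server-side check described above, comparing the X-Ceq-MDN header against the sub claim of the verified JWT, can be sketched as follows. This is an added example, not Verizon's or Cequint's code; the HS256 signing key, handler names, US number normalisation and call-log data are constructed assumptions.

```python
import base64, hashlib, hmac, json, re

SECRET = b"constructed-demo-key"  # assumption: HS256 with a shared key
CALL_LOGS = {"5550100001": ["constructed call A"], "5550100002": ["constructed call B"]}

def b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))
def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(sub):  # constructed helper: issues a demo token for a signed-in subscriber
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps({"sub": sub}).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(sig)}"

def verified_sub(headers):
    """Return the 'sub' claim of a correctly signed Bearer token, else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    parts = token.split(".")
    if scheme != "Bearer" or len(parts) != 3:
        return None
    try:
        alg = json.loads(b64d(parts[0])).get("alg")
        want = hmac.new(SECRET, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if alg != "HS256" or not hmac.compare_digest(want, b64d(parts[2])):
            return None  # refuse "none"/unexpected algorithms and bad signatures
        return json.loads(b64d(parts[1])).get("sub")
    except (ValueError, AttributeError):
        return None

def digits(mdn):  # normalise US numbers (assumption): "+1 (555) 010-0001" -> "5550100001"
    m = re.fullmatch(r"1?(\d{10})", re.sub(r"[^0-9]", "", str(mdn)))
    return m.group(1) if m else ""

def handle_vulnerable(headers):
    """Behaviour described in the article: token checked, X-Ceq-MDN trusted as-is."""
    if verified_sub(headers) is None:
        return 401, []
    return 200, CALL_LOGS.get(digits(headers.get("X-Ceq-MDN", "")), [])

def handle_fixed(headers):
    """Same endpoint with the missing check: the header must match the token's sub."""
    sub = verified_sub(headers)
    if sub is None:
        return 401, []
    if not digits(sub) or digits(headers.get("X-Ceq-MDN", "")) != digits(sub):
        return 403, []  # requested number is not the caller's own
    return 200, CALL_LOGS.get(digits(sub), [])
```

Deriving the lookup key from the verified token rather than from the client-supplied header, as the last line of handle_fixed does, keeps the authorization decision and the data access tied to the same value.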