Google Tells Senator It Was Warned Vendor 'Siphoning' Passcodes
"Telecom regulators, in the U.S. and elsewhere, need to get their acts together and rein in the ability of surveillance firms to get access to telephone networks," U.S. Sen. Ron Wyden said.
February 01, 2022 at 12:36 PM
Google told a U.S. lawmaker that it received a warning last May that a European technology company was "siphoning" user passcodes to aid surveillance carried out by foreign governments.
Google told U.S. Senator Ron Wyden, a Democrat from Oregon, that the company had been tipped off that Mitto AG may have been "siphoning off two-factor text messages for surveillance companies and their foreign government clients," according to a Wyden aide.
It's not clear who made the allegation, which, if true, could have allowed foreign governments to access personal accounts. Google said it looked into the matter but "due to a lack of visibility into telecommunications networks," wasn't able to confirm it, according to the disclosure to Wyden's office, which hasn't been previously reported. Bloomberg News has reviewed a summary of Google's exchanges with Wyden's office about the disclosure.
Google received the warning about seven months before Bloomberg and London-based Bureau of Investigative Journalism reported in December that a co-founder of Mitto operated a service that helped governments secretly surveil and track mobile phones, according to former employees and clients. Google told Wyden's office last week about the warning it had received.
"Our client strongly denies that it has ever 'siphoned-off' clients' messages, or intercepted them," attorneys for Mitto said, in a Jan. 28 letter to Bloomberg, adding that there is "absolutely no credible basis on which such a claim could be made."
A company representative said previously, in response to the December story, that Zug, Switzerland-based Mitto had no involvement in any surveillance business and had launched an internal investigation "to determine if our technology and business has been compromised" and would take corrective action if necessary.
When asked by Bloomberg about the communications with Wyden's office, a spokesperson for Alphabet Inc.'s Google wouldn't specifically address the allegation about Mitto. Instead, the spokesperson said the company had investigated allegations concerning a company it works with in Europe and found "no evidence of wrongdoing or any connection between the allegations and our separate work with them."
While not commenting directly on the allegations concerning Mitto, Wyden said he was concerned about security vulnerabilities in phone networks, where there are "shady middlemen selling access to surveillance companies and anyone else with a credit card."
"It threatens the security and privacy of nearly anyone with a phone," Wyden said. "Telecom regulators, in the U.S. and elsewhere, need to get their acts together and rein in the ability of surveillance firms to get access to telephone networks."
Closely held Mitto has established itself as a provider of automated text messages for such things as sales promotions, appointment reminders and two-factor security codes needed to log in to online accounts.
Google and other online services offer two-factor security codes as a second layer of security. They are widely used to protect email messages, bank accounts, crypto wallets and other sensitive personal data, and they can be sent in the form of a text message that must be entered in addition to a password when logging into an account.
Tobias Engel, a researcher who specializes in mobile phone network security, said intercepting text messages containing two-factor codes was a method that has been used "for years" to breach people's personal accounts. "It is not a very sophisticated attack, but one that is comparatively difficult for mobile network operators to prevent," he said.
Google recommends physical security keys as an alternative to receiving two-factor codes by text message, according to a spokesperson.
Mitto's website and promotional documents say it works with leading telecommunications companies to deliver text messages in bulk to billions of phones around the world. The company has attracted major technology giants as customers, including Google, Twitter Inc., Meta Platforms Inc.'s WhatsApp, Microsoft Corp.'s LinkedIn and messaging app Telegram, in addition to China-based ByteDance Ltd.'s TikTok, Tencent Holdings Ltd. and Alibaba Group Holding Ltd., according to Mitto documents and former employees.
But Mitto's co-founder and chief operating officer, Ilja Gorelik, was also allegedly selling access to Mitto's networks to secretly locate people via their mobile phones, and in some cases obtain their call logs, Bloomberg reported in December. The alleged venture involved exploiting weaknesses in a telecom protocol known as SS7, or Signaling System 7, a sort of switchboard for the global telecommunications industry.
Gorelik also boasted that he had connections to a national spy agency in the Middle East and was helping that country's defense ministry, according to former employees at Mitto. In at least one instance, a phone number associated with a senior U.S. State Department official was allegedly targeted in 2019 for surveillance through the use of Mitto's systems, Bloomberg reported.
Following the revelations in December, Mitto representatives allegedly informed some clients that Gorelik was no longer involved at the company.
Google has continued to work with Mitto, according to two people familiar with the matter. Google told Wyden that it contacted Mitto in December to ask the company whether it had been "siphoning off" Google's two-factor messages, according to a Wyden aide. Mitto denied the allegation, Google told Wyden's office.
In their Jan. 28 letter to Bloomberg, Mitto's attorneys said, "Clearly if Google had any concerns (which they apparently did not) then they most certainly have the technological and legal wherewithal to establish if those are valid or not, and act accordingly." They added, "Our client is a trusted provider to Google and any suggestion to the contrary would be entirely at odds with the actual position."
Other Mitto customers, however, have allegedly cut ties. In recent weeks, messaging companies Kaleyra and MessageBird have both ceased commercial relationships with Mitto, according to the two people, and a third person familiar with the matter. MessageBird's chief executive officer, Robert Vis, terminated an agreement with Mitto, citing a violation of a clause on the processing of personal data, those people said.
Kaleyra declined to comment. Vis and MessageBird didn't respond to requests for comment.
While Mitto's corporate headquarters are in Switzerland, most of its roughly 250 employees have been based in Germany and, more recently, Serbia, according to former employees.
The company's presence in Switzerland has attracted the attention of authorities there. Switzerland's federal data protection and information commissioner has opened an investigation focusing on Mitto's operations. The commissioner's office said in a statement on Friday that it has "not yet terminated the evaluation" and declined further comment. Mitto has previously declined to comment on the Swiss probe.
The Google spokesperson, while not mentioning Mitto by name, said the company was monitoring an investigation in Switzerland and "will not hesitate to take immediate action if new facts come to light."
Ryan Gallagher reports for Bloomberg News.
© 2024 ALM Global, LLC, All Rights Reserved.