AT&T, Verizon blocking release of Salt Typhoon security assessment reports
reuters.com109 points by redman25 3 hours ago
109 points by redman25 3 hours ago
These companies were required by the government to have lawful intercept capability. A bad actor took advantage of that government-required backdoor, and now the government has the shamelessness to grandstand about privacy and security? We need to elect better people.
I've worked as a security consultant with one or two companies (who shall remain nameless) whose sole product was a hardware device with a black-box software stack meant to be a plug-and-play lawful intercept compliance solution. Telecoms should be able to buy it, install it, and access a web panel to do their government-mandated business.
In the three or four year I worked with them, they would only let me do penetration testing of their user network, and never the segments where the developers were, and never the product itself. In speaking with their security team (one guy - shocker) during compliance initiatives, it was very clear to me that the product itself was not to be touched per the explicit direction of senior leadership.
All I can say is that if the parts of their environment they did let us touch are any indication of the state of the rest of their assets, that device was compromised a long time ago.
>and now the government has the shamelessness to grandstand about privacy and security? We need to elect better people.
Where's "the government [... grandstanding] about privacy and security"? It's getting blocked by the companies, not the government.
>She said Mandiant refused to provide the requested network security assessments, apparently at the direction of AT&T and Verizon.
"US Senator says AT&T, Verizon blocking release of Salt Typhoon security assessment reports"
A US senator is using it for political grandstanding. She is an ineffective twit with no power and no principles, no right under law to receive what she demanded, and she made sure to run to the press with it "see! look, I'm a principled, powerful senator holding those evil corporations feet to the fire!"
The problem is that the vulnerability exploited by salt typhoon is a systemic flaw implemented at the demand of Cantwell and other of our legislative morons.
You cannot have an "only the good guys" backdoor. That doesn't work. People are bad, and stupid, and fallible. You can't make policy or exceptions that depend on people being good, and smart, and infallible.
She's using the inevitable consequence of a system she helped create for her own political benefit. She voted for the backdoor back in 94 against the strenuous and principled objections by people who actually know what they're talking about.
Bobblehead talking points should not serve as the basis for technical policy and governance, but here we are.
You can tell this whole thing will be a nothingburger on the government side because the only thing she can actually do is pull in some CEOs to (not) answer questions and receive a congressional tsk tsk.
The country is such a dumpster fire. Fucking congressional hearings. The best case scenario is a little video clip that legislators can use to campaign with.
Each election period they have to take a break from eroding citizens' rights catering to lobbyists. The video clips help them pretend they were doing something other than insider trading while in the seat.
The problem isn't the back door. Every telecom company in every country provides access for "lawful intercept". Phone taps have been a thing for decades and as far as I know, require a warrant.
The problem is that telecoms are very large, very complex environments, often with poor security controls. Investing in better controls is hard, time-consuming and expensive, and many telecoms are reluctant to do it. That's not great great since telcos are prime targets for nation state hackers as Salt Typhoon shows.
Hacking the lawful intercept systems is very brazen, but even if the hackers didn't don't go as far, and "only" gained control of normal telco stuff like call routing, numbering, billing, etc. it still would have been incredibly dangerous.
The problem is the back door.
Decentralized systems don't have the same faults.
Just because you want to force a structure or paradigm doesn't absolve it of responsibility for the problem.
Hand waving the problem away because a company is bad at management or scale doesn't change anything.
Even if the back door wasn't there, you wouldn't want nation state hackers anywhere near telecoms since they're critical infrastructure. Telecoms should be highly secure. Period.
It's okay to have unlocked backdoors because you don't lock your front door?
> many telecoms are reluctant to do it.
This really buries the lede. Telecoms are reluctant to do it because 'doing' it isn't aligned with their priorities.
Why would a telecom risk bankruptcy by investing heavily into a system that their competitors aren't?
If you want a back-door to exist (questionable) then the government either needs to have strong regulatory compliance where poor implementations receive a heavy fine such that telecoms who don't invest into a secure implementation get fined in excess of the investment cost or the government needs to fund the implementation itself.
Yes, telecoms should be forced to invest in their own security if they're not doing it. But the focus on the back door misses the point in my opinion. Even if the back door wasn't there, you wouldn't want nation state hackers anywhere near telecoms since they're critical infrastructure.
I agree with you on electing better people, but this is largely a systematic problem with how government works:
1. Propose bill to solve a problem which is either minor or completely misunderstood by the person proposing the bill 2. Pass bill, don't solve original "problem," creates 15 new, actual problems 3. Run on fixing all the new problems they created (and some others that don't exist) 4. Repeat
Is this speculation or has that information come out already?
https://www.commerce.senate.gov/2025/12/experts-agree-u-s-co...
> “The Chinese government's espionage operation deeply penetrated networks of at least nine U.S. telecom companies, including AT&T and Verizon,” said Sen. Cantwell. “They exploited the wiretapping system that our law enforcement agencies rely on under the Communications Assistance for Law Enforcement Act -- known as CALEA. These systems became an open door for Chinese intelligence. Salt Typhoon allowed the Chinese operation to track millions of Americans’ locations in real time, record phone calls at will and read our text messages.”
That definitely deserves a congressional investigation then. No wonder they don't want to talk about that.
This quote speaks in past tense, but last I heard the Chinese still had access/control of compromised systems. Do we know if this attack is even over?
blocking these reports is a huge blow to systemic risk management.
if the specific vectors of the breach aren't disclosed, the rest of the critical infrastructure ecosystem is basically flying blind. it feels like we're trading collective security for corporate reputational damage control.
why does the government, any government, has a backdoor on anyone's phones to begin with?
srsly doubt that these reports would ever be released publicly, but i'm curious if they might suggest that their recent high-profile extended outages are related to weaknesses that were easily exploited by bad actors.
If they simply implicated an "APT" in wrongdoing, they would have released it, as it would have been unremarkable and fit neatly within the Overton window of hissing-chinese spys justifying an even more expansive national security apparatus and general anti-sino sentiments among the ruling class in Washington.
This leads me to two possible, non-exclusive outcomes: the links to China are tenuous, and the attribution is flimsy (e.g., they accessed a machine at 9 am Beijing time!); or the report implicates the system itself as unauditable by design, which was bound to happen given the design of the intercept tools.
These reports would be useful for any other attacker interested in their infra, it’s obvious why the companies wouldn’t want to release them in this manner.