Ilja Gorelik, Mitto AG’s co-founder and chief operating officer, allegedly helped private surveillance companies and government agencies to track people via their mobile phones.
The leak published by the Bureau of Investigative Journalism and Bloomberg News accuses the Swiss company Mitto AG to have helped to locate mobile phones and obtain information in worldwide surveillance operations.
The paradox in the Mitto AG surveillance case is that actually the technology provided is supposed to help protect secret data - not enable surveillance.
Mitto AG offers text messaging services around the world so that online services were able to offer text message verifications upon logins. To log into an online account, for example, you not only use a password, but also a code that is sent via a text message.
Mitto AG has contracts with providers all over the world to send text messages in large quantities. Big tech companies such as Google, WhatsApp, Microsoft and Twitter were clients of Mitto AG. The latter has stopped cooperating with Mitto AG recently because of the ongoing investigation in the alleged Mitto AG surveillance.
Due to its business, Mitto AG works with telecom companies in over one hundred countries and has access to the mobile communications infrastructure in numerous countries around the world, also in countries such as Afghanistan and Iran.
But since the end of last year, Mitto AG has been under serious suspicion: Instead of increasing security for users, co-founder Gorelik is said to have used access to the mobile phone infrastructure to enable third parties to monitor mobile phone users.
Starting in 2017, he sold access to the company's network to private surveillance companies, which would have used it for spying operations on behalf of state agencies, according to Bloomberg.
Mitto’s partnerships with telecommunications providers allowed it to make use of some long-established vulnerabilities in the protocol (Signaling System 7, or SS7) that underpins much of international communication. Via SS7 people can be located and information like the call history read out from their phones.
In 2017, a report by the U.S. Department of Homeland Security noted how serious the security vulnerabilities in SS7 are: Third parties can determine the physical location of mobile devices or intercept or redirect text messages and conversations due to vulnerabilities in SS7.
These issues are long known, but due to the age of SS7 - it was established in the 1970s - it is complicated, if not impossible to fix the issues.
This is also one of the reasons why Tutanota does not support text messages for two-factor authentication. Instead, we highly recommend to use U2F (hardware token) as a best practice to increase login security.
In one specific case in 2019, Mitto's systems were allegedly used to locate the phone of a high-ranking U.S. State Department official, according to Bloomberg. It is not clear who was behind the operation. In addition, the report mentions the case of a person in Southeast Asia whose surveillance allegedly involved sending system commands to read text messages.
The entire range of surveillance companies and secret services that Mitto AG cooperated with is yet unclear. However, an explosive connection to Russia has also come to light.
The Swiss newspaper Tages-Anzeiger had published business connections to Russia. According to the report, Mitto is the wholly-owned parent of a suspected shell company in Moscow, which was founded in the very year in which the surveillance activities began: 2017.
According to the Tages-Anzeiger, Mitto AG is the whole owner of the Moscow company called Tigokom. The company's purpose is listed in the Russian commercial register for "activities in the field of wireless communications". Tigokom's headquarters is a single room in a centrally located, small office building in Moscow.
For intelligence expert Erich Schmidt-Eenboom, the revelation aroused suspicions: "This raises the suspicion that Russian services may have been supplied with information from Mitto," Schmidt-Eenboom tells the Tages-Anzeiger. "Now the Swiss authorities must take action to clarify this suspicion."
Mitto AG denies that it is engaged in the espionage and surveillance business. Mitto has not operated a department that gives surveillance companies access to the telecom infrastructure to monitor people, and will not do so, it says. An internal investigation has been launched to clarify the allegations.
According to Bloomberg Mitto AG said in a statement:
"We are shocked by the assertions against Ilja Gorelik and our company. To be clear, Mitto does not, has not, and will not organize and operate a separate business, division or entity that provides surveillance companies access to telecom infrastructure to secretly locate people via their mobile phones, or other illegal acts. Mitto also does not condone, support and enable the exploitation of telecom networks with whom the company partners with to deliver service to its global customers."
As it stands, the Mitto AG surveillance case shows how dangerous it is if companies have access to sensitive data.
It took only one man - admittedly this man was the co-founder of the company, but still just one man - to leak location data of citizens to private investigation companies. This form of surveillance could be taken from a best-selling spy novel, yet it allegedly happened in reality.
The very reason why this sensitive data leak was possible in the first place are security weaknesses - or vulnerabilities - in the SS7 protocol.
This clearly shows that we must protect data whenever possible, also and particularly from the companies that handle such data.
The Mitto AG case is another example why we must never backdoor encryption.
End-to-end encryption is the best tool we have to protect sensitive data. Not just from the authorities, but also from malicious actors that might try to gain access to our personal data.
Again, the Mitto AG is proof that a 'backdoor for the good guys only' - as the authorities regularly ask for - is simply not possible. As soon as there is a backdoor, a malicious actor will come along and abuse it.
End-to-end encryption must never be broken.