While the fallout around Israel’s NSO Group and its Pegasus smartphone spyware continues, the co-founder and COO of a Swiss telecom service is at the center of a new phone surveillance controversy.
Mitto AG’s co-founder and COO Ilja Gorelik has been accused by former employees and clients of running a secret surveillance service on the side, according to a report by the Bureau of Investigative Journalism and Bloomberg News written by Crofton Black and Ryan Gallagher.
Mitto AG bills itself as a leading provider of global, omnichannel communications solutions. Mitto AG’s platform is used by companies to send text messages for sales promotions, appointment reminders and security codes.
The company’s client list includes some of the biggest names in tech. Mitto clients reportedly include TikTok, Twitter, Google, WhatsApp, LinkedIn and Telegram. The report names Mitto’s partner operator networks, including Vodafone, Telefónica, MTN and Deutsche Telekom.
The report claims Gorelik sold off-the-books access to Mitto’s networks. The investigators interviewed more than two dozen people for the report, including former Mitto employees.
Gorelik’s clients, said the report, were surveillance companies contracted by government agencies. Those clients used the service to secretly surveil and track mobile phone users, according to former employees and clients. The report alleges that Gorelik installed custom software at Mitto that could be used to target individuals.
SS7 exploited
The report says that Gorelik exploited weaknesses in the Signalling System 7 (SS7) telecom protocol. SS7 is the signaling protocol for 3G networks and is still in use on many networks. SS7 exploits are nothing new: they have been reported on for years, and carriers that still support the protocol mitigate the attack risk with security methods that have to be regularly updated. The report alleges that Mitto’s deals with operators provided it with SS7 access, which Gorelik then exploited.
“The existence of the alternate service was only known to a small number of people within the company, these former employees said. Gorelik sold the service to surveillance companies which in turn contracted with government agencies, according to the employees,” said the report.
In the wake of the revelations, Mitto AG denied knowledge of a separate business. In a statement, Mitto AG said it is conducting an internal review. Mitto added that it will “take corrective action” if necessary.
Gorelik was not available for comment. A Mitto representative declined to comment for the report on Gorelik’s current status within the company.