(Bloomberg) – Google told a U.S. lawmaker it received a warning last May that a European tech company was “siphoning” user passcodes to facilitate surveillance by foreign governments.
Google told U.S. Senator Ron Wyden, a Democrat from Oregon, that the company had been tipped off that Mitto AG may have “sinked two-factor text messages for surveillance companies and their foreign government clients,” according to a Google aide. Wyden.
It is unclear who made the allegation, which, if true, could have allowed foreign governments to access personal accounts. Google said it looked into the matter but “due to a lack of visibility into telecom networks” was unable to confirm, according to the disclosure to Wyden’s office, which has not been reported. previously. Bloomberg News reviewed a summary of Google’s communications with Wyden’s office about the disclosure.
Google received the warning about seven months before Bloomberg and based in London Bureau of Investigative Journalism reported in December that a co-founder of Mitto operated a service that helped governments secretly monitor and track cellphones, according to former employees and customers. Google notified Wyden’s office last week of the warning it had received.
“Our client strongly denies ever ‘siphoning’ client messages or intercepting them,” Mitto’s attorneys said in a Jan. 28 letter to Bloomberg, adding that there was “absolutely no credible basis on which such a claim could be made.”
A company representative previously said, in response to the December story, that Zug, Switzerland-based Mitto was not involved in any surveillance activities and had launched an internal investigation “to determine whether our technology and our business have been compromised” and would take corrective action. if necessary.
Asked by Bloomberg about communications with Wyden’s office, a Google spokesperson from Alphabet Inc. did not specifically address the allegation about Mitto. Instead, the spokesperson said the company investigated allegations about a company it works with in Europe and found “no evidence of wrongdoing or any connection between the allegations and our separate work.” with them”.
Without commenting directly on the allegations about Mitto, Wyden said he was concerned about security vulnerabilities in the phone networks, where there are “shady intermediaries selling access to surveillance companies and anyone else with a credit card”.
“It threatens the security and privacy of almost anyone with a phone,” Wyden said. “Telecommunications regulators, in the United States and elsewhere, need to get their act together and limit the ability of surveillance companies to access telephone networks.”
The private company Mitto has established itself as a provider of automated text messages for things like sales promotions, appointment reminders and the two-factor security codes needed to log into online accounts.
Google and other online services offer two-factor security codes as a second layer of security. They are widely used to protect email messages, bank accounts, crypto wallets and other sensitive personal data, and they can be sent as a text message that must be entered in addition to a password when login to an account.
Tobias Engel, a researcher specializing in mobile phone network security, said intercepting text messages containing two-factor codes was a method that had been used “for years” to breach people’s personal accounts. “This is not a very sophisticated attack, but relatively difficult for mobile network operators to prevent,” he said.
Google recommends physical security keys as an alternative to receiving two-factor codes via text, according to a spokesperson.
Mitto’s website and promotional materials say it works with major telecommunications companies to send bulk text messages to billions of phones around the world. The company has attracted major tech giants as customers, including Google, Twitter Inc., Meta Platforms Inc.’s WhatsApp, Microsoft Corp.’s LinkedIn. and messaging app Telegram, in addition to ByteDance Ltd.’s TikTok, Tencent Holdings Ltd. and Alibaba Group Holding Ltd., according to documents from Mitto and former employees.
But Mitto co-founder and COO Ilja Gorelik also reportedly sold access to Mitto’s networks to secretly locate people via their cellphones and, in some cases, obtain their call logs, Bloomberg reported in December. The alleged venture involved exploiting weaknesses in a telecommunications protocol known as SS7, or Signaling System 7, a sort of standard for the global telecommunications industry.
Gorelik also boasted of having ties to a national spy agency in the Middle East and helping that country’s Defense Ministry, according to former Mitto employees. In at least one instance, a phone number associated with a senior US State Department official was allegedly targeted in 2019 for surveillance through the use of Mitto’s systems, Bloomberg reported.
Following the December revelations, representatives of Mitto reportedly informed some customers that Gorelik was no longer involved in the business.
Google continued to work with Mitto, according to two people familiar with the matter. Google told Wyden that it reached out to Mitto in December to ask the company if it had “siphoned off” Google’s two-factor messages, according to an aide to Wyden. Mitto denied the allegation, Google told Wyden’s office.
In their Jan. 28 letter to Bloomberg, Mitto’s attorneys said, “Clearly if Google had any concerns (which they apparently did not), then they most certainly have the technological and legal means to establish whether these are valid or not, and act accordingly. They added: “Our client is a trusted Google vendor and any suggestion to the contrary would be completely at odds with the actual position.”
However, other customers of Mitto would have cut the bridges. In recent weeks, messaging companies Kaleyra and MessageBird have both ceased business relationships with Mitto, according to the two people, and a third person familiar with the matter. MessageBird chief executive Robert Vis terminated an agreement with Mitto, citing a breach of a clause on the processing of personal data, these people said.
Kaleyra declined to comment. Vis and MessageBird did not respond to requests for comment.
While Mitto is headquartered in Switzerland, most of its roughly 250 employees are based in Germany and, more recently, Serbia, according to former employees.
The presence of the company in Switzerland has drawn the attention of the authorities. Switzerland’s Federal Data Protection and Information Commissioner has opened an investigation into Mitto’s operations. The commissioner’s office said in a statement on Friday that it had “not yet completed the assessment” and declined further comment. Mitto previously declined to comment on the Swiss investigation.
Google’s spokesperson, while not mentioning Mitto by name, said the company was monitoring an investigation in Switzerland and “will not hesitate to take immediate action if new facts come to light.”