Google Fi customers have been notified that a data breach at one of its primary network providers exposed their personal data, which made SIM swapping attacks possible.
Google Fi, formerly Project Fi, is an MVNO (Mobile Virtual Network Operator) telecommunications service by Google that provides telephone calls, SMS, and mobile broadband using cellular networks and Wi-Fi. Google Fi uses networks operated by T-Mobile and U.S. Cellular.
Customers of Google Fi received notifications from Google this week that their phone numbers, SIM card serial numbers, account status (active or inactive), account activation date, and information about mobile service plans had been compromised.
Further, Google said that the compromised systems did not contain sensitive information such as full names, email addresses, payment card numbers, SSNs, tax IDs, government IDs, account passwords, or call and SMS contents.
“Our incident response team undertook an investigation and determined that unauthorized access occurred and have worked with our primary network provider to identify and implement measures to secure the data on that third party system and notify everyone potentially impacted,” according to the notice to customers.
“There was no access to Google’s systems or any systems overseen by Google.”
Although Google Fi uses a combination of T-Mobile and U.S. Cellular for network connectivity, the company has not identified which network provider was involved in the breach.
In response, T-Mobile recently disclosed another vulnerability that allowed a malicious actor to access the information of about 37 million customers through an API.
“This is another example of where subcontracting services to others can result in problems for the main organization. While this practice is fairly common when issues arise, the results can still be significant,” said Erich Kron, security awareness advocate at KnowBe4.
“Given the history of breaches related to T-Mobile, it would have been wise for Google to require additional and more stringent security measures than perhaps T-Mobile currently has in place.”
Hackers Targeting Customers With SIM-Swapping Attacks
Unfortunately, threat actors were able to carry out SIM swap attacks on some Google Fi customers as a result of the exposed technical SIM data. One customer even claimed that the hackers had gained access to their Authy MFA account.
Threat actors use SIM swapping attacks to get mobile carriers to port a customer’s phone number to a SIM card they control.
Using social engineering, the threat actor impersonates the victim and asks that the number be ported to a different device for some reason.
To persuade the mobile carrier that they are the customer, they also supply sensitive personal information of the kind exposed in phishing scams and data breaches.
Data from the Google Fi breach would have made such a request to a mobile customer support representative even more convincing, since it contains phone numbers, which are easily linked to a customer’s identity, and the serial numbers of SIM cards.
The threat actors would then have access to the victim’s text messages, including MFA codes, enabling them to access online accounts or take control of services protected by a person’s phone number.
Customers affected by SIM swap attacks received a separate notification from Google, which revealed that the attackers briefly managed to migrate their phone numbers to another SIM. However, there was no compromise of user voicemail.
“On January 1, 2023, for about 1 hour 48 minutes, your mobile phone service was transferred from your SIM card to another SIM card. During the time of this temporary transfer, the unauthorized access could have involved the use of your phone number to send and receive phone calls and text messages. Despite the SIM transfer, your voicemail could not have been accessed. We have restored Google Fi service to your SIM card.” – Google.
“The hacker used this to take over three of my online accounts — my primary email, a financial account, and the Authy authenticator app, all because they were able to receive my SMSes and therefore defeat SMS-based 2-fac,” according to a Google Fi customer.