AT&T Employees Took Bribes to Unlock Smartphones

This wasn't a small operation:

A Pakistani man bribed AT&T call-center employees to install malware and unauthorized hardware as part of a scheme to fraudulently unlock cell phones, according to the US Department of Justice. Muhammad Fahd, 34, was extradited from Hong Kong to the US on Friday and is being detained pending trial.

An indictment alleges that "Fahd recruited and paid AT&T insiders to use their computer credentials and access to disable AT&T's proprietary locking software that prevented ineligible phones from being removed from AT&T's network," a DOJ announcement yesterday said. "The scheme resulted in millions of phones being removed from AT&T service and/or payment plans, costing the company millions of dollars. Fahd allegedly paid the insiders hundreds of thousands of dollars -- paying one co-conspirator $428,500 over the five-year scheme."

In all, AT&T insiders received more than $1 million in bribes from Fahd and his co-conspirators, who fraudulently unlocked more than 2 million cell phones, the government alleged. Three former AT&T customer service reps from a call center in Bothell, Washington, already pleaded guilty and agreed to pay the money back to AT&T.

Posted on August 8, 2019 at 6:22 AM • 20 Comments

Comments

Tatütata August 8, 2019 7:07 AM

I have some difficulty summoning sympathy for the behemoth.

The bribes seem rather cheap in view of the value of an unlocked phone.

Muhammad Fahd, 34, was extradited from Hong Kong to the US on Friday and is being detained pending trial.

Is that legally possible? I thought that Snowden was relatively safe while he was there.

BTW, the refugees with whom he was hiding in the slums are still being persecuted for assisting the fugitive. Before 2013, they already couldn't stay in HK, they couldn't leave, and they couldn't work. In essence, nonpersons.


Petre Peter August 8, 2019 7:29 AM

It seems like it's more important to know how much the admins can be bribed with than to have the latest firewall installed.

Paul August 8, 2019 7:49 AM

Yes, Hong Kong (my home) has an extradition agreement with the USA. Quite a lot of people have been extradited from HK to the US.

All extraditions have to be approved through the HK courts - Fahd was arrested about a year ago, and it's taken that long for due process.

And like many extradition treaties this one excludes political offences and requires that offences be recognised as such in the extraditing jurisdiction as well as the destination.

The situation with Snowden was that the HK legal system really, really didn't want to have to make a judgement on whether the offence for which the USA might have requested his extradition was "political" and hence they stalled and stalled and were very happy to assist Snowden to get on a plane to Russia.

Paul August 8, 2019 7:51 AM

Oh, and some, but not all, of the refugees who supported Snowden here have been granted asylum in Canada. Efforts continue to secure the same for the rest of them.

Clive Robinson August 8, 2019 9:56 AM

It's a funny old world,

    ... from a call center in Bothell, Washington,

I did some work for AT&T at Bothell Washington (state, King County if I remember correctly), it was the last time I ever went to the US... Oh and the flight home got delayed 24 hours because BA only flew one plane a day to Seattle, and something went wrong. So a new part had to be flown out on the next plane the following day... Weirdly BA decided to send all those passengers from the day before home on the new plane, whilst making those that were due to fly home on the "new plane" wait to fly back on the "old plane" when it had been fixed.

As for the scam with AT&T phones, there was something dodgy about AT&T's contracts / plans back then.

The way many plans worked was you pay a fee+ each month for a fixed period usually two years. At the end of which the phone was your property to do with as you saw fit... Not so AT&T at the time they insisted it was a "lease without buy option" and that at the end of the period you either had to continue paying the fee to receive service or enter a new contract with AT&T disabling the phone... In other words pure corporate greed to "lock-in" customers at inflated rates indefinitely. Then there was that CarrierIQ "turd-ware" spy on the customers every key stroke installed such that it could not be removed, disabled etc.

The building I was working in had some decidedly odd features. One of which was the toilet stall doors instead of being from a few inches off the floor to six foot or more to give modesty/privacy, started two feet off of the floor and ended four and a half foot up... Thus little or no modesty effect and certainly no privacy. The canteen was "not functional" and to get out of the building and back in again took on average longer than the half hour break. Further you were not allowed to bring in "personal items" such as bags, food, drinks etc etc. Somebody there told me that AT&T could not hang onto staff (No 5h1t Sherlock...)

Further many of the staff had a habit of putting an "r" in the name when talking about the "B.othell management" or just hyphenating the name to say they were "Bot-hell labour". Thankfully I was only there a few days, I was only scheduled for two, but issues with Sun Server kit and unavailable staff drew it out for a week, that I'm never going to be able to get back...

Denton Scratch August 8, 2019 10:33 AM

My heart bleeds for AT&T. The whole idea of "locking" a device that I own to a specific service provider stinks.

Don't AT&T have more pressing mobile security issues than this?

Max Entropy August 8, 2019 7:01 PM

I don't see any harm in this beyond what the legal system will perpetrate. Underpaid call center employees got needed bonuses, the syndicate presumably made money, and a million cell phone users got liberated from ATTyrany. I can't forgive ATT for willingly handing over call records to NSA for years. Hope they go bankrupt. Hacks like this can help.

Jon August 9, 2019 11:10 AM

These are the same workers for the same giant corporations that Atty. Genl. Wm. Barr thinks will be perfectly secure about keeping the 'law-enforcement backdoor' capability exclusively to (US*) law enforcement. Same same, no?

J.

* What makes them think the Saudi Arabian Religious Police won't want the same access? Or the Russian FSB? Or any number of lil' dictatorships' secret police...

Gone wind August 9, 2019 12:22 PM

Max Entropy, do you really think that they stopped sharing that data with the NSA?

bigmacbear August 9, 2019 3:46 PM

Clive,

FYI, the city of Bothell straddles the county line between King and Snohomish counties. Parts of the facility mentioned in the article lie on both sides of the line, within moderately easy walking distance via the North Creek Trail.

AL August 9, 2019 5:03 PM

@Denton
Maybe I'm missing something, but why would AT&T subsidize the purchase price of the phone without recompense? Is this a mystery before people agree to the deal? And don't they unlock it after the customer fulfills their part of the bargain and use the service for the agreed length of time?

So, I don't understand why this "stinks". If it stinks, then pursue the alternative, buy an unsubsidized phone. It is really the price of these phones that "stinks".

Clive Robinson August 9, 2019 6:13 PM

@ bigmacbear,

... within moderately easy walking distance via the North Creek Trail.

It's been a decade and a half, but yes I remember people talking about that trail being a future proposal for work.

It was getting close to Xmas and as I was staying in Redmond Town Center, I'd been shopping for my son who at that time was very much into the Brio wooden railway. Well there was a toy shop that was selling an equivalent for about a quarter the price it was in London, so I had bought rather a lot. The lady who packed my bag slipped in a couple of leaflets one of which was for a walk that afternoon organised by the Redmond town recreation / parks team. Having a need not to sit in a hotel room I thought what the heck "fresh air and exercise" with no danger of getting lost etc. The organised walk was part way up Bear Creek Sammamish River trail from Redmond Town Center that had a rail (Bedford line IIRC) trestle bridge crossing part of it. I guess it was organised for families with children but hey a slightly eccentric larger than average Brit was greeted warmly enough and the usual questions were asked and I mentioned I was doing work up at Bothell and I got chatting with one of the organisers hence the future plans got mentioned.

Admittedly it was back in happier times when 10 miles was just a "thoughtful walk" for me, these days even a couple of miles is a bit of a pain in the shoulders due to the crutches, as for the spine and down best not to ask especially when the numbness wears off, even a bear with a sore head would give me a wide berth ;-)

Someone I know who works in Microsoft told me that King county has become quite famous for its trails for biking, walking and even horse riding due in part to the increasing population of younger people, and that I should come over and even up the average :-S And that as every town needs a cantankerous old git telling young folk they don't know how good they've got it, I should fit right in...

Clive Robinson August 9, 2019 6:27 PM

@ AL, Denton Scratch,

It is really the price of these phones that "stinks".

Well the mark up AT&T make certainly stinks more than a rotting fish in the sunshine.

Let's just say the price that AT&T get charged when it buys phones is a fraction of the retail price, and even that the person on the street would be told was the lowest price possible.

This sort of mark up pricing is not unusual where consumers are concerned. The classic is airlines and first class pricing when compared to the price holiday operators get charged per seat, which is still a lot less than you will be able to buy as "economy". The reason is well known in the industry... and first class is priced that high to make the rip-off business class fares look good in comparison...

David August 10, 2019 4:01 AM

This just shows that people are inherently corrupt, so there's no such thing as a perfectly democratic eutopia. One way or other, you end up with a mob-rule or oligarchy (depending on your perspective) governance because democracy is prone to be hijacked as it rests on the foundation of "money". Everyone has a price.

65535 August 10, 2019 9:26 PM

@ Clive Robinson

"I did some work for ATnT at Bothell Washington (state, King County if I remember correctly), it was the last time I ever went to the US.."-Clive R

Did you smell a bad odor from Hemisphere Program? Any NSA program? Any other Three letter Agencies?

"AT&T has been data-mining and willingly sharing user phone data, through its “Hemisphere” Project, which is essentially a mass surveillance program."

[and]

"the Electronic Frontier Foundation (EFF) and Pierce Bainbridge Beck Price & Hecht LLP filed a class action lawsuit today on behalf of AT&T customers in California to stop the telecom giant and two data location aggregators from allowing numerous entities—including bounty hunters, car dealerships, landlords, and stalkers—to access wireless customers’ real-time locations without authorization."-EFF

ht tps://www.eff.org/press/releases/eff-sues-att-data-aggregators-giving-bounty-hunters-and-other-third-parties-access

[links broken - the complaint]

ht t ps://www.eff.org/document/scott-v-att-geolocation-complaint

[Hemisphere_documents]

ht tps://www.scribd.com/presentation/164396378/Seattle-Hemisphere-Info

[and]

'AT&T has been data-mining and willingly sharing user phone data, through its “Hemisphere” Project, which is essentially a mass surveillance program."

ht tps://hacknews.co/news/20161031/mass-surveillance-of-cell-phone-data-by-att-service-provider.html

[and NYT on Hemisphere_]

ht tps://www.nytimes[.]com/2013/09/02/us/drug-agents-use-vast-phone-trove-eclipsing-nsas.html

[and]

ht tps://www.schneier.com/blog/archives/2006/04/att_assisting_n.html

@ All

From my understanding Hemisphere was indeed run out of ATT and probably provided a lot of data on politicians, lawyers, accountants, film stars, possibly a few drone strikes and maybe a drug dealer or two. That is a large, putrid program to be involved.

I was going to give AT&T the benefit of doubt until I realized the revenue of ATT far overshadows the cell phone scam.

Revenue increase [to] US$170.756 billion (2018) [171,000,000,000 USD].

ht tps://wikipedia.org/wiki/AT&T

I will get out my air violin and play them a sad song /

I note that a member of the ring died before being extradited from Hong Kong. Does anybody have any idea if he died of natural causes or something else?

"The DOJ also charged Ghulam Jiwani, one of Fahd's alleged co-conspirators. Jiwani was arrested in Hong Kong, "but died prior to being transferred to United States custody," a court document said. The charges against him were dropped as a result of his death."-

ht tps://arstechnica.com/tech-policy/2019/08/att-employees-took-bribes-to-unlock-phones-and-plant-malware-doj-says/

[Excuse all the mistakes I had to kick this out Moderator feel free to delete dups]

Clive Robinson August 11, 2019 1:19 AM

@ 65535,

Did you smell a bad odor from Hemisphere Program? Any NSA program? Any other Three letter Agencies?

I was not allowed anywhere near the core. Which is why what should have been a simple job of at most half a day stretched out over a week.

It got as silly as me sitting in an empty cubicle telling the person in the next cubicle what to type, but not allowed to see what came up on the screen or even getting told...

A mistake was made and I don't know how but the "init" program got deleted...

The software that was being installed was designed to track the geographical movements of all the mobile phones at any given point in time and to build up mobile traffic flow information that could then be packaged up and marketed to various people in various ways. Officially this would be to the likes of municipal entities to do civic planning and real time traffic flow to limit or even prevent traffic congestion.

Officially the data was anonymized that is mobile phone data went into the system with all the device and user identifying information in plain text, which was then anonymized before being output into files and other output.

However as some here will know there is a considerable "art" in anonymizing such data. Which is why most people doing similar just use simple hashing and only add a salt or similar when there is not "durational data" that exceeds certain bounds.

However when you consider what simple hashing is even with a crypto grade hash it is in reality just a simple substitution cipher with only an encrypt map from plaintext to ciphertext. Which means if you know the input to the hash for a given user and device then you can encipher that and track that in the output datasets.

Stopping what is a known plaintext attack on anonymizing systems is actually a very very hard problem except for anything other than single fully independent data inputs. Which is why it is rarely if ever done.
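The point made in the comment above, that an unkeyed hash is a fixed public map from identifier to pseudonym, shown as an added example (not code from the post or from any commenter). The records, the key and the `keyed` and `rotating` comparison schemes are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample records (IMSI, cell, hour of day); not real identifiers.
RECORDS = [
    ("001010000000001", "cell-A", 8),
    ("001010000000002", "cell-A", 8),
    ("001010000000001", "cell-B", 9),
    ("001010000000003", "cell-C", 9),
    ("001010000000001", "cell-D", 17),
]
SECRET = b"constructed-demo-key"  # assumption: held only by the data owner


def plain_hash(imsi, hour=None):
    """Weak scheme: unkeyed SHA-256, a fixed public map from ID to pseudonym."""
    return hashlib.sha256(imsi.encode()).hexdigest()


def keyed(imsi, hour=None, key=SECRET):
    """HMAC-SHA-256: same stable map, but only the key holder can compute it."""
    return hmac.new(key, imsi.encode(), hashlib.sha256).hexdigest()


def rotating(imsi, hour, key=SECRET, window=12):
    """Per-window key: pseudonyms stop matching once the window changes."""
    period = str(hour // window).encode()
    period_key = hmac.new(key, b"period:" + period, hashlib.sha256).digest()
    return hmac.new(period_key, imsi.encode(), hashlib.sha256).hexdigest()


def publish(records, scheme):
    """Build the released data set with the identifier replaced."""
    return [(scheme(imsi, hour), cell, hour) for imsi, cell, hour in records]


def rows_for_known_id(published, known_imsi):
    """What a recipient who knows one IMSI, but no key, can attribute to it."""
    target = plain_hash(known_imsi)
    return [(cell, hour) for pseud, cell, hour in published if pseud == target]


def longest_trail(published):
    """Largest number of rows sharing one pseudonym (linkability over time)."""
    counts = {}
    for pseud, _, _ in published:
        counts[pseud] = counts.get(pseud, 0) + 1
    return max(counts.values())


if __name__ == "__main__":
    for name, scheme in [("plain", plain_hash), ("keyed", keyed), ("rotating", rotating)]:
        data = publish(RECORDS, scheme)
        print(name, rows_for_known_id(data, "001010000000001"), longest_trail(data))
```

The keyed scheme removes the recompute-and-match step but still leaves one pseudonym per device across the whole data set; only the rotating key shortens the trail, at the cost of losing long-duration flow data.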

65535 August 11, 2019 2:25 PM

@ Clive Robinson

"I was not allowed anywhere near the core. Which is why what should have been a simple job of at most half a day stretched out over a week."-Clive R.

That sounds highly compartmentalized.

"A mistake was made and I don't know how but the "init" program got deleted..." Clive R.

Hence, you could not boot-strap the kernel? That is not good.

"The software that was being installed was designed to track the geographical movements of all the mobile phones at any given point in time and to build up mobile traffic flow information that could then be packaged up and marketed to various people in various ways. Officially this would be to the likes of municipal entities to do civic planning and real time traffic flow..."-Clive R.

I guess this project was possibly ethical... or just another cover story for something more nefarious?

"However as some here will know there is a considerable "art" in anonymizing such data." -Clive R.

Yes, that is now clear.

"...most people doing similar just use simple hashing and only add a salt or similar when there is not "durational data" that exceeds certain bounds."- Clive R.

I hear you. I have never worked with anything but a hash or salted hash.

"Which means if you know the input to the hash for a given user and device then you can encipher that and track that in the output datasets."- Clive R.

I see. If you know enough parameters of a Data Set you can Identify Certain individual data points... Such, as deducing International mobile equipment Identity numbers [IMEI] and International Mobile Subscriber Identity numbers [IMSI] and other radio interface ID numbers - or hashes as they move around the city... and park at banks, doctor's offices, lawyer's office and so on.

"Stopping ...a known plaintext attack on anonymizing systems is actually a very very hard problem except for anything other than single fully independent data inputs. Which is why it is rarely if ever done."- Clive R.

That is a very good point.

I gather what you are saying is a dual purpose data sets, first bear data combined to make so called "anonymized data" is actually very easy to crack - or abuse.

I will take the subject to another level- not to get into politics. Do you think the huge AT&T 's monopoly position [and somewhat regulated position] justifies protection from the government?

If AT&T were not protected from their monopoly "semi-regulated" position and broken-up would that be of help to average Jane/Joe?

The problem we have as in the past AT&T was broken up yet re-grouped into basically the big 3 or big 4 entities in the nation. Will this breakup and reformation process replay itself over and over?

Certainly, the fact the AT&T was interwoven with the military under "National Security" concerns leading AT&T to transfer extremely sensitive personal information in real time with some results for uniform wearing Russia - yet failed with individual terrorists - should AT&T be barred from dealing with the military?

Many people point to the fact the huge monopoly corporations - yet regulated - are essentially feeding off the US Treasury via the military. Could removing that incentive to jump in bed with the military remedy some or all the personal data leakage?

Would it help the poor privacy situation we have? Would it be a net positive?

Anthony August 12, 2019 4:04 AM

@65535 wrote, "I was going to give AT&T the benefit of doubt until I realized the revenue of ATT far overshadows the cell phone scam."

If you don't know this already, ATT had been rebranded as a media corporation with ownerships of entities such as Turner broadcasting. This is particularly disturbing because not only do they watch what we say they can proactively alter what we think thru media bombardments.
