The Bureau of Investigative Journalism, in collaboration with Bloomberg News, reveals that the co-founder of a Swiss company that Google and Twitter trusted to send security codes via SMS to millions of users also managed a surveillance service used by governments to secretly locate cell phones.
The Bureau and Bloomberg News investigation is based on interviews with more than two dozen people, including former Mitto employees, surveillance industry insiders, cybersecurity professionals, as well as emails and documents describing surveillance services.
She reveals that the co-founder of the company, Ilja Gorelik, also offered another service, unbeknownst to Mitto: reselling access to its networks to secretly locate people via their mobile phones to surveillance companies who, in turn, have passed away. contracts with government agencies.
Established in 2013, Mitto AG has established itself as a provider of automated text messages for things like sales promotions, security codes and appointment reminders, building relationships with telecom operators in more than 100 countries.
Its deals have allowed it to send text messages to billions of phones, including in countries that are otherwise difficult for Western companies to penetrate, such as Iran and Afghanistan.
Its customers include many tech giants, such as Google, Twitter, WhatsApp, LinkedIn, Telegram, TikTok, Tencent and Alibaba, according to documents from Mitto and former employees. The company, which bills itself as the industry’s “ most reliable ” text messaging service provider, claims it offers these services “ without any threat or potential risk ”.
But Gorelik exploited the weaknesses of a telecommunications protocol known as SS7, or Signaling System 7, which contains many vulnerabilities known to have been exploited in the past to locate phones. Gorelik’s association with the surveillance industry was a well-kept secret within Mitto, according to former employees.
- SS7: after SMS interceptions, the security of the mobile networks in question
Responding to questions from the Bureau, Mitto issued a statement indicating that the company was not involved in any surveillance firm: “ We are shocked by the assertions against Ilja Gorelik and our company ”.
She launched an internal investigation “ to determine if our technology and our activities had been compromised “, and specifies that she “ would take corrective action if necessary ”.