The US has indicted a 34-year-old citizen of Pakistan, accusing him of being the leader of a conspiracy to illegally unlock more than 2 million AT&T cell phones for profit – a conspiracy that led to the phones slipping loose from their phone service and/or payment plans and which has cost the company millions in revenue.
The Department of Justice (DOJ) announced on Monday that Hong Kong police arrested Muhammad Fahd on 4 February 2018 and, at the request of the US, extradited him on 2 August 2019 (last Friday). He appeared in federal court in Western Washington on Monday to face 14 counts, which are outlined in this indictment.
A web of insiders
According to the indictment, Fahd allegedly paid more than $1 million in bribes to AT&T workers to plant malware and misuse the company’s computer networks to illegally unlock cellphones. To do that, the insiders disabled proprietary software that locked AT&T phones and prevented them from being used on other carriers’ systems. Unlocked phones are a hot commodity: they can be resold and used on any compatible network around the world.
When people slip out of the proprietary locking software, they’re also slipping out of the long-term service contracts that bind them to AT&T’s wireless network. That’s a lot of lost profit for AT&T, as in, millions of dollars. As the indictment describes, the company makes expensive phones more affordable – top-end iPhone models, for example, sell for over $500 – by subsidizing the purchase price or allowing customers to buy them on interest-free installment plans. Either way, customers agree to enter into one of those long-term service plans.
Fahd allegedly recruited and paid AT&T insiders to use their computer credentials and access to disable the locking software that kept customers tied to the network and/or the payment plans. He allegedly paid them hundreds of thousands of dollars, with one co-conspirator making $428,500 over the five years Fahd allegedly ran this scheme.
The scheme also involved planting malware that could be used to issue bogus unlock requests.
Between 2012 and 2017, Fahd allegedly recruited AT&T employees at the company’s call center in Bothell, Washington. Some of the early recruits were paid to point out other employees who could be bribed and who would be good candidates for participating in the scheme. The DOJ says that so far, three of those co-conspirators have pleaded guilty, admitting they were paid thousands of dollars for helping out with Fahd’s alleged scheme.
Fahd allegedly started out by sending the bribed employees batches of international mobile equipment identity (IMEI) numbers for cell phones, none of which were eligible to be removed from AT&T’s network. The insiders would then unlock the phones. Some of the employees got fired, so the next step was for the remaining co-conspirators to work with Fahd to allegedly develop and then install tools that would enable Fahd to remotely get into AT&T computers and unlock cell phones. Fahd and a second co-conspirator (who the DOJ says is now deceased) allegedly dropped off bribes to the insiders in person or via payment systems such as Western Union.
Starting around April 2013, the alleged ringleader bribed employees to plant malware on AT&T computers so that he could gather information on how the company’s network and software worked. Using that information, he and his conspirators allegedly developed malware that could generate bogus unlock requests – requests that Fahd and others could generate remotely.
Then, from November 2014 to September 2017, the conspirators allegedly bribed insiders to install hardware such as wireless access points (WAPs) in AT&T’s physical facilities. The hardware was used to process those unauthorized unlock requests. Both the malware and the hardware relied on the use of insiders’ network credentials.
Up to 20 years
Fahd has been charged with conspiracy to commit wire fraud, conspiracy to violate the Travel Act and the Computer Fraud and Abuse Act (CFAA), four counts of wire fraud, two counts of accessing a protected computer in furtherance of fraud, two counts of intentional damage to a protected computer, and four counts of violating the Travel Act. If convicted, he’ll be looking at up to 20 years in prison, though maximum sentences are rarely handed down.
Stomping on bugs
The day after the DOJ announced Fahd’s extradition, AT&T announced the launch of a new public bug bounty program on the HackerOne bug-reporting/bug bounty platform.
There’s far more to AT&T than phones, of course, which is reflected in the new bug bounty’s program guidelines: it applies to “security vulnerabilities found within AT&T’s Environment, which includes, but is not limited to, AT&T’s websites, exposed APIs, mobile applications, and devices.”
According to BleepingComputer, AT&T launched the program in July. It was initially invite-only, with AT&T reaching out to between 100 and 150 researchers whom it’s worked with in the past on the AT&T Developer API Platform.
Since its launch, AT&T has received 49 submitted bug reports and paid out a total of $8,150 in bug bounties. The average bounty is currently at $150, with the highest hitting $750.
This is what the telecom giant is paying for varying levels of bug severity:
- Critical: $2,500
- High: $750
- Medium: $300
- Low: $150
HackerOne told BleepingComputer that AT&T is the first communications company of its size to launch a public bug bounty program of this scale with HackerOne.