Huge Data Breach At T-Mobile

Yesterday, Joseph Cox at Motherboard reported that a hacker was trying to sell stolen data from 100 million T-Mobile customers. The compromised information isn’t trivial:

The data includes social security numbers, phone numbers, names, physical addresses, unique IMEI numbers, and driver licenses information, the seller said. Motherboard has seen samples of the data, and confirmed they contained accurate information on T-Mobile customers.

The hacker allegedly downloaded all of the data locally before losing access to T-Mobile’s servers.

Today, T-Mobile issued an evasive press release and acknowledged that its systems were compromised (emphasis mine):

We have been working around the clock to investigate claims being made that T-Mobile data may have been illegally accessed…We have determined that unauthorized access to some T-Mobile data occurred, however we have not yet determined that there is any personal customer data involved. We are confident that the entry point used to gain access has been closed…Until we have completed this assessment we cannot confirm the reported number of records affected or the validity of statements made by others.

Bullshit. Customers’ personal data was compromised. T-Mobile knows it.

I won’t be surprised if this data breach ultimately ends up looking similar in magnitude to the infamous 2017 Equifax fiasco. T-Mobile’s stock closed today about 3% down from its closing price on Friday.

Update:
Lawrence Abrams at BleepingComputer shared an article with additional information and rumors. Here’s one interesting bit:

The threat actor claims to have hacked into T-Mobile’s production, staging, and development servers two weeks ago, including an Oracle database server containing customer data…’Their entire IMEI history database going back to 2004 was stolen,’ the hacker told BleepingComputer.

Mint Mobile Rumored To Be Considering Sale To Altice USA

An article published by the New York Post relies on an unnamed source to suggest Mint Mobile is looking for a buyer. Mint allegedly hopes to sell for the better part of a billion dollars. Altice USA, the company behind Optimum Mobile, is rumored to be the most likely acquirer:

Mint is shopping itself and could sell for as much as $600 million to $800 million, according to a source with direct knowledge of the situation. Altice USA, which owns cable, phone, internet, and wireless services, is said to be the lead buyer, although it’s unclear whether it will end up closing a deal.

I believe the rumor is true. I’m not sure it’s good news for Mint customers. There’s a lot to like about Mint’s business model and price structure. Things often change significantly when a carrier is acquired. However, given Mint’s solid growth, it’s possible an acquirer would be content to let Mint continue on its current path.

Actor Ryan Reynolds will make a good chunk of change if a deal goes through. The source behind the New York Post article suggests Reynolds owns 20-25% of the business.

xFi Complete, Unlimited Data, And Wacky Pricing

Many internet service providers try to rent customers combination modem/routers for $10-$20 per month. I generally advise people who are slightly tech-savvy to save money by buying their own modems and routers. There’s an exception to my advice that applies to Xfinity Internet customers.

On many Xfinity plans, there’s a 1.2TB per month cap on data use. The options an Xfinity customer has for removing the cap depend on whether a customer is renting an xFi modem. Customers that don’t rent a modem have to pay an extra $30 per month for unlimited data. Customers that already rent an xFi modem for $14 per month can pay an extra $11 ($25 per month) for xFi Complete. With xFi Complete, customers get unlimited data by default.

Here’s a table from Xfinity’s page on xFi Complete that describes various options:

Table showing attributes of plans with xFi Complete, xFi standard, and self-purchased equipment

While the large majority of Xfinity customers won’t exceed 1.2TB of data use, tech-savvy customers that own their own equipment likely use more data than the average customer. Oddly enough, renting a modem with xFi Complete is cheaper than buying your own equipment and upgrading to unlimited data.

Dish Plans To Launch Postpaid Cellular in 2022

Earlier this week, Mike Dano at Light Reading shared a scoop about Dish’s plans. Dano’s article has some good insights and a handful of interesting comments from Stephen Stokols, CEO of Dish’s Boost Mobile. While Dish technically already runs a postpaid service after its acquisition of Ting, Dish plans to launch a homegrown postpaid service in 2022.

It sounds like Dish hopes to leverage both AT&T and T-Mobile’s networks rather than moving to treat AT&T as an exclusive partner for offloading:

Stokols said the company doesn’t necessarily want to replace T-Mobile with AT&T.

‘The intent is to straddle the two. The intent is to have two networks. That’s not abnormal for an MVNO of our size,’ Stokols said. MVNOs like Red Pocket Mobile and TracFone manage a number of MVNO agreements that allow them to sign up customers to whichever wireless network operator is offering the best wholesale rates. Stokols said Dish would like to do the same.

A somewhat contradictory comment from Stokols appears later in Dano’s article. I’m inclined to dismiss it as posturing:

He [Stokols] said Dish is now reconsidering using T-Mobile’s network for its mobile services. ‘It’s hard to stay on a network that literally knows your wholesale cost and comes in with retail prices below it’.

Stokols characterized some of T-Mobile’s recent behavior as anticompetitive:

Stokols said T-Mobile’s new $25-per-month prepaid promotion highlights T-Mobile’s ‘anticompetitive tone’ and ‘aggressive, combative attitude’ toward Dish. He also said T-Mobile’s new offer comes in just below what T-Mobile charges Dish for wholesale access to the T-Mobile network.

I’m not sure whether “anticompetitive” or “hypercompetitive” is a better description of T-Mobile’s behavior.

Sprint’s LTE Network Retirement Set For June 2022

Mike Dano of Light Reading recently reported that T-Mobile plans to shut down Sprint’s LTE network by June 30, 2022.

Ever since T-Mobile’s acquisition of Sprint, I’ve been wondering when Sprint’s LTE network would go offline entirely. I’m not convinced the June 30 date will stay in place. These sorts of deadlines tend to get pushed back. Often repeatedly.

As we get closer to the final days of Sprint’s LTE network, I expect we’ll gradually see the network lose power as T-Mobile repurposes Sprint’s assets for T-Mobile’s own network.

Altice Mobile Rebranding To Optimum Mobile

In a press release today, Altice USA announced that Altice Mobile will rebrand as Optimum Mobile. The change is slated to take place this Sunday, July 25.

It looks like the rebrand is part of a broader effort to consolidate Altice USA’s businesses under the Optimum name:

This transition represents the first step in the Company’s plan to align its brands under one national Optimum brand, representing a commitment to delivering a consistent and reliable connectivity experience to all customers.

While I’ve been critical of some of the marketing behind Altice Mobile, I expect Altice/Optimum Mobile’s subscriber base will continue to see significant growth.

20% Of Verizon Customers Have 5G Devices

Today, Verizon shared a press release highlighting strong revenue numbers and a significant number of added lines in the second quarter of 2021. For me, the most interesting part of the press release was this line:

Consumer ended second-quarter 2021 with approximately 20 percent of wireless phone customers having 5G-capable devices.

I’d been wondering how much penetration 5G had in the U.S. market. Verizon is something of a premium carrier, so it probably has a higher proportion of customers on 5G-capable phones than the wider market. Based on Verizon’s statement, I’d guess at least 10% of U.S. consumers, probably closer to 15%, are now using 5G-capable phones.

Dish And AT&T Announce Network Services Agreement

Today, AT&T and Dish announced that they are entering into a Network Services Agreement (NSA). Here’s the key bit from Dish’s press release:

[DISH announced a] Network Services Agreement (NSA) with AT&T, making AT&T the primary network services partner for DISH MVNO customers. Through this agreement, DISH will provide current and future customers of its retail wireless brands, including Boost Mobile, Ting Mobile and Republic Wireless, access to best-in-class coverage and connectivity on AT&T’s wireless network, in addition to the new DISH 5G network.

SEC Filing Insights

An SEC filing provides more insights than Dish’s press release. The deal between AT&T and Dish involves a minimum payment of five billion dollars over ten years.

DISH has agreed to pay AT&T at least $5 billion over the course of the ten-year term of the NSA, subject to certain terms and conditions.

People are already suggesting that Dish got a bargain by striking this deal for only five billion. They may be misunderstanding the arrangement. I expect the amount Dish pays to AT&T will depend on how heavily Dish relies on AT&T’s network. While five billion dollars is the minimum, I think it’s likely Dish will end up paying more.

Network Access

Dish has committed to activating a certain portion of its subscribers on AT&T’s network, but the SEC filing suggests Dish is permitted to activate some subscribers on other networks:

Under the NSA, AT&T becomes the primary network services provider for DISH, as DISH has committed to activate on AT&T’s network at least a minimum percentage of certain of its MVNO subscribers in the U.S. who receive services through a third-party network and to cause no less than a specified percentage of certain of its domestic roaming data usage for DISH’s MNO subscribers to be on AT&T.

Roaming

It looks like most of AT&T’s roaming agreements may be extended to Dish (emphasis mine):

AT&T will provide DISH with…services in all U.S. geographic areas…where AT&T or any AT&T affiliate has the right to use another wireless service provider’s network and is authorized to extend such right to DISH.

I’m unsure how often AT&T is prohibited from extending its roaming agreements to other parties. Further, it’s possible Dish won’t take advantage of some of AT&T’s roaming arrangements due to cost considerations.

Prioritization

The SEC filing briefly touches on prioritization:

Under the NSA, AT&T will provide DISH postpaid and prepaid customers with similar quality of service as compared to certain AT&T postpaid and prepaid customers.

While the phrasing is vague, I expect it indicates Dish subscribers will have a QCI of 8 for regular data use on AT&T’s LTE network. That’s the same QCI for regular data received by the large majority of consumers on AT&T-branded plans.

Spectrum Use

Dish has extensive spectrum holdings that AT&T may take advantage of:

The NSA also provides an avenue for AT&T to deploy portions of DISH’s spectrum to support DISH customers on the AT&T network, by allowing AT&T the right, but not the obligation, to request to use portions of DISH’s spectrum.

Other Brands

The filing makes it clear that access to AT&T’s network is available for both existing and future brands under Dish (emphasis mine):

[The agreement provides] customers of Boost, Ting and Republic Wireless and all future DISH brands coverage on AT&T’s network.

Speculation

My hunch is that this deal is good news for both AT&T and Dish. For a while, I’ve heard people express skepticism about whether Dish actually intends to build its own network. I’m finding the skepticism less plausible as time goes on. With the backing of AT&T, Dish can focus on building out a 5G network in dense areas while offloading to AT&T for more extensive coverage.

The new agreement is probably bad news for T-Mobile. The company’s stock closed today a bit over 3% down from its opening price.

AT&T Unlimited Elite Plan Gets Upgrades

Today, AT&T published a press release announcing upgrades for the Unlimited Elite plan, the most premium plan AT&T offers normal consumers.

Three major changes are taking effect:

  • Subscribers using over 100GB of data in a month will no longer be deprioritized.
  • The mobile hotspot data allotment will increase from 30GB to 40GB.
  • Video can now stream in resolutions up to 4k.

I’m unsure what’s going on with video resolution. As I noted in my Unlimited Elite Review, AT&T used to throttle video to about 480p by default. However, Unlimited Elite subscribers could opt out of throttling in their account settings. It could be that AT&T will no longer require subscribers on the Elite plan to opt out of video throttling. Alternatively, it might be that there used to be a secondary limit (1080p?) that affected customers who opted out of the standard, 480p throttle.

Don’t Buy The Hype

With these latest upgrades, it looks like AT&T is trying to match what T-Mobile did a few months ago when it dropped the deprioritization threshold on its most premium, consumer-grade plan. Here’s a bit I wrote at the time:

T-Mobile is slightly degrading service quality for tens of millions of users in order to improve service for a tiny fraction of the company’s heaviest data users. In my view, it’s a bad tradeoff.

When T-Mobile made its announcement, industry journalists praised the company. I expect we’re going to see something similar following AT&T’s announcement. Don’t buy the hype. Network capacity is a limited resource. It doesn’t come from nowhere. If you give some subscribers more, other subscribers get less.

SIM Swapping Issues At Mint Mobile

Yesterday, Mint Mobile’s co-founder, Rizwan Kassim, posted to Reddit acknowledging recent security issues. Here’s the key excerpt:

We’ve been reading your inquiries around the recent security concerns. Despite deeply wanting to respond to your questions, we haven’t been able to due to some pretty rigid compliance regulations around what we can share publicly, especially while we engage with law enforcement.

So what happened? We can’t share much, but in short, Mint Mobile was the victim of a social engineering incident last month that impacted a small number of subscribers. We have been in contact with impacted subscribers and quickly restored their services. We also continue to investigate this incident.

The post is sparse on details, and I don’t entirely accept Mint’s claims about being unable to share further information. However, Mint deserves credit for making the post and pinning it to the top of the r/MintMobile subreddit.

As best as I can tell, something happened almost a month ago that led to Mint subscribers becoming victims of SIM swap attacks. At least two reports surfaced on Reddit. I suspect a significantly larger number of customers were affected, and I’ve asked Mint to clarify.

About a month ago, Mint also had an incident where a large number of subscribers received unexpected password reset notifications. I think that incident was unrelated to the recent SIM swapping, but I’m not sure.

Mint’s Ticking Time Bomb

Mint walked into its latest security troubles. I wrote the bit below over a year ago:

A Reddit user suggests Mint Mobile’s policies may leave subscribers vulnerable to SIM-swap attacks. I haven’t dug into it, but it looks like a real issue.

While searching through old Reddit posts this morning, I realized Mint subscribers were regularly talking about this security issue for at least two years. Lots of Reddit posters have asked Mint to implement two-factor authentication or secure PINs for porting numbers. Here’s one notable example from six months ago:

Mint does NOT have pins to protect against SIM swap attacks, sadly. It’s really their only defect, and it’s a massive one.

Mint really, really, really needs to add the ability to have a user-set PIN (that they store in their system as a hash, so no one inside can ever see the PIN plaintext, just confirm that you have the right one)…It is totally mystifying to me and other security professionals why r/rizwank [Rizwan Kassim, Mint co-founder] is setting himself and the otherwise-great company he created up for massively bad publicity and legal expenses when his users get hacked en masse by eastern european mafiosos. As Mint grows this is inevitable as long as Mint refuses to implement PINs.

For quite a while, Mint has claimed to be interested in adding security features. The latest issues may lead the company to prioritize actually releasing something.
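
The user-set PIN requested in the Reddit comment quoted above, stored only in hashed form and checked before a port-out or SIM change, can be sketched as follows. This is an added example, not Mint Mobile's code; the class name, the pepper, and the lockout limits are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

# Assumption: a server-side secret stored outside the PIN database (HSM or
# secrets manager). Constructed demo value, not a real key.
PEPPER = b"constructed-demo-pepper"
MAX_ATTEMPTS = 5            # hypothetical lockout policy
LOCKOUT_SECONDS = 15 * 60


def derive(pin: str, salt: bytes) -> bytes:
    # A 6-digit PIN has only 10**6 values, so a salted hash alone falls to
    # offline guessing if the table leaks. Key it with the pepper first.
    keyed = hmac.new(PEPPER, pin.encode(), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", keyed, salt, 100_000)


class PortOutPinStore:
    def __init__(self, clock=time.time):
        self.records = {}    # account_id -> salt, digest, failures, locked_until
        self.clock = clock

    def set_pin(self, account_id: str, pin: str) -> None:
        if not (pin.isascii() and pin.isdigit() and 6 <= len(pin) <= 12):
            raise ValueError("PIN must be 6 to 12 digits")
        salt = os.urandom(16)
        self.records[account_id] = {"salt": salt, "digest": derive(pin, salt),
                                    "failures": 0, "locked_until": 0.0}

    def verify(self, account_id: str, pin: str) -> str:
        rec = self.records.get(account_id)
        if rec is None:
            return "no_pin"
        if self.clock() < rec["locked_until"]:
            return "locked"      # refuse without even evaluating the guess
        if hmac.compare_digest(derive(pin, rec["salt"]), rec["digest"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_ATTEMPTS:
            rec["locked_until"] = self.clock() + LOCKOUT_SECONDS
            rec["failures"] = 0
        return "denied"
```

A support agent's tooling would call `verify` and see only the returned status, never the PIN or its digest.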