What is the issue?
A Russian security researcher named Leonid Evdokimov uncovered that SORM hardware equipment used by Russian law enforcement authorities to intercept internet traffic had been exposing surveillance data of hundreds of Russians.
- A Russian security researcher uncovered 30 SORM devices installed on the network of 20 Russian ISPs that were running FTP servers that were not secured with a password.
- The unprotected FTP servers contained traffic logs from surveillance operations collected by Russian law enforcement agencies.
The big picture
SORM (System for Operative Investigative Activities) devices are hardware equipment that allows Russian law enforcement agencies to log details such as IP addresses, IMEI and IMSI codes, MAC addresses, ICQ usernames, and email addresses spotted in POP3, SMTP or IMAP4 traffic, or in connections to various webmail providers.
Speaking at the Chaos Constructions security conference, Evdokimov said that he had found 30 SORM devices, installed on the networks of 20 Russian ISPs, that were running FTP servers not secured with a password. He also published his presentation on his website.
He added that he discovered the leaky devices in April 2018 and started working with the ISPs to secure them in June 2018. However, as of August 25, 2019, six IP addresses remained open, and they were closed only after his Chaos Constructions presentation was published.
What information was exposed?
The unprotected FTP servers contained traffic logs from past law enforcement surveillance operations, which include:
- GPS coordinates for residents of Sarov (formerly Arzamas-16), a closed town, and Russia’s center for nuclear research
- ICQ instant messenger usernames, IMEI numbers, and telephone numbers for several hundred mobile phones across Moscow
- Router MAC addresses and GPS coordinates for residents of Novosilske
- GPS coordinates from smartphones running outdated firmware
The documents were found on an unprotected backup drive owned by an employee of Nokia Networks (formerly Nokia Siemens Networks), which through a decade-long relationship maintains and upgrades MTS’s network — and ensures its compliance with SORM.
Russia – network on internet companies – SORM surveillance
2012 – 2014 – Russian Prime Minister Dmitry Medvedev signed a decree extending the use of SORM-2 to social network surveillance. The Russian government is known to apply strict surveillance to the Internet within the country; the Kremlin developed a system code-named “SORM-2” to monitor Russian citizens.
The Russian surveillance law and the SORM system are being used more and more frequently. In fact, several “-stan” countries and other eastern European and Asian countries have more or less copied the Russian law and system, implementing them in their own laws and regulations. According to statistics published by an NGO based on Russian Supreme Court data, the number of legal telephone and email intercepts in Russia has doubled, from about 266,000 intercepts in 2006 to almost 540,000 in 2012.
Reference Note on Russian Communications Surveillance – 2018. James Andrew Lewis is a senior vice president at the Center for Strategic and International Studies (CSIS). Before joining CSIS, he worked at the Departments of State and Commerce as a Foreign Service officer and as a member of the Senior Executive Service.