(Bloomberg) -- Google told a U.S. lawmaker that it received a warning last May that a European technology company was “siphoning” user passcodes to aid surveillance carried out by foreign governments.
Google told U.S. Senator Ron Wyden, a Democrat from Oregon, that the company had been tipped off that Mitto AG may have been “siphoning off two-factor text messages for surveillance companies and their foreign government clients,” according to a Wyden aide.
It’s not clear who made the allegation, which, if true, could have allowed foreign governments to access personal accounts. Google said it looked into the matter but “due to a lack of visibility into telecommunications networks,” wasn’t able to confirm it, according to the disclosure to Wyden’s office, which hasn’t been previously reported. Bloomberg News has reviewed a summary of Google’s exchanges with Wyden’s office about the disclosure.
Google received the warning about seven months before Bloomberg and London-based Bureau of Investigative Journalism reported in December that a co-founder of Mitto operated a service that helped governments secretly surveil and track mobile phones, according to former employees and clients. Google told Wyden’s office last week about the warning it had received.
“Our client strongly denies that it has ever ‘siphoned-off’ clients’ messages, or intercepted them,” attorneys for Mitto said, in a Jan. 28 letter to Bloomberg, adding that there is “absolutely no credible basis on which such a claim could be made.”
A company representative said previously, in response to the December story, that Zug, Switzerland-based Mitto had no involvement in any surveillance business and had launched an internal investigation “to determine if our technology and business has been compromised” and would take corrective action if necessary.
When asked by Bloomberg about the communications with Wyden’s office, a spokesperson for Alphabet Inc.’s Google wouldn’t specifically address the allegation about Mitto. Instead, the spokesperson said the company had investigated allegations concerning a company it works with in Europe and found “no evidence of wrongdoing or any connection between the allegations and our separate work with them.”
While not commenting directly on the allegations concerning Mitto, Wyden said he was concerned about security vulnerabilities in phone networks, where there are “shady middlemen selling access to surveillance companies and anyone else with a credit card.”
“It threatens the security and privacy of nearly anyone with a phone,” Wyden said. “Telecom regulators, in the U.S. and elsewhere, need to get their acts together and rein in the ability of surveillance firms to get access to telephone networks.”
Closely held Mitto has established itself as a provider of automated text messages for such things as sales promotions, appointment reminders and two-factor security codes needed to log in to online accounts.
Google and other online services offer two-factor security codes as a second layer of security. They are widely used to protect email messages, bank accounts, crypto wallets and other sensitive personal data, and they can be sent in the form of a text message that must be entered in addition to a password when logging into an account.
Tobias Engel, a researcher who specializes in mobile phone network security, said intercepting text messages containing two-factor codes was a method that has been used “for years” to breach people’s personal accounts. ”It is not a very sophisticated attack, but one that is comparatively difficult for mobile network operators to prevent,” he said.
Google recommends physical security keys as an alternative to receiving two-factor codes by text message, according to a spokesperson.
Mitto’s website and promotional documents say it works with leading telecommunications companies to deliver text messages in bulk to billions of phones around the world. The company has attracted major technology giants as customers, including Google, Twitter Inc., Meta Platforms Inc.’s WhatsApp, Microsoft Corp.’s LinkedIn and messaging app Telegram, in addition to China-based ByteDance Ltd.’s TikTok, Tencent Holdings Ltd. and Alibaba Group Holding Ltd., according to Mitto documents and former employees.
But Mitto’s co-founder and chief operating officer, Ilja Gorelik, was also allegedly selling access to Mitto’s networks to secretly locate people via their mobile phones, and in some cases obtain their call logs, Bloomberg reported in December. The alleged venture involved exploiting weaknesses in a telecom protocol known as SS7, or Signaling System 7, a sort of switchboard for the global telecommunications industry.
Gorelik also boasted that he had connections to a national spy agency in the Middle East and was helping that country’s defense ministry, according to former employees at Mitto. In at least one instance, a phone number associated with a senior U.S. State Department official was allegedly targeted in 2019 for surveillance through the use of Mitto’s systems, Bloomberg reported.
Following the revelations in December, Mitto representatives allegedly informed some clients that Gorelik was no longer involved at the company.
Google has continued to work with Mitto, according to two people familiar with the matter. Google told Wyden that it contacted Mitto in December to ask the company whether it had been “siphoning off” Google’s two-factor messages, according to a Wyden aide. Mitto denied the allegation, Google told Wyden’s office.
In their Jan. 28 letter to Bloomberg, Mitto’s attorneys said, “Clearly if Google had any concerns (which they apparently did not) then they most certainly have the technological and legal wherewithal to establish if those are valid or not, and act accordingly.” They added, “Our client is a trusted provider to Google and any suggestion to the contrary would be entirely at odds with the actual position.”
Other Mitto customers, however, have allegedly cut ties. In recent weeks, messaging companies Kaleyra and MessageBird have both ceased commercial relationships with Mitto, according to the two people, and a third person familiar with the matter. MessageBird’s chief executive officer, Robert Vis, terminated an agreement with Mitto, citing a violation of a clause on the processing of personal data, those people said.
Kaleyra declined to comment. Vis and MessageBird didn’t respond to requests for comment.
While Mitto’s corporate headquarters are in Switzerland, most of its roughly 250 employees have been based in Germany and more recently, Serbia, according to former employees.
The company’s presence in Switzerland has attracted the attention of authorities there. Switzerland’s federal data protection and information commissioner has opened an investigation focusing on Mitto’s operations. The commissioner’s office said in a statement on Friday that it has “not yet terminated the evaluation” and declined further comment. Mitto has previously declined to comment on the Swiss probe.
The Google spokesperson, while not mentioning Mitto by name, said the company was monitoring an investigation in Switzerland and “will not hesitate to take immediate action if new facts come to light.”