Sweden telecom network 'vulnerable to attack'
The Local · Published: 24 Apr 2015 07:25 GMT+02:00
Telia Sonera manages the majority of the Swedish copper wire telecommunications network – used by almost 3.9 million customers, including official authorities – through its subsidiary Skanova. But for a number of years maintenance of its IT system has been outsourced to a consulting firm in India.
The firm has been given unique access to Telia Sonera servers in Sweden, which in theory means that it would be able to bug as well as knock out the entire telecom network, according to Swedish daily Dagens Nyheter (DN).
And according to unnamed sources quoted by the newspaper, computer user names and passwords are often exchanged via unencrypted email.
IT security expert Leif Nixon sharply criticized the practice in an interview on Thursday. He said it is particularly serious if the passwords get emailed to customers in other countries, as foreign surveillance authorities – such as the NSA in the United States and the British GCHQ – are likely to be monitoring cross-border traffic.
“To send passwords by email should be a 'big no-no' to a telecom operator,” he told DN.
Håkan Kvarnström, head of security at Telia Sonera, said it does not matter if the IT system is administered from Sweden or from abroad.
“We have strict agreements regulating security requirements with all our suppliers. The same rules that apply to our own workers apply to them,” he told DN.
When asked about passwords being sent in unencrypted emails, he said: “That's nothing I'm familiar with. Emailing passwords is a violation of our security rules. It is serious. Passwords must never be sent in plain text. It absolutely must not happen.”
The Swedish Post and Telecom Authority (PTS) is the watchdog that monitors the electronic communications and postal sectors in Sweden.
“It is difficult to say at present whether the conduct has been right or wrong. When it comes to the handling of passwords it is of course important that Telia acts. There are regulations stating that passwords should be handled in a secure manner and that the people involved should have been given proper training,” Staffan Lindmark at the PTS told DN on Thursday.