Ethiopian Telecoms System Has Critical Security Flaws

A white-hat hacker has recently found a critical security flaw on Ethiopia’s Ethio Telecom servers that makes it possible for a hacker to control the entire Ethiopian GSM communication system.

'Sisay Sorsa' is a security researcher and white-hat hacker who has found a critical security flaw on Ethio Telecom servers. He told Cyber Security Intelligence that he accessed the system by writing a python script to make a proof of concept and that now he can exploit the entire Ethio Telecom network and has explained that she now will help the company reduce the risks and help them solve the problem. 

The hacker says it is possible to almost completely access each and every SIM cards (phone numbers) and to steal by making money transfers, pay bills and buy packages from every phone number. All of this is an extremely dangerous vulnerability on the apparently secured Ethio Telecom infrastructure.

Current news reports claim Ethiopia is planning to sell a 45% stake in Ethio Telecom, the monopoly player at the centre of the country’s ICT liberalisation strategy. The latest development, reported by Reuters, quoted an adviser to the state minister of finance, who confirmed that the sale is back on the table. The transaction is expected to take nine months and tenders for two new operating licences will be issued in December, a process in itself expected to take three to four months. “It is 40% to all interested bidders and 5% will be dedicated to Ethiopians. The 55% will remain with the government of Ethiopia,” Brook Taye, senior adviser at the ministry of finance, told media.

The telecom service was introduced in Ethiopia by Emperor Menelik II in 1894 during the commencement of the telephone line installation from Harar to Addis Ababa. Then the inter-urban network was expanded in all other directions from the capital and many important centers in the Empire were interconnected by landlines to facilitate long-distance communications with the help of intermediate operators acting as verbal human repeaters.

Ethio telecom was created in November 2010, with the aim of helping the steady growth of the country and now has over 48 million users.

Sisay Sorsa told us "My next move would be to help them to patch these critical security flaws before they are exploited and attacked by other cyber-terrorist or blackhat hackers"  ​

UPDATE:  Sisay Sorsa has since contacted us to say that to date he has had no response to his report to the Ethiopian Informatiom Network Security Agency (INSA), which included a screenshot of the vulnerable server host IP address. He says that Ethio Telecom has now shutdown its service for every client side application, used by almost 48 million  users. "...the  vulnerability still exist. This is too weird they decided to shut down the service instead of patching the security flaw and making there customers safe and secure."

Ethio Telecom:      Capacity Media:      The Africa Report:  

You Might Also Read:  

Who Do You Trust With Your Personal Data?

 

« US Government Agencies Under Attack
The Personal Data Being Used To Get Your Vote »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

CloudSigma

CloudSigma

CloudSigma, a pure-cloud IaaS provider offers flexible and innovative cloud hosting solutions for companies of all sizes both in Europe and the US.

Proofpoint

Proofpoint

Proofpoint provide the most effective cybersecurity and compliance solutions to protect people on every channel including email, the web, the cloud, social media and mobile messaging.

Sasa Software

Sasa Software

Sasa Software is a cybersecurity software developer specializing in the prevention of file-based network attacks.

Simeio Solutions

Simeio Solutions

Simeio is a complete Identity and Access Management (IAM) solution provider that engages securely with anyone, anywhere, anytime.

Anglo African

Anglo African

Anglo African is an information technology firm providing end-to-end solutions to different industries, from IT Infrastructure to DataCom as well as Cloud & InfoSec services.

CyberProof

CyberProof

CyberProof aims to give clarity and confidence to businesses worldwide using a new risk-based approach to cyber security services.

Trinity Cyber

Trinity Cyber

Trinity Cyber’s patent-pending technology stops attacks before they reach internal networks,reducing risk and increasing cost to adversaries.

Dellfer

Dellfer

Dellfer secures connected cars and other IOT devices through Intrinsic protection, enabling the most sophisticated cybersecurity attacks to be seen instantly and remediated with precision.

Phosphorous Cybersecurity

Phosphorous Cybersecurity

Phosphorus has fully automated remediation of the two biggest IoT vulnerabilities, out of date firmware and default credentials.

RISE

RISE

RISE is an independent, State-owned research institute, which offers unique expertise and over 100 testbeds and demonstration environments for future-proof technologies, products and services.

NightDragon

NightDragon

NightDragon is a venture capital firm investing in innovative growth and late stage companies within the cybersecurity, safety, security, and privacy industry.

Lattice Semiconductor

Lattice Semiconductor

Lattice Semiconductor solves customer problems across the network, from the Edge to the Cloud, in the growing communications, computing, industrial, automotive and consumer markets.

BriskInfosec Technology & Consulting

BriskInfosec Technology & Consulting

BriskInfosec provides information security services, products and compliance solutions to our customers.

Feroot Security

Feroot Security

Feroot Security secures client-side web applications so that businesses can deliver a flawless user experience to their customers. Our products help organizations protect their client-side surface.

Purple Team

Purple Team

Purple Team is an expert cybersecurity and managed security service provider focused on arming your IT infrastructure with both red team and blue team services.

Techmentum

Techmentum

At Techmentum, our mission is to utilize technology to help companies succeed. Our expertise includes fully managed IT services, cybersecurity, cloud, and custom technology solutions.