Ethiopian Telecoms System Has Critical Security Flaws

Uploaded on 2020-12-14 in TECHNOLOGY--Hackers, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

A white-hat hacker has recently found a critical security flaw on Ethiopia’s Ethio Telecom servers that makes it possible for a hacker to control the entire Ethiopian GSM communication system.

'Sisay Sorsa' is a security researcher and white-hat hacker who has found a critical security flaw on Ethio Telecom servers. He told Cyber Security Intelligence that he accessed the system by writing a python script to make a proof of concept and that now he can exploit the entire Ethio Telecom network and has explained that she now will help the company reduce the risks and help them solve the problem. 

The hacker says it is possible to almost completely access each and every SIM cards (phone numbers) and to steal by making money transfers, pay bills and buy packages from every phone number. All of this is an extremely dangerous vulnerability on the apparently secured Ethio Telecom infrastructure.

Current news reports claim Ethiopia is planning to sell a 45% stake in Ethio Telecom, the monopoly player at the centre of the country’s ICT liberalisation strategy. The latest development, reported by Reuters, quoted an adviser to the state minister of finance, who confirmed that the sale is back on the table. The transaction is expected to take nine months and tenders for two new operating licences will be issued in December, a process in itself expected to take three to four months. “It is 40% to all interested bidders and 5% will be dedicated to Ethiopians. The 55% will remain with the government of Ethiopia,” Brook Taye, senior adviser at the ministry of finance, told media.

The telecom service was introduced in Ethiopia by Emperor Menelik II in 1894 during the commencement of the telephone line installation from Harar to Addis Ababa. Then the inter-urban network was expanded in all other directions from the capital and many important centers in the Empire were interconnected by landlines to facilitate long-distance communications with the help of intermediate operators acting as verbal human repeaters.

Ethio telecom was created in November 2010, with the aim of helping the steady growth of the country and now has over 48 million users.

Sisay Sorsa told us "My next move would be to help them to patch these critical security flaws before they are exploited and attacked by other cyber-terrorist or blackhat hackers"  ​

UPDATE:  Sisay Sorsa has since contacted us to say that to date he has had no response to his report to the Ethiopian Informatiom Network Security Agency (INSA), which included a screenshot of the vulnerable server host IP address. He says that Ethio Telecom has now shutdown its service for every client side application, used by almost 48 million  users. "...the  vulnerability still exist. This is too weird they decided to shut down the service instead of patching the security flaw and making there customers safe and secure."

Ethio Telecom:      Capacity Media:      The Africa Report:  

You Might Also Read:  

Who Do You Trust With Your Personal Data?

 

« US Government Agencies Under Attack
The Personal Data Being Used To Get Your Vote »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Indelible Data

Indelible Data

Indelible Data is an established information security and technology consultancy and a Cyber Essentials Certification Body.

ACIS Professional Center

ACIS Professional Center

ACIS provides training and consulting services in the area of information technology, cybersecurity, IT Governance, IT Service management, information security and business continuity management.

Cybercom Group

Cybercom Group

Cybercom offers strategic advice, testing & quality assurance, security solutions, system development, integration, management and operation services.

Recorded Future

Recorded Future

Recorded Future arms security teams with threat intelligence powered by patented machine learning to lower risk.

Cyber Security Agency of Singapore (CSA)

Cyber Security Agency of Singapore (CSA)

The CSA is the national agency overseeing cybersecurity strategy, operation, education, outreach, and ecosystem development.

bwtech@UMBC

bwtech@UMBC

The bwtech@UMBC Cyber Incubator is an innovative business incubation program that delivers business and technical support to start-up and early-stage cybersecurity/IT products and services companies.

National Cyber Security Centre (NCSC) - Ireland

National Cyber Security Centre (NCSC) - Ireland

The National Cyber Security Centre (NCSC) is the operational side of the Department of Communications in regard to network and information security in the Republic of Ireland.

PureCyber

PureCyber

PureCyber (formerly Wolfberry Cyber) is an award-winning cyber security consultancy whose goal it is to make cyber security accessible, understandable, and affordable for any organisation.

MagicCube

MagicCube

MagicCube is a device independent IoT security platform that protects against on-device, cloud, and network attacks.

Anitian

Anitian

The Anitian Compliance Automation platform builds, configures, and monitors cloud environments to accelerate compliance for standards such as FedRAMP, PCI, ISO/GDPR and CJIS.

ValidSoft

ValidSoft

ValidSoft is a security software company, providing telecommunications-based multi-factor authentication, identity and transaction verification technology.

Aujus Cybersecurity

Aujus Cybersecurity

Aujas is a pure-play cyber security services company with deep expertise in Identity and Access Management, Managed Security and Security Testing services.

InsightCyber

InsightCyber

InsightCyber is on a mission to keep the world’s critical infrastructure, supply chains, and manufacturing operations cyber-safe, helping to prevent attacks that can have catastrophic impacts.

Schweitzer Engineering Laboratories (SEL)

Schweitzer Engineering Laboratories (SEL)

SEL specializes in creating digital products and systems that protect, control, and automate power systems around the world.

Smoothstack

Smoothstack

Smoothstack is a technology talent incubator whose immersive training program kick starts IT careers and delivers a fresh source of IT talent.

TRM Labs

TRM Labs

TRM enables risk management and compliance for a global community of financial institutions, cryptocurrency businesses and government agencies.