Some of Russia's surveillance tech leaked data for more than a year

Security researcher finds that some of Russia's SORM wiretapping equipment had been leaking user data.

russia data center

A Russian security researcher has found that hardware equipment meant to be used by Russian authorities to intercept internet traffic had been leaving data exposed on the internet.

The leaky equipment were SORM devices. These are hardware wiretaps that all Russian internet service providers and mobile telecoms must install in their data centers to comply with local legislation.

When translated from Russian, SORM stands for System for Operative Investigative Activities. SORM devices are hardware equipment that support the SORM technical specification passed in the mid-90s in Russia, and which allows Russian law enforcement agencies to connect to devices, set up filtering and logging rules, and then retrieve logged data at later points.

According to the specification's most recent version, SORM-3, SORM devices can log details such as IP addresses, IMEI and IMSI codes, MAC addresses, ICQ usernames, and email addresses spotted in POP3, SMTP or IMAP4 traffic, or in connections to various webmail providers.

30 SORM devices have leaked surveillance data

But in a talk at the Chaos Constructions security conference last Sunday, on August 25, a Russian security researcher named Leonid Evdokimov revealed that some of these wiretapping devices have been leaking data.

Evdokimov said he found 30 SORM devices installed on the network of 20 Russian ISPs that were running FTP servers that were not secured with a password.

These FTP servers contained traffic logs from past law enforcement surveillance operations. Some of the data that had been left on the FTP servers of these SORM devices included:

-GPS coordinates for residents of Sarov (formerly Arzamas-16), a closed town, and Russia's center for nuclear research;
-ICQ instant messenger usernames, IMEI numbers, and telephone numbers for several hundred mobile phones across Moscow;
- router MAC addresses and GPS coordinates for people living in the village of Novosilske;
- and countless GPS coordinates from smartphones running outdated firmware, from various locations.

Evdokimov said he discovered the leaky devices in April 2018 and started working with ISPs to secure the SORM wiretaps in June 2018.

Despite his best efforts, six of the 30 SORM devices remained open until last Sunday, when Evdokimov delivered his presentation. However, the six devices were secured by Monday, a day after the researcher's presentation.

Evdokimov said that some of the leaky SORM devices were manufactured by MFI Soft, a local hardware equipment maker. But, some SORM devices appeared to have been produced by other vendors, so there's no solid evidence to support a theory that the leak was caused by a default configuration mishap in certain equipment.

The leak, and Evdokimov's presentation, were first reported earlier this week by Meduza, a Russian news site.