What is the issue?
A Russian security researcher named Leonid Evdokimov uncovered that SORM hardware equipment used by Russian law enforcement authorities to intercept internet traffic had been exposing surveillance data of hundreds of Russians.
The big picture
SORM (System for Operative Investigative Activities) devices are hardware that allows Russian law enforcement agencies to log details such as IP addresses, IMEI and IMSI codes, MAC addresses, ICQ usernames, and email addresses spotted in POP3, SMTP or IMAP4 traffic, or in connections to various webmail providers.
Speaking at the Chaos Constructions security conference, Evdokimov said that he found 30 SORM devices, installed on the networks of 20 Russian ISPs, running FTP servers that were not secured with a password. He also published his presentation on his website.
He added that he discovered the leaky devices in April 2018 and started working with ISPs to secure them in June 2018. However, as of August 25, 2019, six IP addresses remained open and were closed only after his presentation from the Chaos Constructions conference was published.
What information was exposed?
The unprotected FTP servers contained traffic logs from past law enforcement surveillance operations, which include: