Over a year ago, a friend, whom we will call John, found a backdoor into the network of a large multi-state telecom company, Midcontinent Communications. They are a major telecom company serving several states in the northern Midwest USA. The backdoor John found could allow him, or any number of tech-savvy individuals, to run a macro script shutting down 90% of the internet connections provided by Midco within hours. This type of backdoor attack would be devastating to any major telecom company, especially ones now utilizing VoIP for telephone networking. Theoretically, the backdoor could have been used to shut down 90% of internet and phone communications across multiple states, or to heavily modify or disable systems in specific areas.
This means your internet connection could have just gone offline for hours, maybe days, without reason and without warning. Perhaps even your phone service could have been disconnected. And if you contacted the Midco office, you may have been one of thousands doing the same. It could have taken weeks to restore service by reprogramming and/or replacing the affected equipment.
When John learned of this backdoor flaw in the network, he spent hours researching through telecommunication manuals and details on other companies similar to Midco, trying to find a reason for the flaw and a possible solution to fix it. After learning all he could from indirect research, he wrote a detailed study about the issue: how the flaw can be found, how it could be exploited, why it might be exploited, why it might exist, and how it might be fixed.
Because large corporations do not like to be found vulnerable, John figured that if he gave this information to Midco, they might simply try to shift the limelight or blame onto John. He provided the information via a data disc to a Midcontinent Drop-Off box after hours, hoping technicians would follow the instructions and read the report he burned to the disc.
After several months of waiting, and while the backdoor was still open and vulnerable to attack, John decided to go in search of a media reporter to publicly report his findings, in hopes that Midco would then listen and take the necessary steps to correct the flaw. But none of the reporters contacted John back.
Soon after, John decided to contact Midco online through various contact means, hoping to find somebody to listen to his report. After several communications back and forth, and after threatening to take the information public, he got in contact with the head of IT Security at Midcontinent Communications. He subsequently set up a telephone conference with their head of IT Security.
During the telephone conference, the head of security confirmed he had read John's report, and reported that he was and had been aware of the vulnerability for some time. He claimed his security staff had been working on ways to correct the issue and had multiple ways of doing so, but had issues with equipment to overcome. He said he was "scared" of somebody exploiting the backdoor, and that it was "luck" that nobody had exploited it as of yet.
The head of security didn't give any dates or information about a timetable for fixing the issue, and John was advised to take any future information directly to the head of IT security. Nearly a year after the telephone conference, the network flaw has apparently been "patched". It may not be completely gone, but the backdoor is not openly accessible, based on some basic testing. But apparently it took years for this issue to be fixed.
Thankfully, this issue was never exploited on a massive scale, and should not be easy to exploit in the near future. But, in the future, I think you will agree with John that telecom companies should take issues more seriously when brought to their attention, perhaps by having a means for an individual to report a network flaw such as this in a faster way.