A Journey Through Boring Telco Data Leaks (WHY2025)

Over the past few years, I’ve been casually poking around and stumbling upon exposed data and insecure infrastructure all across the telco ecosystem. From unsecured debug portals to full backend access, the leaks themselves might seem technically boring. In this talk, I’ll walk through a handful of real-world cases, showing how misconfigurations, sloppy code, and forgotten interfaces can lead to serious exposures. These include: * an eSIM provisioning portal exposed via unauthenticated debug web interface * full backend access to a smartphone retail platform, including CRM data and hotline audio recordings * publicly accessible SIM inventory systems, Call Data Records (CDRs), and even passport scans * "open source" telco functions running in plain PHP, sometimes with hardcoded credentials * …and more strange eSIM-related findings This isn’t a high-end 0-day story. This is about minimal-effort, boring data leaks that still manage to have a surprisingly high impact. The talk will include examples, screenshots, and recurring patterns that keep coming up. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/7A7QJV/