A vulnerability discovered by two graduate students at UC Berkeley would allow attackers to eavesdrop on and even modify calls and text messages sent via T-Mobile’s “Wi-Fi Calling” feature. The feature, which the researchers estimate is installed on millions of T-Mobile Android smartphones, allows customers to make and receive calls and text messages even when they don’t have cellular reception.
Jethro Beekman and Christopher Thompson, both UC Berkeley graduate students, notified T-Mobile of their findings in December 2012, and worked with Darren Kress, T-Mobile’s senior manager for Mobile Assurance and Product Security, to confirm and fix the problem. T-Mobile reports that as of March 18, all affected customers have received the security update fixing this vulnerability.
Beekman and Thompson found that when an affected phone connected to a server via T-Mobile’s Wi-Fi Calling feature, it did not correctly validate the server’s security certificate, exposing calls and text messages to a “man-in-the-middle” attack. Without proper verification, hackers could have created a fake certificate and pretended to be the T-Mobile server. This would have allowed attackers to listen to and modify traffic between a phone and the server, letting them intercept and decrypt voice calls and text messages sent over Wi-Fi Calling.
The simplest way to become a man-in-the-middle would be for the attacker to be on the same open wireless network as the victim, such as at a coffee shop or other public space.
To discover and implement the attack, the researchers reverse engineered the Wi-Fi Calling feature, which uses a standard voice-over-IP protocol over an encrypted connection.
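The certificate check the affected client skipped, shown as an added example that is not code from the researchers, T-Mobile, or the Wi-Fi Calling app: a client that pins its expected server certificate, then accepts only a certificate that chains to that anchor and names the host it meant to reach. The host name and both certificates are constructed in memory for the demo, and Go's crypto/x509 stands in for the Android app's TLS stack.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"math/big"
	"time"
)

const serverName = "wifi-calling.example" // constructed name, not a real T-Mobile host
// issueCert generates a key and a self-signed certificate for name; anyone can do this.
func issueCert(name string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// acceptServer is the check the affected client skipped: trusted issuer AND matching host name.
func acceptServer(presented *x509.Certificate, trusted *x509.CertPool, host string) bool {
	_, err := presented.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host})
	return err == nil
}
type Outcome struct{ Genuine, Impostor, WrongHost bool }
// RunDemo pins the genuine certificate, then presents it, a same-name fake, and a wrong host.
func RunDemo() (Outcome, error) {
	genuine, err1 := issueCert(serverName)
	impostor, err2 := issueCert(serverName) // the "fake certificate": right name, attacker's own key
	if err := errors.Join(err1, err2); err != nil {
		return Outcome{}, err
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(genuine) // the client's only trust anchor
	return Outcome{
		Genuine:   acceptServer(genuine, trusted, serverName),      // true
		Impostor:  acceptServer(impostor, trusted, serverName),     // false: untrusted issuer
		WrongHost: acceptServer(genuine, trusted, "other.example"), // false: name mismatch
	}, nil
}
```

A client that skips acceptServer (or sets its TLS library's equivalent of "skip verification") would accept the impostor certificate, which is the failure the researchers described.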
The update to fix this vulnerability, verified by Beekman and Thompson, is now included with T-Mobile’s Wi-Fi Calling application.
The technical report covering the vulnerability and the man-in-the-middle attack is available online at http://www.cs.berkeley.edu/~cthompson/t-mobile/.