Researchers find privacy vulnerability in T-Mobile smartphones
A security flaw discovered by two graduate students at UC Berkeley would allow attackers to eavesdrop on and even modify calls and text messages sent via T-Mobile's "Wi-Fi Calling" feature. T-Mobile reports that as of March 18, all affected customers have received the security update fixing this vulnerability, which the students discovered during a computer security course.
March 19, 2013
A vulnerability discovered by two graduate students at UC Berkeley would allow attackers to eavesdrop on and even modify calls and text messages sent via T-Mobile’s “Wi-Fi Calling” feature. The feature, which the researchers estimate is installed on millions of T-Mobile Android smartphones, allows customers to make and receive calls and text messages even when they don’t have cellular reception.
UC Berkeley students found a security flaw in T-Mobile Android smartphones. (iStock)
Jethro Beekman and Christopher Thompson, both UC Berkeley graduate students, notified T-Mobile of their findings in December 2012, and worked with Darren Kress, T-Mobile’s senior manager for Mobile Assurance and Product Security, to confirm and fix the problem. T-Mobile reports that as of March 18, all affected customers have received the security update fixing this vulnerability.
Beekman and Thompson found that when an affected phone connected to a server via T-Mobile’s Wi-Fi Calling feature, it did not correctly validate the server’s security certificate, exposing calls and text messages to a “man-in-the-middle” attack. Without this proper verification, hackers could have created a fake certificate and pretend to be the T-Mobile server. This would have allowed attackers to listen to and modify traffic between a phone and the server, letting them intercept and decrypt voice calls and text messages sent over Wi-Fi Calling.
The simplest way to become a man-in-the-middle would be for the attacker to be on the same open wireless network as the victim, such as at a coffee shop or other public space.
To discover and implement the attack, the researchers reverse engineered the Wi-Fi Calling feature, which uses a standard voice-over-IP protocol over an encrypted connection.
The update to fix this vulnerability, verified by Beekman and Thompson, is now included with T-Mobile’s Wi-Fi Calling application.
The technical report covering the vulnerability and the man-in-the-middle attack is available online at http://www.cs.berkeley.edu/~cthompson/t-mobile/.