Slashdot Mirror

← Back to Stories (view on slashdot.org)

T-Mobile Wi-Fi Calling Was Vulnerable to Trivial MITM Attack

Posted by Unknown on from the who-do-you-trust? dept.

wiredmikey writes "A vulnerability discovered by researchers at UC Berkeley enabled attackers to eavesdrop on and modify calls and text messages sent using T-Mobile's 'Wi-Fi Calling' feature. According to Jethro Beekman and Christopher Thompson, both UC Berkeley graduate students, when an affected Android device connected to a server via T-Mobile's Wi-Fi Calling feature, it did not correctly validate the server's security certificate, exposing calls and text messages to a 'man-in-the-middle' (MiTM) attack. ... '[An attacker] could record, block and reroute SIP traffic. The attacker could change it by faking a sender or changing the real-time voice data or message content. He could fake incoming traffic and he can impersonate the client with forged outgoing traffic,' the report, released Tuesday, said. Beekman and Thompson said they notified T-Mobile of their discoveries in December 2012, and worked with the mobile operator to confirm and fix the problem. As of March 18, all affected T-Mobile customers have received the security update fixing the vulnerability, the researchers said." By 'did not correctly validate,' they mean that the certificate was self-signed and the client blindly trusted any certificate with the common name it was expecting.

5 of 24 comments (clear)

  1. Y U No Tell DoJ? by alphatel · · Score: 2

    MiTM=prison4u

    --
    When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
  2. Of course.. by dremspider · · Score: 3, Insightful

    This vulnerability is in a TON of software. Python 2.X (which most people are still using) doesn't even allow you to verify the CN without adding a bunch of code to make it happen yourself. http://bugs.python.org/issue1589 Most APIs allow you to do it both ways, but I think it is time that they stop making it optional. If you want to use SSL, use it properly otherwise it isn't worth wasting your time with it.

    1. Re:Of course.. by alen · · Score: 2

      they get it, they just don't want to spend $$$$ to fix every little thing when there is no ROI

      wifi calling was a product aimed at the cheapest end of the phone market. people willing to put up with trying to find a wifi spot to make a call instead of just buying more minutes. all to save $20 or so per month.

      you don't make PROFIT by spending lots of money on your cheapest customers

    2. Re:Of course.. by prisoner-of-enigma · · Score: 2

      You're both right and wrong. TMOUS customers like myself can use WiFi Calling all day long and never take a hit on minutes. The catch is you don't get this capability turned on by default; you have to call customer service and ask for it. I have it and use it even though I have the Unlimited/Unlimited/Unlimited plan for my HTC One S.

      Why do I use it if I have unlimited minutes? Because I work at a nuclear power plant which, by virtue of being in the middle of nowhere *and* working inside a concrete building more akin to a bomb shelter, I can't get signal worth a damn. But Wifi Calling let's me use the plant guest WiFi. It's the main reason I'm still on TMOUS and not some other network.

      --
      In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
  3. How to check? by Todd+Knarr · · Score: 2

    What'd've been useful: details of how/what to check to determine if your phone uses the vulnerable software, and what would indicate you've received an update. I tend not to use the WiFi calling anyway, but it'd be nice to be able to confirm the update. Looking at it my phone's still using the original release of the WiFi Calling app and hasn't had it's firmware updated since May 2012.