Slashdot Mirror

← Back to Stories (view on slashdot.org)

A Teenage Hacker Figured Out How To Get Free Data On His Phone (vice.com)

Posted by BeauHD on from the unlimited-data dept.

An anonymous reader quotes a report from Motherboard: Jacob Ajit is 17 and he just hacked his way to getting free phone data, presumably so that he can do whatever it is that teens do online these days without alerting his parents with overage fees. According to a Medium post Ajit posted on Wednesday, he made his discovery while playing around with a prepaid T-Mobile phone with no service. The phone was still able to connect to the network, although it would only take him to a T-Mobile portal asking him to renew the prepaid phone plan. For some reason, though, Ajit wrote that his internet speed test app still worked, albeit through a T-Mobile server. Ajit figured out that he was able to access media sent from any folder labelled "/speedtest," possibly because T-Mobile whitelists media files from speed tests regardless of the host. He tested his theory by setting up a "/speedtest" folder on his own site and filled it with media, including a Taylor Swift music video, which he was able to access. Ajit writes that he then created a proxy server that allows users to access any site with this method. All a T-Mobile user has to do is go to this page and input any URL they want to visit. "Just like that, I now had access to data throughout the T-Mobile network without maintaining any sort of formal payments or contract," Ajit wrote on Medium. "Just my phone's radios talking to the network's radios, free of any artificial shackles."

15 of 337 comments (clear)

  1. Not anymore! by WolphFang · · Score: 4, Insightful

    Not anymore! You can't tell everyone about your free access and expect it to stay that way!

    --
    leather-dog muksihs
    Blog: @muksihs
    1. Re:Not anymore! by stealth_finger · · Score: 5, Insightful

      How the fuck is that racist?

      Because apparently everything is, but only if you're white. Didn't you get the memo?

      --
      Wanna buy a shirt?
      https://www.redbubble.com/people/stealthfinger/shop?asc=u
  2. Arrest warrent is being drawn up now by Anonymous Coward · · Score: 5, Insightful

    Note to teenage idiots: Writing online about your criminal exploits is a bad idea.

    What his kid did is called theft of communications services.

    T-Mobile probably won't press a criminal charges, but they could, and the kid would be convicted.

    1. Re:Arrest warrent is being drawn up now by postbigbang · · Score: 4, Insightful

      Hate to be a killjoy, but I think they implemented for their *paying* customers. The young man, genius that he was, found a backdoor.

      In front of a judge, finding a backdoor looks really novel, perhaps fun, and yes, criminally illegal. I wish that T-Mobile and a prosecutor could just laugh it all off, but in this nutzo world, they won't, and the result is likely to be draconian, sad as that may be.

      --
      ---- Teach Peace. It's Cheaper Than War.
    2. Re:Arrest warrent is being drawn up now by agm · · Score: 2, Insightful

      If I send a request to a server and it sends a response back, how can that be illegal? Their server was configured to do this. If I ask a server for a file and it provides it to me then I can't see how that makes me a criminal.

    3. Re:Arrest warrent is being drawn up now by Actually,+I+do+RTFA · · Score: 3, Insightful

      If I send a request to a server and it sends a response back, how can that be illegal?

      It's illegal to rob a house, even if the door is unlocked.

      I can send millions of requests to a poorly secured bank server, until I find a username password that gets a "logged in" response back. I can send a request after that to move money, and the server sends a response back with a reciept.

      These are all things the server was configured to do. But I think most people would recognize that as theft.

      --
      Your ad here. Ask me how!
    4. Re:Arrest warrent is being drawn up now by agm · · Score: 1, Insightful

      If I send a request to a server and it sends a response back, how can that be illegal?

      It's illegal to rob a house, even if the door is unlocked.

      That analogy is a poor one. It's like someone left their back door open and when asked "can I come in" they say "yes".

      I can send millions of requests to a poorly secured bank server, until I find a username password that gets a "logged in" response back. I can send a request after that to move money, and the server sends a response back with a reciept.

      These are all things the server was configured to do. But I think most people would recognize that as theft.

      It would be a poorly configured server. Again, the situation is different. Nothing is taken in the case of a server sending you files. It's not like taking money at all.

    5. Re: Arrest warrent is being drawn up now by Xest · · Score: 5, Insightful

      As much as all this might have sounded good in your head, when you wrote it, I outright guarantee you that a judge, and jury would trivially be persuaded that your attempt to twist the language has absolutely no legal validity.

      This is why we have lawyers, to advise on reality of such things, unfortunately you're clearly not one, so you should probably stop pretending you are in case you give someone completely misguided advice and get them into trouble.

      You obviously haven't been keeping track of trends in law relating to digital issues, if you had you'd know that there is no get out clause in the law that allows for wishful thinking posted on the internet by a random non-lawyer.

      Like it or not, theft of services is a thing, and this kid would be guaranteed to have been found guilty of it regardless of how desperately you may wish to try and mis-read the law in your favour.

      I know this because such cases have been brought and won succesfully since at least the time of the widespread use of phreaking in the 80s. If you want to argue this guy wouldn't be caught you'd need to explain why this guy's bypass of the security measures in place is somehow different to anyone elses. I think you'll struggle though, simply because it's really not.

  3. Prioritizing Speed Test by ninthbit · · Score: 4, Insightful

    Everyone always assumes the networks are filtering speed tests to make the results seem faster than normal traffic, but this pretty much confirms they are routing that data different.

  4. Re:I think you have them all wrong by Anonymous Coward · · Score: 2, Insightful

    The only thing T-Mobile rolls is right over net neutrality....

  5. The real reason it works: by quenda · · Score: 5, Insightful

    Why would T-mblie want you to do speedtest on an inactivated SIM? They don't.

    It is a side-effect of them cheating on the speed test. What happens is that speed-test traffic is given #1 priority over everything else.
    The first thing the network checks is "is this a speed-test?" If so, it bypasses everything else non-essential, including the accounting system.

    So this is not just a way to get free data, but to get faster data, if you have a decent proxy.
    But surely a large corporation would never cheat on product performance tests? [cough]VW , Samsung, LG, ...[cough]. Can anyone test this?

  6. Re: Now that this has attracted media coverage... by bestweasel · · Score: 4, Insightful

    Dunno. T-Mobile tried to game the system and Ajit gamed them back. If there was any cheating it was by T-Mobile, white-listing speed test servers.

  7. Here comes a bill by RubberDogBone · · Score: 3, Insightful

    Since every KB is tracked and recorded, what he REALLY hacked is T-Mobile's latent power to bill his sorry butt for the data he used. And I am sure they will do just that.

    And if he refuses to pay, it becomes theft of service just like stealing electricity or cable TV and his sorry butt will end up in jail.

    Smart move there Einstein.

    --
    Sig for hire.
  8. unauthorized access device by raymorris · · Score: 4, Insightful

    > > (b) uses, without consent, an existing, canceled or revoked access device;

    > Neither canceled nor revoked

    It sounds like service was cancelled when the bill wasn't paid, but in any event it's certainly an EXISTING access device. The law says "existing, cancelled, or revoked", and it is certainly existing.

    > "an unauthorized, false, or fictitious name, identification, telephone number, or access device"

    And that device is not authorized to be using their network. It's an unauthorized access device.

    More to the point, judges are not in fact robots, nor are they dictionaries. Any human, including a judge, can see that there is a law against taking services without permission and without paying for them, and can see that he took services without permission and without paying for them. Trying to play word games will only annoy the judge, not persuade them.

  9. Re: Now that this has attracted media coverage... by Puff_Of_Hot_Air · · Score: 4, Insightful

    Many years ago, back in the days of very small quota's but the exciting new prospect of mp3's, your author did something very similar via his University and its habit of allowing all requests that contained the university URL as part of the address. This was very nearly the end for our young adventurer, as the university in question had plans for expulsion, civil, and possibly even criminal charges! (There may have been one or two other indiscretions of a network related nature). Fortunately in this story, the Dean of Engineering saved the day with a general "boy's will be boy's" attitude and a stern warning, so the hero was not thrown to the legal wolves. The point of this is to say that you should never ever assume that your "one cool trick" won't land you in serious hot water.