Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

T-Mobile Security Flaw Allowed Snooping, Modification of Wi-Fi Calls, Texts

A vulnerability discovered by researchers at UC Berkeley enabled attackers to eavesdrop on and modify calls and text messages sent using T-Mobile’s “Wi-Fi Calling” feature, the researchers told SecurityWeek Tuesday.

A vulnerability discovered by researchers at UC Berkeley enabled attackers to eavesdrop on and modify calls and text messages sent using T-Mobile’s “Wi-Fi Calling” feature, the researchers told SecurityWeek Tuesday.

According to Jethro Beekman and Christopher Thompson, both UC Berkeley graduate students, when an affected Android device connected to a server via T-Mobile’s Wi-Fi Calling feature, it did not correctly validate the server’s security certificate, exposing calls and text messages to a “man-in-the-middle” (MiTM) attack.

“Without this proper verification, hackers could have created a fake certificate and pretend to be the T-Mobile server,” Beekman and Thompson explained. “This would have allowed attackers to listen to and modify traffic between a phone and the server, letting them intercept and decrypt voice calls and text messages sent over Wi-Fi Calling.”

To discover and implement the attack, the researchers said they reverse-engineered the Wi-Fi Calling feature, which uses a standard voice-over-IP (VoIP) protocol over an encrypted connection.

The easiest way to become a man-in-the-middle is for the attacker to be on the same open wireless network as the target victim, they said. Additionally, the paper noted, if the attacker knows the network parameters, they use an ‘Evil Twin’ attack, which imitates a legitimate network and tricks users into connecting to that rogue network instead, by showing up in the list of available Wi-Fi networks.

To analyze the calling process and execute the MiTM attack, Beekman and Thompson used the setup shown in the diagram below.

Man in the Middle Attack Setup

[P) Phone. (AP) Access point. (M) Man-in-the-middle. (S) Service provider.]

Advertisement. Scroll to continue reading.

When first turning on Wi-Fi, the DNS conversation requested a chain of information about wifi.msg.pc.t-mobile.com. Next, the researchers said, a TLS connection was established to the host with the port returned as sba.sipgeo.t-mobile.com:5061, which was the port number assigned by IANA for SIP-TLS.

During their analysis, Beekman and Thompson discovered that the certificate chain returned by T-Mobile’s server used a self-signed root certificate that is not included in standard Certificate Authority distributions, and used the common name of the certificate as simply the IP address of the server.

“This can meant that the root certificate was either built-in to T-Mobile’s client software, or they did not implement certificate validation correctly,” the researchers explained in their paper. “In fact, the client does not seem to have any problems with sslsniff intercepting the connection, making us conclude the latter. Analysis of the binaries confirmed that there was no trace of the root certificate.”

The client identifies itself using its phone number, IMEI and IMSI. Further messages followed normal SIP (Session Initiation Protocol) behavior, the researchers explained.

Using the decrypted SIP dialog, an attacker could record all incoming and outgoing calls and text messages, they said.

“[An attacker] could record, block and reroute SIP traffic. The attacker could change it by faking a sender or changing the real-time voice data or message content. He could fake incoming traffic and he can impersonate the client with forged outgoing traffic,” the report said.

“We verified the ability to record outgoing calls and incoming and outgoing text messages. We also verified the ability to change the destination phone number on outgoing calls by modifying sslsniff to change all occurrences of , replacing a single target phone number by a different one.”

After exploring the source code of the (open source) Android IMS stack, Beekman and Thompson said they found two vulnerable components: TlsSocketFactory, which creates a TLS socket and assigns the TestTrustManager to check the validity of certificates.

The simplest fix we suggested was to simply include the public-key of their certificate in the app and use it to verify the certificate chain of the remote endpoint,” Thompson told SecurityWeek.

According to their report, not all versions of T-Mobile Wi-Fi calling are vulnerable. The researchers noted that according to T-Mobile’s website, the IMS stack is used on the Samsung Galaxy S II, HTC Amaze 4G, myTouch and myTouch Q. The attack was tested the attack on a Samsung Galaxy S Relay 4G and a Samsung Galaxy Note 2, with other modern T-Mobile Samsung Galaxy devices also likely vulnerable. Individuals using T-Mobile Wi-Fi calling for Business may not be vulnerable, as it uses GAN, not IMS technology, the researchers noted.

Beekman and Thompson said they notified T-Mobile of their discoveries in December 2012, and worked with the mobile operator to confirm and fix the problem. As of March 18, all affected T-Mobile customers have received the security update fixing the vulnerability, the researchers said.

This is not the first time TLS/SSL issues have come to the forefront of mobile devices or applications.

Last October, researchers from two universities in Germany published a paper that exposed the state of SSL within Android applications, which revealed that many applications failed to properly implement SSL, leaving millions of users exposed to basic Man-In-The-Middle attacks.

Based on their analysis (PDF) of roughly 13,500 of the most popular free applications on Google Play at the time, eight percent (1,074) contained vulnerable SSL implementations when static testing was performed; with additional issues discovered after manual testing was performed on 100 of them. Additionally, 41 of the manually tested applications collected a substantial amount of personal information, with each one of them vulnerable to a MITM attack that would harvest said data.

“Man-in-the-middle attacks would not be as threatening if not for the proliferation of wireless technologies such as Wireless LAN (802.11)—exactly the technology that Wi-Fi calling advertises in its name,” Beekman and Thompson explained. “In wireless networks, an attacker no longer needs physical access to invade a network. If an attacker can connect to the network they can try ARP spoofing.”

The full technical report by Beekman and Thompson covering the vulnerability and their man-in-the-middle attack is available here

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Privacy

Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Artificial Intelligence

Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.