Forgot your password?
typodupeerror
Android Security News

T-Mobile Wi-Fi Calling Was Vulnerable to Trivial MITM Attack 24

Posted by Unknown Lamer
from the who-do-you-trust? dept.
wiredmikey writes "A vulnerability discovered by researchers at UC Berkeley enabled attackers to eavesdrop on and modify calls and text messages sent using T-Mobile's 'Wi-Fi Calling' feature. According to Jethro Beekman and Christopher Thompson, both UC Berkeley graduate students, when an affected Android device connected to a server via T-Mobile's Wi-Fi Calling feature, it did not correctly validate the server's security certificate, exposing calls and text messages to a 'man-in-the-middle' (MiTM) attack. ... '[An attacker] could record, block and reroute SIP traffic. The attacker could change it by faking a sender or changing the real-time voice data or message content. He could fake incoming traffic and he can impersonate the client with forged outgoing traffic,' the report, released Tuesday, said. Beekman and Thompson said they notified T-Mobile of their discoveries in December 2012, and worked with the mobile operator to confirm and fix the problem. As of March 18, all affected T-Mobile customers have received the security update fixing the vulnerability, the researchers said." By 'did not correctly validate,' they mean that the certificate was self-signed and the client blindly trusted any certificate with the common name it was expecting.
This discussion has been archived. No new comments can be posted.

T-Mobile Wi-Fi Calling Was Vulnerable to Trivial MITM Attack

Comments Filter:
  • by alphatel (1450715) * on Wednesday March 20, 2013 @12:40PM (#43224901)
    MiTM=prison4u
    • by Anonymous Coward
      No prison if you only hack your own phone. Knowing when to stop is the key. Don't hack other people. Don't hack 100+ thousands of people.
  • Of course.. (Score:4, Insightful)

    by dremspider (562073) on Wednesday March 20, 2013 @01:02PM (#43225125)
    This vulnerability is in a TON of software. Python 2.X (which most people are still using) doesn't even allow you to verify the CN without adding a bunch of code to make it happen yourself. http://bugs.python.org/issue1589 [python.org] Most APIs allow you to do it both ways, but I think it is time that they stop making it optional. If you want to use SSL, use it properly otherwise it isn't worth wasting your time with it.
    • It gets a little old to hear over and over again about institutional & "enterprise-level" operations not getting digital security, or being lazy about it. I guess things like this can be mitigated somewhat on the client side by not simply trusting the first CA the client hits, but going up the chain a bit, so clients have their part to do as well.
      • by alen (225700)

        they get it, they just don't want to spend $$$$ to fix every little thing when there is no ROI

        wifi calling was a product aimed at the cheapest end of the phone market. people willing to put up with trying to find a wifi spot to make a call instead of just buying more minutes. all to save $20 or so per month.

        you don't make PROFIT by spending lots of money on your cheapest customers

    • by dgatwood (11270)

      This vulnerability is in a TON of software. Python 2.X (which most people are still using) doesn't even allow you to verify the CN without adding a bunch of code to make it happen yourself. http://bugs.python.org/issue1589 [python.org] [python.org] Most APIs allow you to do it both ways, but I think it is time that they stop making it optional. If you want to use SSL, use it properly otherwise it isn't worth wasting your time with it.

      No, that's a very different vulnerability. What you're talking about would allow any v

      • by Synerg1y (2169962)

        I take my previous comment back, somebody did understand that this is about the self-signed cert!

        I'll go ahead and simplify your post though... you can use a self-signed cert, so can I, so can a nigerian prince, the problem is nobody knows who's who and we can all authenticate against each other's certs leading to an authentication party!

    • by Synerg1y (2169962)

      Am I the only one who read self-signed cert and assumed that was the problem? DNS & SSL couldn't have less to do with this. It even states this in the last line of the article.

  • by Todd Knarr (15451) on Wednesday March 20, 2013 @01:19PM (#43225339) Homepage

    What'd've been useful: details of how/what to check to determine if your phone uses the vulnerable software, and what would indicate you've received an update. I tend not to use the WiFi calling anyway, but it'd be nice to be able to confirm the update. Looking at it my phone's still using the original release of the WiFi Calling app and hasn't had it's firmware updated since May 2012.

  • So this affects the Wifi Calling App. I wonder if those of us running Cyanogen need to upgrade to a new version of Cyanogen, or just update the Wifi calling app..
    • by dino2gnt (1072530)
      As far as I am aware, TMO's current Android implementation of Wifi calling does not exist on Cyanogen.
    • I don't believe WiFi Calling for TMOUS is available on any of the CM builds. You can get *other* WiFi calling apps (i.e. typical SIP client stuff) but nothing that will work like the TMOUS app. Please correct me if I'm wrong here because I'd love to be running CM instead of the older Sense builds I'm forced to run to use the TMOUS app.

Economics is extremely useful as a form of employment for economists. -- John Kenneth Galbraith

Working...