We discovered a vulnerability which would allow attackers to eavesdrop on and even modify calls and text messages sent via T-Mobile's "Wi-Fi Calling" feature. The feature, which we estimate is installed on millions of T-Mobile Android smartphones, allows customers to make and receive calls and text messages even when they don't have cellular reception.
We notified T-Mobile of our findings in December 2012, and have worked with Darren Kress, T-Mobile's senior manager for Mobile Assurance and Product Security, to confirm and fix the problem. T-Mobile reports that, as of March 18, all affected customers have received the security update fixing this vulnerability.
We are Jethro Beekman and Christopher Thompson, current UC Berkeley graduate students in EECS. In the course of our analysis of the Wi-Fi Calling feature, we found that when an affected phone connected to a server via T-Mobile's Wi-Fi Calling feature, it did not correctly validate the server's security certificate, exposing calls and text messages to a "man-in-the-middle" attack. Without that verification, an attacker could present a forged certificate and impersonate the T-Mobile server. This would allow the attacker to read and modify traffic between a phone and the server, and therefore to intercept and decrypt voice calls and text messages sent over Wi-Fi Calling.
The simplest way to become a man-in-the-middle would be for the attacker to be on the same open wireless network as the victim, such as at a coffee shop or other public space.
To discover and implement the attack, we reverse engineered the Wi-Fi Calling feature, which uses a standard voice-over-IP protocol (SIP) over an encrypted connection (TLS).
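For readers who want to see what correct validation looks like on the client side, the following Java snippet is an added illustration written for this page; it is neither our reverse-engineered T-Mobile code nor the fixed application, and the host name sip.example.net, the constructed SIP OPTIONS message, and the use of the standard SIPS port 5061 are assumptions. It shows the two checks a SIP-over-TLS client must make before trusting the connection: that the certificate chains to a trusted CA, and that it was issued for the host the client intended to reach.

```java
import java.io.*;
import java.security.GeneralSecurityException;
import javax.net.ssl.*;

public final class SipsClient {
    // Hypothetical SIP server name and the standard SIPS port (constructed; not T-Mobile's real endpoint).
    static final String HOST = "sip.example.net";
    static final int PORT = 5061;

    /** Opens a TLS connection that succeeds only if the server presents a certificate chained to a
     *  trusted CA AND issued for {@code host}. A forged certificate from a man-in-the-middle, or a
     *  genuine certificate for some other name, fails the handshake instead of being silently accepted. */
    static SSLSocket connect(String host, int port) throws IOException, GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // null trust managers = platform default: full chain validation against the system CA store
        SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        // A raw SSLSocket validates the chain but not the host name unless told to; this enables RFC 2818-style matching.
        SSLParameters params = sock.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        sock.setSSLParameters(params);
        sock.startHandshake(); // throws SSLHandshakeException on an untrusted or mis-named certificate
        // Explicit name check as well, for platforms that predate endpoint identification in SSLParameters.
        HostnameVerifier hv = HttpsURLConnection.getDefaultHostnameVerifier();
        if (!hv.verify(host, sock.getSession())) {
            sock.close();
            throw new SSLHandshakeException("server certificate does not match " + host);
        }
        return sock;
    }

    public static void main(String[] args) throws Exception {
        try (SSLSocket sock = connect(HOST, PORT)) {
            // Only after the peer is authenticated does SIP signalling ride on the socket, e.g. an OPTIONS ping.
            String options = "OPTIONS sip:" + HOST + " SIP/2.0\r\n"
                + "Via: SIP/2.0/TLS client.example.net:5061;branch=z9hG4bKexample\r\n"
                + "Max-Forwards: 70\r\nFrom: <sip:alice@example.net>;tag=1928301774\r\n"
                + "To: <sip:" + HOST + ">\r\nCall-ID: 0001@client.example.net\r\n"
                + "CSeq: 1 OPTIONS\r\nContent-Length: 0\r\n\r\n";
            OutputStream out = sock.getOutputStream();
            out.write(options.getBytes("US-ASCII"));
            out.flush();
        } catch (SSLHandshakeException e) {
            System.err.println("refusing to talk to an unauthenticated server: " + e.getMessage());
        }
    }
}
```

A client that skips either check (a trust manager that accepts any chain, or no host name comparison) behaves like the vulnerable version described above: the handshake completes against whoever answers on the network path.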
The update to fix this vulnerability, which we have independently verified, is now included with T-Mobile's Wi-Fi Calling application.
We have made a technical report covering the vulnerability and the man-in-the-middle attack in more detail available online.
To cite this technical report:
J. Beekman and C. Thompson, "Man-in-the-Middle Attack on T-Mobile Wi-Fi Calling," EECS Department, University of California, Berkeley, Tech. Rep. UCB/EECS-2013-18, March 2013.
Or use this BibTeX file.
Additionally, we have submitted a vulnerability report to CERT, VRF#HEGTS9F4.
Jethro Beekman, UC Berkeley graduate student researcher, firstname.lastname@example.org
Christopher Thompson, UC Berkeley graduate student researcher, email@example.com
Questions for T-Mobile can be directed to their media relations line: (425) 383-4002.