T-Mobile Wi-Fi Calling flaw exposed calls, text messages

Certain devices using Google's Android OS possessed a vulnerability that potentially enabled attackers to eavesdrop on and modify calls and text messages sent via T-Mobile USA's Wi-Fi Calling feature, according to SecurityWeek. The problem was uncovered by University of California, Berkeley, graduate students Jethro Beekman and Christopher Thompson. They said that when an affected device connected to a server via Wi-Fi Calling, it did not correctly validate the server's security certificate. That failure exposed calls and text messages to what is called a "man-in-the-middle" (MiTM) attack, in which hackers create a fake certificate and pretend to be the T-Mobile server. Vulnerable devices had a particular IMS stack, which was used in the Samsung Galaxy S II, HTC Amaze 4G, myTouch and myTouch Q. Other modern T-Mobile Samsung Galaxy devices are likely also vulnerable, according to the researchers. Beekman and Thompson began working with T-Mobile in December 2012 to rectify the situation. They released their findings this week after all affected T-Mobile customers had received a security update remedying the vulnerability. For more, see this SecurityWeek article.
