T-Mobile Wi-Fi Calling flaw exposed calls, text messages

Certain devices using Google's Android OS possessed a vulnerability that potentially enabled attackers to eavesdrop on and modify calls and text messages sent via T-Mobile USA's Wi-Fi Calling feature, according to SecurityWeek. The problem was uncovered by University of California, Berkeley, graduate students Jethro Beekman and Christopher Thompson. They said that when an affected device connected to a server via Wi-Fi Calling, it did not correctly validate the server's security certificate. That failure exposed calls and text messages to what is called a "man-in-the-middle" (MiTM) attack, in which hackers create a fake certificate and pretend to be the T-Mobile server. Vulnerable devices had a particular IMS stack, which was used in the Samsung Galaxy S II, HTC Amaze 4G, myTouch and myTouch Q. Other modern T-Mobile Samsung Galaxy devices are likely also vulnerable, according to the researchers. Beekman and Thompson began working with T-Mobile in December 2012 to rectify the situation. They released their findings this week after all affected T-Mobile customers had received a security update remedying the vulnerability. For more, see this SecurityWeek article.
