T-Mobile Wi-Fi Calling flaw exposed calls, text messages

Certain devices using Google's Android OS possessed a vulnerability that potentially enabled attackers to eavesdrop on and modify calls and text messages sent via T-Mobile USA's Wi-Fi Calling feature, according to SecurityWeek. The problem was uncovered by University of California, Berkeley, graduate students Jethro Beekman and Christopher Thompson. They said that when an affected device connected to a server via Wi-Fi Calling, it did not correctly validate the server's security certificate. That failure exposed calls and text messages to what is called a "man-in-the-middle" (MiTM) attack, in which hackers create a fake certificate and pretend to be the T-Mobile server. Vulnerable devices had a particular IMS stack, which was used in the Samsung Galaxy S II, HTC Amaze 4G, myTouch and myTouch Q. Other modern T-Mobile Samsung Galaxy devices are likely also vulnerable, according to the researchers. Beekman and Thompson began working with T-Mobile in December 2012 to rectify the situation. They released their findings this week after all affected T-Mobile customers had received a security update remedying the vulnerability. For more, see this SecurityWeek article.
