T-Mobile Fixes Wi-Fi Calling Security Flaw
A screen grab from the T-Mobile website showing phones with Wi-Fi Calling availability.
CREDIT: T-Mobile USA, Inc.
T-Mobile's Wi-Fi Calling feature is meant to keep its customers connected even in areas where cellular service is spotty or unavailable.
Until a couple of days ago, the feature could also have been used to hijack calls and text messages from certain T-Mobile Android smartphones.
The vulnerability was discovered by Jethro Beekman and Christopher Thompson, graduate students at the University of California, Berkeley's department of electrical engineering and computer sciences department.
Beekman and Thompson informed T-Mobile, a division of Deutsche Telekom, of the flaw in December.
But it wasn't until Monday (March 18) that T-Mobile was able to resolve the issue for all affected phone models. Beekman and Thompson released their paper the next day.
"While it would have been challenging to execute the particular scenario found by researchers, we provided an update to 100 percent of the devices, and we are not aware of any customers that were affected," T-Mobile spokesman Glenn Zaccara told Kaspersky Lab's Threatpost blog. "We thank the UC Berkeley researchers for their responsible disclosure."
According to the T-Mobile website, four T-Mobile smartphones have the Wi-Fi Calling feature: the HTC One S, the Samsung Galaxy S III, the HTC Amaze and the Samsung Galaxy S Blaze.
If exploited, the vulnerability could have let hackers perform man-in-the-middle (MiTM) attacks on calls and texts transmitted using the Wi-Fi Calling feature.
In their research paper, Beekman and Thompson explained how they were able to impersonate the T-Mobile server that operates the Wi-Fi Calling application and perform MiTM attacks on other T-Mobile phones that had the feature.
The researchers used counterfeit transport layer security (TLS) certificates to impersonate the T-Mobile server. The spoof was possible due to the lack of a proper certificate validation process between the server and the mobile device.
The certificate chain that T-Mobile sent Android devices contained several weaknesses that Beekman and Thompson were able to exploit.
First they noticed that the initial certificate was the IP address of the server, and then, after searching, they found that the self-signed root certificate was not included in standard Certificate Authority distributions.
This meant that the certificate validation had not been fully implemented, which left T-Mobile's server open to MiTM attacks.
By impersonating the Wi-Fi Caller server, the researchers were able to establish TLS connections with Android devices using the open wireless network.
The researchers could thereby record and impersonate incoming and outgoing calls and texts made using the application. They could also record, block, and reroute session initiation protocol (SIP) traffic and spoof sender identification or message content.
Other carriers around the world have similar features enabled on some smartphones, including Rogers Wireless in Canada and Orange in Britain.
Orange calls its version "Signal Boost" and offers it for BlackBerry, Nokia and Android phones.
It wasn't clear whether T-Mobile's flaw similarly affected the other carriers' phones.