
T-Mobile Wi-Fi Calling Was Vulnerable to Trivial MITM Attack

Unknown Lamer posted about a year ago | from the who-do-you-trust? dept.

Android 24

wiredmikey writes "A vulnerability discovered by researchers at UC Berkeley enabled attackers to eavesdrop on and modify calls and text messages sent using T-Mobile's 'Wi-Fi Calling' feature. According to Jethro Beekman and Christopher Thompson, both UC Berkeley graduate students, when an affected Android device connected to a server via T-Mobile's Wi-Fi Calling feature, it did not correctly validate the server's security certificate, exposing calls and text messages to a 'man-in-the-middle' (MiTM) attack. ... '[An attacker] could record, block and reroute SIP traffic. The attacker could change it by faking a sender or changing the real-time voice data or message content. He could fake incoming traffic and he can impersonate the client with forged outgoing traffic,' the report, released Tuesday, said. Beekman and Thompson said they notified T-Mobile of their discoveries in December 2012, and worked with the mobile operator to confirm and fix the problem. As of March 18, all affected T-Mobile customers have received the security update fixing the vulnerability, the researchers said." By 'did not correctly validate,' they mean that the certificate was self-signed and the client blindly trusted any certificate with the common name it was expecting.


24 comments

Y U No Tell DoJ? (2)

alphatel (1450715) | about a year ago | (#43224901)

MiTM=prison4u

Re:Y U No Tell DoJ? (1)

Anonymous Coward | about a year ago | (#43225405)

No prison if you only hack your own phone. Knowing when to stop is the key. Don't hack other people. Don't hack 100+ thousands of people.

Of course.. (3, Insightful)

dremspider (562073) | about a year ago | (#43225125)

This vulnerability is in a TON of software. Python 2.X (which most people are still using) doesn't even allow you to verify the CN without adding a bunch of code to make it happen yourself. http://bugs.python.org/issue1589 [python.org] Most APIs allow you to do it both ways, but I think it is time that they stop making it optional. If you want to use SSL, use it properly otherwise it isn't worth wasting your time with it.

Re:Of course.. (1)

interval1066 (668936) | about a year ago | (#43225271)

It gets a little old to hear over and over again about institutional & "enterprise-level" operations not getting digital security, or being lazy about it. I guess things like this can be mitigated somewhat on the client side by not simply trusting the first CA the client hits, but going up the chain a bit, so clients have their part to do as well.

Re:Of course.. (2)

alen (225700) | about a year ago | (#43225439)

they get it, they just don't want to spend $$$$ to fix every little thing when there is no ROI

wifi calling was a product aimed at the cheapest end of the phone market. people willing to put up with trying to find a wifi spot to make a call instead of just buying more minutes. all to save $20 or so per month.

you don't make PROFIT by spending lots of money on your cheapest customers

Re:Of course.. (0)

Anonymous Coward | about a year ago | (#43225765)

Wrong, WiFi calling on T-Mo still uses your minutes. It's for places you don't have T-Mobile signal, and is especially useful for international travel (as while on WiFi calling, your phone appears to T-Mobile to be in the US, so no extra international roaming).

Re:Of course.. (1)

whoever57 (658626) | about a year ago | (#43226045)

Wrong, WiFi calling on T-Mo still uses your minutes.

Now it does, but some years ago, there was an option ($10 or $20/per month -- it changed) to make the calls made through Wifi calling free and unrestricted. There are probably some customers with this option grandfathered in.

However, you are right about international use. It's great for avoiding roaming charges.

Re:Of course.. (2)

prisoner-of-enigma (535770) | about a year ago | (#43226713)

You're both right and wrong. TMOUS customers like myself can use WiFi Calling all day long and never take a hit on minutes. The catch is you don't get this capability turned on by default; you have to call customer service and ask for it. I have it and use it even though I have the Unlimited/Unlimited/Unlimited plan for my HTC One S.

Why do I use it if I have unlimited minutes? Because I work at a nuclear power plant which, by virtue of being in the middle of nowhere *and* working inside a concrete building more akin to a bomb shelter, I can't get signal worth a damn. But Wifi Calling lets me use the plant guest WiFi. It's the main reason I'm still on TMOUS and not some other network.

Re:Of course.. (0)

Anonymous Coward | about a year ago | (#43226307)

Kinda tired of this "default insecure" model of software we have.

If we have to spend 6 months understanding the APIs to make things secure with no notion or measure of what 'secure' actually means then we're pretty screwed as developers.

Re:Of course.. (1)

dgatwood (11270) | about a year ago | (#43227417)

This vulnerability is in a TON of software. Python 2.X (which most people are still using) doesn't even allow you to verify the CN without adding a bunch of code to make it happen yourself. http://bugs.python.org/issue1589 [python.org] Most APIs allow you to do it both ways, but I think it is time that they stop making it optional. If you want to use SSL, use it properly otherwise it isn't worth wasting your time with it.

No, that's a very different vulnerability. What you're talking about would allow any valid certificate for site A to pose as site B, which means that there is almost no security, but if you can determine whose valid cert is being used, you are likely to have at least some idea who was responsible for it. There's at least a partial audit trail, in other words.

This vulnerability, by contrast, is that any self-signed certificate for site A can pose as site A. The common name must match, but everything else can be complete garbage, including the signature on the cert. This means that there is exactly zero security and zero audit trail.

This is the sort of security I'd expect from someone who knew nothing at all about SSL, and who just thought it was a magic box that made things secure.... :-/ Unfortunately, this class of mistake is painfully common, particularly in the mobile app space. Anyone who is considering overriding SSL chain validation really needs to read the following articles:

Given how many news reports we see about this sort of thing, I think it is clear that Android needs to do a better job of messaging the importance of doing SSL chain validation right. IMO, it's telling that Android's networking training area does not appear to even mention the need for security anywhere, as far as I could tell. In fact, I'm really not finding any big-picture documentation for Android networking at all. It reminds me of learning POSIX networking by reading the UNIX Socket FAQ. And this is why we keep seeing these sorts of news reports. Just saying.
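The two failure modes dgatwood separates above, expressed in Python 3 `ssl` terms as an added illustration (this is not code from the researchers, T-Mobile or the Android app; the cert dict and the host name `sip.example.test` are constructed for the example):

```python
import ssl

# Models the flawed check the summary describes: compare only the CN in the
# peer certificate's subject, ignoring issuer and signature. 'peer_cert' uses
# the dict layout ssl.SSLSocket.getpeercert() returns: tuples of RDN tuples.
def cn_only_accepts(peer_cert: dict, expected_cn: str) -> bool:
    for rdn in peer_cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value == expected_cn
    return False

def is_self_signed(peer_cert: dict) -> bool:
    # Subject equal to issuer is the tell-tale shape of a self-signed cert.
    return peer_cert.get("subject") == peer_cert.get("issuer")

# Classify a client SSLContext by which impersonation it still permits.
def classify_client_policy(ctx: ssl.SSLContext) -> str:
    if ctx.verify_mode == ssl.CERT_NONE:
        return "no chain validation"      # any self-signed cert passes
    if not ctx.check_hostname:
        return "chain only"               # valid cert for A poses as B
    if ctx.cert_store_stats()["x509_ca"] == 0:
        return "chain + hostname, but no trust anchors loaded"
    return "chain + hostname"

def insecure_context() -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def chain_only_context() -> ssl.SSLContext:
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # signature chain still checked, name is not
    return ctx

def hardened_context(cafile=None) -> ssl.SSLContext:
    # create_default_context() sets CERT_REQUIRED and check_hostname=True,
    # which is the configuration a SIP-over-TLS client should ship with.
    return ssl.create_default_context(cafile=cafile)

# Constructed sample: a self-signed cert whose CN matches what the client
# expects. The CN-only check accepts it; a hardened context would not.
FORGED_CERT = {
    "subject": ((("commonName", "sip.example.test"),),),
    "issuer": ((("commonName", "sip.example.test"),),),
}
```

Auditing an app's `SSLContext` (or its Java equivalent) with a classifier like this is a quick way to spot which of the two categories it falls into before shipping.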

Re:Of course.. (1)

Synerg1y (2169962) | about a year ago | (#43228415)

I take my previous comment back, somebody did understand that this is about the self-signed cert!

I'll go ahead and simplify your post though... you can use a self-signed cert, so can I, so can a Nigerian prince, the problem is nobody knows who's who and we can all authenticate against each other's certs leading to an authentication party!

Re:Of course.. (1)

Synerg1y (2169962) | about a year ago | (#43228329)

Am I the only one who read self-signed cert and assumed that was the problem? DNS & SSL couldn't have less to do with this. It even states this in the last line of the article.

How to check? (2)

Todd Knarr (15451) | about a year ago | (#43225339)

What'd've been useful: details of how/what to check to determine if your phone uses the vulnerable software, and what would indicate you've received an update. I tend not to use the WiFi calling anyway, but it'd be nice to be able to confirm the update. Looking at it, my phone's still using the original release of the WiFi Calling app and hasn't had its firmware updated since May 2012.

WTF (0)

Anonymous Coward | about a year ago | (#43225595)

Who the hell are these clowns hiring to create their secure infrastructure? Using a self-signed cert and just validating the CN? That's just plain ignorant. And no audit caught this? IT management needs a shake-up over this.

Cyanogen (1)

chevelleSS (594683) | about a year ago | (#43225893)

So this affects the Wifi Calling App. I wonder if those of us running Cyanogen need to upgrade to a new version of Cyanogen, or just update the Wifi calling app..

Re:Cyanogen (1)

prisoner-of-enigma (535770) | about a year ago | (#43226735)

I don't believe WiFi Calling for TMOUS is available on any of the CM builds. You can get *other* WiFi calling apps (i.e. typical SIP client stuff) but nothing that will work like the TMOUS app. Please correct me if I'm wrong here because I'd love to be running CM instead of the older Sense builds I'm forced to run to use the TMOUS app.

Re:Cyanogen (0)

Anonymous Coward | about a year ago | (#43227105)

You can in fact use T-Mobile WiFi calling with CyanogenMod -- it's included in the ROM. That is at least true for the HTC Sensation, HTC G2 and Nexus One on T-Mobile.

Re:Cyanogen (1)

dino2gnt (1072530) | about a year ago | (#43227331)

Is this the current Movial IMS-based implementation, or the previous UMA implementation? The TMO/Movial IMS service isn't available on any non-TMO builds I've ever discovered.

Re:Cyanogen (1)

prisoner-of-enigma (535770) | about a year ago | (#43237439)

Are you referring to official CM ROMs or one-offs? Because I've never seen *any* CM ROM with the TMOUS WiFi Calling app included. How could they when it's a proprietary app owned and controlled by TMOUS?
