UC Berkeley grad students find, fix vulnerability in T-Mobile Wi-Fi Calling

Henry Ascencio/Staff
UC Berkeley graduate students helped T-Mobile find and fix a security issue.

Related Posts

What began as a class project for two UC Berkeley graduate students turned into a real-life software security collaboration with T-Mobile.

EECS graduate students Jethro Beekman and Christopher Thompson discovered a vulnerability in T-Mobile’s “Wi-Fi Calling” feature for Android that could potentially allow hackers to access and modify calls and messages made by T-Mobile users on certain Android smartphones.

T-Mobile’s Wi-Fi Calling feature allows customers to text and make phone calls over Wi-Fi when cellular service is unavailable, similar to the way Skype connects calls through an Internet connection.

“Jethro had just recently gotten his new phone that had this Wi-Fi calling feature,” Thompson said. “Both of us are security-minded people, and … we were thinking, ‘What can we do to look at this feature and figure out if it’s secure or not secure?’”

Beekman and Thompson began by testing network connection security on their own smartphones and discovered that the connection on an open wireless network  was extremely vulnerable to “man-in-the-middle” attacks, which allow hackers enter between the smartphone user and the T-Mobile network.

“Vulnerabilities like this are common — this is not at all unusual,” said David Wagner, a professor in the campus department of computer science whose graduate class on computer security prompted Beekman and Thompson’s investigation. “Their work falls into a broader context where other researchers have found similar vulnerabilities in other software. (Beekman and Thompson) decided to look at smartphones to see if they have the same problem.”

Over the course of their experiment, Beekman and Thompson made software modifications that enabled them to access phone lines, change the outgoing number on phone calls and view and modify outgoing text messages.

“Theoretically, an attacker could use this to change someone’s call to go to a toll number … and cost you money,” Thompson said.

The researchers found that the Samsung Galaxy S II, HTC Amaze 4G, myTouch and myTouch Q were most vulnerable to security threats due to the type of technology they use for network connection.

Beekman and Thompson explored the security issue last semester and presented their findings to T-Mobile in December.

They worked with the security team at T-Mobile to validate their findings and make sure that the problems were resolved. The company provided them with a test phone, which they used to assess vulnerability before and after the security update to ensure that the issue was fixed.

According to the researchers’ report, T-Mobile released a security update to its Android users on March 18 that resolved the issue.

“T-Mobile did a great job of responding to the vulnerability,” Wagner said. “They sent updates that will fix the problem for all their customers. That’s a model response for a computer software company to take.”

Contact Jennie Yoon at [email protected].