Man-in-the-Middle Attack on T-Mobile Wi-Fi Calling

T-Mobile has a service called “Wi-Fi Calling”, which lets users make and receive calls even when without cellular service. This service is pre-installed on millions of TMobile Android smartphones. We analyze the security aspects of this service from a network perspective, and demonstrate a man-in-the-middle attack caused by a lack of TLS certificate validation, allowing an attacker to eavesdrop and even modify calls and text messages placed using the Wi-Fi Calling feature. We have worked with T-Mobile to fix this issue, and, as of 18 March 2013, they report that all affected customers have received an update fixing this vulnerability. I. EXPERIMENTAL SETUP In order to analyze T-Mobile’s Wi-Fi calling system, we used the setup shown in Figure 1. A Wi-Fi calling enabled phone P is configured to use access point AP. AP does not have any wired connections and just acts as a wireless network switch. Another machine M connected to the same network is configured as a DHCP server and NAT router. This allows us record and control all Internet traffic to and from P. We captured several Wi-Fi calling sessions. During our experiments, all traffic on both network interfaces was captured using libpcap. Any TLS connections were intercepted by sslsniff [1] running on M. sslsniff hijacks a TLS connection request, connects to the remote endpoint itself and generates a certificate based on what it receives from that endpoint. The certificate is signed with any certificate we specify and subsequently sent back to the client. We modified sslsniff to output the master-secret and client-random parameters of all established connections so that the TLS traffic in our packet traces could be decrypted. This allowed us to see how TLS-encrypted messages relate chronologically to other packets. II. NETWORK ANALYSIS When first enabling Wi-Fi, the DNS conversation in Appendix A takes place, requesting a chain of information about wifi.msg.pc.t-mobile.com. Then, a TLS connection is established to the host and port returned by DNS. These are sba.sipgeo.t-mobile.com and 5061, which is the port number assigned by IANA for SIP-TLS.