User claims to have accessed the T-Mobile network for free

Mobile / Security / Tech
T-Mobile Network

“Just like that, I now had access to data throughout the TMobile network without maintaining any sort of formal payments or contract.”

Wireless carriers have been in a war for years — a war for users and their wallets. Buying a smartphone these days almost always entails signing up for some wireless service even if you’re on a plan like Project Fi. While wireless carriers have been at war for years, savvy hackers have also been trying to, well, hack things. One user is claiming that he was able to access the T-Mobile network for free. Jacob Ajit claims he was able to use an old prepaid T-Mobile sim card and a non-active smartphone to gain access to the T-Mobile network without calling in to activate the card.

He details his method in a Medium post which consisted of manipulating the T-Mobile portal which prompts users to add time to their pre-paid sim. When you put a prepaid sim into a phone it automatically connects to whatever network that sim is assigned to. In this case, the T-Mobile network was being pinged and the network recognizes that that sim has not purchased service. So T-Mobile redirects any browser activity to a landing page that requests the user to buy more. Ajit clicked links within that landing page and was able to get to T-Mobile’s website so he knew the network was active, but only showing T-Mobile content. He then opened up his Speedtest app to see if it would work and it did.

I was onto something, or was I? I assumed they must be whitelisting Speedtest-affiliated servers in some way, perhaps using the official list? I wasn’t too familiar with how Speedtest actually worked, so I decided to do some fieldwork with my phone connected to mitmproxy running on my Mac.

I was getting a better understanding of Speedtest works, looking at it download large 30×30 images, etc. These files were hosted on various URLs, the only similarity between them being the /speedtest folder with its appropriate contents. I confirmed all of this by looking through Ookla’s documentation. Just for kicks, I loaded up one of these images through Safari, figuring the requests would be served the same way.

Just like that, I now had access to data throughout the TMobile network without maintaining any sort of formal payments or contract. Just my phone’s radios talking to the network’s radios, free of any artificial shackles. Mmm, the taste of liberty.

Now whether or not this story is factual is up for debate but it was an interesting experiment. Ajit says T-Mobile can fix the problem by making their whitelist check against the official Speedtest server list he linked to.

But the bigger idea here is that people make mistakes due to oversight all the time. This time, I’m getting some unexpected free stuff. What about all those darker lurking zero-days that are so simple yet some engineer assumed everything would be alright? It’s a bit scary, and reminds us that all of our systems are indeed developed by humans. For now.

We’re reaching out to T-Mobile for comment and will update if we can.

  Source: Medium
To Top