Researcher: T-Mobile UK is secretly disrupting secure communications, leaving customers vulnerable to spying


33 Responses to “Researcher: T-Mobile UK is secretly disrupting secure communications, leaving customers vulnerable to spying”

  1. Well THAT is deeply worrying, and probably a precedent. Unfortunately, I doubt most people in government or law enforcement are tech savvy enough to understand how intrusive that is. Hell, in the current climate, they’re probably on-board with it.

  2. So does that mean Orange do this too now?

  3. Awesome, a month after I move to T-Mobile!

    Surely there must be more to it than that though.  If a business had their emails compromised because of the way that T-Mobile handle data then I’m sure T-Mobile would be in court.  Sure, us little guys can just complain, but this seems like something business customers wouldn’t be too comfortable with.

    Would be interested to know the full story, as it seems a bit porous at the moment.

    • dragonfrog says:

      Presumably the plaintiff would have to prove that the compromise happened on T-Mobile’s network, that it was carried out in a way that worked because of how they were forced to send the email by T-Mobile, and that they would have been sending email securely otherwise.  All very difficult to prove.

  4. coffee100 says:

    Title 18 U.S.C. section 2511 would seem to be applicable to this situation.

    • retepslluerb says:

      Apart from the little fact that it happens in the U.K., I guess.

      • ffabian says:

        Wait a moment… US law does not apply worldwide? Shocking…

      • coffee100 says:

        O rly?  So this guy never connects to a server in the U.S.?  T-Mobile doesn’t do business in the U.S.?   This policy of theirs only applies to UK mail servers?

        I love it how these multinational companies are such dick-waving hotshits when they are lecturing recent layoffs about global markets, but when they shit the bed somewhere suddenly they are a roadside fruit stand.

        • dculberson says:

          So you expect a German company doing business with a British citizen in the UK to be subject to US law because the customer might connect to a US server?  That’s as scary a stance as T-Mobile’s!  Actually, scarier!

          • coffee100 says:

            So you expect a German company doing business with a British citizen in the UK

            No.  That’s if this horseshit policy of theirs is limited to the UK, but nobody is stupid enough to believe that.

            Noted, though with some amusement how quickly people line up to leap to the defense of this company oh so deserving of the benefit of the doubt.

        • retepslluerb says:

          I don’t care about the companies here.

          However, I do not care at all about the USA extending their reach by flimsy pretenses that they are involved.

  5. failquail says:

    I was already considering changing from T-Mobile, as their service has gone downhill since the Orange merger. But this is the final straw; I’m definitely changing networks now.

  6. Phil says:

    I’m going to guess that this is a cack-handed attempt to block spam from payg customers. Just shows that deep-packet inspection is off-the-shelf these days though.

  7. Adam Vollmer says:

    An ISP is limiting the competing services that can be performed on their network for a prepaid user who hasn’t signed up for their more expensive options? Why I never!

    Seriously, how is this news?

  8. awjt says:

    I hate to say it, because it has problems all its own, but I am a huge believer in port 443… instead of all this IMAP injection/interruption nonsense.

  9. I can give some insight into this.
    I use mobile data access a lot.
    I have an old tmobile sim that I have had the sense to keep around, although, whenever I call regarding it the sales people beg me to change my plan attached to it.
    It has the old unlimited data, and the “favorite fives” grandfathered in.
    It also has the free “vpn plan”.
    I don’t know if they still offer it, but, if you call them, and say that you’re having trouble using vpn for work, they’ll give you a special account that gives your phone an external IP address, and very little firewalling, so you can use PPTP.
    It doesn’t cost extra.

    That said, I’ve noticed they now sniff for Android (I think based on the IMEI number) and try to charge you more based on what OS you use.
    Of course, you can bypass it by changing the APN, but it’s still very insulting.
    What’s next, charging you a convenience fee for using Firefox? And they don’t seem to mind if I use a hacked device running Android, and they will try to charge me if I have a typical Android device running a different OS.

  10. Oh, I was going to add, I did have problems with OpenVPN, although, I didn’t really play with it that much.
    I just use VPN over SSH now.
    Hamachi also appears to work, although I don’t know how trustworthy Hamachi is.

  11. Paul Hayes says:

    I don’t get this today on my t-mobile contract SIM.  I can talk SSL on 465 to my email server just fine.  So I guess it’s just PAYG.

  12. USD$100 says that deep down it’s just on pay-as-you-go cards to make it easier to spy on da terrists who would use pay-as-you-go cards to avoid scrutiny.

  13. Jim Nelson says:

    So it sounds like they’re filtering based on an OpenSSL handshake – wonder what doing OpenVPN on port 443 would do. I’ve had to play port-based games for a long time – people with “clever” firewalls blocking all kinds of things, requiring tricks right out of the black-hat bible.

    I’m so glad I don’t deal with hospitals any more.

  14. Ito Kagehisa says:

    One of the reasons I switched from Comcast to FIOS for my Intertubes connection is that Verizon breaks my crypto connections a lot less frequently.  I could set my watch by Comcast’s poisoning of secure traffic to my home systems – it hit every 30 minutes, reliably, on my segment.

    Using Verizon, the disconnects are less frequent and less predictable, and they almost never touch pure SSH (port 22) traffic.

    Invoking Ockham’s razor, I attribute the behaviour of large commercial network providers to greed, carelessness and incompetence, rather than malice.  They aren’t actually trying to screw you, they just don’t care if they do.

    • awjt says:

      It’s probably the inverse of them trying to screw you.  Everything they do is protective of profits and there is no other motive.  Inefficiency creeps in, but the actual DIRECTIVE is maximal profit.

      • Ito Kagehisa says:

        Yeah, I’m sure you’re right, but organizations like Comcast are so short-sighted they routinely pass up titanic profits next week in order to make a tiny profit this very minute.  For example, they are too cheap to hire a serious crew of highly-paid network architects, so the very few smart people they have are overworked and underpaid, so they fail to maximize the profit-making potential of the network.

  15. Bink Binkerson says:

    T-Mob UK has long dicked around with GPRS data.  Their PAYG data service in the UK is SOOOO slow and spotty as to be nearly useless anyway.  I would not dream of slapping a TCP-based tunnel over that; it would be absolutely worthless.  The author is married to TCP VPNs, which suck under all but perfect conditions.  GPRS et al. is always a crap environment for this.

    • taras says:

      Must be a different T-Mobile UK to the one I’m on.

      I’ve been on PAYG with them for years, always get extremely good speeds for data, and always get a 2+ Mbit HSDPA connection at my folks’ house out in the countryside, where even the landline broadband maxes out at 0.5 Mbit.

  16. technogeekagain says:

    This is part of why I don’t want a smartphone. I want a phone, and a WiFi-enabled palmtop. It would be nice if they can communicate with each other to share phonebook info and the like — if you wanted to get really fancy, put bluetooth in the palmtop so it can act as a handset for the phone, so you don’t have to handle two devices — but I have absolutely no interest in sending data through the cellular network.

  17. dpg says:

    I raised this issue on the T-Mobile “support” forums after I spotted I could no longer send TLS-secured email around October last year. After several weeks of banging my head against the wall and getting nowhere with the official technical support channels (and some unofficial ones), I can report that today they lifted the block on TLS handshakes. Hurrah!

    The person I spoke to today told me the block was due to misconfigured equipment, and that the previous information I had been given about a deliberate policy being rolled out to combat spam was incorrect.

    So, I’m not sure what the truth is or whether the publicity from Mike’s blog and elsewhere helped them find the misconfiguration, but it is “fixed” now.

    The news isn’t so good for PAYG customers, though. T-Mobile are still blocking their SSL-secured SMTP on port 465 with TCP resets – which I can confirm – and Mike reports that OpenVPN over TCP is also being killed.
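    The two symptoms described in this comment (TLS handshakes on the submission port being blocked, and SMTPS on port 465 being torn down with TCP resets) are easy to check from the client side. The following is an added example, not code from the thread, from T-Mobile or from the blog it discusses: a small Python probe that connects to your own mail server on 465 (implicit TLS) and 587 (STARTTLS) and reports what actually happened, distinguishing a reset mid-handshake from a refused port, a silent drop, a STARTTLS capability that never appears in the EHLO reply, or a rejected STARTTLS command. `mail.example.invalid` is a placeholder for your own server; the `fake_server` helpers at the bottom are constructed local listeners that reproduce the reset and the STARTTLS rejection so the probes can be exercised offline.

```python
"""Probe whether the network path to your OWN mail server lets TLS through.
Added example, not from the original thread. Hostnames are placeholders; the
fake servers at the bottom only exist so the probes can be exercised offline."""
import socket
import ssl
import struct
import threading

TIMEOUT = 5.0

def _read_reply(f):
    """Read one SMTP reply, following '250-' continuation lines to the end."""
    lines = []
    while True:
        line = f.readline().decode("ascii", "replace")
        if not line:                      # EOF: the peer closed the socket
            raise EOFError("peer closed connection")
        lines.append(line.rstrip("\r\n"))
        if len(line) < 4 or line[3] != "-":
            return lines

def _verdict(exc):
    """Map a failure to the symptom a filtering middlebox would produce."""
    if isinstance(exc, ConnectionRefusedError):
        return "refused"
    if isinstance(exc, (ConnectionResetError, BrokenPipeError)):
        return "reset"                    # RST mid-handshake: the port-465 case
    if isinstance(exc, socket.timeout):
        return "timeout"                  # packets silently dropped
    if isinstance(exc, EOFError):
        return "closed"                   # orderly FIN instead of a handshake
    if isinstance(exc, ssl.SSLError):
        return "tls_error:" + str(exc.reason)
    return "error:" + str(exc)            # DNS failure, unreachable network, ...

def probe_smtps(host, port=465, timeout=TIMEOUT):
    """Implicit TLS: connect, then start the handshake immediately."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            ctx = ssl.create_default_context()
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok:" + tls.version()
    except (OSError, EOFError) as exc:
        return _verdict(exc)

def probe_starttls(host, port=587, timeout=TIMEOUT):
    """Opportunistic TLS: EHLO, confirm STARTTLS is advertised, then upgrade."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            f = raw.makefile("rb")
            banner = _read_reply(f)
            if not banner[0].startswith("220"):
                return "bad_banner:" + banner[0]
            raw.sendall(b"EHLO probe.invalid\r\n")
            ehlo = _read_reply(f)
            if not any(l[4:].upper().startswith("STARTTLS") for l in ehlo):
                return "starttls_not_offered"   # capability stripped from EHLO
            raw.sendall(b"STARTTLS\r\n")
            reply = _read_reply(f)
            f.close()
            if not reply[0].startswith("220"):
                return "starttls_rejected:" + reply[0]
            ctx = ssl.create_default_context()
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok:" + tls.version()
    except (OSError, EOFError) as exc:
        return _verdict(exc)

def fake_server(handler):
    """Constructed local listener that hands its first connection to handler."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            handler(conn)
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return port

def reset_on_hello(conn):
    """Answer the ClientHello with a TCP RST (the port-465 symptom). SO_LINGER
    with a zero timeout makes close() send RST instead of FIN (Linux layout)."""
    conn.recv(1)
    conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))

def smtp_script(ehlo_reply, starttls_reply):
    """Scripted SMTP server: banner, then the given EHLO and STARTTLS replies."""
    def handler(conn):
        f = conn.makefile("rb")
        conn.sendall(b"220 fake.invalid ESMTP\r\n")
        f.readline()                       # EHLO
        conn.sendall(ehlo_reply)
        if f.readline():                   # STARTTLS, unless the client gave up
            conn.sendall(starttls_reply)
    return handler

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.invalid"  # your server
    print("465 SMTPS   :", probe_smtps(host))
    print("587 STARTTLS:", probe_starttls(host))
```

Run it twice, once over the suspect mobile connection and once over a connection you trust, and compare the verdicts: a server that answers `ok:TLSv1.3` on one path and `reset` or `starttls_rejected` on the other is being interfered with in transit, not misconfigured. The probe uses the default certificate-verifying context on purpose, so a `tls_error` verdict is also worth reading: a certificate that validates on one path and not the other points at an interception proxy rather than a plain block.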

  18. stumo says:

    According to there were 2 separate issues, both of which were oversights – and should be fixable.

    Conspiracy or cock up? I could believe either…

  19. Hello,
    one of our translators has translated this article into Spanish; we hope that this translation will serve to support the spread of this information. Regards.
