Researcher: T-Mobile UK is secretly disrupting secure communications, leaving customers vulnerable to spying

Mike Cardwell claims that T-Mobile UK are silently disrupting VPNs and secure connections to mail-servers, using packet-injection techniques more often found in the Great Firewall of China. He documents his findings in detail, and has found someone on the T-Mobile customer forums who claims that a senior technician there stated that it was a deliberate policy decision at T-Mobile to keep mail from being sent through any servers apart from their own.

The consequence of this is that you must communicate over T-Mobile's 3G network in a way that allows them to snoop on you and read your email. And since 3G security has been compromised for years, it also means anyone within range of your cell tower can also snoop on you. Mike borrowed techniques from those who fight the Great Firewall of China to build a system that lets him tunnel securely and keep his sensitive data secret, but unless you run your own servers, you're screwed if you're a T-Mobile customer.

Mike's SIM is a pay-as-you-go SIM, and his previous SIM, which came with a contract, didn't experience this filtering. Either this is the result of different filtering schemes for different customers or it's a new policy. I hope T-Mobile clarifies (and terminates) this policy soon.

I run my own Linux server, and self-host several services. I use SSL whenever possible. If I connect to my mail submission service with immediate encryption on port 465, T-Mobile instantly sends a spoofed RST TCP packet to both my server and my client in order to disrupt/disconnect the connection. I ran tcpdump on both ends of the connection to verify that this was happening. They also do the same for mail submission port 587. This time, they let you connect, but as soon as you send a STARTTLS command, the RST packets appear, and the connection drops. This isn't just for my mail server; I experienced the same problems using as well...

I route all of my Internet traffic over an OpenVPN tunnel to my VPS. This has always worked fine with my original SIM. With the new SIM, no matter which port I configure OpenVPN on, the RST packets appear. IMAP over SSL on port 993 works fine, but if I switch that off and configure OpenVPN to listen on port 993, it is blocked. So the blocks aren't even port based. They've got some really low level deep packet inspection technology going on here. The Great Firewall of China uses the exact same technique of sending RST packets to disrupt connections.

Punching through The Great Firewall of T-Mobile
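The two-ended tcpdump check Mike describes (a reset that shows up in the client's capture but that the server's own capture shows it never sent) can be automated. The script below is an added example, not code from Mike's post or from Boing Boing: it takes two constructed packet lists standing in for the client-side and server-side captures of one port-587 submission attempt, and reports resets that (a) the claimed sender never emitted, (b) land on the flow right after a STARTTLS command, and (c) carry a TTL different from every earlier packet the same host sent on that flow. Hosts, ports, timestamps and TTLs are all made up, and the analysis assumes the two captures' clocks agree to within about half a second. The same functions apply unchanged to any port, which is how you would confirm the "not port based" observation for an OpenVPN flow.

```python
"""Correlate packet captures from both ends of a TCP connection to spot
injected resets. Added example; every address, port and packet is constructed."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Pkt:
    t: float        # capture timestamp in seconds (per-capture clock)
    src: str
    dst: str
    sport: int
    dport: int
    flags: str      # tcpdump-style TCP flags: "S", "S.", ".", "P.", "R"
    ttl: int
    payload: str = ""


CLIENT = "10.0.0.2"       # constructed handset address
SERVER = "203.0.113.5"    # constructed mail server (documentation range)


def flow(p: Pkt):
    """Direction-independent 4-tuple so both halves of a connection compare equal."""
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


def is_rst(p: Pkt) -> bool:
    return "R" in p.flags


# Constructed client-side capture: handshake, EHLO, STARTTLS, then a reset
# that claims to come from the server.
CLIENT_CAP: List[Pkt] = [
    Pkt(0.000, CLIENT, SERVER, 40001, 587, "S", 64),
    Pkt(0.050, SERVER, CLIENT, 587, 40001, "S.", 52),
    Pkt(0.051, CLIENT, SERVER, 40001, 587, ".", 64),
    Pkt(0.100, SERVER, CLIENT, 587, 40001, "P.", 52, "220 mail.example ESMTP"),
    Pkt(0.110, CLIENT, SERVER, 40001, 587, "P.", 64, "EHLO phone"),
    Pkt(0.160, SERVER, CLIENT, 587, 40001, "P.", 52, "250-STARTTLS"),
    Pkt(0.170, CLIENT, SERVER, 40001, 587, "P.", 64, "STARTTLS"),
    Pkt(0.172, SERVER, CLIENT, 587, 40001, "R", 61),   # the injected reset
]

# Constructed server-side capture of the same connection: the server never
# sent a reset, but one claiming to be from the client arrives there too.
SERVER_CAP: List[Pkt] = [
    Pkt(0.025, CLIENT, SERVER, 40001, 587, "S", 44),
    Pkt(0.025, SERVER, CLIENT, 587, 40001, "S.", 64),
    Pkt(0.076, CLIENT, SERVER, 40001, 587, ".", 44),
    Pkt(0.076, SERVER, CLIENT, 587, 40001, "P.", 64, "220 mail.example ESMTP"),
    Pkt(0.135, CLIENT, SERVER, 40001, 587, "P.", 44, "EHLO phone"),
    Pkt(0.136, SERVER, CLIENT, 587, 40001, "P.", 64, "250-STARTTLS"),
    Pkt(0.195, CLIENT, SERVER, 40001, 587, "P.", 44, "STARTTLS"),
    Pkt(0.197, CLIENT, SERVER, 40001, 587, "R", 61),   # injected reset, server side
]


def spoofed_rsts(local_cap, peer_cap, peer_ip, skew=0.5):
    """Resets seen locally that claim to come from peer_ip but which the peer's
    own capture shows it never sent (allowing `skew` seconds of clock drift)."""
    peer_sent = [q for q in peer_cap if q.src == peer_ip and is_rst(q)]
    found = []
    for p in local_cap:
        if p.src != peer_ip or not is_rst(p):
            continue
        if not any(flow(q) == flow(p) and abs(q.t - p.t) <= skew for q in peer_sent):
            found.append(p)
    return found


def rst_after_command(cap, command="STARTTLS", window=1.0):
    """(command packet, reset) pairs where a reset hits the same flow within
    `window` seconds of the command being sent: the port-587 pattern."""
    hits = []
    for i, p in enumerate(cap):
        if p.payload.strip().upper() != command:
            continue
        for q in cap[i + 1:]:
            if flow(q) == flow(p) and is_rst(q) and 0 <= q.t - p.t <= window:
                hits.append((p, q))
    return hits


def ttl_mismatch(cap, rst):
    """True if the reset's TTL matches none of the earlier packets the same
    source sent on this flow, a common fingerprint of a forging middlebox."""
    seen = {p.ttl for p in cap
            if p.t < rst.t and p.src == rst.src and flow(p) == flow(rst)}
    return bool(seen) and rst.ttl not in seen


def analyse(local_cap, peer_cap, peer_ip):
    """Summary counts for one side's view of the connection."""
    spoofed = spoofed_rsts(local_cap, peer_cap, peer_ip)
    return {
        "spoofed": len(spoofed),
        "after_starttls": len(rst_after_command(local_cap)),
        "ttl_mismatch": sum(ttl_mismatch(local_cap, r) for r in spoofed),
    }


if __name__ == "__main__":
    print("client view:", analyse(CLIENT_CAP, SERVER_CAP, SERVER))
    print("server view:", analyse(SERVER_CAP, CLIENT_CAP, CLIENT))
```

Each view reports one reset that the supposed sender never transmitted, arriving within milliseconds of STARTTLS and with a TTL that matches nothing that host sent earlier on the flow. Any one of the three signals alone is weak (a real peer can legitimately reset, and TTLs can vary with routing), which is why the cross-capture comparison is the decisive check: a host cannot have sent a packet that its own capture does not contain.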

  1. Well THAT is deeply worrying, and probably a precedent. Unfortunately, I doubt most people in government or law enforcement are tech savvy enough to understand how intrusive that is. Hell, in the current climate, they’re probably on-board with it.

  2. Awesome, a month after I move to T-Mobile!

    Surely there must be more to it than that though.  If a business had their emails compromised because of the way that T-Mobile handle data then I’m sure T-Mobile would be in court.  Sure, us little guys can just complain, but this seems like something business customers wouldn’t be too comfortable with.

    Would be interested to know the full story, as it seems a bit porous at the moment.

    1. Presumably the plaintiff would have to prove that the compromise happened on T-Mobile’s network, that it was carried out in a way that worked because of how they were forced to send the email by T-Mobile, and that they would have been sending email securely otherwise.  All very difficult to prove.

      1. O rly?  So this guy never connects to a server in the U.S.?  T-Mobile doesn’t do business in the U.S.?   This policy of theirs only applies to UK mail servers?

        I love it how these multinational companies are such dick-waving hotshits when they are lecturing recent layoffs about global markets, but when they shit the bed somewhere suddenly they are a roadside fruit stand.

        1. So you expect a German company doing business with a British citizen in the UK to be subject to US law because the customer might connect to a US server?  That’s as scary a stance as T-Mobile’s!  Actually, scarier!

          1. So you expect a German company doing business with a British citizen in the UK

             No.  That’s if this horseshit policy of theirs is limited to the UK, but nobody is stupid enough to believe that.

            Noted, though with some amusement how quickly people line up to leap to the defense of this company oh so deserving of the benefit of the doubt.

        2. I don’t care about the companies here.

          However I do not care at all about the USA extending their reach by flimsy pretenses that they are involved.

  3. I was already considering changing from T-Mobile, as their service has gone downhill since the Orange merger. But this is the final straw, I’m definitely changing networks now.

  4. I’m going to guess that this is a cack-handed attempt to block spam from payg customers. Just shows that deep-packet inspection is off-the-shelf these days though.

  5. An ISP is limiting the competing services that can be performed on their network for a prepaid user who hasn’t signed up for their more expensive options? Why I never!

    Seriously, how is this news?

  6. I hate to say it, because it has problems all its own, but I am a huge believer in port 443… instead of all this IMAP injection/interruption nonsense.

  7. I can give some insight into this.
    I use mobile data access a lot.
    I have an old tmobile sim that I have had the sense to keep around, although, whenever I call regarding it the sales people beg me to change my plan attached to it.
    It has the old unlimited data, and the “favorite fives” grandfathered in.
    It also has the free “vpn plan”.
    I don’t know if they still offer it, but, if you call them, and say that you’re having trouble using vpn for work, they’ll give you a special account that gives your phone an external IP address, and very little firewalling, so you can use PPTP.
    It doesn’t cost extra.

    That said, I’ve noticed, they now sniff for android (I think based on the IMEI number) and try to charge you more, based on what OS you use.
    Of course, you can bypass it by changing the APN, but, it’s still very insulting.
    What’s next, charging you a convenience fee for using Firefox? And, they don’t seem to mind if I use a hacked device running Android, and they will try to charge me if I have a typically android device running a different os.

  8. Oh, I was going to add, I did have problems with OpenVPN, although, I didn’t really play with it that much.
    I just use VPN over SSH now.
    Hamachi also appears to work, although, I don’t know how trustworthy hamachi is.

  9. I don’t get this today on my t-mobile contract SIM.  I can talk SSL on 465 to my email server just fine.  So I guess it’s just PAYG.

  10. So it sounds like they’re filtering based on an OpenSSL handshake – wonder what doing OpenVPN on port 443 would do. I’ve had to play port-based games for a long time – people with “clever” firewalls blocking all kinds of things, requiring tricks right out of the black-hat bible.

    I’m so glad I don’t deal with hospitals any more.

  11. One of the reasons I switched from comcast to FIOS for my Intertubes connection is that Verizon breaks my crypto connections a lot less frequently.  I could set my watch by Comcast’s poisoning of secure traffic to my home systems – it hit every 30 minutes, reliably, on my segment.

    Using Verizon, the disconnects are less frequent and less predictable, and they almost never touch pure SSH (port 22) traffic.

    Invoking Ockham’s razor, I attribute the behaviour of large commercial network providers to greed, carelessness and incompetence, rather than malice.  They aren’t actually trying to screw you, they just don’t care if they do.

    1. It’s probably the inverse of them trying to screw you.  Everything they do is protective of profits and there is no other motive.  Inefficiency creeps in, but the actual DIRECTIVE is maximal profit.

      1. Yeah, I’m sure you’re right, but organizations like Comcast are so short-sighted they routinely pass up titanic profits next week in order to make a tiny profit this very minute.  For example, they are too cheap to hire a serious crew of highly-paid network architects, so the very few smart people they have are overworked and underpaid, so they fail to maximize the profit-making potential of the network.

  12. T-Mob UK has long dicked around with GPRS data.   Their PAYG data service in the UK is SOOOO slow and spotty as to be nearly useless anyway.    I would not dream of slapping a TCP-based tunnel over that, it would be absolutely worthless.   The author is married to TCP VPNs, which suck under all but perfect conditions.   GPRS, et al is always a crap environment for this.

    1. Must be a different T-Mobile UK to the one I’m on. 

      I’ve been on PAYG with them for years, always get extremely good speeds for data, and always get a 2+ Mbit HSDPA connection at my folks’ house out in the countryside, where even the landline broadband maxes out at 0.5 Mbit.

  13. This is part of why I don’t want a smartphone. I want a phone, and a WiFi-enabled palmtop. It would be nice if they can communicate with each other to share phonebook info and the like — if you wanted to get really fancy, put bluetooth in the palmtop so it can act as a handset for the phone, so you don’t have to handle two devices — but I have absolutely no interest in sending data through the cellular network.

  14. I raised this issue on the T-Mobile “support” forums after I spotted I could no longer send TLS-secured email around October last year. After several weeks of banging my head against the wall and getting nowhere with the official technical support channels (and some unofficial ones), I can report that today they lifted the block on TLS handshakes. Hurrah!

    The person I spoke to today told me the block was due to misconfigured equipment, and that the previous information I had been given about a deliberate policy being rolled out to combat spam was incorrect.

    So, I’m not sure what the truth is or whether the publicity from Mike’s blog and elsewhere helped them find the misconfiguration, but it is “fixed” now.

    The news isn’t so good for PAYG customers, though. T-Mobile are still blocking their SSL-secured SMTP on port 465 with TCP resets – which I can confirm – and Mike reports that OpenVPN over TCP is also being killed.
