Researcher: T-Mobile UK is secretly disrupting secure communications, leaving customers vulnerable to spying


Mike Cardwell claims that T-Mobile UK are silently disrupting VPNs and secure connections to mail servers, using packet-injection techniques more often found in the Great Firewall of China. He documents his findings in detail, and has found someone on the T-Mobile customer forums who claims that a senior technician there stated that it was a deliberate policy decision at T-Mobile to keep mail from being sent through any servers apart from their own.

The consequence of this is that you must communicate over T-Mobile's 3G network in a way that allows them to snoop on you and read your email. And since 3G security has been compromised for years, it also means anyone within range of your cell tower can snoop on you. Mike borrowed techniques from those who fight the Great Firewall of China to build a system that lets him tunnel securely and keep his sensitive data secret, but unless you run your own servers, you're screwed if you're a T-Mobile customer.

Mike's SIM is a pay-as-you-go SIM, and his previous SIM, which came with a contract, didn't experience this filtering. Either this is the result of different filtering schemes for different customers or it's a new policy. I hope T-Mobile clarifies (and terminates) this policy soon.

I run my own Linux server, and self-host several services. I use SSL whenever possible. If I connect to my mail submission service with immediate encryption on port 465, T-Mobile instantly sends a spoofed RST TCP packet to both my server and my client in order to disrupt/disconnect the connection. I ran tcpdump on both ends of the connection to verify that this was happening. They also do the same for mail submission port 587. This time, they let you connect, but as soon as you send a STARTTLS command, the RST packets appear, and the connection drops. This isn't just for my mail server; I experienced the same problems using smtp.gmail.com as well…

I route all of my Internet traffic over an OpenVPN to my Linode.com VPS. This has always worked fine with my original SIM. With the new SIM, no matter which port I configure OpenVPN on, the RST packets appear. IMAP over SSL on port 993 works fine, but if I switch that off and configure OpenVPN to listen on port 993, it is blocked. So the blocks aren't even port-based. They've got some really low-level deep packet inspection technology going on here. The Great Firewall of China uses the exact same technique of sending RST packets to disrupt connections.

Punching through The Great Firewall of T-Mobile
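
The both-ends tcpdump check described in the quoted passage can be automated: an RST that one end receives but the other end never sent was injected somewhere on the path. The Python below is an added example, not code from Mike Cardwell's write-up; the addresses, ports and capture lines are constructed, and it assumes text captures taken with `tcpdump -n -tt -S` and a path that does not rewrite TCP sequence numbers.

```python
import re

# One line of `tcpdump -n -tt -S` text output for TCP over IPv4.
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
    r"(?:, seq (?P<seq>\d+))?"
)

def rsts(capture, local_ip):
    """Return (sent, received) lists of RST sequence numbers for one vantage point."""
    sent, received = [], []
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m or "R" not in m["flags"]:
            continue
        seq = int(m["seq"]) if m["seq"] else None
        (sent if m["src"] == local_ip else received).append(seq)
    return sent, received

def injected(receiver_cap, receiver_ip, sender_cap, sender_ip):
    """RSTs the receiver saw that the claimed sender never put on the wire."""
    remaining, _ = rsts(sender_cap, sender_ip)
    _, received = rsts(receiver_cap, receiver_ip)
    forged = []
    for seq in received:
        if seq in remaining:
            remaining.remove(seq)   # matched a genuine RST from the peer
        else:
            forged.append(seq)      # no matching RST left the peer
    return forged

# Constructed sample: the client sits behind carrier NAT, so its address differs
# between the two captures; direction is judged by each end's own local IP.
CLIENT_IP, SERVER_IP = "10.20.30.40", "203.0.113.10"
CLIENT_CAP = """\
1322000000.100000 IP 10.20.30.40.51000 > 203.0.113.10.465: Flags [S], seq 1000, win 65535, length 0
1322000000.180000 IP 203.0.113.10.465 > 10.20.30.40.51000: Flags [S.], seq 5000, ack 1001, win 65535, length 0
1322000000.181000 IP 10.20.30.40.51000 > 203.0.113.10.465: Flags [.], ack 5001, win 65535, length 0
1322000000.190000 IP 203.0.113.10.465 > 10.20.30.40.51000: Flags [R], seq 5001, win 0, length 0
"""
SERVER_CAP = """\
1322000000.140000 IP 198.51.100.7.51000 > 203.0.113.10.465: Flags [S], seq 1000, win 65535, length 0
1322000000.141000 IP 203.0.113.10.465 > 198.51.100.7.51000: Flags [S.], seq 5000, ack 1001, win 65535, length 0
1322000000.185000 IP 198.51.100.7.51000 > 203.0.113.10.465: Flags [R], seq 1001, win 0, length 0
"""

if __name__ == "__main__":
    print("forged toward client:", injected(CLIENT_CAP, CLIENT_IP, SERVER_CAP, SERVER_IP))
    print("forged toward server:", injected(SERVER_CAP, SERVER_IP, CLIENT_CAP, CLIENT_IP))
```

A non-empty result in both directions means neither endpoint reset the connection, which matches the behaviour reported in the quoted passage.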