A 17-year-old from Virginia, Jacob Ajit, tweaked a T-Mobile prepaid device into giving him unlimited access to 4G internet for no charge whatsoever. According to the teen, the method is so simple that he is shocked that nobody found the loophole until now.

T-Mobile has previously taken steps to eliminate the data cap for all its plans through its T-Mobile One initiative.

The teenager, who is studying at Virginia's Thomas Jefferson High School for Science and Technology in Alexandria, realized that he could get unlimited free data on his handset by logging into T-Mobile's national network. After pondering and deciding that his findings would pose no harm to T-Mobile and its customers, Ajit went public with his feat.

He also points out that he reached out to T-Mobile and informed the carrier about its security flaw.

"It's a trivial fix to whitelist Speedtest servers based on their official host list," Ajit says.

He goes on to add that going on the web without a data plan was a "fun challenge" to him, and explains that he stumbled on the exploit while fiddling with a T-Mobile prepaid SIM card.

By loading the prepaid SIM, Ajit was able to connect the phone to the T-Mobile network, but it showed no service. It would constantly redirect him to a T-Mobile portal that urged him to upgrade his data plan.

As he started clicking on random links, Ajit noticed that some of them mysteriously opened up. He observed that the app that gauged his internet speed was up and running, which led him to the conclusion that the app was able to fetch data.

"One thing I noticed was that it was picking a T-Mobile Speedtest server," he affirms.

Ajit connected the dots and realized he could access media sent from any "/speedtest" folder. This is most likely due to whitelisting that T-Mobile put in place for speed test media files, but the interesting thing is that they work regardless of the host.

To test his theory, Ajit created his own "/speedtest" folder online and packed it with media. He was able to access the files easily. The teenager then proceeded to create a proxy server, virtually allowing users to access any site by tapping into his technique. He explains that this permits users to circumvent "any artificial shackles" and allows the phone's radios to talk to the network's radios unbridled.

By using a small security trick, Ajit managed to get free data from T-Mobile, without making any payments or having any binding contract with the data company.

He underlines the dangers of unnoticed and downplayed security flaws that can easily be used by malicious users such as hackers. He also emphasizes that fixing the issue would take very little effort on T-Mobile's part. Ajit explains that all the carrier needs to do is check their whitelist against the official Speedtest server list.
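The difference between the path-only whitelist described above and the host-bound check Ajit proposes can be modeled in a few lines. This is an added example, not T-Mobile's code or anything from Ajit; the hostnames, the sample URLs and the stand-in for the official Speedtest host list are constructed placeholders, and the gateway is assumed to decide per request URL.

```python
from urllib.parse import urlsplit

# Constructed placeholder for the official Speedtest host list (assumption).
OFFICIAL_SPEEDTEST_HOSTS = frozenset({
    "speedtest.carrier.example",
    "st1.speedtest.example",
})


def path_only_rule(url: str) -> bool:
    """Flawed rule as the article describes it: the host is never checked."""
    return urlsplit(url).path.lower().startswith("/speedtest")


def host_bound_rule(url: str, hosts=OFFICIAL_SPEEDTEST_HOSTS) -> bool:
    """Exempt traffic only when the host is listed AND the path matches."""
    parts = urlsplit(url)
    # .hostname is lowercased and excludes userinfo and port, so a listed
    # name placed before an "@" does not count as the host.
    host = (parts.hostname or "").rstrip(".")
    if host not in hosts:
        return False
    path = parts.path.lower()
    return path == "/speedtest" or path.startswith("/speedtest/")


def audit(urls):
    """URLs the path-only rule exempts but the host-bound rule rejects."""
    return [u for u in urls if path_only_rule(u) and not host_bound_rule(u)]


# Constructed sample requests for regression-testing a whitelist change.
SAMPLE_URLS = [
    "http://speedtest.carrier.example/speedtest/random4000x4000.jpg",
    "http://files.unlisted.example/speedtest/video.mp4",
    "http://speedtest.carrier.example@unlisted.example/speedtest/a.jpg",
    "http://SPEEDTEST.CARRIER.EXAMPLE./speedtest/latency.txt",
    "http://news.example/index.html",
]

if __name__ == "__main__":
    for leaked in audit(SAMPLE_URLS):
        print("exempt under path-only rule, rejected when host is checked:", leaked)
```

Running the audit over a carrier's own request samples before and after a rule change shows which exemptions depended on the path alone.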

He goes on to add that the broader picture involves security specialists making errors "due to oversight." Ajit did manage to surf the web without paying for traffic, which is pretty innocuous, but his exploit underlines the existence of numerous zero-day vulnerabilities that are dangerous and yet remain unaddressed.

Ajit admits that the thought that all software systems are vulnerable is "a bit scary," but he seems confident that the liabilities will be removed sooner rather than later.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.