A 17-year-old boy found a way to get free data on his phone over the national network of T-Mobile, one of the most prominent wireless and data service providers in the US. Jacob Ajit discovered the method while fiddling with his prepaid T-Mobile phone and decided to publish his findings after determining that it did not "pose any harm to TMobile or their customers".
Ajit stressed that he has contacted T-Mobile about the "unintentional flaw" in their network. "It's a trivial fix to whitelist Speedtest servers based on their official host list, as I point out in this post, and the educational benefits of sharing my findings with the community in this case outweighed the case for waiting for a [possible] response from TMobile," he wrote in a post.
Ajit said that he explored the idea of accessing the internet without a data plan as a "fun challenge" when he was left alone on a Friday night with a T-Mobile prepaid SIM on a spare phone with no service. In theory, his phone was still connected to the network, but every request was redirected to a T-Mobile portal asking him to upgrade his phone plan.
He explained that he began clicking on links and trying to escape the portal, with some attempts failing and some "randomly" working out. He also noted that his internet speed test app was still working. "Clearly, the app was allowed to fetch data. One thing I noticed was that it was picking a TMobile Speedtest server," he noted.
Ajit eventually figured out that he was able to access media served from any "/speedtest" folder, which he suspected was due to T-Mobile whitelisting media files from speed tests regardless of the host. He then tested his supposition by setting up his own "/speedtest" folder and filling it with media, including a Taylor Swift music video. Next, Ajit created a proxy server that allowed users to access any site using this technique.
"Just like that, I now had access to data throughout the TMobile network without maintaining any sort of formal payments or contract. Just my phone's radios talking to the network's radios, free of any artificial shackles," he said.
Ajit is currently a student at Thomas Jefferson High School for Science and Technology in Alexandria, Virginia, Motherboard reported. The high school student, however, made a valid observation in highlighting how seemingly unnoticeable vulnerabilities like these can be exploited by cybercriminals for profit.
He concluded, "It's interesting to note this is a very simple fix on TMobile's part. They simply need to make their whitelist check against the official Speedtest server list I linked to earlier. But the bigger idea here is that people make mistakes due to oversight all the time. This time, I'm getting some unexpected free stuff. What about all those darker lurking zero-days that are so simple yet some engineer assumed everything would be alright? It's a bit scary, and reminds us that all of our systems are indeed developed by humans. For now."
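The whitelist flaw and the fix Ajit describes, as an added example that is not from his post or from T-Mobile: the first function models an exemption keyed on the "/speedtest" path alone, the second also requires the host to be on an official list, and `audit` reports requests the two rules disagree on. The host names, the sample URLs and the exact path-matching rule are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the official Speedtest host list (assumption).
OFFICIAL_SPEEDTEST_HOSTS = frozenset({
    "speedtest.carrier.example",
    "st1.measurement.example",
})

def zero_rated_by_path(url: str) -> bool:
    """Flawed rule as the article describes it: any /speedtest folder is
    exempt from billing, whatever host serves it."""
    path = urlsplit(url).path.lower()
    return path == "/speedtest" or path.startswith("/speedtest/")

def zero_rated_by_host(url: str, allowed_hosts=OFFICIAL_SPEEDTEST_HOSTS) -> bool:
    """Corrected rule: the host must match an official entry exactly;
    the path only narrows the exemption further."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    # Normalise case and a trailing root dot before the exact comparison.
    host = (parts.hostname or "").rstrip(".").lower()
    return host in allowed_hosts and zero_rated_by_path(url)

def audit(urls):
    """URLs the path rule would exempt but the host rule would not."""
    return [u for u in urls
            if zero_rated_by_path(u) and not zero_rated_by_host(u)]

# Constructed sample requests as a gateway might see them.
SAMPLE_REQUESTS = [
    "http://speedtest.carrier.example:8080/speedtest/random4000x4000.jpg",
    "http://SPEEDTEST.carrier.example./speedtest/latency.txt",
    "http://files.unlisted.example/speedtest/video.mp4",
    "http://speedtest.carrier.example.unlisted.example/speedtest/a.jpg",
    "http://files.unlisted.example/media/video.mp4",
]

if __name__ == "__main__":
    for url in audit(SAMPLE_REQUESTS):
        print("exempt by path only:", url)
```

Running `audit` over existing gateway logs before tightening the rule shows which traffic currently rides on the path match alone.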