Not every smartphone exploit is a life-or-death matter of security. Some are just fun. Take, for example, what 17-year-old Jacob Ajit accomplished with just a little spare time and ingenuity.
By using a simple command and a proxy server, Ajit bypassed T-Mobile’s internet-activation process and found a way to surf the net for free — until he graciously notified the company of the flaw, that is.
Ajit is a student at Thomas Jefferson High School for Science and Technology in Fairfax, Virginia. Like any high school student with a smartphone and some time to kill, he decided to fool around with the handset -- an unspecified model of iPhone, judging by Ajit's screenshots, with a prepaid SIM card -- and see if there was anything fun he could accomplish. Ajit found that although he did not have an internet data plan on his phone, it did offer a limited LTE connection for the exclusive purpose of accessing the phone's billing information.
If the phone could access billing information online, could it access other things, Ajit wondered? By clicking links in the billing menus, he eventually found his way out onto the T-Mobile website and realized that the phone could indeed access the internet, plan or no plan. He ran a Speedtest app and discovered that the phone had an active 20 Mbps connection.
After connecting to mitmproxy (which allows users to monitor traffic on a network) on his Mac, Ajit found that if Speedtest could connect to the Internet, T-Mobile must be whitelisting its own servers on phones without paid data plans. From there, he simply designed his own fake Speedtest folder and found that his phone treated it just like a legitimate Speedtest server. Instead of testing Internet speeds, though, Ajit’s Speedtest server took him to a Taylor Swift music video.
The experiment worked, but unless Ajit wanted to program fake Speedtest servers for every site on the Internet, it didn’t have much practical use. That’s where Heroku, a proxy server program, came in handy. Ajit created his own Glype-based proxy system, which tricked T-Mobile’s browser into thinking that every site he visited had its own Speedtest folder to go along with it. The whole Internet was at his fingertips.
Rather than use his finding for evil, however, Ajit turned the information over to T-Mobile, which quickly corrected the error. However, it's not necessarily a happy ending; T-Mobile has refused to speak to either Ajit or the press about its faux pas, making the company seem rather ungrateful for a very easy and rather important fix. In the world of mobile carriers, no good deed goes unpunished.