According to Jethro Beekman and Christopher Thompson, both UC Berkeley graduate students, when an affected Android device connected to a server via T-Mobile's Wi-Fi Calling feature, it did not correctly validate the server's security certificate, exposing calls and text messages to a "man-in-the-middle" (MiTM) attack.
In short, by executing a MiTM attack, and using decrypted SIP (Session Initiation Protocol) dialog, an attacker could record all incoming and outgoing calls and text messages. “[An attacker] could record, block and reroute SIP traffic. The attacker could change it by faking a sender or changing the real-time voice data or message content. He could fake incoming traffic and he can impersonate the client with forged outgoing traffic,” the report, released Tuesday, said.
Beekman and Thompson said they notified T-Mobile of their discoveries in December 2012, and worked with the mobile operator to confirm and fix the problem. As of March 18, all affected T-Mobile customers have received the security update fixing the vulnerability, the researchers said.
This is not the first time TLS/SSL issues have come to the forefront of mobile world. Last October, researchers from two universities in Germany published a paper (PDF) that exposed the state of SSL within Android applications, which revealed that many applications failed to properly implement SSL, leaving millions of users exposed to basic Man-In-The-Middle attacks.