T-Mobile has admitted that it intercepted secure email sent from its customers' mobile phones for over three months, as the result of a technical error.
T-Mobile has confirmed that it intercepted secure email sent from its customers' mobile phones for three months, following a misconfigured software upgrade.Image credit: tomylees/Flickr
Customers using encrypted SMTP to connect to a mail server other than T-Mobile's had their data traffic intercepted and disrupted by the operator following a misconfigured software upgrade, T-Mobile said on Wednesday.
"We would like to reassure our customers that we do not use our network to access the content of their emails, nor are we doing anything that would jeopardise their data security," T-Mobile said in a statement.
"Following a firmware upgrade, we were made aware of a fault by a small number of our customers in December," it added. "This fault was mistakenly preventing certain SMTP traffic. We have worked with our supplier to fix this issue, and it has now been resolved."
T-Mobile blocks unauthorised SMTP traffic as a security measure. That measure was erroneously extended to other SMTP traffic by the upgrade in September, ZDNet UK understands.
The issue was raised by Nottingham-based web developer and security researcher Mike Cardwellin a blog post on 5 January. Cardwell discovered his secure email traffic was being blocked after buying a new PAYG SIM card.
We would like to reassure our customers that we do not use our network to access the content of their emails.
Cardwell, who runs his own Linux server, found that when he tried to connect to his mail submission service using SSL over 3G, T-Mobile sent a reset (RST) packet to both his server and his client to interrupt the connection. Cardwell said he had problems with traffic on ports 465 and 587.
"This isn't just for my mail server, I experienced the same problems using smtp.gmail.com as well," said Cardwell.
"IMAP over SSL on port 993 works fine, but if I switch that off and configure OpenVPN to listen on port 993, it is blocked. So the blocks aren't even port based," said Cardwell in the blog post. "They've got some really low-level deep-packet inspection technology going on here."
Deep-packet inspection technology (DPI) involves an organisation looking at the contents of data packets. ZDNet UK understands that T-Mobile uses DPI to enforce contractual terms such as 'fair-use' agreements, to monitor for illegal content, and to enforce other terms and conditions.
T-Mobile said the software upgrade had not affected VPNs. Customers could have problems with VPNs if they have older contracts, or if VPNs infringe on fair-use agreements, it said.
"The majority of our customers are able to access VPNs providing the proposition they have bought has been set up in this way," T-Mobile said. "Customers requiring VPN access can check with us before making a purchase, all details will also be included in the terms and conditions."