How one teen gained access to T-Mobile's network for free - without any data plan or contract

Student admits it would be easy to fix. The issue might have already been plugged.

Teen gains access to T-Mobile network for free - without any data plan or contract

A teenager recently found a way to gain access to T-Mobile's mobile network for free - that is, without any data plan or contracts.

Jacob Ajit, a 17-year-old student at Thomas Jefferson High School for Science and Technology, was recently alone with nothing to do on a Friday night when he got to playing with his T-Mobile phone.

His device had a prepaid SIM, meaning he could use a basic LTE connection to upgrade his phone's plan.

T-mobile screenshot

After some fiddling, Ajit discovered his Speedtest app could achieve a 20 mbps LTE connection.

That's when a question sprang into his mind. As he explains in a blog post:

"What if TMobile was simply checking for similarly formatted /speedtest folders without any real verification?"

Curious, Ajit set his own /speedtest folder and loaded it up with various files, including a Taylor Swift music video.

T mobile tay

Now he could access any pre-loaded files from wherever he wanted!

But that wasn't enough. The student wanted the internet at his fingertips, so he created a proxy server on Heroku using Glype.

To his delight, it worked!

T mobile proxy

"Just like that, I now had access to data throughout the TMobile network without maintaining any sort of formal payments or contract. Just my phone’s radios talking to the network’s radios, free of any artificial shackles. Mmm, the taste of liberty."

Overall, it wouldn't be hard for T-Mobile to fix this issue. Ajit admits the mobile service provider would simply need to make its whitelist check against Speedtest's server list found here.

It might have even already done that. One of Motherboard's journalists who is a T-Mobile customer tried to replicate Ajit's procedure on his device, but to no success. That could be because the journalist's phone didn't use a prepaid SIM card. Or it could be because the issue has since been resolved.

T-Mobile has yet to acknowledge the issue, however, so we can only assume the gates to "Free Data Land" are still open.

But like the most wonderful things in life, it'll be that way for a limited time only.

Tags: ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

,

36 Responses

  1. Frank

    September 15, 2016 at 8:13 pm #

    So, basically, he's a hi-tech crook. I hardly think this should be celebrated.

    • The real Frank in reply to Frank.

      September 15, 2016 at 8:44 pm #

      if he was a "crook" ( Who uses that term anymore….) he probably wouldn't have gone public with the discovery,and wouldn't have talked about how to fix it…

      • Jake in reply to The real Frank.

        September 16, 2016 at 3:05 am #

        Usually people who say "Crooked Hillary"

      • Thomas Dial in reply to The real Frank.

        September 16, 2016 at 5:25 pm #

        In a technical sense, Ajit almost certainly violated the Computer Fraud and Abuse act, and could be charged with a federal felony. I do not thing that would be appropriate, or that the act is what we should consider good law. However, the law is what it is, and an ambitious US Attorney might view the act, and Ajit's action, quite differently, as some have done in the past. Announcing it publicly probably was a bit unwise.

    • Alysa in reply to Frank.

      September 15, 2016 at 10:04 pm #

      If he was a "crook" he wouldn't have made it public he would have saved that info to sell to people on the street so that they had unlimited data for a pretty penny in his pocket. Also if he was a real crooked crook he would be street rich, he would be a street runner, and a con artist like Hitlery (had to).

    • Idiot in reply to Frank.

      September 15, 2016 at 10:30 pm #

      Love the generalization. For the things that this kid was able to do and might not even comprehend to you Frank.

    • Sean in reply to Frank.

      September 15, 2016 at 10:40 pm #

      Haha….obviously this person is from the older generation. Darn technology!

    • DoodleGuy in reply to Frank.

      September 16, 2016 at 12:07 am #

      So, Frank, you're basically a pessimist dumbass. I hardly think you should be allowed to be on the internet.

    • Dumb@ss Frank in reply to Frank.

      September 16, 2016 at 12:37 am #

      This kid is very smart and Frank you have racist tendencies.

    • samurai in reply to Frank.

      September 16, 2016 at 2:28 am #

      Frank is just burger flipper the low end of American Sewage, and he knows all about being crook when he gulps those burger down his throat, when nobody is looking.

    • Jonno in reply to Frank.

      September 16, 2016 at 4:30 am #

      Frank, he is smart, you have to admit it.

    • Brian Cork in reply to Frank.

      September 16, 2016 at 11:05 pm #

      Frank… Frank! The young genius found the problem, tested it, verified it, then reported it to T-Mobile, and shut-down his test. He was a curious young engineer that ended-up doing T-Mobile a favor while showing both integrity and ingenuity.

  2. Alan

    September 15, 2016 at 8:47 pm #

    What I take from this is T-mobile rigging the speed test, throttling everything except the speed test sites.

    • Zero in reply to Alan.

      September 15, 2016 at 11:23 pm #

      You're quite right! Even if they're not deliberately throttling it, anything under "speedtest" was set up to bypass checks that slow ordinary activity down.

      • Fabio in reply to Zero.

        September 16, 2016 at 12:07 am #

        This brings up an interesting point, if that's the case with T-Mobile, I wonder if other internet data providers might be doing this with Speedtest. So even if you're paying for the service and you complain that your speeds are too low and they ask you to run a speed test to verify. After running the tests the speeds come up normal because their servers are rigged to throttle up when when they "see" a speed test but in reality you're stuck a lower speeds everywhere else.

        • B.Ryan in reply to Fabio.

          September 16, 2016 at 1:00 am #

          all of them do… set QoS on routers to give you the 'best' bandwidth possible to 'speedtest.net'…

          • RobR in reply to B.Ryan.

            September 16, 2016 at 12:32 pm #

            Please step by step instructions to get better speeds. what is QoS.

        • One in reply to Fabio.

          September 16, 2016 at 5:25 am #

          Volkswagen!

  3. fredjohnson

    September 15, 2016 at 10:14 pm #

    He's not a very smart crook for all his blabbering of what he did.

    • Bob in reply to fredjohnson.

      September 15, 2016 at 10:58 pm #

      He's not a crook, he's bringing an issue to light after having some fun with it. Such a pessimist.

      • dele in reply to Bob.

        September 16, 2016 at 8:14 am #

        he was being sarcastic

    • samurai in reply to fredjohnson.

      September 16, 2016 at 2:31 am #

      @fredjohson…It is wrong for you to publicly announce your "low life Profession". Go to sleep this is not your cup of tea.

  4. Johnny

    September 15, 2016 at 10:28 pm #

    Or it could be that he totally faked the issue, and is lying about his 'idea'.

  5. Justice

    September 15, 2016 at 10:42 pm #

    Of course he was alone on a Friday night LMAO…

    • Bob in reply to Justice.

      September 15, 2016 at 10:59 pm #

      Don't worry, when he's making millions and you're flipping burgers at McDonald's, he'll be the one laughing.

      • Leo in reply to Bob.

        September 15, 2016 at 11:08 pm #

        Bob Well said. Hats off…

  6. ALR

    September 15, 2016 at 11:29 pm #

    Hats off to this young man for having the intelligence of finding a hole in T-Mobile's network and the scruples to come forward so that it can be corrected. I hope T-Mobile recognize him with an award and a summer internship.

  7. Life

    September 16, 2016 at 12:00 am #

    AT&T didn't recognize it, because there was nothing to recognize.

  8. then there\'s #3

    September 16, 2016 at 12:39 am #

    You left out a third possibility: maybe his hack never worked in the first place

  9. Islanderwaab

    September 16, 2016 at 1:26 am #

    One Word: NEO

  10. NLJ2

    September 16, 2016 at 2:07 am #

    all the work to be on t-mobile's shitty network…

  11. John

    September 16, 2016 at 4:41 am #

    Who thinks like that?…""What if TMobile was simply checking for similarly formatted /speedtest folders without any real verification?"…."created a proxy server on Heroku using Glype" Im like what? I'm in IT and have no idea what Heroku and Glype is.

    Someone give this kid something to do. Go to the mall and hang out with your friends. Are you sure Ajit isn't a robot?

  12. rafe

    September 16, 2016 at 5:44 am #

    tmobile cheats and has been rigging the speedtest website and app. If you setup what this kid did you will get high speed data all the time not 3g and 2g once your data cap is finished. T mobile does not believe in net neutrality.

  13. Peter

    September 16, 2016 at 1:06 pm #

    What's all this hassle about a 20 millibits per seconde connection?

  14. Big Tits Magillicoughty

    September 16, 2016 at 7:42 pm #

    All I see is some kid who needs to find better shit to do on a Friday night.

  15. Bigtits Magillicoughty

    September 16, 2016 at 7:43 pm #

    17 years old, Friday night, and this is all he could find to do huh?

Leave a Reply