web application security lab

AT&T UMTS JS Injection

This isn’t exactly an exploit, but I’m sure after reading it, some people will feel like it is, or at minimum it might make people feel uncomfortable. It appears that when users connect through AT&T UMTS wireless cards, the system man-in-the-middles the connection, and not only does it downgrade the image quality for performance reasons but it also injects a piece of JavaScript located at http://2.2.3.4/bmi-int-js/bmi.js (not live on the Internet). If you’re anything like me and you see a piece of JS installed in your website that you know doesn’t have any JS on it at all, you’re thinking you’re owned at this point. Alas, you probably are owned, but it’s in an effort to save your bandwidth. You can download a zipped copy of this JavaScript file here.

The real questions are when and how this page gets cached, and who owns 2.2.3.4 when it’s not being MITM’d (when you switch from UMTS to another network), and on and on. Incidentally, I tried to do directory traversal and go to http://2.2.3.4/ to see what else might be on that page and it banned me from going there and to the JavaScript file for the rest of the session. Why? Probably to stop guys like me from hacking whatever server that is and MITMing everyone on AT&T’s UMTS network. Clearly reducing the size of the page is good for them, and is good for some percentage of users who don’t care about the potential issues here. And for the rest of us, we’ll continue to tunnel our traffic so we can avoid AT&T’s MITM craziness.

Update: a few people have sent me links showing that this is also happening on other networks.

15 Responses to “AT&T UMTS JS Injection”

  1. David Bloom Says:

    I’m pretty sure that AT&T 3G uses UMTS, not EvDO (EvDO is used by CDMA2000 providers such as Verizon and Sprint)

  2. RSnake Says:

    Thanks, David - I changed that.

  3. JP Says:

    Does the web browsing still work if the script bmi.js is blocked by NoScript? E.g. are the images properly loaded?

  4. Christopher J. Pilkington Says:

    The 2.2.3.4 is currently unassigned on the internet, but the entire 2.0.0.0/8 block has been given to the RIPE NCC, which is responsible for IP address assignment in Europe.

  5. Jason Borne Says:

    Interesting read, then again every post you make is. You think you might do some new ones on Darknet along with TOR/Freenode/WASTE again vulnerabilities?

  6. ChosenOne Says:

    I can confirm this for Vodafone in Germany (though its IP was 1.2.3.4, I think)
    Finding out more about that host was as hard as you describe in your post. :/

  7. Nicholas Weaver Says:

    Someone on such a network, could you try two sites and post the results:

    a) Web Tripwires: http://www.cs.washington.edu/research/security/web-tripwire.html

    b) Netalyzr: http://netalyzr.icsi.berkeley.edu/

  8. Nicholas Weaver Says:

    (for background, I was involved in the development of both tools)

  9. Stefan Meyers Says:

    This happens on UK T-Mobile as well.

    But they go even further: as well as the JavaScript MITM for images, they also rewrite the CSS of the page.

    Our site has separate CSS files, but T-Mobile rewrites the traffic to include the CSS inside the head of the page rather than as separate files.

    This is particularly bad for us as our designers put their email addresses in the CSS file (I know, don’t get me started on that one) and with the page being XHTML strict, it chokes on the @ symbol with a well-formedness error. So our entire site errors on every page…

  10. Stefan Meyers Says:

    Results from Web Tripwires over British T-Mobile 3G Broadband:

    Page Modification Detected
    We have detected that our web page was modified between leaving our server and arriving in your browser. There are many possible causes for such a modification, ranging from the use of personal firewalls to Internet Service Providers that inject advertisements.

    For your reference, the actual HTML your browser received is shown below, with the modifications highlighted in red and green.

    It looks like 90% of the page is re-written.

    Don’t think it would be appropriate to post the whole HTML here; let me know where and I’ll send the page.
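The Web Tripwires result above and the bmi.js injection described in the post come down to the same check: compare the HTML the origin server sent with the HTML the browser actually received, and name any script the server never included. The Python below is an added example, not code from the post or from the Web Tripwires project. It assumes the server can hand the client a digest of the served page out of band (for instance over a tunnel that the proxy does not touch); every HTML document in it is constructed sample input, and the only value taken from the page is the bmi.js URL quoted in the post.

```python
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Record every <script> on a page: external ones by their src, inline
    ones by a digest of their body, so an injected inline script is caught
    as well as an injected external one."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._inline = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.append(src)
        else:
            self._inline = True

    def handle_data(self, data):
        if self._inline:
            digest = hashlib.sha256(data.encode("utf-8")).hexdigest()[:16]
            self.scripts.append("inline:" + digest)

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._inline = False


def script_manifest(html):
    """Return the list of script identities found in an HTML document."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    return collector.scripts


def page_digest(html):
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def check_page(served_html, received_html):
    """Tripwire check. served_html is what the origin server knows it sent;
    received_html is what the client got. A digest mismatch with no injected
    script still means the page was rewritten in transit (inlined CSS,
    stripped comments, recompressed markup), which is the case the T-Mobile
    comments above describe."""
    known = set(script_manifest(served_html))
    injected = [s for s in script_manifest(received_html) if s not in known]
    return {
        "modified": page_digest(served_html) != page_digest(received_html),
        "injected_scripts": injected,
    }


# Constructed sample pages (not captured traffic). The served page has one
# script of its own so the check has to tell "ours" from "theirs".
SERVED_HTML = """<html><head><title>Sample page</title>
<link rel="stylesheet" href="/style.css">
<script src="/js/app.js"></script>
</head><body><img src="/photo.jpg" alt="photo"></body></html>"""

# The same page with a proxy-injected script tag; the URL is the one the
# post reports, the tag placement is an assumption.
TAMPERED_HTML = SERVED_HTML.replace(
    "</head>",
    '<script src="http://2.2.3.4/bmi-int-js/bmi.js" type="text/javascript">'
    "</script></head>",
)


if __name__ == "__main__":
    print(check_page(SERVED_HTML, SERVED_HTML))
    print(check_page(SERVED_HTML, TAMPERED_HTML))
```

The digest comparison is the part that needs the out-of-band channel; the script manifest is the part that tells you what was added rather than merely that something changed, which is the question the post opens with.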

  11. ChosenOne Says:

    A thread about the ‘web tripwires’ and ‘netalyzr’ results on sla.ckers would be a good idea. I would add results for Vodafone Germany asap.
    However, we should agree upon a webpage to make filtering/modification comparable ;)

  12. Mark Says:

    What I do not understand is how these guys are still in business. Let alone stripping the HTML and JavaScript content, basically breaking pages, they strip out the copyright headers from the stylesheets, HTML pages, JavaScripts etc., so a user doesn’t get a chance to know to whom the content belongs.

    So you have, say, jQuery integrated? After the mangling, there goes John Resig’s copyright notice. Or if you put your own copyright in the stylesheet, poof, it disappears and anyone else can claim it perhaps… Lots of “copytheft applications” that I see. Man, I love modern technology.

  13. kaes Says:

    I can confirm ChosenOne: I was on a German Vodafone UMTS two weeks ago and it did all that. Indeed I remember the JS coming from 1.2.3.4 as well, and IIRC another low-range IP as well.

    They don’t seem to make it exactly hard to circumvent (as SSH and other protocols remained unchanged), but at that moment I couldn’t quickly/easily figure out a tool that would allow me to tunnel the HTTP traffic smoothly (say, local proxy of some sorts?).
    Working on a webdev job, I would prefer if they kept their fingers off my traffic :) Especially as I was busy optimizing thumbnailing and image quality myself :) Anyone got a recommendation on how to best tunnel it? Without losing too much bandwidth; UMTS there was slow enough as it is.

  14. Picci Says:

    Vodafone in Italy does proxy all connections on a few APNs. I tend to appreciate their effort, but I do tunnel over ssh on port 110 (apparently they don’t mind me downloading GBs/day of “email”) when I connect from my laptop via my phone’s internet sharing.
    I’ve also noticed something relatively funny and have to check if it’s due to Facebook or VF’s proxy: I get a link to Vodafone Live’s portal (0.19 euro if you enter their site) at the bottom of m.facebook.com.
    I’ll check tonight if it appears also through the tunnel or not. In the second case, would it be legal on Vodafone’s side?

  15. William Triest Says:

    Can anyone think of a good reason they’re using javascript to accomplish this?

    If I were thinking of this I would think of using a proxy server to do something like this. Between 3rd party browsers and people connecting laptops, I can see that they couldn’t easily force a proxy server. If you control the gateway, you have a single point for controlling connections.

    Then you can easily detect mime types of images that you know how to downscale.

    I can see some people not liking this, so I think there should be a way to opt-out. I can see for the vast majority of people this being a useful service had they implemented it better. While I generally don’t like opt-out things, I think this could have been a valuable service.