Concerned about security on T2e Android 11 with no more security updates

Hey all, and more specifically, Teracube engineering:

Let me pick your brains on this. Recently, I got my T2e replaced with what was supposed to be a brand new replacement. In the past, I would always have done a wipe and firmware change out of an abundance of caution on any new device. However, I was busy and the phone seemed new/sealed and booted-up and went through fresh OOBE and showed no prior uptime. So I popped my sim card in and started using it.

Two days ago, I get a couple of SMS verification codes from Google Voice’s official SMS shortcode, which I ignored, aside from a quick visit to Google to make sure my account was secure and no logins had occurred from unknown devices. All looked good with no unauthorized activity, so I went about my business. A few hours later, I got an email from Google Voice that my cellular # had been removed from Google Voice as a forwarding number and attached to someone else’s GV account, meaning they were able to read my text messages. I re-added the number as a forward to my GV account, and verified using the SMS codes sent to me. I also sent an alert to GV support, but sending anything serious to Google expecting action is like sending a letter to the White House and expecting someone to actually do anything with it. At least in my experience haha!!

Fast forward a few days, I woke up this morning and a well-known social media app that I use had been hijacked. This app was NOT on the T2e; however, this app uses a phone number (and SMS verification, with email as optional backup). Someone would have gone through SMS verification in order to gain access on another device. The email was changed by them but the phone number left alone. Meaning, they were able to sign into the service and get an SMS verification code, then change my email on the service to something else.

Given the fact that this seems to be an SMS intercept, it seems that one of the following is true:

A) on-network SMS intercept on T-Mobile’s system

B) the new T2e came with some malware installed

or

C) the new T2e became the victim of an attack, likely due to out-of-date security fixes exposing some vulnerability.

As a precaution, I wiped and re-flashed firmware on both the T2e and my other device (I don’t suspect the latter because it has no SMS capability), and re-built everything from scratch, passwords, yadda yadda yadda.

Pertinent facts:
1- I use a separate device with the bulk of my apps (wifi only, no cellular) for daily use

2- the new T2e was mostly factory-vanilla with only minor customization done to it (icons, look, etc) and had a lock code active

3- very few apps were installed on the new T2e phone and it was only being used for calls and SMS for the most part. No web sites had been pulled up on it yet, and although email was set up, the app has always been configured to not load anything outside of plaintext content from any messages.

4- No other device besides the new T2e had access to send/receive SMS on that cellular service

5- Wifi calling has always been turned-on, and that carries SMS also, I believe.

6- The new T2e was updated with all available security updates/patches, however, being on Android 11.x, those updates stopped a very long time ago.

Any ideas guys? Something I could be missing here? I’m doubtful that it was a hack on T-Mobile’s network. Before I wiped and re-flashed the T2e, I did look at all the running processes and didn’t see anything out of the ordinary. Like I said, it had very little of anything installed on it yet, as I had just started using it.

As Forbes noted 2.5 years ago, SMS verification is going to fail a quarter of the time, and it’s well known that the networks are often hijacked with MitM attacks which can stay dormant for extended periods of time.
If you’ve used SPflash with the known-good firmware from here, have only installed ‘safe’ apps, and are still getting compromised, it’s likely the infrastructure at fault rather than your phone.

Hi @sgray500 - sorry to hear about this situation. The issue is most likely caused by something outside the phone (carrier level maybe), as getting something on the phone would be a very, very highly sophisticated attack and would have been public by now.

Regarding the malware part, all our units should have the bootloader locked. You can verify this by running this app.
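
A workstation-side way to make the same check the post above recommends, added here as an example and not Teracube's app or code: it parses the output of `adb shell getprop` and flags an unlocked bootloader, a verified-boot state other than green, or a security patch level older than a chosen age. The property names are standard Android ones; the sample output is constructed, not captured from a T2e.

```python
import re
from datetime import date

# Constructed sample of `adb shell getprop` output (not captured from a real device);
# the property names are standard Android ones, the values are made up here.
SAMPLE_GETPROP = """\
[ro.boot.flash.locked]: [1]
[ro.boot.vbmeta.device_state]: [locked]
[ro.boot.verifiedbootstate]: [green]
[ro.build.version.release]: [11]
[ro.build.version.security_patch]: [2022-03-05]
"""

PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")

def parse_getprop(text):
    """Turn getprop output ('[name]: [value]' per line) into a dict."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props

def audit(props, today_iso, max_patch_age_days=90):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if props.get("ro.boot.flash.locked") != "1":
        findings.append("bootloader not reported locked (ro.boot.flash.locked)")
    if props.get("ro.boot.vbmeta.device_state") != "locked":
        findings.append("vbmeta device_state is not 'locked'")
    # Verified boot colour: green = stock signed image, yellow = custom root of
    # trust, orange = unlocked/unverified, red = verification failed.
    state = props.get("ro.boot.verifiedbootstate")
    if state != "green":
        findings.append(f"verified boot state is {state!r}, expected 'green'")
    patch = props.get("ro.build.version.security_patch")
    try:
        age = (date.fromisoformat(today_iso) - date.fromisoformat(patch)).days
    except (TypeError, ValueError):
        findings.append("security patch level missing or unparsable")
    else:
        if age > max_patch_age_days:
            findings.append(f"security patch level {patch} is {age} days old")
    return findings

def audit_getprop_text(text, today_iso):
    return audit(parse_getprop(text), today_iso)
```

To audit a connected device, feed `subprocess.check_output(["adb", "shell", "getprop"], text=True)` and `date.today().isoformat()` to `audit_getprop_text`; note that a locked bootloader and a green state only attest that the image is signed by the vendor, not that the vendor's image itself is clean.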

Thanks guys, for the input on this. Yeah, all reasonable precautions have been taken to keep the device clean, and yes I used the firmware from here and did the wipe/flash/wipe.

It just amazes me how widespread these attacks are getting now. I have a port-lock on my number with the carrier, so I’ll cross my fingers and keep playing the drums!!

I had nearly the exact same thing happen to me recently, also with a warranty-replacement phone that appeared to be brand new. In my case, a Venmo code was received just prior to the Google Voice takeover. Then new PayPal, Microsoft, and many other accounts were opened using my phone number as a verification method. Although the Lookout security app didn’t detect anything, I concluded the phone itself was hacked after getting a new SIM card from AT&T did nothing to stop the SMS interceptions, and then getting a 2nd new SIM card from AT&T but putting it into my older Teracube (still running Android 10) immediately stopped the problem.

Based on my experience, I’m not totally satisfied with the responses from this thread, and believe that scenario A did not occur, and that it is more likely scenario B or C.

How confident is Teracube that the factory making its phones right now is not installing malware on them?
How confident is Teracube that the Teracube 2e with the latest Android v11 cannot be hacked when it connects to a public Wi-Fi (or spoofed Wi-Fi) at an international airport, or when a prepaid SIM card bought on Amazon is inserted and used in SIM slot 2, alongside a SIM card from a major American carrier such as AT&T?

Same situation has only gotten worse for me since that post. Every week, I am dealing with purely-SMS-based attacks. Last week, they gained access to my Facebook account (which I thankfully don’t actively use anymore), but did so through SMS verification. Accounts are being created with my phone number all over the place. Like, I could believe an isolated incident, but I just can’t sit here and believe that the carriers’ networks have been taken over by hackers and they are just letting it happen. I am desperately looking for a replacement for Teracube that I can believe in and count on. The mere fact that this same phone from 2020 is still advertised as for-sale on the website with Android 11 (with no security updates in two years), tells me this is the end of the road for the project.

Unless something is embedded in the individual components’ firmware, whatever is causing this has to be in the main OS image. Along with that initial post, I did the “wipe-flash-wipe” using Teracube’s official firmware, so I wouldn’t think anything could survive that, unless it’s embedded deeper in the device itself.

Again, there is just no way that the carriers’ networks are to blame on this… American companies are lazy, but come on. Something that widespread would be on the national news by now.

Two days ago, I had to say enough is enough! I’m done with Teracube. DONE. DONE. DONE!

Whatever this underlying malware problem is, they’re obviously aware of it, yet they have not asked to inspect the device or asked any questions. “Must be the carrier.” Yeah right…give me a break…widespread hacking of a national carrier’s network over and over like that??? That leads me to conclude that Teracube has no clue or control whatsoever over what is coming from the factories where they are having these things made, and they are just passing along the devices without good quality control. The engineers at Teracube should have access to all code running on the hardware, even on embedded portions.

There is NO EXCUSE whatsoever for this to be happening on shipped hardware. NO EXCUSE!

Hi @sgray500 - we have newer security updates available on our Android 13 build.

We have been asking for security patches for a while now, but it seems like Teracube doesn’t care for users to have a stable and secure device. They instead focus their efforts in releasing buggy alpha and beta versions of the newer Android versions.

This SMS hijacking situation should be addressed by them with the utmost highest priority, but instead they brush it off as being the fault of the network provider.

Why do we need to force upgrade to an unstable beta Android 13 build to get the latest security patches? It’s ridiculous. With each new Android release comes a long list of bugs, performance issues and features that no longer work. Not to mention that you need to be tech savvy in order to upgrade. There’s also the risk of losing your data with every upgrade.

I have completely lost all trust in Teracube

A stable certified (Android 13) update is live, here

Any update on this? Was the problem with malware being installed on the refurbished devices before being sent to customers?
I never heard about a vulnerability in Android, so while it’s great that Android 13 is available, that doesn’t help if your vendor in China is hacking the phones while refurbishing them.
Do you guys have your chain of custody under lockdown now?

The issue is some old CVE being exploited by apps you might have installed (it could also be a normal Play Store app; Google keeps banning these apps with ad networks), while upgrading to Android 13 brings in the latest security patches, which make these apps unable to exploit it anymore. It’s highly recommended to upgrade to Android 13 to keep your device usable and secure.

How do you explain then that the SMS hack occurred only after receiving a refurbished phone? Since Teracube doesn’t provide an easy way to image devices, I made every effort to replicate the image on the “new” phone. I installed only the same apps I already had on the old phone. So, same apps, same version of Android, same SIM card…but only 1 of the 2 phones forwarded the SMS codes.

Again, unpatched CVEs: there are no security updates available for Android 11, and it’s vulnerable to several CVEs as of today. (We offer tools to fresh install the device by easy one click.)

First, you guys say it’s something outside of the phone, at the carrier level. Now you blame unspecified exploits in Android 11. Which unpatched CVE allowed for forwarding of SMS? Can you provide a link to a webpage which documents a CVE that allowed this? And how does the CVE only manage to be exploited on the refurbished phone with fewer apps (and no additional apps)?

And instead of just brushing off our concerns about chain of custody by saying the bootloader is locked, how about actually explaining what controls you have over the chain of custody? A bootloader can be unlocked, a custom ROM with an exploit could be installed, and then the bootloader could be locked again, correct?

Refusing to provide answers to reasonable questions makes it just look like you are pretending that the issue doesn’t really exist, which doesn’t build credibility. You are a niche company with a tiny % of the Android market share. Your credibility is really all you have, right?

Surprised I’m still getting notices on this two years later, but after reading the continued blame on Google and the app store, I just have to jump in here and rebut those claims. The phone I was sent was infected with malware at a low level. It was NOT something that occurred from installing other apps or interacting with the Play Store, as Teracube erroneously suggests. Without installing any apps or even connecting to the app store, the malware went to work IMMEDIATELY UPON INSERTION OF SIM CARD, intercepting and requesting text messages (especially ones from Google services).

The lack of responsibility/accountability and Teracube’s cavalier attitude over such a serious breach led me to immediately ditch the phone, replace my SIM card and switch to another commercial phone. Not surprisingly, the problem went away, except for the damage that had been done with the previously-intercepted text messages. I probably should have demanded that Teracube take back and refund the device that was sent to me, and/or reported it to the authorities for knowingly continuing to sell and not address the embedded malware after being made actively aware of the problem. There’s no telling how many people out there may still be victims of their devices’ behavior, especially with no official recall or published acknowledgement of the issue!

In any event, I was overloaded at the time and did not engage any further. Obviously every other phone manufacturer “has their stuff together” and does not have such a massive breach of security of their devices, regardless of Android version. To think for a moment that Teracube doesn’t feel it’s responsible for shipping out phones with malware embedded in them should be cause for an investigation alone! I would note that I have other-branded backup devices with Android 9 through 11 on them and they have never exhibited such behavior any time I have to use them. The move to try and shift blame to Google/Android would be laughable if it was not so ridiculous!

Hi! I am sorry for what you’ve been through. Teracube has issued an upgrade to Android 13, and currently all active users have moved to Android 13 and we haven’t heard about security issues ever since. Teracube is aware of your incident and concluded it’s either an external cause or the lack of security patches on Android 11; with the open source tool vanir, 400+ vulnerabilities were identified in the firmware. It’s more feasible to just upgrade them to the newer, up-to-date Android 13. The firmware is secure boot checked and it won’t boot with a locked bootloader on a custom firmware unless compiled by Teracube. Regarding blame for Google and the App Store, that’s not the case, because there are some fishy apps that go through Google’s reviews and Google eventually bans them; you can Google it, but here’s a recent post I found online: Google bans 180 apps from Play Store over links to widespread fraud scheme. Teracube is a small team and pushing updates is challenging for a small vendor; however, they are still putting in effort to keep the software up to date, and after this incident they are more aware and are pushing out bi-monthly security patches to Android 13 and will move to future Android versions in coming months. I hope that answers your worries.