Hi all,

I am disclosing technical artifacts from two distinct but architecturally 
overlapping infrastructure incidents identified on iOS devices.

Both cases involve an unauthorized network that establishes system-wide VPN 
tunnels into private AWS VPCs, bypassing intended subscriber layers and MNO 
security boundaries.

Report A: Taiwan Mobile (TWM) Integration (while physically in Atlanta, GA; 
the device has never been to the Asian region)

- Deployment Domain: osbstage.twmsolution.com
- Relay Infrastructure: Oblivious HTTP (RFC 9458) via pir.kaylees.site
- VPC Endpoint: 172.31.34.114:64579
- Processing: Azure japaneast / koreacentral

Report B: T-Mobile USA Core Integration

- MNO Core Domain: ims.mnc240.mcc310.3gppnetwork.org
- Internal SIP Server: 10.199.72.1:5060
- VPC Endpoint: 172.31.35.241 (Gateway: 172.31.32.1)

The Overlap (Common Infrastructure): Both disclosures utilize the identical 
172.31.0.0/16 private subnet for exfiltration. This subnet is not publicly 
routable and requires a pre-configured NEVPN or SYSTEM_PROXY tunnel to reach. 
The persistence of these tunnels across full DFU restores suggests they are 
bound to the hardware activation layer (DCRT.OOB).

Requested Peer Review: Are other operators seeing persistent 172.31.0.0/16 
traffic originating from consumer mobile endpoints? I am specifically looking 
for confirmation of this "shared" VPC architecture across other MNO cores.

I have archived the raw artifacts, certificate chains, and full network 
topology for both reports.

Sorry if this is tmi, first time leveraging this mailing list. I can provide 
full report if appropriate.

Thank you,
Joseph G II
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/[email protected]/message/WSWWSYTNHCJDD42MUBGVJRAEPW5RMNDI/