Verizon Data Plan Hackable?

08 Jun 2006

I’m loving my new Moto Q with it’s unlimited data plan but I’m wondering just how robust their service is.

I was using my Windows Mobile 5 version of Internet Explorer to check the mobile-formatted layout on one of my websites when I got curious and went looking for it’s IP in my log files. I thought I’d see what services were running on my phone:

$ ping [my_phone_ip]

PING [my_phone_ip] ([my_phone_ip]) 56(84) bytes of data.
64 bytes from [my_phone_ip]: icmp_seq=1 ttl=105 time=244 ms
64 bytes from [my_phone_ip]: icmp_seq=2 ttl=105 time=415 ms
64 bytes from [my_phone_ip]: icmp_seq=3 ttl=105 time=250 ms
64 bytes from [my_phone_ip]: icmp_seq=4 ttl=105 time=256 ms

--- [my_phone_ip] ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3104ms
rtt min/avg/max/mdev = 244.003/291.695/415.518/71.624 ms

This showed moderate latency (1.2ms) and worked perfectly.

On to a port scan:

$nmap [my_phone_ip]

Starting Nmap 4.03 ( ) at 2006-06-08 16:18 PDT
Interesting ports on 1.sub-[my_phone_ip] ([my_phone_ip]):
(The 1655 ports scanned but not shown below are in state: closed)
22/tcp    filtered ssh
42/tcp    filtered nameserver
135/tcp   filtered msrpc
136/tcp   filtered profile
137/tcp   filtered netbios-ns
138/tcp   filtered netbios-dgm
139/tcp   filtered netbios-ssn
179/tcp   filtered bgp
445/tcp   filtered microsoft-ds
1023/tcp  filtered netvenuechat
1433/tcp  filtered ms-sql-s
1434/tcp  filtered ms-sql-m
1720/tcp  filtered H.323/Q.931
3306/tcp  filtered mysql
4444/tcp  filtered krb524
4899/tcp  filtered radmin
6101/tcp  filtered VeritasBackupExec
8000/tcp  open     http-alt
10000/tcp filtered snet-sensor-mgmt

Nmap finished: 1 IP address (1 host up) scanned in 67.776 seconds

There are only two explanations for this:

  • My phone is very insecure and for some reason is running a LOT of strange services (unlikely)
  • My phone is routed through a proxy during web requests - a proxy that is running a LOT of services (likely)

Either way, it looks like Verizon’s data network is running MS software with boatloads of open ports. I’m particularly interested in why they’re running ms-sql server and mysql at the same time (presumably, they could have remapped the ports).

Please if you found this post helpful or have questions.