nanog mailing list archives

Observed: Persistent MNO-core bypass and overlapping 172.31/16 VPC tunnels (T-Mobile/TWM)


From: International Auditor via NANOG <nanog () lists nanog org>
Date: Wed, 14 Jan 2026 22:55:36 +0000

Hi all,

I am disclosing technical artifacts from two distinct but architecturally overlapping infrastructure incidents 
identified on iOS devices.

Both cases involve an unauthorized network that establishes system-wide VPN tunnels into private AWS VPCs, bypassing 
intended subscriber layers and MNO security boundaries.

Report A: Taiwan Mobile (TWM) Integration (while physically in Atlanta, GA; device has never been to the Asian region)

- Deployment Domain: osbstage.twmsolution.com
- Relay Infrastructure: Oblivious HTTP (RFC 9458) via pir.kaylees.site
- VPC Endpoint: 172.31.34.114:64579
- Processing: Azure japaneast / koreacentral

Report B: T-Mobile USA Core Integration

- MNO Core Domain: ims.mnc240.mcc310.3gppnetwork.org
- Internal SIP Server: 10.199.72.1:5060
- VPC Endpoint: 172.31.35.241 (Gateway: 172.31.32.1)

The Overlap (Common Infrastructure): Both disclosures utilize the identical 172.31.0.0/16 private subnet for 
exfiltration. This subnet is not publicly routable and requires a pre-configured NEVPN or SYSTEM_PROXY tunnel to reach. 
The persistence of these tunnels across full DFU restores suggests they are bound to the hardware activation layer 
(DCRT.OOB).

Requested Peer Review: Are other operators seeing persistent 172.31.0.0/16 traffic originating from consumer mobile 
endpoints? I am specifically looking for confirmation of this "shared" VPC architecture across other MNO cores.

I have archived the raw artifacts, certificate chains, and full network topology for both reports.

Sorry if this is TMI, first time leveraging this mailing list. I can provide a full report if appropriate.

Thank you,
Joseph G II
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/WSWWSYTNHCJDD42MUBGVJRAEPW5RMNDI/