AT&T Microcell Disassembly; Security Flaws Exposed 82
Posted
by
Unknown Lamer
from the bind-all-the-addresses dept.
from the bind-all-the-addresses dept.
CharlyFoxtrot writes "The geeks over on the fail0verflow blog took apart an AT&T Microcell device which is 'essentially a small cell-tower in a box, which shuttles your calls and data back to the AT&T mothership over your home broadband connection.' They soon uncovered some real security issues including a backdoor : 'We believe that this backdoor is NOT meant to be globally accessible. It is probably only intended to be used over the IPSEC tunnel which the picoChip SoC creates. [...] Unfortunately, they set up the wizard to bind on 0.0.0.0, so the backdoor is accessible over the WAN interface.'"
Backdoor? (Score:5, Insightful)
AT&T's customers routinely take it in the backdoor from the company already so they just figured that no one would notice in this case.
Re: (Score:1)
AT&T's customers routinely take it in the backdoor from the company already so they just figured that no one would notice in this case.
Maybe it's a good time to point out that my T-mobile Smart phone, that I was able to purchase without a Data plan happily switches to my home wireless network for calls whenever the wi-fi is turned on. I still get the minutes deducted though.
Re: (Score:2)
They charge you for using resources you're already paying for, and you're pointing this out as a good thing?
Re: (Score:2)
I don't think he did point it out as a good thing :)
Re: (Score:2)
It is a bit tacky to charge you full minutes though since they're leeching your bandwidth to complete the call.
Re: (Score:1)
No, he's telling us that he enjoys T-Mobile making him take it up the backdoor, too
Re: (Score:2)
I had one of the earliest T-Mobile wifi phones. They used to use "no minutes used on wifi" as a selling point. It was pretty good about transitioning from wifi->wireless, but not so much the other way. That they are now dinging you for offloading their cell towers seems crappy. Still better than Verizon and AT&T though. Have to pay for the microcell and service.
Re: (Score:2)
Verizon and AT&T make you pay three times for the privilege of getting better cell xoverage.
Once for the cell phone service
once for your (now capped) internet,
and once for the microcell
All forthe privillege of using them. Oh and the micro cell in each case only works for you so when family visits they also get shoddy cell reception.
Re: (Score:1)
Some of the Tmobile phones could do "UMA", which is the GSM protocol over Wifi. The cool thing about this (as opposed to VoIP), is that you can hand off a UMA call to regular mobile phone tower. I don't understand why this isn't more prevalent. Perhaps it's the techinical problem: I think all the GSM stuff is done in the "baseband processor", so there would need to be a way to get the GSM packets out of the baseband processor and into the application processor and onto the wifi.
Improved Roaming (Score:3)
The box is only ‘allowed’ to work when within the area nominally serviced by AT&T.
Very cool would be any trick to overcome this limitation and have local cell service wherever you may be.
Re: (Score:1)
Replace the GPS module by a small microcontroller that'll always provide the same location - done !
Re: (Score:2)
The article states the microcell also uses GPS for timing : "GPS is used both for radio timing and for determining the position of the box." So that might not work.
Re: (Score:2)
A little AVR chip can intercept the GPS readings, keep the time the same but substitute the long/lat just with its onboard serial.
Re: (Score:3)
Hold your horses!
Yes you can probably come up with hacks to make it possible to user your box out of the "legal" area. Here's things to keep in mind:
1) AT&T may very well be watching the IP address from which your box is connecting into their cellular switching center. While nowhere nearly as accurate as GPS, they can certainly tell that you're in the Chicago area with your box, while your service is registered in Seattle... They could stop you cold on this.
2) The timing issue, while not so much a
Re: (Score:2)
#2 would be an interesting issue to investigate in more detail.
With an AVR you could calculate the exact amount of time it takes to process the signal and either make it fully compatible (e.g. a very specific delay for the signal) or also alter the timing by the exact amount.
Re: (Score:1)
I am sure its just geo-ip location. I don't think they'd put GPS on the device. To many applications have inside structures with metal roofs, and underground where GPS works poorly if at all.
So you are pretty much a VPS host someplace and GRE tunnel away.
Re: (Score:2)
Or why not just murder the geoIP database, so all IPs fall within the covered area? Either that, or just wrap it in NAT so it thinks it's on a network that it actually is not?
Self contained! :D
Re:Improved Roaming (Score:5, Insightful)
Ask Slashdot "how to spoof GPS" indoors. (Score:2)
How to spoof GPS indoors?
Let it pick up a signal for an arbitrary location.
Re: (Score:2)
It wouldn't be fun? Huh? It should fit in 100-200 lines of C on most any decent microcontroller with hardware UARTS. It's almost a no-brainer.
Re: (Score:2)
Bingo - I posted on this earlier in this article (different sub-thread).
GPS is used to discipline the radio's oscillator to about 2,000 times greater precision than your garden-variety oscillator. This is NOT part of any serial port protocol. It is done with a dedicated logic signal, generally emitting one pulse per second.
Bad things will happen if the radio doesn't get rock-solid timing on this input. Like drifting out of your assigned RF channel and splattering on neighbor cells - oh and more important
Re: (Score:1)
I have a metal roof at home too. The [cool | pain in the ass thing] is that it only uses GPS on startup or whenever the power is cut. I added an extra long Ethernet cable and extension cord and just drag it to the window whenever it needs to phone home. So far it's only been about once a month.
Re: (Score:2)
It actually has a port on the back for an external GPS antenna...I ran a cheapo from e-bay outside, and have the microcell in my basement where I needed the signal the most.
GPS (Score:2)
Actually, you're incorrect in your thinking. They were required to put GPS in it for E911 to work and the device will not function until the GPS location is verified. As the owner of a microcell I can tell you that GPS reception is the biggest #$@!@# pain in the ass for the thing in general. I have a metal roof at home and the microcell will only activate for me if I hang the device in the skylight.
Actually, the GPS is most likely there to provide a precise time reference...required by GSM.
Re:Improved Roaming (Score:5, Informative)
It' does have a GPS, but it's not for E911.... you could register the location if that were all it was.
They won't allow the device to use unlicensed spectrum. Since the frequencies that a company has licensed will vary from place to place, they want the device to know where it's located. It can then determine which frequencies it is licensed to use in that particular area. You'd think a reverse-IP location would be adequate, but the FCC apparently "requires" that they do this with GPS. I had read stories that some customers were allowed to request a bypass (AT&T would remotely program the device location and tell it to ignore the GPS and work anyway) but the FCC forced them to put an end to that practice (the FCC is always so "helpful" like that. )
There are more ironies... not only does the device need to be near a window where it can pick up a GPS lock, it also tests the signal strength of the standard AT&T towers. It dials it's own signal strength back IF it thinks that the outside signal strength should be good enough. And since the device now has to be located in a window, it'll get better signal than you could realistically get inside your home. And of course being at a window, you cannot locate the device in a central location to offer coverage to most of the home. The result is that this makes the micro-cell transmit the weakest possible signal (and of course you bought it SPECIFICALLY to overcome the problem of weak signals) and if you're not relatively close, the device is worthless.
It gets worse. AT&T allows a hand-off of a call from micro-cell to regular towers, but it can't do a hand-off in the other direction. And since towers vary their signal strength regularly and the micro-cell is now using it's wimpiest transmit power, it takes very little to make the phone think that it needs to switch to an outside tower. The result is that if you get an outside tower boost from... say 1 bar to maybe 3 bars, your phone will switch to the outside tower. A few moments later the outside tower drops back to it's more typical 1 bar signal strength. Since the call cannot do a hand-off back to the micro-cell... the call just drops.
After months of frustration, I discovered the solution. There's an external antenna jack on the back. If you ask AT&T about it, they can't tell you anything about it. They don't sell any accessories or even know what sort of antenna would work with this. You can get an external GPS antenna with a long cord (I bought one with a 25' cord.) This allows you to get the micro-cell away from the window and closer to the center of the house. BUT.. the micro-cell also varies its own transmit power based on whether it's able to detect much outdoor AT&T signal. It's in your best interest to make sure the micro-cell gets the weakest signal you can manage. I located my micro-cell to my basement... in a small closet under the stairs. The GPS antenna is in a basement window. Now the micro-cell still gets the GPS lock, but it doesn't get any outside AT&T signal... consequently it's actually willing to put out a much stronger signal and it works all around the house.
You won't be able to buy the antenna from AT&T. You'll need do a search for a GPS antenna that works with the AT&T micro-cell. I found one via Amazon for $30... one of the best $30 I ever spent. Now the device actually works as intended.
Re:Improved Roaming (Score:5, Funny)
Re: (Score:1)
Re: (Score:2)
I don't believe that to be the case. I have one (not used anymore since they just put a tower in close by), and it does not come online unless it is able to sync with GPS. I had to actually move it from the basement because it wasn't able to sync to the satellites.
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
Re: (Score:1)
I am sure its just geo-ip location. I don't think they'd put GPS on the device. To many applications have inside structures with metal roofs, and underground where GPS works poorly if at all.
So you are pretty much a VPS host someplace and GRE tunnel away.
There is a GPS on the device. I have one and it won't work until it gets a GPS lock. It won't get a GPS lock unless it is near a window, and this information is clearly stated in the documentation.
Re: (Score:1)
The Sprint Airave I used to have came with a GPS antenna on a long cable that you were supposed to put next to a window. It needed GPS not for location purposes, but because CDMA requires a highly-accurate clock to work properly.
Re: (Score:1)
It, like the microcells for Sprint and Verizon, has a GPS radio. I've set several of these up and have had to always put the unit close to an exterior wall/window/door in order for it to pick up a GPS signal. Sprint in the very first AirRaves included an antenna with a 30' cord to allow placement of the unit further inside, but I never really saw a need for it. If I'm going to run the antenna cable that far, I can run the Ethernet that far too.
Recently a friend was complaining that his AT&T mico-cell
Re: (Score:2)
I don't see the point. The device hooks into your DSL or Cable internet. So why not just use a Wifi device, and avoid ATT's extra fees?
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
Not true at all, we had some indoor repeaters installed by a bunch of idiots (they were not our vendor choice, our selection was overruled by management) and between the amp and the yagi antenna we were putting out enough signal strength to blind one quadrant on the tower we were pointing at. Verizon not only sent out a tech but he climbed the tower to figure out the source of the interference and then came to our location to talk to
So what incentive do people have to get these? (Score:2)
Re: (Score:3)
Our company phones are all verizon, and we have a local repeater on our floor since this building is somehow repellant to all forms of RF (seriously, I can pick nothing up cleanly from 0.5 to 1.0ghz)
It has it's uses, I'm sure.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2, Insightful)
You obviously don't have AT&T. If you did you would see the foolishness in your question.
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
You failed to think of the tiny regions scattered through each cell provider's high-level coverage area that happen to be, say, blocked by a hill from the nearest tower. No layers of concrete, or anything else, is necessary to get an unreliable signal in those locations. Take a look at AT&T's detailed coverage map for any city and you will see them. This is precisely what these boxes were designed to address.
Re: (Score:2)
Don't forget that when providing cellular signals to locations with poor radio reception that it somehow has to get a GPS signal. Thats a feature.
Re: (Score:2)
It's just an extension of the carrier's usual policy of expecting us to pay handsomely for the privilege of building out their inadequate infrastructure in order to have the privilege of paying them handsomely for barely adequate service.
Not surprising (Score:2)
Brought to you by the same guys charged with domestic evesdropping: http://www.wired.com/science/discoveries/news/2006/01/70126 [wired.com]
Using IP multicast for the backdoor (Score:1)
backdoor password: (Score:3)
Joshua
Sorry, could resist for all the peeps, who like me, first heard of backdoors in Wargames. I was just a young peep who discovered the world of computers and was hooked, then saw wargames and thought, hmm, there's some shit i didn't think of.
Re: (Score:2)
What is the benefit of Microcells over UMA? (Score:2)
I'm a Rogers customer out of Ontario with a wifi-capable cell phone. Reception in my neck of the woods sucks. However, my phone (a Blackberry Curve) has built-in wifi and supports UMA. For $5 / month extra, I can piggyback my calls over broadband internet and they simply get billed against my minutes. I can use this with any wifi hotspot in Ontario (and probably in Canada).
Pros: no hassles with GPS, placing equipment near windows; portability (don't have to take a microcell with me); cost
Cons: used to be a
everything is backdoored. (Score:1)
Having done a bunch of reversing work on similar and other platforms, most of this can be taken by extracting the interesting binaries from the firmware images then running them on an emulated image of the OS.
There is a backdoor to almost every system I have tested. You can bet that if it has an OS, it has a backdoor from either the chip fab, the OEM, the software developer or the vendor, often more than one they aren't aware of. It's not a conspiracy, it's just human nature.
All VoIP (Score:2)
Battery life suffers (Score:1)