
AT&T Microcell Disassembly; Security Flaws Exposed 82

Posted by Unknown Lamer
from the bind-all-the-addresses dept.
CharlyFoxtrot writes "The geeks over on the fail0verflow blog took apart an AT&T Microcell device which is 'essentially a small cell-tower in a box, which shuttles your calls and data back to the AT&T mothership over your home broadband connection.' They soon uncovered some real security issues including a backdoor: 'We believe that this backdoor is NOT meant to be globally accessible. It is probably only intended to be used over the IPSEC tunnel which the picoChip SoC creates. [...] Unfortunately, they set up the wizard to bind on 0.0.0.0, so the backdoor is accessible over the WAN interface.'"
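The exposure described in the summary is a listener bound to the wildcard address instead of the tunnel's inner address. As an added example (not from the fail0verflow write-up or the device's firmware), here is a small audit that reads `ss -Hltn`-style output and flags services that policy says must only listen on a tunnel address; the sample output, the port 4060 "wizard" service and the tunnel address 10.0.0.2 are constructed placeholders.

```python
"""Flag tunnel-only services that are bound to a wildcard or foreign address."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample in the column layout of `ss -Hltn`:
# State Recv-Q Send-Q Local:Port Peer:Port. Port 4060 stands in for the wizard.
SAMPLE_WEAK = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 5 0.0.0.0:4060 0.0.0.0:*
LISTEN 0 5 [::]:8080 [::]:*
"""

# Same host after the wizard is re-bound to the IPsec tunnel's inner address.
SAMPLE_FIXED = SAMPLE_WEAK.replace("0.0.0.0:4060", "10.0.0.2:4060")

# Constructed policy: port -> addresses it may listen on (tunnel inner address
# and loopback). Anything else, and any wildcard bind, is a finding.
TUNNEL_ONLY: Dict[int, Set[str]] = {4060: {"10.0.0.2", "127.0.0.1"}}


@dataclass
class Finding:
    port: int
    bound_to: str
    reason: str


def parse_local(addr_port: str) -> Tuple[str, int]:
    """Split ss's local column into (address, port); handles [v6]:port too."""
    host, _, port = addr_port.rpartition(":")
    return host.strip("[]"), int(port)


def is_wildcard(addr: str) -> bool:
    """True for 0.0.0.0 or ::, which accept connections on every interface."""
    return ipaddress.ip_address(addr).is_unspecified


def audit_listeners(ss_output: str, policy: Dict[int, Set[str]]) -> List[Finding]:
    """Return one Finding per tunnel-only port that is exposed more widely."""
    findings: List[Finding] = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = parse_local(fields[3])
        if port not in policy:
            continue  # not a tunnel-only service; out of scope for this check
        if is_wildcard(addr):
            findings.append(Finding(port, addr, "wildcard bind: reachable on WAN as well as the tunnel"))
        elif addr not in policy[port]:
            findings.append(Finding(port, addr, "bound to an address outside the tunnel policy"))
    return findings
```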
  • Backdoor? (Score:5, Insightful)

    by Anonymous Coward on Wednesday April 04, 2012 @12:32PM (#39572867)

    AT&T's customers routinely take it in the backdoor from the company already so they just figured that no one would notice in this case.

    • by Anonymous Coward

      AT&T's customers routinely take it in the backdoor from the company already so they just figured that no one would notice in this case.

      Maybe it's a good time to point out that my T-mobile Smart phone, that I was able to purchase without a Data plan happily switches to my home wireless network for calls whenever the wi-fi is turned on. I still get the minutes deducted though.

      • by Firehed (942385)

        They charge you for using resources you're already paying for, and you're pointing this out as a good thing?

        • by tibit (1762298)

          I don't think he did point it out as a good thing :)

        • by Anonymous Coward

          No, he's telling us that he enjoys T-Mobile making him take it up the backdoor, too

      • by RicoX9 (558353)

        I had one of the earliest T-Mobile wifi phones. They used to use "no minutes used on wifi" as a selling point. It was pretty good about transitioning from wifi->wireless, but not so much the other way. That they are now dinging you for offloading their cell towers seems crappy. Still better than Verizon and AT&T though. Have to pay for the microcell and service.

        • by peragrin (659227)

          Verizon and AT&T make you pay three times for the privilege of getting better cell coverage.

          Once for the cell phone service
          once for your (now capped) internet,
          and once for the microcell

          All for the privilege of using them. Oh and the micro cell in each case only works for you so when family visits they also get shoddy cell reception.

        • by Anonymous Coward

          Some of the Tmobile phones could do "UMA", which is the GSM protocol over Wifi. The cool thing about this (as opposed to VoIP), is that you can hand off a UMA call to regular mobile phone tower. I don't understand why this isn't more prevalent. Perhaps it's the technical problem: I think all the GSM stuff is done in the "baseband processor", so there would need to be a way to get the GSM packets out of the baseband processor and into the application processor and onto the wifi.

  • by clarkn0va (807617) <apt...get@@@gmail...com> on Wednesday April 04, 2012 @12:33PM (#39572883) Homepage

    The box is only ‘allowed’ to work when within the area nominally serviced by AT&T.

    Very cool would be any trick to overcome this limitation and have local cell service wherever you may be.

    • by Anonymous Coward

      Replace the GPS module by a small microcontroller that'll always provide the same location - done!

      • The article states the microcell also uses GPS for timing: "GPS is used both for radio timing and for determining the position of the box." So that might not work.

        • A little AVR chip can intercept the GPS readings, keep the time the same but substitute the long/lat just with its onboard serial.

          • by flatulus (260854)

            Hold your horses!

            Yes you can probably come up with hacks to make it possible to use your box out of the "legal" area. Here's things to keep in mind:

            1) AT&T may very well be watching the IP address from which your box is connecting into their cellular switching center. While nowhere nearly as accurate as GPS, they can certainly tell that you're in the Chicago area with your box, while your service is registered in Seattle... They could stop you cold on this.

            2) The timing issue, while not so much a

            • #2 would be an interesting issue to investigate in more detail.

              With an AVR you could calculate the exact amount of time it takes to process the signal and either make it fully compatible (e.g. a very specific delay for the signal) or also alter the timing by the exact amount.

    • by DarkOx (621550)

      I am sure it's just geo-ip location. I don't think they'd put GPS on the device. Too many applications have inside structures with metal roofs, and underground where GPS works poorly if at all.

      So you are pretty much a VPS host someplace and GRE tunnel away.

      • by X0563511 (793323)

        Or why not just murder the geoIP database, so all IPs fall within the covered area? Either that, or just wrap it in NAT so it thinks it's on a network that it actually is not?

        Self contained! :D

      • by TFoo (678732) on Wednesday April 04, 2012 @12:45PM (#39573029)
        Actually, you're incorrect in your thinking. They were required to put GPS in it for E911 to work and the device will not function until the GPS location is verified. As the owner of a microcell I can tell you that GPS reception is the biggest #$@!@# pain in the ass for the thing in general. I have a metal roof at home and the microcell will only activate for me if I hang the device in the skylight.
        • How to spoof GPS indoors?
          Let it pick up a signal for an arbitrary location.

        • by YackoYak (153131)

          I have a metal roof at home too. The [cool | pain in the ass thing] is that it only uses GPS on startup or whenever the power is cut. I added an extra long Ethernet cable and extension cord and just drag it to the window whenever it needs to phone home. So far it's only been about once a month.

          • by henrym (414280)

            It actually has a port on the back for an external GPS antenna...I ran a cheapo from eBay outside, and have the microcell in my basement where I needed the signal the most.

        • Actually, you're incorrect in your thinking. They were required to put GPS in it for E911 to work and the device will not function until the GPS location is verified. As the owner of a microcell I can tell you that GPS reception is the biggest #$@!@# pain in the ass for the thing in general. I have a metal roof at home and the microcell will only activate for me if I hang the device in the skylight.

          Actually, the GPS is most likely there to provide a precise time reference...required by GSM.

        • Re:Improved Roaming (Score:5, Informative)

          by tcampb01 (101714) on Wednesday April 04, 2012 @01:59PM (#39574131)

          It does have a GPS, but it's not for E911.... you could register the location if that were all it was.

          They won't allow the device to use unlicensed spectrum. Since the frequencies that a company has licensed will vary from place to place, they want the device to know where it's located. It can then determine which frequencies it is licensed to use in that particular area. You'd think a reverse-IP location would be adequate, but the FCC apparently "requires" that they do this with GPS. I had read stories that some customers were allowed to request a bypass (AT&T would remotely program the device location and tell it to ignore the GPS and work anyway) but the FCC forced them to put an end to that practice (the FCC is always so "helpful" like that. )

          There are more ironies... not only does the device need to be near a window where it can pick up a GPS lock, it also tests the signal strength of the standard AT&T towers. It dials its own signal strength back IF it thinks that the outside signal strength should be good enough. And since the device now has to be located in a window, it'll get better signal than you could realistically get inside your home. And of course being at a window, you cannot locate the device in a central location to offer coverage to most of the home. The result is that this makes the micro-cell transmit the weakest possible signal (and of course you bought it SPECIFICALLY to overcome the problem of weak signals) and if you're not relatively close, the device is worthless.

          It gets worse. AT&T allows a hand-off of a call from micro-cell to regular towers, but it can't do a hand-off in the other direction. And since towers vary their signal strength regularly and the micro-cell is now using its wimpiest transmit power, it takes very little to make the phone think that it needs to switch to an outside tower. The result is that if you get an outside tower boost from... say 1 bar to maybe 3 bars, your phone will switch to the outside tower. A few moments later the outside tower drops back to its more typical 1 bar signal strength. Since the call cannot do a hand-off back to the micro-cell... the call just drops.

          After months of frustration, I discovered the solution. There's an external antenna jack on the back. If you ask AT&T about it, they can't tell you anything about it. They don't sell any accessories or even know what sort of antenna would work with this. You can get an external GPS antenna with a long cord (I bought one with a 25' cord.) This allows you to get the micro-cell away from the window and closer to the center of the house. BUT.. the micro-cell also varies its own transmit power based on whether it's able to detect much outdoor AT&T signal. It's in your best interest to make sure the micro-cell gets the weakest signal you can manage. I located my micro-cell to my basement... in a small closet under the stairs. The GPS antenna is in a basement window. Now the micro-cell still gets the GPS lock, but it doesn't get any outside AT&T signal... consequently it's actually willing to put out a much stronger signal and it works all around the house.

          You won't be able to buy the antenna from AT&T. You'll need to do a search for a GPS antenna that works with the AT&T micro-cell. I found one via Amazon for $30... one of the best $30 I ever spent. Now the device actually works as intended.

      • by deKernel (65640)

        I don't believe that to be the case. I have one (not used anymore since they just put a tower in close by), and it does not come online unless it is able to sync with GPS. I had to actually move it from the basement because it wasn't able to sync to the satellites.

      • You obviously don't have one of these. There is in fact a GPS inside, and they specifically instruct you to put it near a window if the GPS LED doesn't go solid. There have been various complaints on other boards about this fact, with tips on where to find GPS antennas and connectors (yes, there is an antenna jack on the back of the unit) so that the MicroCell can be used in a more convenient place while still getting a GPS signal.
      • Actually, I have one, and I'm led to believe it is a real GPS. You need to keep the unit near a window. It's ostensibly for 911 purposes.
        • Just read TFA... it is, in fact, actual GPS for not only positioning, but also time synchronization.
      • by ender- (42944)

        I am sure it's just geo-ip location. I don't think they'd put GPS on the device. Too many applications have inside structures with metal roofs, and underground where GPS works poorly if at all.

        So you are pretty much a VPS host someplace and GRE tunnel away.

        There is a GPS on the device. I have one and it won't work until it gets a GPS lock. It won't get a GPS lock unless it is near a window, and this information is clearly stated in the documentation.

      • by ncc74656 (45571) *

        I am sure it's just geo-ip location. I don't think they'd put GPS on the device. Too many applications have inside structures with metal roofs, and underground where GPS works poorly if at all.

        The Sprint Airave I used to have came with a GPS antenna on a long cable that you were supposed to put next to a window. It needed GPS not for location purposes, but because CDMA requires a highly-accurate clock to work properly.

      • by Hovsep (883939)

        It, like the microcells for Sprint and Verizon, has a GPS radio. I've set several of these up and have had to always put the unit close to an exterior wall/window/door in order for it to pick up a GPS signal. Sprint in the very first AirRaves included an antenna with a 30' cord to allow placement of the unit further inside, but I never really saw a need for it. If I'm going to run the antenna cable that far, I can run the Ethernet that far too.

        Recently a friend was complaining that his AT&T micro-cell

    • by cpu6502 (1960974)

      I don't see the point. The device hooks into your DSL or Cable internet. So why not just use a Wifi device, and avoid ATT's extra fees?

      • by clarkn0va (807617)
        You're right in that I don't see what this offers over a good voip service except maybe the convenience of not having to set it up. For those that do though, I think voip offers way better service at a way better price.
      • Because then you are not using your existing cell phone anymore with your existing ATT number. You would have a second phone number for your wifi device, so you would have to set up call forwarding to the phone you are using when you are using the other one. Also you wouldn't be able to receive text messages when your cell phone doesn't have service. I get around this by using Google Voice with a variety of phone services, only giving out my Google Voice number.
      • by e_hu_man (1277028)
        also remember that att often is the dsl or cable internet and they can bundle things. part of this sales pitch is saying, though not necessarily providing, an overall discount. another part is offering a microcell for free as long as you stay for 2 years. i'm sure there's more, but you get the idea.
  • If they're pricey, insecure, and can't be used outside of the normal AT&T range, what's the point, really? About the only usage I can think of would be providing interior building cell phone service in massive structures, such as conference hotels, where the signal from outside is too weak to penetrate twenty layers of concrete.
    • by X0563511 (793323)

      Our company phones are all verizon, and we have a local repeater on our floor since this building is somehow repellent to all forms of RF (seriously, I can pick nothing up cleanly from 0.5 to 1.0ghz)

      It has its uses, I'm sure.

      • Aye, they'd do best targeting this toward the commercial market. If they are even thinking of aiming it to consumers, well, that's another layer of fail on the device.
        • by afidel (530433)
          Nope, the device has a list of allowed phone numbers and it's a fairly short list. These devices are absolutely aimed at consumers and business users who have a weak signal either at their office or home.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      You obviously don't have AT&T. If you did you would see the foolishness in your question.

    • I live in an area where my signal is finicky... usually at 1 bar, sometimes 2, just as often 0. I was experiencing a lot of dropped calls and delayed SMS delivery in my apartment, so I went to the store and told them that I was switching providers (I go way back to the Cingular days) unless they gave me a microcell. They did. It works pretty well, but isn't perfect. I don't know if I'd pay $200 for one, but it's pretty easy to bully the people at carriers' store fronts into giving you accessories and st
    • by skywire (469351) *

      You failed to think of the tiny regions scattered through each cell provider's high-level coverage area that happen to be, say, blocked by a hill from the nearest tower. No layers of concrete, or anything else, is necessary to get an unreliable signal in those locations. Take a look at AT&T's detailed coverage map for any city and you will see them. This is precisely what these boxes were designed to address.

    • by NevarMore (248971)

      Don't forget that when providing cellular signals to locations with poor radio reception that it somehow has to get a GPS signal. That's a feature.

    • by sjames (1099)

      It's just an extension of the carrier's usual policy of expecting us to pay handsomely for the privilege of building out their inadequate infrastructure in order to have the privilege of paying them handsomely for barely adequate service.

  • Brought to you by the same guys charged with domestic eavesdropping: http://www.wired.com/science/discoveries/news/2006/01/70126 [wired.com]

  • The most interesting thing I thought was that the device uses an IP multicast address for the backdoor reply. This makes it possible to search for all Microcell devices across the network, as long as it's not behind a router that blocks IP multicast.
  • by Nyder (754090) on Wednesday April 04, 2012 @03:31PM (#39575597) Journal

    Joshua

    Sorry, couldn't resist for all the peeps, who like me, first heard of backdoors in Wargames. I was just a young peep who discovered the world of computers and was hooked, then saw Wargames and thought, hmm, there's some shit i didn't think of.

  • I'm a Rogers customer out of Ontario with a wifi-capable cell phone. Reception in my neck of the woods sucks. However, my phone (a Blackberry Curve) has built-in wifi and supports UMA. For $5 / month extra, I can piggyback my calls over broadband internet and they simply get billed against my minutes. I can use this with any wifi hotspot in Ontario (and probably in Canada).

    Pros: no hassles with GPS, placing equipment near windows; portability (don't have to take a microcell with me); cost

    Cons: used to be a

  • by Anonymous Coward

    Having done a bunch of reversing work on similar and other platforms, most of this can be taken by extracting the interesting binaries from the firmware images then running them on an emulated image of the OS.

    There is a backdoor to almost every system I have tested. You can bet that if it has an OS, it has a backdoor from either the chip fab, the OEM, the software developer or the vendor, often more than one they aren't aware of. It's not a conspiracy, it's just human nature.

  • All voice communication should be handled over a data connect and handed off to WiFi when available...
  • Anyone notice that if you are home all day, and your phone is associated exclusively to the Microcell, your phone battery is dead before the end of the day. Whereas if I am away from home the whole day, my battery will last all the way to the next day (almost twice as long) I've come to the conclusion that the Microcell kills the battery while paying attention to actual phone use, for example only 1hr of actual talk time, data usage only for syncing email via Exchange. In all my tests bluetooth is always of
