Poking at the femtocell hardware in an AT&T Microcell

Here’s a picture of the internals of an AT&T Microcell. This hardware extends the cellular network by acting as its own cell tower and connecting to the network via a broadband connection. So if you don’t get service in your home, you can get one of these and hook it up to your cable modem or DSL and poof, you’re cellphone works again. [C1de0x] decided to crack one open and see what secrets it holds.

On the board there are two System-0n-Chips, an FPGA, the radio chip, and a GPS module. There is some tamper detection circuitry which [C1de0x] got around, but he’s saving that info for a future post. In poking and prodding at the hardware he found the UART connections which let him tap into each of the SoCs which dump data as they boot. It’s running a Linux kernel with BusyBox and there are SSH and ROOT accounts which share the same password. About five days of automated cracking and the password was discovered.

But things really start to get interesting when he stumbles upon something he calls the “wizard”. It’s a backdoor which allow full access to the device. Now it looks like the developers must have missed something, because this is just sitting out there on the WAN waiting for someone to monkey with it. Responses are sent to a hard-coded IP address, but a bit of work with the iptables will fix that. Wondering what kind of mischief can be caused by this security flaw? Take a look at the Vodafone femtocell hacking to find out.

Comments

  1. dubyaohohdee says:

    I have one. It works well enough. Call quality is comparable to cell service. Range is a bit lacking though. Also, if you get real close (<3 feet or so) it will drop the call.

  2. Anonymous says:

    The “wizard” sounds like it could be an intentionally left back-door. For NSA use perhaps?

  3. EccentricElectron says:

    100% quality hack. Awesome work, looking forward to the follow ups on this!

  4. Chaemelion says:

    I wonder if the “wizard” is some sort of law enforcement tap interface..

  5. Moser says:

    It’s always good to see super locked town hardware/software opened up to do whatever is needed.

    So many people are involved with making these devices, I wonder if someone like me intentionally makes it somewhat easy to get into.

  6. fightcube says:

    Now THIS is hacking! Great work!!

    Too bad the comments will never see triple digits because it doesn’t involve an Arduino, Bikers vs. Drivers or testing the accuracy of some fake watches… yeeess…. so sad about that. [not]

    • Greenaum says:

      Yeahyeah Arduino moaning and, gods help us, “jokes”, would’ve stopped been funny 5 years ago, except they were never funny. It isn’t even true, for one thing. Half of the moaning nowadays is “not enough of a hack”, where someone uses a device for something suspiciously like it’s intended purpose.

      Apart from that, though, shut up.

  7. lk says:

    I reckon if this beauty would be fed with some fake GPS data and used through a VPN tunnel one could use it abroad making calls to the States for local rates…

  8. LAN says:

    “poof, you’re cellphone works again.”
    – I’m cellphone?

  9. GR0B says:

    I see all sorts of things that could be done with these little guys that could get me into all sorts of trouble, luckily I live on the other side of the world so not many AT&T customers or agents around here.

    Some of the hacks I would like to do would be to use an AVR to intercept and rewrite the GPS data so you could start setting up AT&T cells globally. I only see it useful if you are a AT&T customer and don’t want to pay roaming fees again.

    Another idea would be to sniff all the passing data, just because it could be nice to what you phone is upto.

    Or you could give it a bad data connection that keeps dropping or with bad latency that would cause poor cell signal symptoms.

    Some of the service provides over here sell similar hardware but I never like the idea that if I live in an area with bad signal I have to pay for one of these to get signal for myself (and for everyone else in my unit complex) at the expense of my bandwidth. I think the service providers should just provide the service you pay for but until then I’ll keep slipping the sales pamphlets for these into the mailboxes of the other residents around here and let them improve my cell signal.

  10. AB says:

    A really good hack documentation.

    Is there any known way to inhibit log in of my cell phone to such a femtocell (except switching it off)?

  11. NewCommentor1283 says:

    lol i was right, i was right, i was right!

    I TOLD YOU SO !!! haha!
    (not *you* guys, so relax:)

    the day i read about theses in the news… i was right!

    they DO mean the end of
    “Cell towers are always more secure then my home router.”

    i was right that the new feminine aka femtocell routers allow rape of their main towers, its all a matter of digging deeper into that very box.

    then the cell tower (within reach) is now in the total control of the peasent / public / anyone over 8 years old? maybe younger.

    btw my original quote,
    (not a posted quote, something i said in person to maybe ppl)
    was this:

    “those new cell-over-ip boxes mean the end of security for ALL cell network operators and eventually either the fall of the new fangled boxes, or the end of cell towers.
    operator’s choice ;)”

    PS: THATs why he isnt showing us the tamper switch workaround, cuz if he does…
    Anonymous will …

    “have thier fun” … == very very very bad, mmmmkay?

  12. Robert Paulson says:

    You still need a valid login for the cell network, right? Can’t just fake gps and hack email/pw combinations… I hope.

    • Oh, contrary…

      Spoofing GPS & cracking emails/passwords are easier then you think…

      To OP, was the two passwords you cracked default to ALL the femtocells? Usually, if the password was set OEM then its universal…

      OMG if it is…

    • NewCommentor1283 says:

      the cell login is already inside it and setup, all you need is to getinside the box’s main root settings,,, this article showing us that…

      in terms of security, what this means is you no longer have to do one of the following 4, in order to do major screwing with the celltower:

      1) breakinto and screw with central telco servers, get caught
      -or-
      2) hackinto and screw with central telco servers, probably get caught
      -or-
      3) hack through a cellphone itself, within minutes they WILL kick the phone off the network and you get caught.(EDIT: traced)
      -or-
      4) climb all the way up a celltower, being careful to not get cooked by radiation (100’s, maybe 1000’s of watts, like in an oven), and hackinto the box(see: multiple UARTs, multiple USB-rs232 and a USB hub) while hanging off the tower, and holding onto your laptop, this one will DEFINATELY get you caught, and put in a mental hospital! lol :P

      (no word on if the interference would fu** up the cheapo unshielded usb cables)

      —OOORRRRRRR—

      4) just buy this box for like, what? 100$ and then… oh its linux? … that means…

      remember linksys anyone?

      PS: and yes im nuts, in general, but the implications are still very serious, because if the commands are coming from an authorized box using an authorized login, and simultaneusly carrying a tonne of public services (normal calls ect) then they dont pay attention, but if a cellphone itself tell another cellphone to… thats not allowed ever anyway so the system might autokick (in mins or seconds) a phone doing abnormal things…

      and this box im sure could be setup to “get internet” from like say a hotspot, where there might already be another identical box…

      • Greenaum says:

        Why would a cell tower have hundreds of watts of transmit power? Never mind kilowatts? They only need as much power, per transmitter, as a mobile phone itself has. Multiply it by, what, a hundred? couple of dozen? clients served by each tower, and there’s your feature. Plus the smoke coming from your ears will tip you off before serious damage occurs.

        These boxes aren’t cell towers, and don’t even connect to cell towers. It’s a short hop from the phone in your hand, whatever the range is, through the line in your wall to Vodafone or whoever. It’s not like that episode of South Park where they re-booted the Internet by turning it off and on again.

  13. Daniel Labarowski says:

    What are the legalities of these companies building closed hardware around open software? As an EE student, I feel I should know these things. It seems to be a common practice in the industry and definitely allows engineers to produce a better product with less effort – but is it legal? And, if not, why are so many reputable companies doing it?

    • NewCommentor1283 says:

      if it reeeally IS true linux, then for about (lawer fees)$, you can force the telco to upload the source to the box on thier website for EVERYone to see.

      very unwise to base a box such as this on linux, telco’s smoking (insert something here)

      thats almost like posting the wiring diagram of a car ignition on the outside of a steering column, easier for theves to hotwire without needing a flashlight or multimeter!

      • Jonathan Wilson says:

        Even though its Linux based, only the code for those pieces that are actually open source (like the kernel and busybox) have to be released.
        The proprietary stuff for handling the cellular stuff does not have to be assuming it doesn’t link with GPL code.

        • Greenaum says:

          I’d gave thought one of the RTOSes companies can readily buy would be much more suitable than Linux, legal reasons only being a tiny part of it. The realtime being more important, and even the lack of the intimate familiarity that hackers have with Linux would help. RTOS bugs don’t get published nearly as often.

          Even something like this, you’d think would be well within the mental resources of a mobile phone company’s programmers. To start an OS from scratch, along whatever principles the Big Brains have decided are most secure for these purposes.

          I know Linux is “free” but if they’re planning to sell a lot of these they might consider making the effort.

  14. mattadamsnet says:

    Very Nice, I have been waiting for this.

  15. cde says:

    Two things, one, these boxes are supposed to be drop in and use. No real setup is needed for them (aside from being tied to an account). They do not block users, but you can in general setup white/preferred access lists. You (Att techs) can make changes to increase/decrease the power, but it is carefully done due to fcc regulations and all.

    Two, these things are hacks in it of themselves. The reason you can’t just stop picking these up (in crowded populated areas) is because they had to be designed to act like cell towers. The GSM protocol never had these in mind, so without forcing people to upgrade all phones ever, they were made in the best way possible (Halfassing).

  16. xorpunk says:

    MITM tool in 5..4..3..2

  17. lk says:

    I see, HD censors like Chinese communists :) Let the amateurs speak rubbish, silence the rest…

    • Greenaum says:

      Try posting again. Computers don’t always… work. Try again, then again a while later, then come back if you’re convinced you’re being censored. I’ll keep an eye out to make sure you don’t “disappear”.

      If they make you confess, and they videotape it, blink your left eye in backward Morse code.

  18. AussieTech says:

    Demonstrating once again that security through secrecy ‘ain’t no security at all.

    Very well done OP.

  19. asselinpaul says:

    This is a quality hack, agree that interesting hacks could be made on this.

  20. AB says:

    How far away are these from IMSI Catchers which are already in use? Following the description ist seems to incorporate all features needed.

    The security flaws of the device are obviously described by reading the approach and not purely specific to linux. “Wizards” and root logins in the final product, allowing successful brute force within 3 days means asking for trouble.

    I guess the manufacturer has the usual attitude of having a tamper-proof housing is sufficient in regard of warranty issues, not for putting privacy at risk. It seems to be a problem that the existence of one flawed or unprotected device renders all others insecure during specification stage.

    On the other hand this raises attention that rather cheap devices are able to compromise privacy and almost anyone is able to make use of it.

    • Greenaum says:

      True that is kinda shocking you can brute force it in 3 days. The tech’s been round for ages to make brute-forcing take longer than the expected lifespan of the Universe, assuming you’d converted half the matter in the Universe into computers, and burned the other half to power them. Only takes a few more bits in the passcode. Encryption is much much easier to do than brute-force decryption.

  21. l34f says:

    The site seems to be offline, I’t might be a local thing (since I’m in the Netherlands) or AT&T is trying to silence it. Mysterious…?

    I like the hack though, something that looks rather unbeatable is brought down to it’s knees in a couple of days. “true l33t skills!”

  22. I’m far more interested in seeing these with high gain antennas and linear amplifiers so I can use them to build a private VOIP/data cell network. OpenBTS is awesome, but software radios are expensive. Any ideas?

    • Seconded. I’d like to see the software replaced with a Asterisk soft PBX network friendly interface so I can build my own low gain 100-800 meter range PBX / Cell network. We’re going to have to wait till someone breaks the software and can replace it. Any word on that?

  23. Phil says:

    I just want to know if a femtocell can force all nearby phones to connect to it without needing to connect to a telco – in other words so I can bring this into the movie theater and stop everyone’s phones from ringing in the middle of the movie!

    • Greenaum says:

      You can already get jammers, you just need to pump out a load of crap on the right frequencies. The old analogue gold, still good for something! They fit in your pocket, and you can even recharge some through a USB cable. Just keep the power down, and hope the cinema is well shielded externally, and that no alarm systems are gonna freak out when their internal cellphones stop working.

  24. Mark5575 says:

    Dos any one knows how to arrange the jumpers? my fell from second floor and spill all the jumpers all over the inside.

  25. blue says:

    since i first heard about that thing i knew it was a rip off. you’re paying att for a box that will be draining your internet connection while they sit back and laugh because you’re not wasting their cell tower bandwidth anymore. you now basically have a really expensive voip phone.

    • skar23 says:

      you really would be hard pressed to be more wrong… the box does exactly what it is supposed to do adds cell coverage in areas ( like mine) where a cell will not normally work – in my case it is because of the landscape and architecture of my domicile.

  26. John Carter says:

    The backdoor only gets you into the router chip and nowhere near the actual software. All you’ll see is encrypted packets which contain the voice and data. There’s another system running on the main SOC which has it’s term/ssh port permanently disabled.

  27. Mike says:

    I have a Microcell and received it for free. I Called ATT and told them that I wanted to cancel my contract. Why they asked? Because they were in breach of contract as I have poor cell service I explained. The conversation was not long at all. The UPS truck was in front of my house in 48 hours.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 93,825 other followers