Poking at the femtocell hardware in an AT&T Microcell

Here’s a picture of the internals of an AT&T Microcell. This hardware extends the cellular network by acting as its own cell tower and connecting to the network via a broadband connection. So if you don’t get service in your home, you can get one of these and hook it up to your cable modem or DSL and poof, you’re cellphone works again. [C1de0x] decided to crack one open and see what secrets it holds.

On the board there are two System-0n-Chips, an FPGA, the radio chip, and a GPS module. There is some tamper detection circuitry which [C1de0x] got around, but he’s saving that info for a future post. In poking and prodding at the hardware he found the UART connections which let him tap into each of the SoCs which dump data as they boot. It’s running a Linux kernel with BusyBox and there are SSH and ROOT accounts which share the same password. About five days of automated cracking and the password was discovered.

But things really start to get interesting when he stumbles upon something he calls the “wizard”. It’s a backdoor which allow full access to the device. Now it looks like the developers must have missed something, because this is just sitting out there on the WAN waiting for someone to monkey with it. Responses are sent to a hard-coded IP address, but a bit of work with the iptables will fix that. Wondering what kind of mischief can be caused by this security flaw? Take a look at the Vodafone femtocell hacking to find out.

Vodafone femtocells hacked, root password revealed

vodafone_femtocell_network_diagram

As phone systems have evolved over time, the desire to break them and exploit their usage continues to flourish. Just recently, [The Hacker’s Choice (THC)] announced that they had accessed secure data from Vodafone’s mobile phone network last year, via their femtocell product.

The purpose of the femtocell is to extend mobiile network coverage to locations where reception might not be ideal, routing calls to Vodafone’s network via IPSec tunnels. [THC] knew that this meant the femtocells required a high-level of interaction with the carrier’s traditional mobile network, so they started poking around to see what could be exploited.

After gaining administrative access to the femtocell itself using the root password “newsys”, they found that they were able to allow unauthorized users to utilize the service – a simple ToS violation. However, they also had the ability to force any nearby Vodafone subscriber’s phone to use their femtocell. This enabled them to request secret keys from Vodafone, which they could then use to spoof calls and SMS messages from the victim’s phone without their knowledge.

They have been kind enough to release all of the pertinent information about the hack on their wiki for any interested parties to peruse. Now we’re just wondering how long it takes before stateside carriers’ femtocells are exploited in the same fashion.

[Thanks, kresp0]

Follow

Get every new post delivered to your Inbox.

Join 94,571 other followers