Poking at the femtocell hardware in an AT&T Microcell

Here’s a picture of the internals of an AT&T Microcell. This hardware extends the cellular network by acting as its own cell tower and connecting to the network via a broadband connection. So if you don’t get service in your home, you can get one of these and hook it up to your cable modem or DSL and poof, you’re cellphone works again. [C1de0x] decided to crack one open and see what secrets it holds.

On the board there are two System-on-Chips (SoCs), an FPGA, the radio chip, and a GPS module. There is some tamper detection circuitry which [C1de0x] got around, but he’s saving that info for a future post. In poking and prodding at the hardware he found the UART connections, which let him tap into each of the SoCs as they dump data during boot. It’s running a Linux kernel with BusyBox, and there are SSH and root accounts which share the same password. About five days of automated cracking and the password was discovered.
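A root account and a service account sharing one password is the kind of defect a firmware audit should catch before a device ships. The following is an added example, not code from the original post or from [C1de0x]’s write-up: a small Python audit over a constructed /etc/shadow sample that flags accounts whose hash and salt are identical (and which therefore share a password), empty password fields, and legacy hash types such as DES crypt and md5crypt that crack quickly on commodity hardware. The sample entries, the placeholder hashes and the weak-algorithm list are assumptions for illustration, not values from the Microcell.

```python
"""Audit a Linux /etc/shadow for credential weaknesses of the kind found on
embedded devices: two accounts sharing one password, legacy hash types and
empty password fields. Added example; not code from the original post."""
import re
from collections import defaultdict

# Constructed sample shadow file (hashes are placeholders, not real
# credentials from any device). root and ssh share salt and hash.
SAMPLE_SHADOW = """\
root:$1$abcd1234$PLACEHOLDERHASHROOT000:15000:0:99999:7:::
ssh:$1$abcd1234$PLACEHOLDERHASHROOT000:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
legacy:abJnggxhB/yWI:15000:0:99999:7:::
guest::15000:0:99999:7:::
nobody:!:15000:0:99999:7:::
"""

# crypt(3) prefixes; a bare 13-character salt+hash with no '$' is classic DES.
HASH_IDS = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
            "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt", "$y$": "yescrypt"}
# Assumed policy: DES and md5crypt are fast enough to brute-force in days.
WEAK_ALGORITHMS = {"descrypt", "md5crypt"}


def hash_algorithm(field):
    """Name the hash scheme of a shadow password field."""
    for prefix, name in HASH_IDS.items():
        if field.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt"
    return "unknown"


def parse_shadow(text):
    """Return {user: password_field} for every entry in a shadow file."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        entries[parts[0]] = parts[1]
    return entries


def audit_shadow(text):
    """Return sorted (subject, finding) pairs for weak or shared credentials."""
    entries = parse_shadow(text)
    findings = []
    by_hash = defaultdict(list)
    for user, pw in entries.items():
        if pw == "":
            findings.append((user, "empty password: login without credentials"))
            continue
        if pw.startswith(("*", "!")):
            continue  # locked account: no usable password at all
        algo = hash_algorithm(pw)
        if algo in WEAK_ALGORITHMS or algo == "unknown":
            findings.append((user, f"weak or unrecognised hash type: {algo}"))
        by_hash[pw].append(user)
    # Same salt and same hash means the same password was set on both accounts.
    for pw, users in by_hash.items():
        if len(users) > 1:
            findings.append((",".join(sorted(users)),
                             "identical hash and salt: accounts share one password"))
    return sorted(findings)


if __name__ == "__main__":
    for subject, finding in audit_shadow(SAMPLE_SHADOW):
        print(f"{subject}: {finding}")
```

The shared-password check relies on crypt(3) salting: two fields can only be byte-identical if both the salt and the password were the same, so no cracking is needed to spot the duplication. Run it against a shadow file extracted from a firmware image rather than a live device.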

But things really start to get interesting when he stumbles upon something he calls the “wizard”. It’s a backdoor which allows full access to the device. Now it looks like the developers must have missed something, because this is just sitting out there on the WAN waiting for someone to monkey with it. Responses are sent to a hard-coded IP address, but a bit of work with iptables will fix that. Wondering what kind of mischief can be caused by this security flaw? Take a look at the Vodafone femtocell hacking to find out.
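A management interface that answers on the broadband side is what makes the “wizard” dangerous, and the quickest check for that class of exposure is to see which sockets bind to the wildcard or the WAN address. The following is an added example, not from the original post: a Python parser over a constructed `netstat -tuln` listing, of the kind you would pull over a UART console, that classifies each listener by the interface it is reachable on. The interface addresses and the port numbers are assumptions for illustration, not the Microcell’s real ones.

```python
"""Flag services reachable from the WAN on an embedded Linux box, from a
`netstat -tuln` listing. Added example; not code from the original post.
Interface addresses and the listing below are constructed."""
import ipaddress

# Constructed interface layout: one address faces the broadband link,
# a private address is assumed for the inward-facing side.
INTERFACES = {"wan": "203.0.113.10", "lan": "192.168.1.1"}

# Constructed netstat output; the ports are illustrative only.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:80          0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.10:4444       0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""


def parse_listeners(text):
    """Return (proto, bind_ip, port) for every listening socket in the listing."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue
        # TCP rows carry a State column; UDP sockets have no state and
        # are always reachable once bound.
        if parts[0].startswith("tcp") and (len(parts) < 6 or parts[5] != "LISTEN"):
            continue
        addr, _, port = parts[3].rpartition(":")
        listeners.append((parts[0], addr, int(port)))
    return listeners


def exposure(bind_ip, interfaces):
    """Classify where a socket bound to bind_ip can be reached from."""
    if bind_ip in ("0.0.0.0", "::", "*"):
        return "wan"  # wildcard bind: every interface, the WAN included
    if ipaddress.ip_address(bind_ip).is_loopback:
        return "local"
    for name, if_ip in interfaces.items():
        if bind_ip == if_ip:
            return name
    return "unknown"


def wan_exposed_services(text, interfaces=INTERFACES):
    """Sorted (proto, port) pairs that anyone on the broadband side could reach."""
    return sorted((proto, port) for proto, ip, port in parse_listeners(text)
                  if exposure(ip, interfaces) == "wan")


if __name__ == "__main__":
    for proto, port in wan_exposed_services(SAMPLE_NETSTAT):
        print(f"WAN-reachable: {proto}/{port}")
```

Anything this reports that is not a deliberate, authenticated carrier-management channel is a candidate for a firewall rule or a configuration fix; a listener bound to 0.0.0.0 on a device that has a public-facing interface deserves the same scrutiny as one bound to the WAN address explicitly.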

Comments

  1. dubyaohohdee says:

    I have one. It works well enough. Call quality is comparable to cell service. Range is a bit lacking though. Also, if you get real close (<3 feet or so) it will drop the call.

  2. Anonymous says:

    The “wizard” sounds like it could be an intentionally left back-door. For NSA use perhaps?

  3. EccentricElectron says:

    100% quality hack. Awesome work, looking forward to the follow ups on this!

  4. Chaemelion says:

    I wonder if the “wizard” is some sort of law enforcement tap interface..

    • EccentricElectron says:

      Looks more like a lazy implementation of a remote management interface – rexec on steroids.

  5. Moser says:

    It’s always good to see super locked down hardware/software opened up to do whatever is needed.

    So many people are involved with making these devices, I wonder if someone like me intentionally makes it somewhat easy to get into.

  6. fightcube says:

    Now THIS is hacking! Great work!!

    Too bad the comments will never see triple digits because it doesn’t involve an Arduino, Bikers vs. Drivers or testing the accuracy of some fake watches… yeeess…. so sad about that. [not]

  7. lk says:

    I reckon if this beauty would be fed with some fake GPS data and used through a VPN tunnel one could use it abroad making calls to the States for local rates…

  8. LAN says:

    “poof, you’re cellphone works again.”
    – I’m cellphone?

  9. GR0B says:

    I see all sorts of things that could be done with these little guys that could get me into all sorts of trouble, luckily I live on the other side of the world so not many AT&T customers or agents around here.

    Some of the hacks I would like to do would be to use an AVR to intercept and rewrite the GPS data so you could start setting up AT&T cells globally. I only see it useful if you are an AT&T customer and don’t want to pay roaming fees again.

    Another idea would be to sniff all the passing data, just because it could be nice to know what your phone is up to.

    Or you could give it a bad data connection that keeps dropping or with bad latency that would cause poor cell signal symptoms.

    Some of the service providers over here sell similar hardware but I never like the idea that if I live in an area with bad signal I have to pay for one of these to get signal for myself (and for everyone else in my unit complex) at the expense of my bandwidth. I think the service providers should just provide the service you pay for but until then I’ll keep slipping the sales pamphlets for these into the mailboxes of the other residents around here and let them improve my cell signal.

  10. AB says:

    A really good hack documentation.

    Is there any known way to inhibit log in of my cell phone to such a femtocell (except switching it off)?

  11. NewCommentor1283 says:

    lol i was right, i was right, i was right!

    I TOLD YOU SO !!! haha!
    (not *you* guys, so relax:)

    the day i read about these in the news… i was right!

    they DO mean the end of
    “Cell towers are always more secure than my home router.”

    i was right that the new feminine aka femtocell routers allow rape of their main towers, its all a matter of digging deeper into that very box.

    then the cell tower (within reach) is now in the total control of the peasant / public / anyone over 8 years old? maybe younger.

    btw my original quote,
    (not a posted quote, something i said in person to maybe ppl)
    was this:

    “those new cell-over-ip boxes mean the end of security for ALL cell network operators and eventually either the fall of the new fangled boxes, or the end of cell towers.
    operator’s choice ;)”

    PS: THATs why he isnt showing us the tamper switch workaround, cuz if he does…
    Anonymous will …

    “have their fun” … == very very very bad, mmmmkay?

  12. Robert Paulson says:

    You still need a valid login for the cell network, right? Can’t just fake gps and hack email/pw combinations… I hope.

    • Oh, contrary…

      Spoofing GPS & cracking emails/passwords are easier than you think…

      To OP, were the two passwords you cracked default to ALL the femtocells? Usually, if the password was set OEM then it’s universal…

      OMG if it is…

    • NewCommentor1283 says:

      the cell login is already inside it and setup, all you need is to get inside the box’s main root settings,,, this article showing us that…

      in terms of security, what this means is you no longer have to do one of the following 4, in order to do major screwing with the celltower:

      1) break into and screw with central telco servers, get caught
      -or-
      2) hack into and screw with central telco servers, probably get caught
      -or-
      3) hack through a cellphone itself, within minutes they WILL kick the phone off the network and you get caught.(EDIT: traced)
      -or-
      4) climb all the way up a celltower, being careful to not get cooked by radiation (100’s, maybe 1000’s of watts, like in an oven), and hack into the box(see: multiple UARTs, multiple USB-rs232 and a USB hub) while hanging off the tower, and holding onto your laptop, this one will DEFINITELY get you caught, and put in a mental hospital! lol 😛

      (no word on if the interference would fu** up the cheapo unshielded usb cables)

      —OOORRRRRRR—

      4) just buy this box for like, what? 100$ and then… oh its linux? … that means…

      remember linksys anyone?

      PS: and yes im nuts, in general, but the implications are still very serious, because if the commands are coming from an authorized box using an authorized login, and simultaneously carrying a tonne of public services (normal calls etc) then they dont pay attention, but if a cellphone itself tells another cellphone to… thats not allowed ever anyway so the system might autokick (in mins or seconds) a phone doing abnormal things…

      and this box im sure could be setup to “get internet” from like say a hotspot, where there might already be another identical box…

  13. Daniel Labarowski says:

    What are the legalities of these companies building closed hardware around open software? As an EE student, I feel I should know these things. It seems to be a common practice in the industry and definitely allows engineers to produce a better product with less effort – but is it legal? And, if not, why are so many reputable companies doing it?

    • NewCommentor1283 says:

      if it reeeally IS true linux, then for about (lawyer fees)$, you can force the telco to upload the source to the box on their website for EVERYone to see.

      very unwise to base a box such as this on linux, telco’s smoking (insert something here)

      thats almost like posting the wiring diagram of a car ignition on the outside of a steering column, easier for thieves to hotwire without needing a flashlight or multimeter!

      • Jonathan Wilson says:

        Even though it’s Linux based, only the code for those pieces that are actually open source (like the kernel and busybox) have to be released.
        The proprietary stuff for handling the cellular stuff does not have to be assuming it doesn’t link with GPL code.

  14. mattadamsnet says:

    Very Nice, I have been waiting for this.

  15. cde says:

    Two things, one, these boxes are supposed to be drop in and use. No real setup is needed for them (aside from being tied to an account). They do not block users, but you can in general set up white/preferred access lists. You (Att techs) can make changes to increase/decrease the power, but it is carefully done due to fcc regulations and all.

    Two, these things are hacks in and of themselves. The reason you can’t just stop picking these up (in crowded populated areas) is because they had to be designed to act like cell towers. The GSM protocol never had these in mind, so without forcing people to upgrade all phones ever, they were made in the best way possible (Halfassing).

  16. xorpunk says:

    MITM tool in 5..4..3..2

  17. lk says:

    I see, HD censors like Chinese communists 🙂 Let the amateurs speak rubbish, silence the rest…

  18. AussieTech says:

    Demonstrating once again that security through secrecy ain’t no security at all.

    Very well done OP.

  19. asselinpaul says:

    This is a quality hack, agree that interesting hacks could be made on this.

  20. AB says:

    How far away are these from IMSI Catchers which are already in use? Following the description it seems to incorporate all features needed.

    The security flaws of the device are obviously described by reading the approach and not purely specific to linux. “Wizards” and root logins in the final product, allowing successful brute force within 3 days means asking for trouble.

    I guess the manufacturer has the usual attitude of having a tamper-proof housing is sufficient in regard of warranty issues, not for putting privacy at risk. It seems to be a problem that the existence of one flawed or unprotected device renders all others insecure during specification stage.

    On the other hand this raises attention that rather cheap devices are able to compromise privacy and almost anyone is able to make use of it.

  21. l34f says:

    The site seems to be offline. It might be a local thing (since I’m in the Netherlands) or AT&T is trying to silence it. Mysterious…?

    I like the hack though, something that looks rather unbeatable is brought down to its knees in a couple of days. “true l33t skills!”
