AT&T Microcell Disassembly; Security Flaws Exposed

CharlyFoxtrot writes "The geeks over on the fail0verflow blog took apart an AT&T Microcell device which is 'essentially a small cell-tower in a box, which shuttles your calls and data back to the AT&T mothership over your home broadband connection.' They soon uncovered some real security issues including a backdoor : 'We believe that this backdoor is NOT meant to be globally accessible. It is probably only intended to be used over the IPSEC tunnel which the picoChip SoC creates. [...] Unfortunately, they set up the wizard to bind on 0.0.0.0, so the backdoor is accessible over the WAN interface.'"

And that's why

That's why I bought a Saturn.

Backdoor?

AT&T's customers routinely take it in the backdoor from the company already so they just figured that no one would notice in this case.

Re:Backdoor?

AT&T's customers routinely take it in the backdoor from the company already so they just figured that no one would notice in this case.

Maybe it's a good time to point out that my T-mobile Smart phone, that I was able to purchase without a Data plan happily switches to my home wireless network for calls whenever the wi-fi is turned on. I still get the minutes deducted though.

Re:Backdoor?

[Firehed]

They charge you for using resources you're already paying for, and you're pointing this out as a good thing?

Re:Backdoor?

[tibit]

I don't think he did point it out as a good thing :)

Re:Backdoor?

No, he's telling us that he enjoys T-Mobile making him take it up the backdoor, too

Re:Backdoor?

no, it's a good thing, I can go down in my basement where cell service kind of sucks, flip it over to wifi, and I have a good connection. the transfer is seamless. I work in a metal building, no cell service, the company phones are AT&t, they need the microcell to work. mine works on the internal wireless network. no extra cost. I have more minutes than I'll ever use anyway.

Re:Backdoor?

[RicoX9]

I had one of the earliest T-Mobile wifi phones. They used to use "no minutes used on wifi" as a selling point. It was pretty good about transitioning from wifi->wireless, but not so much the other way. That they are now dinging you for offloading their cell towers seems crappy. Still better than Verizon and AT&T though. Have to pay for the microcell and service.

Re:Backdoor?

[sjames]

It is a bit tacky to charge you full minutes though since they're leeching your bandwidth to complete the call.

Re:Backdoor?

[peragrin]

Verizon and AT&T make you pay three times for the privilege of getting better cell xoverage.

Once for the cell phone service
once for your (now capped) internet,
and once for the microcell

All forthe privillege of using them. Oh and the micro cell in each case only works for you so when family visits they also get shoddy cell reception.

Re:Backdoor?

Some of the Tmobile phones could do "UMA", which is the GSM protocol over Wifi. The cool thing about this (as opposed to VoIP), is that you can hand off a UMA call to regular mobile phone tower. I don't understand why this isn't more prevalent. Perhaps it's the techinical problem: I think all the GSM stuff is done in the "baseband processor", so there would need to be a way to get the GSM packets out of the baseband processor and into the application processor and onto the wifi.

Improved Roaming

[clarkn0va]

The box is only ‘allowed’ to work when within the area nominally serviced by AT&T.

Very cool would be any trick to overcome this limitation and have local cell service wherever you may be.

Re:Improved Roaming

Replace the GPS module by a small microcontroller that'll always provide the same location - done !

Re:Improved Roaming

[DarkOx]

I am sure its just geo-ip location. I don't think they'd put GPS on the device. To many applications have inside structures with metal roofs, and underground where GPS works poorly if at all.

So you are pretty much a VPS host someplace and GRE tunnel away.

Re:Improved Roaming

[X0563511]

Or why not just murder the geoIP database, so all IPs fall within the covered area? Either that, or just wrap it in NAT so it thinks it's on a network that it actually is not?

Self contained! :D

Re:Improved Roaming

[TFoo]

Actually, you're incorrect in your thinking. They were required to put GPS in it for E911 to work and the device will not function until the GPS location is verified. As the owner of a microcell I can tell you that GPS reception is the biggest #$@!@# pain in the ass for the thing in general. I have a metal roof at home and the microcell will only activate for me if I hang the device in the skylight.

Re:Improved Roaming

[deKernel]

I don't believe that to be the case. I have one (not used anymore since they just put a tower in close by), and it does not come online unless it is able to sync with GPS. I had to actually move it from the basement because it wasn't able to sync to the satellites.

Re:Improved Roaming

[WalrusSlayer]

You obviously don't have one of these. There is in fact a GPS inside, and they specifically instruct you to put it near a window if the GPS LED doesn't go solid. There have been various complaints on other boards about this fact, with tips on where to find GPS antennas and connectors (yes, there is an antenna jack on the back of the unit) so that the MicroCell can be used in a more convenient place while still getting a GPS signal.

Re:Improved Roaming

[Norwell+Bob]

Actually, I have one, and I'm led to believe it is a real GPS. You need to keep the unit near a window. It's ostensibly for 911 purposes.

Re:Improved Roaming

They did put GPS into the device. That's why they recommend you locate it near a window and let you attach an antenna for the GPS if you can't.

Re:Improved Roaming

[Norwell+Bob]

Just read TFA... it is, in fact, actual GPS for not only positioning, but also time synchronization.

Re:Improved Roaming

[ender-]

I am sure its just geo-ip location. I don't think they'd put GPS on the device. To many applications have inside structures with metal roofs, and underground where GPS works poorly if at all.

So you are pretty much a VPS host someplace and GRE tunnel away.

There is a GPS on the device. I have one and it won't work until it gets a GPS lock. It won't get a GPS lock unless it is near a window, and this information is clearly stated in the documentation.

Re:Improved Roaming

Its also used for handover/hand-off negotiations, frequency assignment and TDMA timing

It is also used for AGPS to the handset

Re:Improved Roaming

[YackoYak]

I have a metal roof at home too. The [cool | pain in the ass thing] is that it only uses GPS on startup or whenever the power is cut. I added an extra long Ethernet cable and extension cord and just drag it to the window whenever it needs to phone home. So far it's only been about once a month.

Re:Improved Roaming

[ncc74656]

I am sure its just geo-ip location. I don't think they'd put GPS on the device. To many applications have inside structures with metal roofs, and underground where GPS works poorly if at all.

The Sprint Airave I used to have came with a GPS antenna on a long cable that you were supposed to put next to a window. It needed GPS not for location purposes, but because CDMA requires a highly-accurate clock to work properly.

Re:Improved Roaming

[henrym]

It actually has a port on the back for an external GPS antenna...I ran a cheapo from e-bay outside, and have the microcell in my basement where I needed the signal the most.

Re:Improved Roaming

[cpu6502]

I don't see the point. The device hooks into your DSL or Cable internet. So why not just use a Wifi device, and avoid ATT's extra fees?

Re:Improved Roaming

[clarkn0va]

You're right in that I don't see what this offers over a good voip service except maybe the convenience of not having to set it up. For those that do though, I think voip offers way better service at a way better price.

Re:Improved Roaming

[bondiblueos9]

Because then you are not using your existing cell phone anymore with your existing ATT number. You would have a second phone number for your wifi device, so you would have to set up call forwarding to the phone you are using when you are using the other one. Also you wouldn't be able to receive text messages when your cell phone doesn't have service. I get around this by using Google Voice with a variety of phone services, only giving out my Google Voice number.

Re:Improved Roaming

Cool for you, not cool for your neighbor who's on a different wireless carrier (which has the license for those frequencies in this out-of-AT&T-coverage location), and now can't make a call due to interference from your microcell.

Also not cool for you if you keep using it too long, your neighbor complains loud enough, the telco sends a test guy who quickly realizes what's going on, they sic the FCC on you, and you get hit with up to a $10,000 fine. (Granted, this is unlikely, mainly because telcos don't care about their customers to send a test guy, they'll just tell them to get stuffed. But the regional operators whose frequencies you'll be stomping on do have a higher chance of caring than the big nationals, so it's not inconceivable.)

Re:Improved Roaming

[tcampb01]

It' does have a GPS, but it's not for E911.... you could register the location if that were all it was.

They won't allow the device to use unlicensed spectrum. Since the frequencies that a company has licensed will vary from place to place, they want the device to know where it's located. It can then determine which frequencies it is licensed to use in that particular area. You'd think a reverse-IP location would be adequate, but the FCC apparently "requires" that they do this with GPS. I had read stories that some customers were allowed to request a bypass (AT&T would remotely program the device location and tell it to ignore the GPS and work anyway) but the FCC forced them to put an end to that practice (the FCC is always so "helpful" like that. )

There are more ironies... not only does the device need to be near a window where it can pick up a GPS lock, it also tests the signal strength of the standard AT&T towers. It dials it's own signal strength back IF it thinks that the outside signal strength should be good enough. And since the device now has to be located in a window, it'll get better signal than you could realistically get inside your home. And of course being at a window, you cannot locate the device in a central location to offer coverage to most of the home. The result is that this makes the micro-cell transmit the weakest possible signal (and of course you bought it SPECIFICALLY to overcome the problem of weak signals) and if you're not relatively close, the device is worthless.

It gets worse. AT&T allows a hand-off of a call from micro-cell to regular towers, but it can't do a hand-off in the other direction. And since towers vary their signal strength regularly and the micro-cell is now using it's wimpiest transmit power, it takes very little to make the phone think that it needs to switch to an outside tower. The result is that if you get an outside tower boost from... say 1 bar to maybe 3 bars, your phone will switch to the outside tower. A few moments later the outside tower drops back to it's more typical 1 bar signal strength. Since the call cannot do a hand-off back to the micro-cell... the call just drops.

After months of frustration, I discovered the solution. There's an external antenna jack on the back. If you ask AT&T about it, they can't tell you anything about it. They don't sell any accessories or even know what sort of antenna would work with this. You can get an external GPS antenna with a long cord (I bought one with a 25' cord.) This allows you to get the micro-cell away from the window and closer to the center of the house. BUT.. the micro-cell also varies its own transmit power based on whether it's able to detect much outdoor AT&T signal. It's in your best interest to make sure the micro-cell gets the weakest signal you can manage. I located my micro-cell to my basement... in a small closet under the stairs. The GPS antenna is in a basement window. Now the micro-cell still gets the GPS lock, but it doesn't get any outside AT&T signal... consequently it's actually willing to put out a much stronger signal and it works all around the house.

You won't be able to buy the antenna from AT&T. You'll need do a search for a GPS antenna that works with the AT&T micro-cell. I found one via Amazon for $30... one of the best $30 I ever spent. Now the device actually works as intended.

Re:Improved Roaming

I have a microcell, and the devices have a GPS antenna hook-up on the back. I picked one up on Amazon, attached it, stuck the antenna in the window and the microcell where I wanted and I was all set.

Re:Improved Roaming

[e_hu_man]

also remember that att often is the dsl or cable internet and they can bundle things. part of this sales pitch is saying, though not necessarily providing, an overall discount. another part is offering a microcell for free as long as you stay for 2 years. i'm sure there's more, but you get the idea.

Re:Improved Roaming

[xyzzyman]

So just enclose your microcell in a Faraday cage so it can't detect any AT&T signal and it'll boost itself as strong as possible! There's ZERO DOWNSIDES. I've thought this through.

Re:Improved Roaming

Wouldn't the Faraday cage then block the microcell from broadcasting a signal within your house for your cell phones to use?

Re:Improved Roaming

[xyzzyman]

Sucker...

Re:Improved Roaming

[afidel]

mainly because telcos don't care about their customers to send a test guy

Not true at all, we had some indoor repeaters installed by a bunch of idiots (they were not our vendor choice, our selection was overruled by management) and between the amp and the yagi antenna we were putting out enough signal strength to blind one quadrant on the tower we were pointing at. Verizon not only sent out a tech but he climbed the tower to figure out the source of the interference and then came to our location to talk to us. We then had our original choice (actually licensed installers) come in and fix the problem after explaining FCC fines to management.

Re:Improved Roaming

[CharlyFoxtrot]

The article states the microcell also uses GPS for timing : "GPS is used both for radio timing and for determining the position of the box." So that might not work.

Re:Improved Roaming

[Hovsep]

It, like the microcells for Sprint and Verizon, has a GPS radio. I've set several of these up and have had to always put the unit close to an exterior wall/window/door in order for it to pick up a GPS signal. Sprint in the very first AirRaves included an antenna with a 30' cord to allow placement of the unit further inside, but I never really saw a need for it. If I'm going to run the antenna cable that far, I can run the Ethernet that far too.

Recently a friend was complaining that his AT&T mico-cell wasn't working. I went over and saw it was placed towards the inner part of this condo. I moved the unit to the other side of the credenza it was sitting under, bringing it about 6 feet closer to the outside window, and the unit picked up a GPS signal and provisioned itself for service again.

Re:Improved Roaming

[cheater512]

A little AVR chip can intercept the GPS readings, keep the time the same but substitute the long/lat just with its onboard serial.

Re:Improved Roaming

Do you not see the difference between interfering with your neighbours reception and taking out a quarter of a cells coverage.

Re:Improved Roaming

[flatulus]

Hold your horses!

Yes you can probably come up with hacks to make it possible to user your box out of the "legal" area. Here's things to keep in mind:

1) AT&T may very well be watching the IP address from which your box is connecting into their cellular switching center. While nowhere nearly as accurate as GPS, they can certainly tell that you're in the Chicago area with your box, while your service is registered in Seattle... They could stop you cold on this.

2) The timing issue, while not so much a concern to you, the (agreement violating) user, it does have consequences. We are not just talking about "oh, it's 3:15pm, give or take a second". The timing they are talking about is actually "frequency accuracy". (you know, frequency and time are conjugate transforms) These devices have very strict frequency tolerances (used to be +/- 0.1 ppm when I was working on this technology, may be somewhat more permissive these days). GPS is the "gold standard" for disciplining your radio's local oscillator, and makes it easy to achieve the required tolerances. Bypass the "true GPS" accuracy with a hack, and your box's radio will drift out of channel. This may cause interference to surrounding (well behaved) radios, and may cause your quality of (cellular) service to suck as well.

3) There are legal reasons why AT&T ties the operation of your box to your "registered location". If you operate the box "elsewhere", you may very well be operating in a geography where AT&T has no license for that band. Now, AT&T can be held liable for violation of license. Think they're gonna take the rap without taking you down too? Even if so, enough of you "tinkerers" pull this shit and you can count on new criminal penalties being written into law - just for you!

So as fun as it might seem, may I caution you to find something else to hack? It won't make the world a better place if you "develop" these workarounds...

Re:Improved Roaming

[cheater512]

#2 would be an interesting issue to investigate in more detail.

With an AVR you could calculate the exact amount of time it takes to process the signal and either make it fully compatible (e.g. a very specific delay for the signal) or also alter the timing by the exact amount.

Re:Improved Roaming

I have my microcell in the basement where GPS link is impossible. I activate it using the iPhone app, which seems to provide the coordinates. It will not activate until I access it with the iPhone app, but then it is fine. I have not seen it time out after activation.

Re:Improved Roaming

There really is a GPS in the device that won't start service until it has sync'ed at least once. If you setup in a basement ATT says you have to place it near a window.

So what incentive do people have to get these?

[sandytaru]

If they're pricey, insecure, and can't be used outside of the normal AT&T range, what's the point, really? About the only usage I can think of would be providing interior building cell phone service in massive structures, such as conference hotels, where the signal from outside is too weak to penetrate twenty layers of concrete.

Re:So what incentive do people have to get these?

[X0563511]

Our company phones are all verizon, and we have a local repeater on our floor since this building is somehow repellant to all forms of RF (seriously, I can pick nothing up cleanly from 0.5 to 1.0ghz)

It has it's uses, I'm sure.

Re:So what incentive do people have to get these?

[sandytaru]

Aye, they'd do best targeting this toward the commercial market. If they are even thinking of aiming it to consumers, well, that's another layer of fail on the device.

Re:So what incentive do people have to get these?

You obviously don't have AT&T. If you did you would see the foolishness in your question.

Re:So what incentive do people have to get these?

[Norwell+Bob]

I live in an area where my signal is finicky... usually at 1 bar, sometimes 2, just as often 0. I was experiencing a lot of dropped calls and delayed SMS delivery in my apartment, so I went to the store and told them that I was switching providers (I go way back to the Cingular days) unless they gave me a microcell. They did. It works pretty well, but isn't perfect. I don't know if I'd pay $200 for one, but it's pretty easy to bully the people at carriers' store fronts into giving you accessories and stuff to keep you on their books. I told the manager, "it can cost you $200 now, or $200 every month... which is it gonna be?"

Re:So what incentive do people have to get these?

I live in a very old house, one with brick walls covered in plaster and reinforced by lath. Now AT&T's service is pretty decent in my neighborhood (5 bars outside and whatnot), but my house is effectively a Faraday Cage. One can see the advantage of turning my signal-murdering house into a place where cell phones actually work.

Re:So what incentive do people have to get these?

[skywire]

You failed to think of the tiny regions scattered through each cell provider's high-level coverage area that happen to be, say, blocked by a hill from the nearest tower. No layers of concrete, or anything else, is necessary to get an unreliable signal in those locations. Take a look at AT&T's detailed coverage map for any city and you will see them. This is precisely what these boxes were designed to address.

Re:So what incentive do people have to get these?

"it's pretty easy to bully the people at carriers' store fronts"
Wonder how that would work at a gas station, threaten to quit buying gas if they don't give you a more fuel efficient car.
I don't know what line of work your in, but I'm sure you'd appreciate someone coming in off the street and "bullying" you for free stuff from your employer.
If you want nearly 100% uptime for your telephone at home, get a land line, cell phones regardless of carrier have an annoying habit of having signal blocked by buildings, trees, geography, etc.

Re:So what incentive do people have to get these?

The only cell tower near my house is behind a hill. If I climb up on the roof I have cell coverage. Down at ground level I don't.

Re:So what incentive do people have to get these?

[NevarMore]

Don't forget that when providing cellular signals to locations with poor radio reception that it somehow has to get a GPS signal. Thats a feature.

Re:So what incentive do people have to get these?

I go way back to the Cingular days

Bell South newbie, huh? I go way back to the McCaw Cellular days. I've had crummy cell service at my house since 1995. I'll have to try this.

Re:So what incentive do people have to get these?

[sjames]

It's just an extension of the carrier's usual policy of expecting us to pay handsomely for the privilege of building out their inadequate infrastructure in order to have the privilege of paying them handsomely for barely adequate service.

Re:So what incentive do people have to get these?

He didn't physically bully them, he didn't threaten them with blackmail, he didn't threaten them with physical harm, he didn't even threaten to blacken their name on the internet (which, I guess, wouldn't really be a threat given their reputation already).

He simply made a business proposition and they accepted it. They could have rejected it with no consequences beyond losing his business. Obviously they felt it was in their best interests to accept the proposition.

That's how businesses work.

If you go to your local gas and make a business proposition: "I won't patronize you anymore unless you give you a more fuel efficient car", it's likely the gas station owner/manager/clerk will think about it for all of 300 mSec and reject your proposition. No Harm, No Foul.

Re:So what incentive do people have to get these?

[afidel]

Nope, the device has a list of allowed phone numbers and it's a fairly short list. These devices are absolutely aimed at consumers and business users who have a weak signal either at their office or home.

Re:So what incentive do people have to get these?

If you want to use your cellphone at home then you need one. AT&T has coverage is some parts of most cities, but in residential areas their coverage is even spottier. I want to be able to use my iPhone rather than pay extra a home phone so I have one of these. I don't understand your question.

Re:So what incentive do people have to get these?

If you complain loud enough you can get them for free. The rest is upside, either they do work and you have better signal, or then don't and you still use your cell tower and you are no worse off. The GPS signal thing is annoying though. On mine it is red half of the time. Maybe it is time to search for GPS antenna.

Re:So what incentive do people have to get these?

Don't forget you can connect an external GPS antenna to these things.

Re:So what incentive do people have to get these?

GPS signals come from the sky.
Cellular signals come from the ground, or close to it.

Picture, if you will, a hill, with a cell tower on one side, and a house on the other.

Re:So what incentive do people have to get these?

[Norwell+Bob]

Sorry, sensitive one; my non-literal use of the word 'bully' has apparently evoked a strong emotional response from you. Let's pretend I used the word 'convince' instead, dab away the tears with a tissue, and go get an ice cream.

Ask Slashdot "how to spoof GPS" indoors.

[Paracelcus]

How to spoof GPS indoors?
Let it pick up a signal for an arbitrary location.

Re:Ask Slashdot "how to spoof GPS" indoors.

Usually a GPS chip has a simple, well-documented serial protocol. You could easily add some kind of chip or microcontroller that responds like a GPS chip over serial, but only outputs coordinates that you want. If you already know how to program a microcontroller (such as Arduino or similar) this should be a piece of cake. Throw in a MAX232 chip if it's RS-232 and you're experiencing voltage difference issues, etc. With my limited experience, I could probably do this in 1-2 hours.

There are probably other purpose-built chips out there, but I haven't looked around yet.

Re:Ask Slashdot "how to spoof GPS" indoors.

One more thing, this won't work so well if they're using the chip for receiving accurate time in adddition to location. You would have to get very creative for that and possibly have to use a real GPS chip for receiving the time and then report that and spoofed coordinates to the device. That wouldn't be fun, but should be doable.

Re:Ask Slashdot "how to spoof GPS" indoors.

[tibit]

It wouldn't be fun? Huh? It should fit in 100-200 lines of C on most any decent microcontroller with hardware UARTS. It's almost a no-brainer.

Re:Ask Slashdot "how to spoof GPS" indoors.

One more thing, this won't work so well if they're using the chip for receiving accurate time in adddition to location. You would have to get very creative for that and possibly have to use a real GPS chip for receiving the time and then report that and spoofed coordinates to the device. That wouldn't be fun, but should be doable.

So now I need a GPS attocell in order to make my phone's femtocell work? It's cells, cells, cells, all the way down!

Re:Ask Slashdot "how to spoof GPS" indoors.

That's not what you're trying to do. The GPS is required for E911. If for some god damned reason you spoof it (do you really have 12 radio transmitters laying around?) you could be in deep shit if someone dies.

Now what you really want to do is run the GPS antenna outside so that the signals aren't blocked. Or like just put the box outside under a glass bowl.

Re:Ask Slashdot "how to spoof GPS" indoors.

You're nuts, why would I want to tell AT&T my location? Fuck off!

Re:Ask Slashdot "how to spoof GPS" indoors.

[flatulus]

Bingo - I posted on this earlier in this article (different sub-thread).

GPS is used to discipline the radio's oscillator to about 2,000 times greater precision than your garden-variety oscillator. This is NOT part of any serial port protocol. It is done with a dedicated logic signal, generally emitting one pulse per second.

Bad things will happen if the radio doesn't get rock-solid timing on this input. Like drifting out of your assigned RF channel and splattering on neighbor cells - oh and more important to you, having those neighbor cells splatter all over yours. Takeaway - everybody loses.

And then the lawsuits...

Not surprising

[sl4shd0rk]

Brought to you by the same guys charged with domestic evesdropping: http://www.wired.com/science/discoveries/news/2006/01/70126

Using IP multicast for the backdoor

[Chris+Dodd]

The most interesting thing I thought was that the device uses an IP multicast address for the backdoor reply. This makes it possible to search for all Microcell devices across the network, as long as its not behind a router that blocks IP multicast.

GPS

[Peter+Simpson]

Actually, you're incorrect in your thinking. They were required to put GPS in it for E911 to work and the device will not function until the GPS location is verified. As the owner of a microcell I can tell you that GPS reception is the biggest #$@!@# pain in the ass for the thing in general. I have a metal roof at home and the microcell will only activate for me if I hang the device in the skylight.

Actually, the GPS is most likely there to provide a precise time reference...required by GSM.

Just use a Signal Booster

What a hassle. Instead just get a signal booster from Wilson Electronics and bring the cell tower signal into your home. Perhaps something like this: http://www.wilsonelectronics.com/ProductDetails.aspx?Product=19&title=AG+SOHO+60+(801245)&Category=9

backdoor password:

[Nyder]

Joshua

Sorry, could resist for all the peeps, who like me, first heard of backdoors in Wargames. I was just a young peep who discovered the world of computers and was hooked, then saw wargames and thought, hmm, there's some shit i didn't think of.

Re:backdoor password:

[qubezz]

Mr Potatohead! Backdoors are not secrets.

What is the benefit of Microcells over UMA?

[Sherloqq]

I'm a Rogers customer out of Ontario with a wifi-capable cell phone. Reception in my neck of the woods sucks. However, my phone (a Blackberry Curve) has built-in wifi and supports UMA. For $5 / month extra, I can piggyback my calls over broadband internet and they simply get billed against my minutes. I can use this with any wifi hotspot in Ontario (and probably in Canada).

Pros: no hassles with GPS, placing equipment near windows; portability (don't have to take a microcell with me); cost

Cons: used to be a free service, but is not anymore; a UMA-compatible handset is required to leverage this

everything is backdoored.

Having done a bunch of reversing work on similar and other platforms, most of this can be taken by extracting the interesting binaries from the firmware images then running them on an emulated image of the OS.

There is a backdoor to almost every system I have tested. You can bet that if it has an OS, it has a backdoor from either the chip fab, the OEM, the software developer or the vendor, often more than one they aren't aware of. It's not a conspiracy, it's just human nature.

All VoIP

[bartoku]

All voice communication should be handled over a data connect and handed off to WiFi when available...

Battery life suffers

[JPElectron]

Anyone notice that if you are home all day, and your phone is associated exclusively to the Microcell, your phone battery is dead before the end of the day. Whereas if I am away from home the whole day, my battery will last all the way to the next day (almost twice as long) I've come to the conclusion that the Microcell kills the battery while paying attention to actual phone use, for example only 1hr of actual talk time, data usage only for syncing email via Exchange. In all my tests bluetooth is always off, wifi is always off. As an owner of this Microcell, which I also install for many other people, I can confirm a GPS lock is required when power is applied, but after that you can move it away from the window. Getting a new IP from your ISP will not always trigger re-sync of the GPS, often times it will re-establish the IPsec tunnel with the GPS light ever going into blinky-blink mode (searching)