Slashdot Mirror


AT&T Microcell Disassembly; Security Flaws Exposed

CharlyFoxtrot writes "The geeks over on the fail0verflow blog took apart an AT&T Microcell device which is 'essentially a small cell-tower in a box, which shuttles your calls and data back to the AT&T mothership over your home broadband connection.' They soon uncovered some real security issues including a backdoor: 'We believe that this backdoor is NOT meant to be globally accessible. It is probably only intended to be used over the IPSEC tunnel which the picoChip SoC creates. [...] Unfortunately, they set up the wizard to bind on 0.0.0.0, so the backdoor is accessible over the WAN interface.'"
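The flaw quoted above is a plain bind-address mistake: a management service that should have listened only on the address the IPsec tunnel gives the device was bound to the wildcard address, so every interface, WAN included, could reach it. The script below is an added example for checking a box for that class of exposure; it is not code from the story or from fail0verflow's write-up. It parses the table that `ss -ltnpH` prints on Linux, flags any listener bound to `0.0.0.0`, `::` or `*`, and also flags listeners bound to an address outside an allow-list of "internal" addresses. The sample `ss` output, the process names and the tunnel address `10.8.0.2` are all constructed for the example.

```python
"""Find listening TCP sockets reachable from more interfaces than intended.

Added example: audit the output of `ss -ltnpH` (no header, listening TCP
sockets with owning process) for wildcard binds such as 0.0.0.0 / ::,
which expose a service on every interface, including the WAN side.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample of `ss -ltnpH` output (not captured from a real device).
# Column order: State Recv-Q Send-Q Local:Port Peer:Port Process
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=612,fd=3))
LISTEN 0 10 10.8.0.2:8080 0.0.0.0:* users:(("wizard-ok",pid=733,fd=5))
LISTEN 0 10 0.0.0.0:8081 0.0.0.0:* users:(("wizard-bad",pid=734,fd=5))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=612,fd=4))
LISTEN 0 5 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=500,fd=7))
"""

# Assumed policy: only loopback and the tunnel-side address (10.8.0.2 is a
# made-up example value) are acceptable bind addresses for local services.
ALLOWED_LOCAL_HOSTS = {"127.0.0.1", "::1", "10.8.0.2"}


@dataclass
class Listener:
    local_addr: str
    port: int
    process: str


def parse_ss_lines(text):
    """Parse `ss -ltnpH` output into Listener records."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        # Skip headers, blank lines and anything that is not a listening socket.
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # Local column looks like 0.0.0.0:22, [::]:22 or *:80; split on the
        # last colon so IPv6 addresses keep their inner colons.
        host, _, port = fields[3].rpartition(":")
        host = host.strip("[]")
        process = fields[5] if len(fields) > 5 else ""
        listeners.append(Listener(host, int(port), process))
    return listeners


def is_wildcard(host):
    """True for the 'all interfaces' addresses: *, 0.0.0.0 and ::."""
    if host in ("*", ""):
        return True
    try:
        return ipaddress.ip_address(host).is_unspecified
    except ValueError:
        return False


def exposed_listeners(listeners, allowed_hosts):
    """Return listeners that are not confined to an allowed local address.

    A wildcard bind is always reported, because it answers on every
    interface; a bind to a specific address is reported only when that
    address is not on the allow-list.
    """
    return [
        lst for lst in listeners
        if is_wildcard(lst.local_addr) or lst.local_addr not in allowed_hosts
    ]


def report(text, allowed_hosts):
    """Human-readable lines for each exposed listener."""
    return [
        f"EXPOSED {lst.local_addr}:{lst.port} {lst.process}"
        for lst in exposed_listeners(parse_ss_lines(text), allowed_hosts)
    ]


if __name__ == "__main__":
    # On a real host: ss -ltnpH | python3 this_script.py (reading stdin);
    # here the constructed sample is used so the script runs offline.
    for line in report(SAMPLE_SS_OUTPUT, ALLOWED_LOCAL_HOSTS):
        print(line)
```

Run against the sample, the two `sshd` wildcard binds and the `wizard-bad` service on `0.0.0.0:8081` are reported, while `wizard-ok` on the tunnel address and CUPS on loopback pass. The fix on the server side is the mirror image of the check: bind the management service to the tunnel interface's address rather than to the wildcard, and keep a firewall rule on the WAN interface as a second layer in case a bind address is ever widened again.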

12 of 82 comments

  1. Backdoor? by Anonymous Coward · · Score: 5, Insightful

    AT&T's customers routinely take it in the backdoor from the company already so they just figured that no one would notice in this case.

  2. Improved Roaming by clarkn0va · · Score: 2

    The box is only ‘allowed’ to work when within the area nominally serviced by AT&T.

    Very cool would be any trick to overcome this limitation and have local cell service wherever you may be.

    --
    I am literally 3000 tokens away from the chaotic crossbow --Stephen

    1. Re:Improved Roaming by TFoo · · Score: 4, Insightful

      Actually, you're incorrect in your thinking. They were required to put GPS in it for E911 to work and the device will not function until the GPS location is verified. As the owner of a microcell I can tell you that GPS reception is the biggest #$@!@# pain in the ass for the thing in general. I have a metal roof at home and the microcell will only activate for me if I hang the device in the skylight.

    2. Re:Improved Roaming by WalrusSlayer · · Score: 2

      You obviously don't have one of these. There is in fact a GPS inside, and they specifically instruct you to put it near a window if the GPS LED doesn't go solid. There have been various complaints on other boards about this fact, with tips on where to find GPS antennas and connectors (yes, there is an antenna jack on the back of the unit) so that the MicroCell can be used in a more convenient place while still getting a GPS signal.

    3. Re:Improved Roaming by henrym · · Score: 2

      It actually has a port on the back for an external GPS antenna...I ran a cheapo from e-bay outside, and have the microcell in my basement where I needed the signal the most.

    4. Re:Improved Roaming by tcampb01 · · Score: 5, Informative

      It does have a GPS, but it's not for E911... you could register the location if that were all it was.

      They won't allow the device to use unlicensed spectrum. Since the frequencies that a company has licensed will vary from place to place, they want the device to know where it's located. It can then determine which frequencies it is licensed to use in that particular area. You'd think a reverse-IP location would be adequate, but the FCC apparently "requires" that they do this with GPS. I had read stories that some customers were allowed to request a bypass (AT&T would remotely program the device location and tell it to ignore the GPS and work anyway) but the FCC forced them to put an end to that practice (the FCC is always so "helpful" like that.)

      There are more ironies... not only does the device need to be near a window where it can pick up a GPS lock, it also tests the signal strength of the standard AT&T towers. It dials its own signal strength back IF it thinks that the outside signal strength should be good enough. And since the device now has to be located in a window, it'll get better signal than you could realistically get inside your home. And of course being at a window, you cannot locate the device in a central location to offer coverage to most of the home. The result is that this makes the micro-cell transmit the weakest possible signal (and of course you bought it SPECIFICALLY to overcome the problem of weak signals) and if you're not relatively close, the device is worthless.

      It gets worse. AT&T allows a hand-off of a call from micro-cell to regular towers, but it can't do a hand-off in the other direction. And since towers vary their signal strength regularly and the micro-cell is now using its wimpiest transmit power, it takes very little to make the phone think that it needs to switch to an outside tower. The result is that if you get an outside tower boost from... say 1 bar to maybe 3 bars, your phone will switch to the outside tower. A few moments later the outside tower drops back to its more typical 1 bar signal strength. Since the call cannot do a hand-off back to the micro-cell... the call just drops.

      After months of frustration, I discovered the solution. There's an external antenna jack on the back. If you ask AT&T about it, they can't tell you anything about it. They don't sell any accessories or even know what sort of antenna would work with this. You can get an external GPS antenna with a long cord (I bought one with a 25' cord.) This allows you to get the micro-cell away from the window and closer to the center of the house. BUT.. the micro-cell also varies its own transmit power based on whether it's able to detect much outdoor AT&T signal. It's in your best interest to make sure the micro-cell gets the weakest signal you can manage. I located my micro-cell to my basement... in a small closet under the stairs. The GPS antenna is in a basement window. Now the micro-cell still gets the GPS lock, but it doesn't get any outside AT&T signal... consequently it's actually willing to put out a much stronger signal and it works all around the house.

      You won't be able to buy the antenna from AT&T. You'll need to do a search for a GPS antenna that works with the AT&T micro-cell. I found one via Amazon for $30... one of the best $30 I ever spent. Now the device actually works as intended.

    5. Re:Improved Roaming by xyzzyman · · Score: 5, Funny

      So just enclose your microcell in a Faraday cage so it can't detect any AT&T signal and it'll boost itself as strong as possible! There's ZERO DOWNSIDES. I've thought this through.

    6. Re:Improved Roaming by flatulus · · Score: 2

      Hold your horses!

      Yes, you can probably come up with hacks to make it possible to use your box out of the "legal" area. Here are things to keep in mind:

      1) AT&T may very well be watching the IP address from which your box is connecting into their cellular switching center. While nowhere nearly as accurate as GPS, they can certainly tell that you're in the Chicago area with your box, while your service is registered in Seattle... They could stop you cold on this.

      2) The timing issue, while not so much a concern to you, the (agreement violating) user, it does have consequences. We are not just talking about "oh, it's 3:15pm, give or take a second". The timing they are talking about is actually "frequency accuracy". (you know, frequency and time are conjugate transforms) These devices have very strict frequency tolerances (used to be +/- 0.1 ppm when I was working on this technology, may be somewhat more permissive these days). GPS is the "gold standard" for disciplining your radio's local oscillator, and makes it easy to achieve the required tolerances. Bypass the "true GPS" accuracy with a hack, and your box's radio will drift out of channel. This may cause interference to surrounding (well behaved) radios, and may cause your quality of (cellular) service to suck as well.

      3) There are legal reasons why AT&T ties the operation of your box to your "registered location". If you operate the box "elsewhere", you may very well be operating in a geography where AT&T has no license for that band. Now, AT&T can be held liable for violation of license. Think they're gonna take the rap without taking you down too? Even if so, enough of you "tinkerers" pull this shit and you can count on new criminal penalties being written into law - just for you!

      So as fun as it might seem, may I caution you to find something else to hack? It won't make the world a better place if you "develop" these workarounds...

  3. Re:So what incentive do people have to get these? by X0563511 · · Score: 2

    Our company phones are all Verizon, and we have a local repeater on our floor since this building is somehow repellent to all forms of RF (seriously, I can pick nothing up cleanly from 0.5 to 1.0 GHz).

    It has its uses, I'm sure.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...

  4. Re:So what incentive do people have to get these? by Anonymous Coward · · Score: 2, Insightful

    You obviously don't have AT&T. If you did you would see the foolishness in your question.

  5. Re:So what incentive do people have to get these? by Norwell Bob · · Score: 2

    I live in an area where my signal is finicky... usually at 1 bar, sometimes 2, just as often 0. I was experiencing a lot of dropped calls and delayed SMS delivery in my apartment, so I went to the store and told them that I was switching providers (I go way back to the Cingular days) unless they gave me a microcell. They did. It works pretty well, but isn't perfect. I don't know if I'd pay $200 for one, but it's pretty easy to bully the people at carriers' store fronts into giving you accessories and stuff to keep you on their books. I told the manager, "it can cost you $200 now, or $200 every month... which is it gonna be?"

  6. backdoor password: by Nyder · · Score: 2

    Joshua

    Sorry, couldn't resist, for all the peeps who, like me, first heard of backdoors in WarGames. I was just a young peep who had discovered the world of computers and was hooked, then saw WarGames and thought, hmm, there's some shit I didn't think of.

    --
    Be seeing you...