Blackhat 2013-traffic interception & Remote Mobile Phone cloning with a compromised CDMA Femtocell

Https://www.youtube.com/watch?v=1yR3F9hnwGU

First, popularize the femtocell:https://zh.wikipedia.org/wiki/%e5%ae%b6%e5%ba%ad%e5%9f%ba%e7%ab%99.

Home Base Station ( English:Femtocell, also translated as Pico Honeycomb Base station), originally called the access point base stations , is a small cellular base station that is generally designed for use in home or small commercial establishments. Connecting to the operator's network via broadband access (such as DSL, cable, fiber) can integrate 2G, 3G, WiFi on one machine.

The 2008 global Mobile World CONGRESS;MWC First exhibited Femtocell technology, which was orange, t-mobile blue graces, and "Femto" meant 10 minus 15 times, also known as Pico . Home base Station, the first in Europe, is an ultra-small mobile base station, compared to Microcell base stations (usually within 2 km of coverage) and Picocell miniature base station (referring to the typical coverage range of 200 meters) smaller, home base stations covering about 12 meters. In some cases, femtocell can provide a wider range of coverage to meet the needs of the office environment.

The family base station can be converted to 3G ADSL or fiber-optic network bandwidth for wireless 3G message, suitable for home and office environment.

The family base station is simple, based on IP protocol, the launch power is 10MW~100MW, also can provide 3G Network service while providing Wi-Fi function, compared to the low cost of traditional base station is Femtocell become the most attractive solution.

A Linux box

The Phone will automatically access the Femtocell,no user interaction and no indication (not a joining an open WiFi network)

Ideas:

1. Get root permissions. There is an HDMI port for console port.

Wireless Signal RANGE:APPR. 40 '

Scs-26uc4:get root by interrupting the boot process. (Uboot delay:press any key to interrupt boot), go to the root shell, run a script and root on fullly functional device. But this vulnerability has been patched.

Scs-2u01:can abort the root process using the Magic sysreq+i key. Then you can log in as root. Run a script and root on fully functional device.

2. Find the Packets:but quicksec works on the kernel level, therefore cannot get useful info using normal capture tools L Ike Tcpdump

Need to customize the kernel module, must is above & below Quickset to get the plaintext before encryption and after D Ecryption.

Things to Do:view the data, and drop it.

(To be continued: 18:21)

Additional: The principle of Androtti right: http://www.zhihu.com/question/21074979

Blackhat 2013-traffic interception & Remote Mobile Phone cloning with a compromised CDMA Femtocell