Saturday, August 23, 2008

Airave and Network Sniffing for Fun and Profit

Sprint's AIRAVE BYOB (bring-your-own-backhaul) femtocell went on sale nationwide this week. Reviews seem mildly positive; it kind of costs a bunch considering you're subsidizing Sprint's infrastructure, but it's marketed toward people who have little other choice.

I don't have one (I'm not on Sprint at the moment). But if I did, the second thing I'd do with it is to start sniffing the traffic it sends back up the wire.

But all that data would be encrypted, right? Well, maybe ... and maybe not. Since Excel files seem to be an enterprise data store of choice these days for companies handling sensitive personal information, and since telcos are not the science-fair winners of the class but more like that kid in the back who just giggles all day and keeps getting his lollipop stuck in his own hair, it wouldn't surprise me if they think ADPCM is encryption.

Even if some or all of the call content is encrypted, though, one could probably learn a lot about the signaling layer of the system -- i.e., how the network identifies and talks to the phones to indicate presence or session initiation.

Why would this be useful?

Well, for one thing, it would be interesting to use the AIRAVE as a presence detection mechanism. Once I can determine that the base station has recognized a known cell phone ID, I can automate all sorts of things that are supposed to happen when I'm nearby.

Applications include home automation (open locks, turn off the alarm); media (access and/or license to all of the media I own "appears" on any connected device when I'm nearby with my cell phone, and goes away when I leave); or for commerce: my hotel reservation, preferences at a restaurant, or online search history for a retailer can cue up automagically as I enter range.
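The presence idea above boils down to a small state machine: a known device ID seen by the base station means "arrived", and a long enough silence means "left". The following is an added example, not code from the original post. The signaling format is not described on the page, so it assumes some upstream sniffer has already reduced the uplink traffic to (timestamp, device_id) sighting events; the events below are constructed sample data, and the departure timeout is an arbitrary choice.

```python
"""Presence tracker driven by base-station sightings of a known phone ID.

Added example, not from the original post. It assumes an upstream decoder that
emits (timestamp, device_id) sightings; the sample events are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class PresenceTracker:
    known_ids: set            # device IDs that count as "me"
    leave_after: int          # seconds of silence before declaring departure
    last_seen: dict = field(default_factory=dict)
    present: set = field(default_factory=set)

    def observe(self, ts, device_id):
        """Feed one sighting; returns 'arrived', 'still_here' or 'ignored'."""
        if device_id not in self.known_ids:
            return "ignored"      # unknown phones never trigger automation
        self.last_seen[device_id] = ts
        if device_id in self.present:
            return "still_here"
        self.present.add(device_id)
        return "arrived"

    def tick(self, now):
        """Expire devices silent for longer than leave_after.

        Returns (device_id, departure_time) pairs; the departure time is the
        end of the silence window, not the moment we happened to notice it.
        """
        gone = []
        for dev in list(self.present):
            deadline = self.last_seen[dev] + self.leave_after
            if now > deadline:
                self.present.discard(dev)
                gone.append((dev, deadline))
        return gone


def run_events(events, known_ids, leave_after, end_time):
    """Replay sightings in time order and return the list of automation actions.

    An identifier seen over the air is a convenience signal, not an
    authentication factor; a real deployment would pair it with something
    stronger before unlocking anything.
    """
    tracker = PresenceTracker(known_ids=set(known_ids), leave_after=leave_after)
    actions = []
    for ts, dev in sorted(events):
        for gone_dev, when in tracker.tick(ts):   # catch up on departures first
            actions.append((when, gone_dev, "left"))
        if tracker.observe(ts, dev) == "arrived":
            actions.append((ts, dev, "arrived"))
    for gone_dev, when in tracker.tick(end_time):  # final clock check
        actions.append((when, gone_dev, "left"))
    return actions


# Constructed sample sightings: (seconds, device_id). "B" is a stranger's phone.
SAMPLE_EVENTS = [(0, "A"), (30, "A"), (45, "B"), (60, "A"), (500, "A")]

if __name__ == "__main__":
    for when, dev, action in run_events(SAMPLE_EVENTS, {"A"}, 120, 700):
        print(f"t={when:>4}s  {dev}  {action}")
```

Departures are detected lazily, whenever the clock advances, so a real deployment would call `tick()` from a timer rather than only on new sightings.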


Anonymous said...

Good luck sniffing. In addition to the standard CDMA EVRC encoding (which no one has broken yet), all traffic from the AIRAVE back to the network is encrypted using IPSec.

Adam said...

As I said, haven't tried it ... BUT (1) not sure EVRC is still the codec in use for Sprint; (2) EVRC is an audio compression scheme and not a security mechanism. Implementations are available even if they are encumbered by IP restrictions; (3) if the traffic runs from Airave to Sprint in an IPSec tunnel, how does it 'automagically' traverse a cheap home NAT router without requiring any user configuration? Maybe some routers can do this by UPnP, but a lot can't...
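Whether the uplink is actually inside IPsec, and how it gets through a NAT, is something a capture can show rather than something to guess at: native ESP is IP protocol 50, IKE runs on UDP 500, and UDP port 4500 carries both IKE and ESP wrapped in UDP for NAT traversal (RFC 3948, where IKE on 4500 is marked by a leading four zero bytes). The classifier below is an added example, not code from the post or its commenters, and it runs over constructed packet summaries rather than a real AIRAVE capture.

```python
"""Classify captured uplink packets by whether they ride inside IPsec.

Added example, not from the original post. Input is a list of already-parsed
packet summaries of the kind a sniffer's decoder would produce; the sample
packets are constructed, not a real femtocell capture.
"""
from collections import Counter

ESP, AH, UDP = 50, 51, 17            # IP protocol numbers
IKE_PORT, NAT_T_PORT = 500, 4500     # ISAKMP and UDP-encapsulated IPsec (RFC 3948)
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefix of IKE carried on port 4500


def classify(pkt):
    """Return a label saying how one packet relates to IPsec."""
    proto = pkt["proto"]
    if proto == ESP:
        return "esp"                  # native ESP: payload is ciphertext
    if proto == AH:
        return "ah"                   # integrity only; payload is readable
    if proto == UDP:
        ports = {pkt["sport"], pkt["dport"]}
        if IKE_PORT in ports:
            return "ike"              # key exchange, not call or signaling data
        if NAT_T_PORT in ports:
            # On 4500, IKE starts with the zero marker; anything else is an ESP
            # packet wrapped in UDP so a home NAT router can forward it.
            if pkt["payload"][:4] == NON_ESP_MARKER:
                return "ike"
            return "esp_udp"
    return "cleartext"


def summarize(packets):
    """Count labels and report whether every data packet was inside ESP."""
    counts = Counter(classify(p) for p in packets)
    encrypted = counts["esp"] + counts["esp_udp"]
    unprotected = counts["cleartext"] + counts["ah"]
    return {
        "counts": dict(counts),
        "all_data_encrypted": unprotected == 0 and encrypted > 0,
    }


# Constructed sample capture: IKE, NAT-T IKE, NAT-T ESP, native ESP, and one
# RTP-looking UDP packet that would be a sign of unencrypted media.
SAMPLE_PACKETS = [
    {"proto": UDP, "sport": 500, "dport": 500, "payload": b"\x11" * 8},
    {"proto": UDP, "sport": 4500, "dport": 4500, "payload": NON_ESP_MARKER + b"\x22" * 8},
    {"proto": UDP, "sport": 4500, "dport": 4500, "payload": b"\x00\x00\x01\x2c" + b"\x33" * 8},
    {"proto": ESP, "sport": None, "dport": None, "payload": b"\x44" * 16},
    {"proto": UDP, "sport": 49170, "dport": 16384, "payload": b"\x80\x00" + b"\x55" * 14},
]

if __name__ == "__main__":
    print(summarize(SAMPLE_PACKETS))
```

Applied to a real capture, a result of only `ike`, `esp` and `esp_udp` labels means the signaling and media are at least inside ESP; any `cleartext` count is where a practitioner would start looking, and it answers the NAT question too, since ESP-in-UDP on 4500 needs no port forwarding or UPnP on an ordinary router.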

Andy said...

There are some examples of femtocell-enabled presence service here:

and femtocell-enabled Connected Home services here:
