Computer Security Rants & Reverse Engineering

Saturday, December 10, 2011

Moving forward...

My next plans for looking at Republic Wireless involve peering into the HTTPS connection the handset makes to their SSL server.

Depending on how they have things configured, this will likely involve some DNS redirection on my local network. Basically, I'll redirect the server's hostname to a local machine and use that machine to man-in-the-middle the data, either just displaying it or altering it along the way.

Depending on how their software is set up, this may require me to modify the handset to trust some extra SSL certificates. Only time will tell.

Doing this should at least enable me to figure out how they're doing text messages over WiFi and probably yield some other interesting results.

I've also been pondering how they're handling 911 calls. I've got three theories, in order of likelihood:
  1. If the user dials 911, force the call to occur on the cellular network. This enables them to rely on Sprint's already existing, federally mandated E911 support. -- In this instance, I wonder which number (cellular directory number or Republic VoIP number) the 911 processing center sees?
  2. If the user is on WiFi, determine the phone's position using GPS, WiFi, and/or cell site positioning. Then send that data to their backend -- probably a bit like I think they do text messaging. Use this information to determine which 911 center to route to and provide them with the position.
  3. They don't handle 911 calls. Given that they're a VoIP service, they may or may not be required by law to handle 911 calling at all. Some services are able to avoid this by putting some language in their user agreements.
Like I said, my money is on the first option. This would be a hard one to test without running afoul of the law. So I'll just leave it as a thought experiment -- unless someone from Republic wants to explain?

More as it occurs to me and I've time to look into it.


  1. On 911, I would think that their long-term solution involves the Dash911 service that they acquired with Dash Carrier Services earlier this year:

    “Dash has some unique advantages in 911,” said Steve Leonard , senior vice president and general manager of’s wholesale division. “They use geospatial routing instead of a hard address lookup. Moving into a world that is [increasingly] WiFi-enabled, will become very important.”

  2. * 911 always goes over the cellular network from what I've been told, so they're using the cellular MDN for that.

    * Regarding the 'second number': The MIN just identifies the phone to Sprint (like an account number); the MDN is the actual second number the phone has. Does calling the MDN directly affect the CUI?

    * Where's the phone looking for OTA updates? I don't have a phone and I want to prod at the software; although a Nandroid would be great it's not feasible without blanking out some settings (since your SIP provisioning would be in the Nandroid, technically)