Femtocells wilt under attack
Security researchers have turned their attention to femtocells, and have discovered that gaining root on the tiny mobile base stations isn't as hard as one might hope. Researchers working for TrustWave will present details of their successful attacks against femtocells at the ShmooCon security conference next week in Washington …
"Security researchers have turned their attention to femtocells, and have discovered that gaining root on the tiny mobile base stations isn't as hard as one might hope"
Whoever designed these devices should be sent back to computer school. An authentication device that can be bypassed is a contradiction in terms. Or as some pen pusher would put it in a report: an unantipicate security excursion. Did not anyone check these devices for security vulnerabilities. What are they teaching them in college nowadays ?
"Uh you've reached stewie and brian, we're not here right now, uh and if this is mom, uh send money because we're college students and we need money for books...and highlighters...and.... ramen noodles...and condoms, for sexual relations with our classmates"
If you could set up a base station that identified itself as being from a country where encryption was not supported (basically 'the axis of evil' where US legislation forbids the export of strong encryption), you could then set up an unencrypted channel. This still required the victim to be conned into roaming onto your dodgy network.
I've no idea if this trick could succeed with 3G or not, as I no longer work in this field.
What other reason is there to have a femtocell? I mean to get Internet locally, I could also use WLAN, but to play with GSM, a femtocell is cheap hardware.
Could you use a femtocell to divert phone calls to an accomplice who can mimick the voices of people that your victim is likely to call?
Interesting idea, but not possible over 3G as the protocol demands that the network authenticate itself to the handset (as well as the handset authenticating itself to the network).
2G doesn't include that bit, but 2G femtocells are rare.
Once the network and handset have been mutually authenticated then everything is secured using A5/3, so if you've broken that then you could do a lot more.
Nice idea though.
Bill.
While the theory of planting an exploited femtocell within a business is a nice futuristic idea... as the femotcell requires access to the internet, one would hope that in order to keep the computer network as secure as possible - the DHCP server would only be giving out IP Addresses to those devices whose MAC addresses have been whitelisted!
Additionally why bother going to the hassle and expense of hiding a femotcell, when one can simply purchase one of the hundreds of "innocent" looking devices on the market which harbour a GSM SIM card which you simply call from anywhere you have a mobile signal and either listen to the conversation or with the more advanced models listen and watch!
If you are able to hide somewhere close to the device then the older style of a plug adapter with a microphone and an fm transmitter inside will be sufficient.
Andy
Looks like a security company just trying to drum up business. Since there seem to be dozens of Femto vendors out there, it's not surprising if one startup forgets to close the backdoor to their system.
Come back with the real news when you know which femto has been hacked. If it's a magicJack, I doubt anyone would be surprised. If it is a Vodafone or AT&T device that would be news, but having had a run-in or two with Operator security teams (best not to talk about that), I doubt that they would let anything that insecure near their networks.
'After hours of sniffing traffic, changing IP address ranges, guessing passwords and investigating hardware pinouts'
'Investigating hardware pinouts' says to me that they had physical access to the device, any geek worth his salt knows that this makes most security mechanisms pretty easy to bypass.
..."though the sudden availability of a high-strength 3G signal might give things away"...
-Tinfoil hat the sneaky femtocell's antenna then.
Oh, Chris - US doesn't control the GSM/3GPP algorithm spec AFAIK, so the 'Axis of Feeble*' restriction shouldn't apply here.
Showing my true colours here, and they aint red, white and blue. Just white and blue.
* Time magazine(?) UK, US and Spain - at the start of the Iraq insurgency§, which I can never regard as a war - none declared.
§ http://en.wikipedia.org/wiki/Insurgency. Made me wonder who the 'insurgents' really are......
I was using 'axis of evil' as a shorthand for the list of states that couldn't use encryption on GSM: Iran, North Korea etc.
I agree that there was no US restriction on the encryption algorithms available for GSM, but any large, international supplier of base stations that supplied encrypting GSM systems to these states could have been in big trouble stateside for supplying 'prohibited munitions'. And, as a direct result, they didn't do it.
As I said, things are probably different nowadays, when it's no longer illegal to wear a t-shirt printed with the code for PGP.
Sign up, sign up for The Register's weekly mobile & wireless newsletter - click here
