Two researchers at cybersecurity firm iSec Partners have cracked the security of a Verizon femtocell.
Femtocells, also called “small cells,” are low-power cellular base stations that wireless carriers, including Verizon, AT&T and Sprint, either sell or give to consumers. They connect to the service provider’s network through broadband and support multiple cellphones. They extend wireless coverage indoors or at the edge of the carrier’s network.
Cellphones automatically connect to femtocells that are within range and send all their traffic through it without the user’s knowledge.
The researchers, Doug DePerry and Tom Ritter, used a femtocell to intercept voice, SMS messages and data, and to launch network attacks. They also managed to clone a mobile device without accessing it physically.
“This is an issue that was fixed in March of this year on all Network Extender devices,” Verizon Wireless spokesperson David Samberg told TechNewsWorld. “The fix prevents the Network Extender from being compromised in the same manner.”
Verizon has not received any reports of any customers being affected by the flaw, Samberg said.
iSec did not respond to our request for further details.
The Threat From Femtocells
Femtocells “are in a similar position to routers — they are becoming popular, are key for a home infrastructure, and allow a potential attacker to take control of their traffic if compromised,” Bogdan Botezatu, senior e-threat analyst at Bitdefender, told TechNewsWorld.
DePerry and Ritter will explain how they hacked the Verizon femtocell at the DefCon 2013 hackers conference to be held in Las Vegas in August.
However, “from what we know of the incident, the issue that allowed the hack is not within the protocol but rather within the femtocell’s firmware,” Botezatu said. “Bypassing authentication by exploitation is relatively common amongst embedded devices; what makes it spectacular now is the fact that we’re talking about voice and data in a relatively unexplored area.”
That unrestricted access is an area of particular concern, because while voice conversations — including those over mobile phones — were “extremely easy to intercept with hardware costing less than $1,000 and open source software,” Botezatu pointed out, “3G snooping was out of the question.”
Keeping Femtocells Safe
Femtocells need to be properly configured to allow connections only from authorized numbers and to obey the rules of physical security, Botezatu said.
However, “anything is hackable,” Jim McGregor, principal analyst at Tirias Research, told TechNewsWorld. “It depends on how creative you are and how much time you spend on it.”
The plethora of end points — PCs, tablets, netbooks and smartphones among them — and the multiplicity of standards make it difficult to assure security, McGregor remarked. End-user apathy exacerbates the situation.
“When you try to implement security, you find IT managers don’t want to implement something new until they launch a major upgrade,” McGregor explained.
“As for the general consumer,” he said, “how many people go back and update their firmware on their WiFi router or game console or Smart TV?”
Variations on a Theme
The ability to monitor communications through a hacked femtocell is nothing new.
Researchers warned of the threat from femtocells at Black Hat 2011, and hackers that year showed that breaking into a Vodafone femtocell would let them intercept and record calls and send SMS messages and calls through other subscribers’ accounts.
The hardware needed to be physically modified so as to prevent remote upgrades, which limited the threat to some extent.
There are no other vulnerabilities in Verizon’s femtocells, the company’s Samberg said. “We continue to proactively work to protect the Network Extender from any new, real threats if they are discovered.”
Still, more attention should be paid to femtocell security by both consumers and businesses, Tirias Research’s McGregor urged. “Security is something everyone says they want but no one wants to pay for or do much about — and it falls on the industry to push out security.”