Feeds

Hackers crack femtocells to pwn then clone phones

"You should be ditching femtocells altogether"

  • alert
  • submit to reddit

Using blade systems to cut costs and sharpen efficiencies

Black Hat 2013 Security researchers have warned against the industry's use of femtocells after successfully hacking into two popular models of femtocell, allowing them to intercept voice and SMS information from nearby mobile devices.

The exploit was detailed by iSEC Partners at the Black Hat conference in Vegas after being revealed earlier in July, and affects two femtocells used by Verizon and one repackaged Verizon box put out by Sprint which have already been remotely patched.

Femtocells are used to extend the range of broadcast signals in hard to reach places, and work by creating a secure IP-SEC tunnel between themselves and their carriers larger network. If signal is lacking or poor, then phones will automatically hop onto a nearby femtocell.

The researchers believe it is the first time an exploit has been disclosed against femtocells produced by US carriers. The exploit has been verified to work on 2009 SCS-26UC4 and a 2010 SCS-2U01 femtocell from Verizon.

The exploit saw the researchers gain access to the femtocells via interfacing with an HDMI port on the base of the device, then gaining root access to the stripped-down Linux system inside.

Once inside the system, they were able to implement methods for intercepting and decoding both voice and SMS track – data proved too difficult. They also developed a technique for cloning the phone, allowing people to surreptitiously listen in to calls.

Though these vulnerabilities have been subsequently patched, the researchers are not confident in the continuing integrity of the femtocell as an architecture. This is because the hardware can never be totally locked down by the vendor, and so there will always be some kind of exploit, they reckon.

"There are over 30 carriers worldwide who have femtocells," Tom Ritter, a security consultant at iSEC Partners explained. "Clearly there are issues here. You could of course harden the actual device [but] there's nothing you can do on the platform to prevent physical attackers getting in. There are lots of ways to break onto a physical device."

Another route would be to have carriers mandate that femtocell users register expected numbers with the operator in advance, "but we don't think it is enough," they said.

They instead recommend the use of secured VoIP on WiFI, when out of tower range, or the use of secure end-to-end encryption via apps, of which ones made by Whisper Systems and Silent Circle would be examples.

"Really, you should be ditching them altogether. We're just pretty nervous about giving random people like yourselves cellphone towers and [you] breaking into them." ®

Boost IT visibility and business value

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.