Feeds

Hackers crack femtocells to pwn then clone phones

"You should be ditching femtocells altogether"

  • alert
  • submit to reddit

Top 5 reasons to deploy VMware with Tegile

Black Hat 2013 Security researchers have warned against the industry's use of femtocells after successfully hacking into two popular models of femtocell, allowing them to intercept voice and SMS information from nearby mobile devices.

The exploit was detailed by iSEC Partners at the Black Hat conference in Vegas after being revealed earlier in July, and affects two femtocells used by Verizon and one repackaged Verizon box put out by Sprint which have already been remotely patched.

Femtocells are used to extend the range of broadcast signals in hard to reach places, and work by creating a secure IP-SEC tunnel between themselves and their carriers larger network. If signal is lacking or poor, then phones will automatically hop onto a nearby femtocell.

The researchers believe it is the first time an exploit has been disclosed against femtocells produced by US carriers. The exploit has been verified to work on 2009 SCS-26UC4 and a 2010 SCS-2U01 femtocell from Verizon.

The exploit saw the researchers gain access to the femtocells via interfacing with an HDMI port on the base of the device, then gaining root access to the stripped-down Linux system inside.

Once inside the system, they were able to implement methods for intercepting and decoding both voice and SMS track – data proved too difficult. They also developed a technique for cloning the phone, allowing people to surreptitiously listen in to calls.

Though these vulnerabilities have been subsequently patched, the researchers are not confident in the continuing integrity of the femtocell as an architecture. This is because the hardware can never be totally locked down by the vendor, and so there will always be some kind of exploit, they reckon.

"There are over 30 carriers worldwide who have femtocells," Tom Ritter, a security consultant at iSEC Partners explained. "Clearly there are issues here. You could of course harden the actual device [but] there's nothing you can do on the platform to prevent physical attackers getting in. There are lots of ways to break onto a physical device."

Another route would be to have carriers mandate that femtocell users register expected numbers with the operator in advance, "but we don't think it is enough," they said.

They instead recommend the use of secured VoIP on WiFI, when out of tower range, or the use of secure end-to-end encryption via apps, of which ones made by Whisper Systems and Silent Circle would be examples.

"Really, you should be ditching them altogether. We're just pretty nervous about giving random people like yourselves cellphone towers and [you] breaking into them." ®

Remote control for virtualized desktops

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Shellshock over SMTP attacks mean you can now ignore your email
'But boss, the Internet Storm Centre says it's dangerous for me to reply to you'
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
NOT OK GOOGLE: Android images can conceal code
It's been fixed, but hordes won't have applied the upgrade
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Getting ahead of the compliance curve
Learn about new services that make it easy to discover and manage certificates across the enterprise and how to get ahead of the compliance curve.