Feeds

Hackers crack femtocells to pwn then clone phones

"You should be ditching femtocells altogether"

  • alert
  • submit to reddit

Top 5 reasons to deploy VMware with Tegile

Black Hat 2013 Security researchers have warned against the industry's use of femtocells after successfully hacking into two popular models of femtocell, allowing them to intercept voice and SMS information from nearby mobile devices.

The exploit was detailed by iSEC Partners at the Black Hat conference in Vegas after being revealed earlier in July, and affects two femtocells used by Verizon and one repackaged Verizon box put out by Sprint which have already been remotely patched.

Femtocells are used to extend the range of broadcast signals in hard to reach places, and work by creating a secure IP-SEC tunnel between themselves and their carriers larger network. If signal is lacking or poor, then phones will automatically hop onto a nearby femtocell.

The researchers believe it is the first time an exploit has been disclosed against femtocells produced by US carriers. The exploit has been verified to work on 2009 SCS-26UC4 and a 2010 SCS-2U01 femtocell from Verizon.

The exploit saw the researchers gain access to the femtocells via interfacing with an HDMI port on the base of the device, then gaining root access to the stripped-down Linux system inside.

Once inside the system, they were able to implement methods for intercepting and decoding both voice and SMS track – data proved too difficult. They also developed a technique for cloning the phone, allowing people to surreptitiously listen in to calls.

Though these vulnerabilities have been subsequently patched, the researchers are not confident in the continuing integrity of the femtocell as an architecture. This is because the hardware can never be totally locked down by the vendor, and so there will always be some kind of exploit, they reckon.

"There are over 30 carriers worldwide who have femtocells," Tom Ritter, a security consultant at iSEC Partners explained. "Clearly there are issues here. You could of course harden the actual device [but] there's nothing you can do on the platform to prevent physical attackers getting in. There are lots of ways to break onto a physical device."

Another route would be to have carriers mandate that femtocell users register expected numbers with the operator in advance, "but we don't think it is enough," they said.

They instead recommend the use of secured VoIP on WiFI, when out of tower range, or the use of secure end-to-end encryption via apps, of which ones made by Whisper Systems and Silent Circle would be examples.

"Really, you should be ditching them altogether. We're just pretty nervous about giving random people like yourselves cellphone towers and [you] breaking into them." ®

Internet Security Threat Report 2014

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Home Depot ignored staff warnings of security fail laundry list
'Just use cash', former security staffer warns friends
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.