Feeds

Hackers crack femtocells to pwn then clone phones

"You should be ditching femtocells altogether"

  • alert
  • submit to reddit

Internet Security Threat Report 2014

Black Hat 2013 Security researchers have warned against the industry's use of femtocells after successfully hacking into two popular models of femtocell, allowing them to intercept voice and SMS information from nearby mobile devices.

The exploit was detailed by iSEC Partners at the Black Hat conference in Vegas after being revealed earlier in July, and affects two femtocells used by Verizon and one repackaged Verizon box put out by Sprint which have already been remotely patched.

Femtocells are used to extend the range of broadcast signals in hard to reach places, and work by creating a secure IP-SEC tunnel between themselves and their carriers larger network. If signal is lacking or poor, then phones will automatically hop onto a nearby femtocell.

The researchers believe it is the first time an exploit has been disclosed against femtocells produced by US carriers. The exploit has been verified to work on 2009 SCS-26UC4 and a 2010 SCS-2U01 femtocell from Verizon.

The exploit saw the researchers gain access to the femtocells via interfacing with an HDMI port on the base of the device, then gaining root access to the stripped-down Linux system inside.

Once inside the system, they were able to implement methods for intercepting and decoding both voice and SMS track – data proved too difficult. They also developed a technique for cloning the phone, allowing people to surreptitiously listen in to calls.

Though these vulnerabilities have been subsequently patched, the researchers are not confident in the continuing integrity of the femtocell as an architecture. This is because the hardware can never be totally locked down by the vendor, and so there will always be some kind of exploit, they reckon.

"There are over 30 carriers worldwide who have femtocells," Tom Ritter, a security consultant at iSEC Partners explained. "Clearly there are issues here. You could of course harden the actual device [but] there's nothing you can do on the platform to prevent physical attackers getting in. There are lots of ways to break onto a physical device."

Another route would be to have carriers mandate that femtocell users register expected numbers with the operator in advance, "but we don't think it is enough," they said.

They instead recommend the use of secured VoIP on WiFI, when out of tower range, or the use of secure end-to-end encryption via apps, of which ones made by Whisper Systems and Silent Circle would be examples.

"Really, you should be ditching them altogether. We're just pretty nervous about giving random people like yourselves cellphone towers and [you] breaking into them." ®

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.