Security Experts:

Carriers Should Ditch Femtocells Over Security Risks: Researchers

LAS VEGAS - After demonstrating how easily rogue femtocells can be used to intercept voice calls and text messages, researchers from iSec Partners called on carriers to stop using the network devices altogether.

“Femtocells are a bad idea,” Tom Ritter, a principal security engineer at iSec Partners, said during his presentation at the Black Hat conference in Las Vegas on Wednesday. The researchers said they had “serious architectural concerns about femtocells.”

As SecurityWeek reported last week, femtocells are network devices that let people plug into the local network in order to boost their cell signal. Verizon, AT&T and Sprint all offer femtocells. T-Mobile is the only major carrier in the United States that does not.

Since these devices establish a secure Internet tunnel with the carrier's internal network, as far as the devices are concerned, there is no difference between connecting to the femtocell or an actual cellular tower. The devices pick whichever has the stronger signal.

“This is not like joining an open Wi-Fi network. There is no user interaction,” Doug DePerry, senior security engineer at iSec Partners said, before adding, “You might be on ours right now.”

Ritter and DePerry demonstrated how a the compromised femtocell from Verizon was able to capture voice calls, display SMS messages sent to a specific phone by various members of the audience, and intercept MMS messages. A video also demonstrated how Web data was intercepted, along with user credentials entered on a banking site from the mobile device.

The researchers also collected unique device identifiers for mobile phones so that they could create a cloned phone. They were able to do this without physical access to the targeted phone. Instead, they harvested unique identifiers as they connected to the femtocell.

Essentially, incoming calls would ring both the original phone as well as the cloned phone, letting attackers eavesdrop on the conversation.

“Eavesdropping was cool and everything, but impersonation is even cooler,” DePerry said.

While Verizon has patched the flaw by requiring devices to protect device identifiers with CAVE, a special encryption method on the carrier network level, DePerry noted that this was just a “Band-aid effect.” Other vulnerabilities could allow other methods of attack, and it is reasonable to assume that similar flaws are also present in femtocells from other carriers.

It is naïve to think that technology can't be hacked, especially when there are so many people who have their hands on the devices, Jesse Burns, a founding partner and vice-president of research at iSec Partners, told SecurityWeek.

As a short-term solution, carriers can also adopt a whitelisting approach and have only phones that are registered and authorized to access a femtocell be allowed to connect, Ritter suggested. This level of checking should happen on the carrier network level and not on the femtocell itself, he said. AT&T currently requires this kind of registration, Ritter said.

However, as a long-term solution, it is best if carriers just drop support for femtocells altogether, Ritter suggested. Instead of focusing energies on hardening the femtocells, carriers also need to implement security protections such as IPSec and SSL Tunneling over Wi-Fi calls instead of relying on the security built-in to embedded devices. There are even end-to-end encryption tools such as Ostel, CsipSimple, Groundwire, RedPhone, and ZRTP, Ritter said. Encrypting calls over Wi-Fi will go a long way towards securing calls even if the user is on a less secure wireless network, Ritter said.

Because it is so difficult for users to realize they may possibly not be on a secure cellular network, femtocells pose a significant risk, he said.

While certain Android devices do display a special icon when the handset is connected to the femtocell, there is no comparable indicator in iOS devices, DePerry said. A special tone is played when users make a call, but it's so subtle that most people miss it, he said.

“Registration is a good minimum level of security but it's not enough,” Ritter said.

The team at iSec Partners is currently working on “femtocatch,” a free tool which will force a mobile handset to go into airplane mode when connecting to a femtocell. The app will be available soon after the conference, after kinks have been worked out, Ritter said.

The team spent the past year on this research, and while the number of hours spent on the project was "not trivial," but it was "still easier than we would have liked it to be," Ritter said.

Related: Hackable Femtocells Pose Serious Risk to Enterprises

view counter
Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.