Carriers Should Ditch Femtocells Over Security Risks: Researchers

LAS VEGAS – After demonstrating how easily rogue femtocells can be used to intercept voice calls and text messages, researchers from iSec Partners called on carriers to stop using the network devices altogether.

“Femtocells are a bad idea,” Tom Ritter, a principal security engineer at iSec Partners, said during his presentation at the Black Hat conference in Las Vegas on Wednesday. The researchers said they had “serious architectural concerns about femtocells.”

As SecurityWeek reported last week, femtocells are network devices that let people plug into the local network in order to boost their cell signal. Verizon, AT&T and Sprint all offer femtocells. T-Mobile is the only major carrier in the United States that does not.

Since these devices establish a secure Internet tunnel with the carrier’s internal network, as far as the devices are concerned, there is no difference between connecting to the femtocell or an actual cellular tower. The devices pick whichever has the stronger signal.

“This is not like joining an open Wi-Fi network. There is no user interaction,” Doug DePerry, senior security engineer at iSec Partners, said, before adding, “You might be on ours right now.”

Ritter and DePerry demonstrated how a compromised femtocell from Verizon was able to capture voice calls, display SMS messages sent to a specific phone by various members of the audience, and intercept MMS messages. A video also demonstrated how Web data was intercepted, along with user credentials entered on a banking site from the mobile device.

The researchers also collected unique device identifiers for mobile phones so that they could create a cloned phone. They were able to do this without physical access to the targeted phone. Instead, they harvested unique identifiers as they connected to the femtocell.

Essentially, incoming calls would ring both the original phone as well as the cloned phone, letting attackers eavesdrop on the conversation.

“Eavesdropping was cool and everything, but impersonation is even cooler,” DePerry said.

While Verizon has patched the flaw by requiring devices to protect device identifiers with CAVE, a special encryption method on the carrier network level, DePerry noted that this was just a “Band-aid effect.” Other vulnerabilities could allow other methods of attack, and it is reasonable to assume that similar flaws are also present in femtocells from other carriers.

It is naïve to think that technology can’t be hacked, especially when there are so many people who have their hands on the devices, Jesse Burns, a founding partner and vice-president of research at iSec Partners, told SecurityWeek.

As a short-term solution, carriers can also adopt a whitelisting approach and have only phones that are registered and authorized to access a femtocell be allowed to connect, Ritter suggested. This level of checking should happen on the carrier network level and not on the femtocell itself, he said. AT&T currently requires this kind of registration, Ritter said.

However, as a long-term solution, it is best if carriers just drop support for femtocells altogether, Ritter suggested. Instead of focusing energies on hardening the femtocells, carriers also need to implement security protections such as IPSec and SSL Tunneling over Wi-Fi calls instead of relying on the security built into embedded devices. There are even end-to-end encryption tools such as Ostel, CsipSimple, Groundwire, RedPhone, and ZRTP, Ritter said. Encrypting calls over Wi-Fi will go a long way towards securing calls even if the user is on a less secure wireless network, Ritter said.

Because it is so difficult for users to realize they may possibly not be on a secure cellular network, femtocells pose a significant risk, he said.

While certain Android devices do display a special icon when the handset is connected to the femtocell, there is no comparable indicator in iOS devices, DePerry said. A special tone is played when users make a call, but it’s so subtle that most people miss it, he said.

“Registration is a good minimum level of security but it’s not enough,” Ritter said.

The team at iSec Partners is currently working on “femtocatch,” a free tool which will force a mobile handset to go into airplane mode when connecting to a femtocell. The app will be available soon after the conference, after kinks have been worked out, Ritter said.

The team spent the past year on this research, and while the number of hours spent on the project was “not trivial,” it was “still easier than we would have liked it to be,” Ritter said.
