Connect with us

Hi, what are you looking for?


Privacy & Compliance

Hackable Femtocells Pose Serious Risk to Enterprises: Experts

Reports that researchers have figured out how to hack femtocells to eavesdrop on calls have serious implications for the enterprise, security experts say.

Reports that researchers have figured out how to hack femtocells to eavesdrop on calls have serious implications for the enterprise, security experts say.

Femtocells, low-cost cellular extenders that can be used to boost the cellular signal in areas with poor cell reception or coverage, can be hacked to intercept phone numbers, view text messages, and eavesdrop on calls, from users on the cellular network, according to researchers at iSEC Partners. The team has demonstrated the attack to various outlets, including NPR, Reuters, and CNN/Money and plans to disclose details during the Black Hat security conference in Las Vegas next week.

Even without full details of the hack, organizations have plenty to worry about, Chris Eng, vice-president of research at Veracode, told SecurityWeek. Femtocells are frequently used in rural areas so that customers have cellular access no matter how far away they are from the tower, or in organizations plagued with dead zone and spotty cellular service. These extenders —available from carriers and even Amazon for around $200—use the local network to strengthen the cellular signal.

“Where you previously had only one bar, now you may have three bars,” Eng said.

As far as mobile devices are concerned, there is no way to differentiate between the “big cell towers” and femtocells, Eng said. They all are part of the carrier’s network. The point of the cellular network is that switching from tower to tower is seamless and transparent to the user. Mobile users don’t need to know whether they are on a cellular tower or if a nearby femtocell actually had a stronger signal, Eng said.

This means that if someone set up a rogue femtocell in a coffeeshop, or even within an office building near a conference room, there is the possibility of intercepting cellular activity, Eng said. Considering that these extenders are small desktop devices and fairly affordable, this isn’t a far-fetched scenario, assuming the attacker figures out how to perform the hack.

“Proximity is key,” Eng said.

Advertisement. Scroll to continue reading.

By modifying the femtocell’s software, iSec researchers were able see everything the phone sent to the cell phone tower, including phone calls, text and picture messages, and mobile Web sessions.

The hack immediately evokes images of the government eavesdropping on its citizens. However, “this is not about how the NSA would attack ordinary people. This is about how ordinary people would attack ordinary people,” said Tom Ritter, a senior consultant with the security firm iSEC Partners, told Reuters.

While targeted attacks, say someone trying to eavesdrop on the company’s CEO’s calls, may not be as likely, “opportunistic attacks” are quite possible. Attackers may decide to set up a femtocell in locations they know plenty of venture capitalists like to congregate, or where there are a lot of business people. They could be capturing all the calls in hopes of finding that one call that is interesting and lucrative, Eng said.

Eng described another scary, but possible, scenario. When people are on the road or attending conferences, the common recommendation is to rely on your cell phone or get a 3G or 4G device to connect the computer to the cellular network, he said. This is generally considered good advice as it gets users off the public wireless networks. But now there is the specter of rogue towers.

“Say you are at a place like Black Hat where you don’t want to get on the wireless network and decide to use your MyFi device. There is no way to tell if you are somehow connecting to a bad femtocell,” Eng said.

While that is probably not likely next week because iSec hasn’t disclosed any details, now that the hack has been publicized, other people will look, he said. Who knows whether it would be too dangerous at future conferences to use the cellular network to get online.

The hack was based on a Verizon femtocell and Verizon has claimed the flaw has been patched, but it would be naïve to think this kind of hack wouldn’t be possible on other femtocells from other carriers, since “in reality, a lot of the technology is the same,” Eng said. The carriers may be working with the same hardware provider, and just have a different frequency and maybe a different chip for different carrier.

“I wouldn’t be surprised if this wasn’t an issue with extenders from other CDMA carriers,” Eng said. It would be important to see what kind of mitigation strategies iSec Partners would recommend to protect users from rogue femtocells, Eng said.

Users worried about their cellular activities getting intercepted can look into encryption. There are mobile apps that encrypt calls and text messages, such as Silent Circle, Wickr, Cellcrypt, Redphone and TextSecure.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.