Wireless carriers and enterprise customers should immediately stop using femtocells as a way to extend cellular-network connectivity into big corporate facilities, according to security researchers at this year’s Black Hat security conference.
Femtocells, also called indoor small cells, behave much like WiFi access points except that they operate on licensed cellular frequencies. Unlike a simple repeater, which only amplifies a weak outdoor signal, a femtocell is a small base station in its own right: it connects users to the carrier's network by routing their traffic over the customer's wired broadband (Ethernet) connection.
Rather than treating femtocells as convenient tools to extend a cellular network, however, both carriers and customers should treat them as horrific security threats, according to a Black Hat presentation titled “I Can Hear You Now.”
“I have a box on my desk that your CDMA cell phone will automatically connect to while you send and receive phone calls, text messages, emails, and browse the Internet,” wrote Doug DePerry and Tom Ritter, security researchers at iSec Partners who discovered the flaws and published a paper on them. They also demonstrated an exploit live onstage at Black Hat.
“I own this box. I watch all the traffic that crosses it and you don’t even know you’re connected to me. Welcome to the New World, where I, not them, own the towers. Oh, and thanks for giving me the box… for free,” they wrote.
Femtocells are low-power cellular base stations that do for cell networks what range extenders and remote access points do for wireless LANs: they extend coverage into radio-opaque office buildings and residential dead zones. They link nearby handsets to the carrier's core network over a wired Ethernet backhaul, and the handset-to-femtocell link uses the same “imposing,” “state-of-the-art” authentication as the outdoor macro network. In theory, that should provide good protection.
Inside the femtocell, however, the hardware and software are far less hardened than a carrier's macro base stations; the unit runs an embedded, comparatively vulnerable Linux system. Using a Verizon Wireless CDMA femtocell and a $50 antenna, Ritter and DePerry built a proof-of-concept attack, which they demonstrated by intercepting text messages, recording and replaying the audio of a voice call, and harvesting the unique device identifiers of smartphones in the audience. With those identifiers they cloned an attendee's phone, so that they could keep eavesdropping on it long after the user had moved out of femtocell range.
The attack depends on getting root access to the Linux OS inside the femtocell, which Ritter and DePerry did by plugging an HDMI cable into a port on the device that, despite its HDMI connector, exposes a local console.
The biggest danger, Ritter said during the presentation, is that cell phones automatically attach to whichever base station in the vicinity advertises the right carrier's network, usually without the user's knowledge. Because femtocells are intended to cover dead spots, carriers typically configure them to accept connections from any customer of that network, not just the people in the house or building owned by the customer who installed the unit.
They could be installed in the financial district of any city to spy on the texts, conversations and document transfers of traders walking by, Ritter and DePerry wrote in a release announcing the presentation.
“This is not about how the NSA would attack ordinary people. This is about how ordinary people would attack ordinary people,” Ritter added.
Verizon has already patched the specific flaw the two researchers exploited, but their “serious architectural concerns about femtocells” lead them to believe that units from Verizon and other carriers are unlikely to be immune to similar attacks.