Femtocells

by Wyatt Ferreira and Tony Giandomenico

The U.S. National Security Agency’s phone snooping program has made headlines for the past few weeks, forcing many Americans to question their confidentiality and sense of privacy. In addition to worrying about the NSA tracking their phone communications, Americans must also be aware of hacked femtocells.
 
Femtocells are small, low-power cellular stations that repeat a cellular data signal and connect to mobile operators’ networks through a broadband Internet connection. In the same way that a person would use a network extender to increase the range of their Wi-Fi router, a femtocell can repeat the cellular signal in areas that may have very limited coverage. All that is required to set up a femtocell is a power source and a broadband connection. Femtocells can be extremely useful, especially if a user’s home or workplace does not have a strong cellular signal. When set up correctly, most femtocells promise a “5 bar connection.”
 
The concept of a compact, home cell site has been documented since 1999. As technology advanced, the system design of the femtocell was modified to work with the current communication standards. Around 2005, the name femtocell was adopted for a home base station. Sprint began shipping the first commercially available femtocells in August 2008. These days, femtocells are available for every carrier and can be purchased through Amazon or Best Buy. Prices range from $40 to $250. Femtocells today are also called microcells, and wireless carriers mainly target them at small businesses, people who work from home, and those who are simply looking for greater connectivity where they live (especially if they only receive one or two bars of signal service).
 
Obviously, the femtocell would be a great place for hackers to look for vulnerabilities, and security researchers from around the world have done just that. According to Doug DePerry and Tom Ritter, senior consultants with the security firm ISEC Partners, poor security in femtocells offers an easy way to intercept and receive phone data, including voice conversations, text and picture messages, phone identification information, and mobile web traffic. The intrusion works by compromising the software of the femtocell.
 
The hack is about as easy to perform as jailbreaking a smartphone. First, a hacker must root the device. Many femtocells provide a recovery procedure that is similar to a factory reset. From there, new firmware is flashed and the settings are cleared. The only security feature provided is client-server authentication, meaning that when a femtocell sends a request to the server for its firmware, the server authenticates that the femtocell is legitimate. Unfortunately, the firmware that the femtocell receives from the firmware server is unauthenticated. In fact, the public key is in the parameter and firmware list, which is unsigned as well. The femtocell provides a web interface that allows for simple customization, similar to the ones included with Wi-Fi routers. Some femtocells provide hidden interfaces that are accessible through a hidden URL without any login credentials. From here, the femtocell may be adjusted to target only specific cellular networks or to accept calls from any network. Because the keys are so easily available, interception can be completed using a few free hacking applications that are available with a simple Google search.
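The sketch below is an added example, not code from the researchers or any vendor. It models why a public key shipped inside an unsigned list protects nothing, and how a key pinned on the device does. The bundle layout, function names and the toy textbook-RSA keys are assumptions made for illustration.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def make_key(p, q):
    """Toy textbook-RSA key (no padding, small modulus): returns (n, d)."""
    n = p * q
    return n, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)

# Constructed keys built from Mersenne primes; for illustration only.
VENDOR_N, VENDOR_D = make_key(2**89 - 1, 2**107 - 1)
OTHER_N, OTHER_D = make_key(2**61 - 1, 2**127 - 1)

PINNED_N = VENDOR_N  # trust anchor stored on the device at manufacture

def make_update(image, n, d):
    """Hypothetical update bundle: unsigned list carrying the key, plus image."""
    return {"param_list": {"pubkey_n": n}, "image": image,
            "sig": sign(image, n, d)}

def accept_weak(update):
    # Weak: the verification key comes from the unsigned list in the same
    # download, so whoever supplies the image also supplies the key.
    return verify(update["image"], update["sig"],
                  update["param_list"]["pubkey_n"])

def accept_pinned(update):
    # Hardened: ignore the delivered key and verify against the pinned one.
    return verify(update["image"], update["sig"], PINNED_N)

genuine = make_update(b"vendor firmware v2 (constructed)", VENDOR_N, VENDOR_D)
replaced = make_update(b"modified firmware (constructed)", OTHER_N, OTHER_D)

if __name__ == "__main__":
    for name, upd in (("genuine", genuine), ("replaced", replaced)):
        print(name, "weak:", accept_weak(upd), "pinned:", accept_pinned(upd))
```

The weak check accepts both bundles because the signature only proves consistency with a key the sender chose; the pinned check accepts only the bundle signed by the vendor key.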
 
Fortunately, the security researchers at ISEC notified the most popular network carriers about a year ago, and some carriers, such as Verizon, have commented publicly that they have patched their software and have been pushing out the updates over the air. At this point, it is unknown how many people have fallen victim to intercepted traffic through a femtocell, but Verizon has publicly stated that it hasn’t received any notifications of a security glitch. Samsung, the company that manufactures Verizon’s femtocells, has also publicly stated that it has fixed the problem.
 
Now the question becomes “How can I tell if someone is intercepting my phone calls through a femtocell?” Fortunately for customers on most major networks, the wireless carriers have some means of identification. Verizon customers can dial #48 from their mobile device and they will receive audio confirmation if they are connected to a femtocell device. Also, there will be a short double tone on the mobile phone whenever they make or receive a call. Sprint customers can dial *99 from their mobile phone to receive an audio announcement that tells them if they are connected. Also, there will be a short double tone on the mobile phone whenever they make or receive calls. AT&T customers will have a display that says “AT&T MicroCell” where the cellular bar signal is located or (on a smartphone) where it would normally display the name of the Wi-Fi network if connected.
 
There are encryption apps available that can help users create a more secure connection, but as Doug DePerry, one of the senior consultants of ISEC, warns, “You should assume that everything you’re saying is being intercepted. That is a bit of a defeatist opinion, but sometimes that has to be the way it is.”