
Coverage bubbles may not be as secure as thought

Doug DePerry and Tom Ritter, senior consultants with the security firm iSEC Partners, are preparing to give elaborate demonstrations at DefCon 21 [talk] and BlackHat 2013 [talk] -- the world's top two hacker conferences -- on how to hack femtocells.

I. Verizon Wireless Femtocells:  Gateway to Spying?

U.S. and foreign carriers are increasingly using femtocells to fill gaps in signal coverage.  In the U.S. both AT&T, Inc. (T) and Verizon Wireless (a joint subsidiary of Verizon Communications, Inc. (VZ) and Vodafone Group Plc (LON:VOD)) use the cells to offer "bubbles" of coverage to customers in such trouble spots.

But according to Mr. DePerry and Mr. Ritter, poor security in the cells offers an easy route to harvest call information and even listen in on phone calls -- or, alternatively, to snoop on clients' data traffic (website addresses visited, text messages, etc.).  The pair's attack focuses specifically on CDMA (3G) data cells.  Verizon Wireless uses CDMA, while AT&T uses the alternative GSM format.

The key to the intrusion is compromising the software of the femtocell.  This would generally be easiest with direct physical access, but in theory it could also be possible to push malicious "patches" to the femtocell remotely.

Here's a 2012 interview with Mr. Ritter:

Black Hat Europe 2012 - Tom Ritter interview from Twist and Shout on Vimeo.

The hack comes at a time when the public is awakening to the issue of mobile security.  The U.S. National Security Agency (NSA) is reportedly tracking 99 percent of Americans' locations -- as well as that of tens of millions of Europeans -- on a daily basis by monitoring their call records, which contain location information.

But the femtocell hack would allow for much more detailed spying; the kind that the NSA used to spy on foreign leaders at a G20 conference, for example.  In the wake of those spying revelations DefCon's organizers advised "feds" not to attend this year's conference.

II. Femtocells Are an Increasingly Popular Attack Target as Usage Grows

Despite the apparent links to the NSA debate, Mr. DePerry and Mr. Ritter insist their research is more for the masses and stands alone.  Mr. Ritter remarks in a Reuters interview, "This is not about how the NSA would attack ordinary people. This is about how ordinary people would attack ordinary people."

The discovery of the security flaw in CDMA cells explains a March patch that trickled out from Verizon Wireless to femtocells, closing an undisclosed security loophole.  While Mr. Ritter says that patch indeed fixed the vulnerability, he said that he could still spy on cells that were compromised before the patch, by using hooks already planted on the device to preserve control of the cell and the devices connected to it.

A Verizon Wireless spokesperson, David Samberg, sought to reassure customers, releasing a statement commenting, "The Verizon Wireless Network Extender remains a very secure and effective solution for our customers."
Verizon Network Extender
Verizon's network extenders run a distribution of Linux, the world's most used open source operating system.  While generally very secure, Linux has at times suffered from vulnerabilities due to the fact that much of its core code is openly available to the public (and hackers).

This is not the first attack on femtocells.  Back in Oct. 2012 researchers published a paper on key-based attacks on a femtocell.  And in Feb. 2013 the U.S. Cellular Telecommunications and Internet Association (CTIA), the industry trade group that represents phone makers and their wireless carrier partners, published a whitepaper [PDF] suggesting app-level attacks on femtocells could become a danger.

The phone industry has a rich tradition of hacking -- for both good and evil.  Many hackers later became top industry officials; for example the late Steve Jobs, who went on to found the phone industry's most profitable corporation and second largest smartphone seller, had worked with Apple co-founder Steve Wozniak as a "phone phreaker" in his younger days, taking advantage of flaws in the tone-based phone signaling system of his time.

Sources: BlackHat, DEF CON, Reuters


RE: Kerckhoffs Principle
By kingmotley on 7/15/2013 1:41:42 PM , Rating: 2
It is true. Many of Linux's hacks are found out because the system is open. Embedded systems that depend on software that isn't updatable, or is irregularly updated will fall prey to such attacks because the vulnerabilities are known.

The Kerckhoffs Principle is about cryptography and cryptographic algorithms, not software, so it doesn't really apply very well. Sure, you can try to apply some of the same logic, but the Kerckhoffs Principle doesn't state how to handle cases where previously thought secure {something} is now known to have vulnerabilities.

Even experts will tell you that following the Kerckhoffs Principle to the letter by distributing everything except the key will often lead to compromised systems faster than if you did not. It trades short term security for long term security, which is great in theoretical environments, but for the 99% that live in the real world and need to implement security NOW, not 1000 years from now when all known (or likely to be known) vulnerabilities have been eliminated to the point that no more new unknown vulnerabilities are likely to appear in the time frame you need said {something} to be secure, it really doesn't help all that much.

RE: Kerckhoffs Principle
By Ramtech on 7/15/2013 8:16:44 PM , Rating: 2
Yes, searching for bugs (and fixing them) is easier when you have access to the source.
Umm, even closed source SW can fall to known vulnerabilities.
Fact of the matter is that closed source bugs are traded and sold by hackers, so if someone wants to gain access to closed source he will. It's not that difficult to use reverse engineering tools on Windows.
Conclusion is that closed source isn't magically bug-free or secure because it is closed, nor is open source secure because it is open.

Well, there are distros like OpenBSD which pride themselves on being the most secure OS in the world, and it is completely open source AFAIK (yes, access to keys is restricted to root).
Most importantly, the Kerckhoffs Principle says to assume that the system is compromised, which in software development translates into assuming that the enemy has the source code. What part of that is difficult to implement in an OS?

You are speaking as if Linux were some kind of hobbyist project, but in fact there are hundreds of companies who use and contribute to Linux, and it's been fighting right here and now in the internet trenches since 1993.
Umm, you focus too much on theory, but in the real world it's Linux or BSD which are used in embedded devices, not Windows CE.
