
Coverage bubbles may not be as secure as thought

Doug DePerry and Tom Ritter, senior consultants with the security firm iSEC Partners, are preparing to give elaborate demonstrations at DefCon 21 [talk] and BlackHat 2013 [talk] -- the world's top two hacker conferences -- on how to hack femtocells.

I. Verizon Wireless Femtocells:  Gateway to Spying?


U.S. and foreign carriers are increasingly using femtocells to fill gaps in signal coverage.  In the U.S. both AT&T, Inc. (T) and Verizon Wireless (a joint subsidiary of Verizon Communications, Inc. (VZ) and Vodafone Group Plc (LON:VOD)) use the cells to offer "bubbles" of coverage to customers in such trouble spots.

But according to Mr. DePerry and Mr. Ritter, poor security in the cells offers an easy route to score call information and even listen in on phone calls -- or alternatively snoop on clients' data traffic (website addresses visited, text messages, etc.).  The pair's attack focuses specifically on CDMA (3G) data cells.  Verizon Wireless uses CDMA, while AT&T uses the alternative GSM format.

The key to the intrusion is compromising the software of the femtocell.  This would generally be easiest with direct access, but it could be possible to remotely download malicious "patches" to the femtocell as well, in theory.

Here's a 2012 interview with Mr. Ritter:

Black Hat Europe 2012 - Tom Ritter interview from Twist and Shout on Vimeo.


The hack comes at a time when the public is awakening to the issue of mobile security.  The U.S. National Security Agency (NSA) is reportedly tracking 99 percent of Americans' locations -- as well as those of tens of millions of Europeans -- on a daily basis by monitoring their call records, which contain location information.

But the femtocell hack would allow for much more detailed spying; the kind that the NSA used to spy on foreign leaders at a G20 conference, for example.  In the wake of those spying revelations DefCon's organizers advised "feds" not to attend this year's conference.

II. Femtocells are Increasingly Popular Attack Target as Usage Grows

Despite the apparent links to the NSA debate, Mr. DePerry and Ritter insist their research is more for the masses and stands alone.  Mr. Ritter remarks in a Reuters interview, "This is not about how the NSA would attack ordinary people. This is about how ordinary people would attack ordinary people."

The discovery of the security flaw in CDMA cells explains a March patch that trickled out from Verizon Wireless to femtocells, closing an undisclosed security loophole.  While Mr. Ritter says that patch indeed fixed the vulnerability, he said that he could still spy on cells that were compromised before the patch, by using existing hooks to preserve control of the cell and connected devices.

A Verizon Wireless spokesperson, David Samberg, sought to reassure customers, saying in a statement, "The Verizon Wireless Network Extender remains a very secure and effective solution for our customers."
Verizon Network Extender
Verizon's network extenders run a distribution of Linux, the world's most used open source operating system.  While generally very secure, Linux has at times suffered from vulnerabilities due to the fact that much of its core code is openly available to the public (and hackers).

This is not the first attack on femtocells.  Back in Oct. 2012 researchers published a paper on key-based attacks on a femtocell.  And in Feb. 2013 the U.S. Cellular Telecommunications and Internet Association (CTIA), the industry trade group that represents phonemakers and their wireless carrier partners, published a whitepaper [PDF] suggesting app-level attacks on femtocells could become a danger.

The phone industry has a rich tradition of hacking -- for both good and evil.  Many hackers later became top industry officials; for example, the late Steve Jobs, who went on to found the phone industry's most profitable corporation and second largest smartphone seller, had worked with Apple co-founder Steve Wozniak as a "phone phreaker" in his younger days, taking advantage of flaws in the tone-based phone coding system of his time.

Sources: BlackHat, DEF CON, Reuters



Comments

RE: Kerckoff Principle
By KingofL337 on 7/15/2013 2:38:56 PM , Rating: 1
He didn't write Kernel, he wrote distribution. He is correct that once a hole is found in the certain version of a distro it's based on, it's easy to crack.

A great example is Android: because of the open sourceness of the distro, people found a hole that goes all the way back. http://techcrunch.com/2013/07/04/android-security-...

Will the distro get patched and be more secure than before? Yes. Will all the devices running it be patched? No.


Copyright 2014 DailyTech LLC.