Coverage bubbles may not be as secure as thought

Doug DePerry and Tom Ritter, senior consultants with the security firm iSEC Partners, are preparing to give elaborate demonstrations at DefCon 21 and BlackHat 2013 -- the world's top two hacker conferences -- on how to hack femtocells.

I. Verizon Wireless Femtocells:  Gateway to Spying?

U.S. and foreign carriers are increasingly using femtocells to fill gaps in signal coverage.  In the U.S. both AT&T, Inc. (T) and Verizon Wireless (a joint subsidiary of Verizon Communications, Inc. (VZ) and Vodafone Group Plc (LON:VOD)) use the cells to offer "bubbles" of coverage to customers in such trouble spots.

But according to Mr. DePerry and Ritter, poor security in the cells offers an easy route to score call information and even listen in on phone calls -- or alternatively snoop on clients' data traffic (website addresses visited, text messages, etc.).  The pair's attack focuses specifically on CDMA (3G) data cells.  Verizon Wireless uses CDMA, while AT&T uses the alternative GSM format.

The key to the intrusion is compromising the software of the femtocell.  This would generally be easiest with direct access, but it could be possible to remotely download malicious "patches" to the femtocell as well, in theory.

Here's a 2012 interview with Mr. Ritter:

Black Hat Europe 2012 - Tom Ritter interview from Twist and Shout on Vimeo.

The hack comes at a time when the public is awakening to the issue of mobile security.  The U.S. National Security Agency (NSA) is reportedly tracking 99 percent of Americans' locations -- as well as those of tens of millions of Europeans -- on a daily basis by monitoring their call records, which contain location information.

But the femtocell hack would allow for much more detailed spying; the kind that the NSA used to spy on foreign leaders at a G20 conference, for example.  In the wake of those spying revelations DefCon's organizers advised "feds" not to attend this year's conference.

II. Femtocells are Increasingly Popular Attack Target as Usage Grows

Despite the apparent links to the NSA debate, Mr. DePerry and Ritter insist their research is more for the masses and stands alone.  Mr. Ritter remarks in a Reuters interview, "This is not about how the NSA would attack ordinary people. This is about how ordinary people would attack ordinary people."

The discovery of the security flaw in CDMA cells explains a March patch that trickled out from Verizon Wireless to femtocells, closing an undisclosed security loophole.  While Mr. Ritter says that patch indeed fixed the vulnerability, he said that he could still spy on cells that were compromised before the patch, by using existing hooks to preserve control of the cell and connected devices.

A Verizon Wireless spokesperson, David Samberg, sought to reassure customers, releasing a statement commenting, "The Verizon Wireless Network Extender remains a very secure and effective solution for our customers."
Verizon's network extenders run a distribution of Linux, the world's most used open source operating system.  While generally very secure, Linux has at times suffered from vulnerabilities due to the fact that much of its core code is openly available to the public (and hackers).

This is not the first attack on femtocells.  Back in Oct. 2012 researchers published a paper on key-based attacks on a femtocell.  And in Feb. 2013 the U.S. Cellular Telecommunications and Internet Association (CTIA), the industry trade group that represents phonemakers and their wireless carrier partners, published a whitepaper [PDF] suggesting app-level attacks on femtocells could become a danger.

The phone industry has a rich tradition of hacking -- for both good and evil.  Many hackers later became top industry officials; for example, the late Steve Jobs, who went on to found the phone industry's most profitable corporation and second largest smartphone seller, had worked with Apple co-founder Steve Wozniak as a "phone phreaker" in his younger days, taking advantage of flaws in the tone-based phone coding system of his time.

Sources: BlackHat, DEF CON, Reuters

Copyright 2018 DailyTech LLC.