
Coverage bubbles may not be as secure as thought

Doug DePerry and Tom Ritter, senior consultants with the security firm iSEC Partners, are preparing to give elaborate demonstrations at DefCon 21 [talk] and BlackHat 2013 [talk] -- the world's top two hacker conferences -- on how to hack femtocells.

I. Verizon Wireless Femtocells:  Gateway to Spying?


U.S. and foreign carriers are increasingly using femtocells to fill gaps in signal coverage.  In the U.S. both AT&T, Inc. (T) and Verizon Wireless (a joint subsidiary of Verizon Communications, Inc. (VZ) and Vodafone Group Plc (LON:VOD)) use the cells to offer "bubbles" of coverage to customers in such trouble spots.

But according to Mr. DePerry and Ritter, poor security in the cells offers an easy route to score call information and even listen in on phone calls -- or alternatively snoop on clients' data traffic (website addresses visited, text messages, etc.).  The pair's attack focuses specifically on CDMA (3G) data cells.  Verizon Wireless uses CDMA, while AT&T uses the alternative GSM format.

The key to the intrusion is compromising the software of the femtocell.  This would generally be easiest with direct access, but it could be possible to remotely download malicious "patches" to the femtocell as well, in theory.

Here's a 2012 interview with Mr. Ritter:

Black Hat Europe 2012 - Tom Ritter interview from Twist and Shout on Vimeo.


The hack comes at a time when the public is awakening to the issue of mobile security.  The U.S. National Security Agency (NSA) is reportedly tracking 99 percent of Americans' locations -- as well as that of tens of millions of Europeans -- on a daily basis by monitoring their call records, which contain location information.

But the femtocell hack would allow for much more detailed spying; the kind that the NSA used to spy on foreign leaders at a G20 conference, for example.  In the wake of those spying revelations DefCon's organizers advised "feds" not to attend this year's conference.

II. Femtocells are Increasingly Popular Attack Target as Usage Grows

Despite the apparent links to the NSA debate, Mr. DePerry and Ritter insist their research is more for the masses and stands alone.  Mr. Ritter remarks in a Reuters interview, "This is not about how the NSA would attack ordinary people. This is about how ordinary people would attack ordinary people."

The discovery of the security flaw in CDMA cells explains a March patch that trickled out from Verizon Wireless to femtocells, closing an undisclosed security loophole.  While Mr. Ritter says that patch indeed fixed the vulnerability, he said that he could still spy on cells that were compromised before the patch, by using existing hooks to preserve control of the cell and connected devices.

A Verizon Wireless spokesperson, David Samberg, sought to reassure customers, releasing a statement commenting, "The Verizon Wireless Network Extender remains a very secure and effective solution for our customers."

[Image: Verizon Network Extender]

Verizon's network extenders run a distribution of Linux, the world's most used open source operating system.  While generally very secure, Linux has at times suffered from vulnerabilities due to the fact that much of its core code is openly available to the public (and hackers).

This is not the first attack on femtocells.  Back in Oct. 2012 researchers published a paper on key-based attacks on a femtocell.  And in Feb. 2013 the U.S. Cellular Telecommunications and Internet Association (CTIA), the industry trade group that represents phonemakers and their wireless carrier partners, published a whitepaper [PDF] suggesting app-level attacks on femtocells could become a danger.

The phone industry has a rich tradition of hacking -- for both good and evil.  Many hackers later became top industry officials; for example, the late Steve Jobs, who went on to found the phone industry's most profitable corporation and second largest smartphone seller, had worked with Apple co-founder Steve Wozniak as a "phone phreaker" in his younger days, taking advantage of flaws in the tone-based phone coding system of his time.

Sources: BlackHat, DEF CON, Reuters



Comments

RE: Kerckhoffs' Principle
By Ramtech on 7/15/2013 8:16:44 PM , Rating: 2
Yes, searching for bugs (and fixing them) is easier when you have access to source.
Umm, even closed source SW can fall to known vulnerabilities.
Fact of the matter is that closed source bugs are traded and sold by hackers, so if someone wants to gain access to closed source, he will. It's not that difficult to use reverse engineering tools on Windows.
Conclusion is that closed source isn't magically bug-free or secure because it is closed, nor is open source secure because it is open.

Well, there are distros like OpenBSD which prides itself on being the most secure OS in the world, and it is completely open source AFAIK (yes, access to keys is restricted to root).
Most important, Kerckhoffs' Principle says assume that the system is compromised, which in software development is translated into: assume that the enemy has the source code. What part is difficult to implement in an OS?

You are speaking as if Linux was some kind of hobbyist project, but in fact there are hundreds of companies who use and contribute to Linux, and it's been fighting right here and now in the internet trenches since 1993.
Umm, you focus too much on theory, but in the real world it's Linux or BSD which are used in embedded devices, not Windows CE.


Copyright 2014 DailyTech LLC.