The wireless industry’s push to offload wireless traffic to microcells and other short-range femtocell base stations has opened the door for hackers to intercept voice calls and SMS text messages and to collect enough identifying information to clone your phone.
Researchers from iSEC Partners demonstrated a femtocell vulnerability last month at the Black Hat conference in Las Vegas, successfully recording phone calls, messages, and even certain web traffic using a compromised $250 Samsung “network extender” sold to consumers by Verizon Wireless.
Once anyone gets within 15-20 feet of a femtocell using compatible network technology (CDMA or GSM), their device will automatically attempt to connect and stay connected to a potentially rogue cell signal repeater as long as the person remains within 50 feet of the base station. Many phone owners will never know their phone has been compromised.
“Your phone will associate to a femtocell without your knowledge,” said Doug DePerry from iSEC Partners. “This is not like joining a Wi-Fi network. You don’t have a choice. You might be connected to ours right now.”
During the demonstration, the presenters were able to record both sides of phone conversations and compromise the security of Apple’s iMessage service. All that was required was to trick Apple’s encrypted messaging service into defaulting to exchanging messages by plain-text SMS. Phones were also successfully cloned by capturing device ID numbers over Verizon’s cell network. Once a phone is cloned, whenever the clone and the original are both connected to a femtocell of any kind, at any location, the cloned unit can run up a customer’s phone, text, and data bill.
“Eavesdropping was cool and everything, but impersonation is even cooler,” DePerry said.
Although the very limited range of femtocells makes them less useful for tracking a particular person’s cell phone over any significant distance, installing a compromised femtocell base station in a high-traffic area like a restaurant, mall, or entertainment venue could allow hackers to quietly accumulate a large database of phone ID numbers as people pass in and out of range. Those ID numbers could eventually be used to clone a large number of phones.
iSEC Partners believes femtocells, as designed, are a bad idea and a major security risk. Although Verizon has since patched the vulnerability discovered by the security group, DePerry believes other vulnerabilities will eventually be found. He worries future exploits could be used to activate networks of compromised femtocells, controlled by unknown third parties, to snoop on and steal from a larger user base.
iSEC says network operators should drop femtocells completely and depend on implementing security at the network level, not on individual devices like phones and cell phone extenders.
AT&T’s femtocells support an extra layer of security, so for now they are unaffected by hacking. But that could change eventually.
“It’d be easy to think this is all about Verizon,” said Tom Ritter, principal security engineer at iSEC Partners. “But this really is about everybody. Remember, there are 30 carriers worldwide who have femtocells, and [that includes] three of the four U.S. carriers.”
iSEC Partners is working on “Femtocatch,” a free tool that will allow security-conscious users to automatically switch wireless devices to “airplane mode” if they ever attempt to connect to a femtocell. The app should be available by the end of August.