A Samsung femtocell offered by Verizon Wireless.

The wireless industry’s push to offload wireless traffic to microcells and other short-range femtocell base stations has opened the door for hackers to intercept voice calls, SMS text messages and collect enough identifying information to clone your phone.

Researchers from iSec Partners demonstrated femtocell vulnerability last month at the Black Hat conference in Las Vegas, successfully recording phone calls, messages, and even certain web traffic using a compromised $250 Samsung “network extender” sold to consumers by Verizon Wireless.

Once anyone gets within 15-20 feet of a femtocell using compatible network technology (CDMA or GSM), their device will automatically attempt to connect and stay connected to a potentially rogue cell signal repeater as long as the person remains within 50 feet of the base station. Many phone owners will never know their phone has been compromised.

“Your phone will associate to a femtocell without your knowledge,” said Doug DePerry from iSEC Partners. “This is not like joining a Wi-Fi network. You don’t have a choice. You might be connected to ours right now.”

During the demonstration, the presenters were able to record both sides of phone conversations and compromise the security of Apple’s iMessage service. All that was required was to trick Apple’s encrypted messaging service to default to exchanging messages by plain text SMS. Phones were also successfully cloned by capturing device ID numbers over Verizon’s cell network. Once cloned, when the cloned phone and the original are connected to a femtocell of any kind, at any location, the cloned unit can run up a customer’s phone, text, and data bill.

“Eavesdropping was cool and everything, but impersonation is even cooler,” DePerry said.

Although the very limited range of femtocells make them less useful to track a particular person’s cell phone over any significant distance, installing a compromised femtocell base station in a high traffic area like a restaurant, mall, or entertainment venue could allow hackers to quietly accumulate a large database of phone ID numbers as people pass in and out of range. Those ID numbers could be used to eventually clone a large number of phones.

iSEC Partners believe femtocells, as designed, are a bad idea and major security risk. Although Verizon has since patched the vulnerability discovered by the security group, DePerry believes other vulnerabilities will eventually be found. He worries future exploits could be used to activate networks of compromised femtocells controlled by unknown third parties used to snoop and steal from a larger user base.

iSEC says network operators should drop femtocells completely and depend on implementing security at the network level, not on individual devices like phones and cell phone extenders.

AT&T’s femtocells support an extra layer of security, so they are now unaffected by hacking. But that could change eventually.

“It’d be easy to think this is all about Verizon,” said Tom Ritter, principal security engineer at iSec Partners. “But this really is about everybody. Remember, there are 30 carriers worldwide who have femtocells, and [that includes] three of the four U.S. carriers.”

iSec Partners is working on “Femtocatch,” a free tool that will allow security-conscious users to automatically switch wireless devices to “airplane mode” if they ever attempt to connect to a femtocell. The app should be available by the end of August.

Schneiderman

The New York Attorney General has some strong words for Verizon Communications:

“Verizon [must] divest those portions of its New York franchise where it is no longer willing to continue providing wireline service and replace Verizon with another carrier that will provide wireline service.”

Attorney General Eric Schneiderman is more than a little concerned with Verizon’s plans to abandon offering landline service on the western half of Fire Island and potentially other areas further upstate to satisfy the company’s wireless business strategy.

In a hostile 13-page filing directed to the New York Public Service Commission, Schneiderman’s office accused Verizon of abdicating its responsibility to provide universal access to high quality landline service in favor of moving customers to inferior Verizon Wireless service.

“Verizon is asking the Commission to depart from a century of telephone service regulation, which had as one of its fundamental principles, universal wireline telephone service for all customers,” Schneiderman wrote.

In return for a guaranteed monopoly, profits, and a secure franchise area across portions of New York, telephone companies like Verizon historically agreed to offer phone service to any customer who wanted it. State and federal universal service rules provided subsidies to phone companies to reach their most rural or expensive-to-reach customers.

The goal, Schneiderman argued, was for every resident in New York to have home phone service, enabling them to communicate with their doctors, families, schools, friends and businesses, as well as to send for police, fire and ambulance assistance in an emergency.

Verizon’s intended replacement, Voice Link, represents a downgrade in service even worse than hundred-year old copper wire “plain old telephone service,” according to the attorney general. Schneiderman called Verizon’s Voice Link inferior and its thick 10-page terms, conditions, and disclaimers “legalistic,” leaving consumers without services they previously received or imposing significant new burdens and obligations.

The issues cited by Schneiderman:

Voice Link Service “is not compatible with fax machines, DVR services, credit card machines, medical alert or other monitoring services or some High Speed or DSL Internet services.” Customers in western Fire Island and other rural parts of New York have no FiOS or cable modem Internet providers to switch to, so those who rely on these services have no alternatives if switched to Voice Link.

Because Voice Link “may not be compatible with certain monitored home security systems,” customers’ homes and businesses will be at greater risk from flooding by burst plumbing, fire or burglars. In the case of plumbing emergencies, visit Carlson Plumbing Company website for reliable solutions and prompt support.

Although wireline customers whose service is suspended for nonpayment can still reach a 911 operator in emergencies, suspension of Voice Link “will prevent ALL Service, including any 911 dialing and associated emergency response services. Customers may also lose the ability to receive or place calls, even to 911, if they fail to “promptly notify Verizon” of a change in their address, email, or credit card expiration date.

Customers must “defend, indemnify and hold harmless Verizon from and against all claims … for infringement of any intellectual property rights arising from use of Voice Link or its software.”

Voice Link Service “does not allow the Customer to make 500, 700, 900, 950, 976, 0, 00, 01, 0+, calling card or dial-around calls (e.g., 10-10-XXXX),” so customers will be unable to use such pay-per-call information services. Voice Link Service “does not allow the Customer to accept collect calls or third number billed calls. The Company will not bill any charges on behalf of other carriers. [Customers] must have an International Calling Plan in order to make international calls. Wireline customers are able to subscribe to toll and international calling plans provided by other carriers, and have these and other third-party service charges included on their Verizon bills.

Verizon Voice Link

Voice Link Service “is subject to the availability of adequate wireless coverage throughout your home, and is not available in all locations.”

Unlike wireline service, which supplies its own power over the copper wiring, Voice Link uses customers’ house current to operate. Verizon has not disclosed how much customers’ electric utility bills will increase to power the Voice Link device. Also, if electric power is interrupted, Customers may have to “reset or reconfigure equipment prior to using” Voice Link. This may be difficult for some physically limited or technologically unsophisticated customers to perform.

During power interruptions, the wireless Devices used in Voice Link are battery operated. Although the Devices include a rechargeable battery back-up that provides only 36 hours of standby power and up to 2.5 hours of talk time in the event of a commercial power outage, “[a ]fter the battery is exhausted, the Service (including 911 dialing) will not function until power is restored.”

After the expiration of a one year replacement warranty for the battery back-up included with customers’ wireless Device, customers “are responsible for replacing the back-up battery as needed,” but Verizon has not disclosed the cost of such replacement batteries.

Wireline customers purchase their own telephones from competitive manufacturers, but the Voice Link device is only supplied by Verizon, which continues to own it. Thus, customers will have to pay Verizon to repair the device if “such repair or maintenance is made necessary due to misuse, abuse or intentional damage to the Device.” Verizon has not disclosed what [the] repair or replacement might cost customers in such event.

When wireline customers end their service with Verizon, they have no equipment to return to the company. However, Voice Link customers who cancel their service “are responsible for returning their Wireless Device to [Verizon] in an undamaged condition. Failure to return the Device within 30 days … may result in [Verizon] charging [customers] an unreturned equipment fee.” Verizon has not disclosed the amount of this fee.

Schneiderman accused Verizon of dragging its feet on repairs on Fire Island and forcing Voice Link on customers as the only available alternative.

“It is clear that Verizon is leveraging the storm damage from Sandy as part of its long-term strategy to abandon its copper networks by substituting Voice Link for [landline] service on western Fire Island and forcing customers to accept wireless Voice Link wherever it does not build FiOS,” Schneiderman argued. “Verizon’s failure to make prompt repairs to its Fire Island facilities during the seven months following Sandy left the Commission little choice but to provide temporary approval of Voice Link so that customers would have some form of telephone service during the 2013 summer beach season. However, this ‘temporary approval’ should not be expanded to allow Verizon to avoid its obligations permanently, on Fire Island or anywhere else in New York.”

Schneiderman wants the PSC to force the issue with Verizon, and not on the preferred terms of its senior executives.

“Rather than allow Verizon to provide inadequate Voice Link service to Fire Island and other New York customers, the Commission should compel the company to either maintain its wireline network throughout its franchise territory or sell
those parts where it is unwilling to do so to another provider that will provide adequate service,” Schneiderman wrote.

If the Federal Communications Commission allows Charter Communications to deploy a new, enhanced encryption system for set-top boxes that will allow it to scramble any or all of its video channels, it will offer broadband service up to 100Mbps to at least 200,000 additional homes within two years and transition every Charter Cable system in the country to all-digital television service.

The proposed deal was addressed to the Commission in a brief letter from Charter Communications CEO Thomas Rutledge on Apr. 4.

Charter is trying to negotiate a two-year waiver to allow the company to deploy a cheaper and more robust downloadable set-top box security upgrade that initially does not support CableCARD technology. Charter’s proposal will leave its legacy conditional access platform in place to give CableCARD users a temporary reprieve until the next generation of CableCARD technology becomes available in retail outlets. Other customers will eventually have to get a set-top box for every television in the home once the company converts to an all-digital platform. QAM service will not be available if Charter encrypts its lineup.

Charter wants to move away from analog service to increase bandwidth for DOCSIS 3 broadband upgrades and providing more HD channels to customers.

The commitment to offer up to 100/5Mbps service may not tax Charter too much. Multichannel News reports Charter’s regulatory filings show the majority of Charter Cable systems can already offer 100Mbps service today.

Charter ended 2012 with DOCSIS 3.0 deployed to 94 percent of its homes passed, “allowing us to offer multiple tiers of Internet services with speeds up to 100 Mbits download to our residential customers.”  About 98 percent of Charter’s cable network supported 550 MHz or more of capacity at the end of 2012.

Rutledge is attempting to repeat the success he had at Cablevision convincing the FCC to waive costly set-top box upgrade requirements. Cablevision also received a waiver allowing it to encrypt its entire video lineup in the New York area, in part to combat signal theft.

The Consumer Electronics Association is opposed to the cable industry’s efforts to adopt their own closed standards for set top security, preferring AllVid, a proposed next generation version of the CableCARD that will work with all types of video services, not just cable television.

Downtown Shenyang

When corporate executives discover the merits of outsourcing jobs to overseas workers in China or India, that wins them a large bonus for improved efficiency and successful cost-cutting. When an enterprising employee does the same thing, that is a heinous security risk.

Verizon’s RISK Team, which sells enterprise-level security services to large companies, discovered a “severe” security threat when it went to work for a “critical U.S. infrastructure company” (which goes unnamed) that found some unusual activity in its private network logs.

It all started when the company began shifting employees away from in-office work towards cheaper telecommuting. To allow this to happen, a secure virtual private network was established allowing developers to manage their work from home.

When the company began reviewing the network logs, it discovered a curious workday connection being established almost daily originating from Shenyang, China. The company hired Verizon’s RISK Team to consider the implications.

Company security personnel were initially concerned the Chinese had infiltrated their private network even though network access required the use of a rotating token RSA key fob. Even harder to understand, security officials watched the employee working at his office desk at the same time.

Was it a Chinese intelligence agency break-in? Malware? Hackers?

No, it turned out the employee, who Verizon calls “Bob,” had simply outsourced his job responsibilities to a contracting firm in China.

Company officials authorized some infiltration of their own, asking Verizon to review a forensic image quietly obtained from Bob’s workstation. Verizon security officials were surprised when they found hundreds of .PDF invoices sent from the third party contractor-developer… in Shenyang, China. Verizon’s RISK blog explains further:

As it turns out, Bob had simply outsourced his own job to a Chinese consulting firm. Bob spent less than one fifth of his six-figure salary for a Chinese firm to do his job for him. Authentication was no problem, he physically FedEx’d his RSA token to China so that the third-party contractor could log-in under his credentials during the workday. It would appear that he was working an average 9 to 5 work day. Investigators checked his web browsing history, and that told the whole story.

A typical ‘work day’ for Bob looked like this:

• 9:00 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos
• 11:30 a.m. – Take lunch
• 1:00 p.m. – Ebay time.
• 2:00 – ish p.m Facebook updates – LinkedIn
• 4:30 p.m. – End of day update e-mail to management.
• 5:00 p.m. – Go home

Evidence even suggested he had the same scam going across multiple companies in the area. All told, it looked like he earned several hundred thousand dollars a year, and only had to pay the Chinese consulting firm about fifty grand annually. The best part? Investigators had the opportunity to read through his performance reviews while working alongside HR. For the last several years in a row he received excellent remarks. His code was clean, well written, and submitted in a timely fashion. Quarter after quarter, his performance review noted him as the best developer in the building.