"While in this room, CDMA cell phone users may experience cellular interception, modification, or loss of service, including loss of 911 service. By entering this room, you acknowledge and consent to that interception, modification, or loss of service. If you use a CDMA device while in this room, you may only communicate with parties who have consented to interception and modification of communications. If you wish to avoid interception or modification of your CDMA communications, please turn off your CDMA devices while in this room."
The sign was over the doorway to the room where researchers from iSec Partners demonstrated how they exploited a vulnerability in the way mobile devices connected to a femtocell, a miniature cell tower, to eavesdrop on people's conversations and impersonate their phones. If this sounds scary, it should. This is the Black Hat conference at Las Vegas, and researchers take pride in showing how practically any form of technology can be hacked.
Femtocells are network devices that people can get from their carrier to boost their cellular signal. For example, your office building or your house may have really poor cell reception. You can request a femtocell from the carrier and plug it into your local network. The femtocell communicates with the carrier's internal network over a secure tunnel and becomes part of the cellular network. Mobile devices connect to the femtocell and function as if they were connected to one of the cellular towers. Most users won't even notice the difference.
This is an automatic process, as phones connect to the tower with the strongest signal. That can be the cell tower, or it can be the femtocell, Doug DePerry, senior security engineer at iSec Partners said in his presentation. "This is not like joining an open WiFi network. There is no user interaction," he said, before adding, "You might be on ours right now."
What Can Happen
Researchers were able to eavesdrop on and record all voice calls, intercept incoming SMS and MMS messages, launch a man-in-the-middle attack to view Web sites being accessed, and strip SSL from secure pages, Tom Ritter, principal security engineer at iSec Partners, said. They were also able to clone mobile devices without having physical access to the device. The femtocell could intercept cellular signals from as far as 40 feet away, depending on certain environmental factors, Ritter said.
Ritter and DePerry demonstrated how a phone call to DePerry's phone was recorded, and displayed a phone's incoming text messages on a computer screen. They also intercepted MMS messages, a list of Web sites being accessed from a mobile device, and any information entered on those Web sites (including passwords).
"Eavesdropping was cool and everything, but impersonation is even cooler," DePerry said, noting that femtocells are essentially mini towers. With a rogue femtocell, an attacker can become the person holding the targeted mobile device without ever touching the phone, he said. If someone called the victim's phone, the attacker's cloned phones would also ring, letting the attacker listen in on the call in what he called "2.5-way" calling.
Without a femtocell, an attacker interested in cloning a mobile device could "wait for the victim to go to the bathroom and write down the identifiers associated with the phone," DePerry said. It's much easier, and harder to get caught, if you just set up the femtocell and wait for mobile devices to register automatically with the tower. All the necessary identifiers are transmitted during the registration process, so attackers can easily get the information to create a cloned phone without ever touching the victim's device, DePerry said.
This hack targeted a Verizon femtocell, which is on a CDMA network. Verizon has patched the issue, although both Ritter and DePerry declined to discuss the patch's effectiveness. A similar vulnerability was found in a femtocell from Sprint, as it was made by the same manufacturer. However, it is naïve to think the problem is specific to a manufacturer or to a particular carrier.
"Femtocells are a bad idea," Ritter said, noting that Verizon, Sprint, and AT&T all offer femtocells.
While the immediate danger has been addressed, iSec Partners has "serious architectural concerns about femtocells," DePerry said. The better option is for carriers to stop using femtocells altogether and look into WiFi calling secured with IPsec or SSL tunnels. Until the carriers take steps to secure the calls, users can encrypt their calls themselves, using tools such as RedPhone or Ostel, Ritter said.
The researchers announced the "femtocatch" tool, which will detect femtocells and automatically put the device into "airplane mode" instead of connecting, Ritter said. The tool will be available "soon," once some kinks have been worked out, he said.