Two Trustwave security consultants report they have uncovered hardware and software vulnerabilities in femtocell devices that can be used to take over the device. The duo will present their findings at the ShmooCon conference in Washington.
Researchers with Trustwave have discovered flaws in the hardware and
software of femtocell devices that can allow an attacker to take full control
of the miniature cell towers without the user's knowledge.
Zack Fasel and Matthew Jakubowski, security consultants with Trustwave's
SpiderLabs, will present their findings at ShmooCon,
held Feb. 5 to 7 in Washington.
"Our original [area of] curiosity was whether these devices could be
utilized to supplement cellular deployment in third-world countries (such as
the OpenBTS+Asterisk project) in a much cheaper package ($250 compared to over
$1,200 for a USRP hardware device plus server costs)," Fasel explained. "After
hours of sniffing traffic, changing IP address ranges, guessing passwords and
investigating hardware pinouts, we had obtained root access on these
Linux-based cellular-based devices, which piqued our curiosity [about] the
Femtocell devices are small cellular base stations used to increase wireless
coverage in areas with limited service. Because a cell phone does not have
business logic to prevent it from connecting to a wireless device acting as a
tower that has been tampered with, it is possible for malicious users to abuse
that trust and sniff traffic as it traverses the network.
"Through the theoretical attack method outlined in our talk, the
attacker would compromise the femtocell device to gain full root access over
the device," Fasel said. "As the attacker has access to the device,
any services the device offers [are] subject to the attacker's control, including
voice, data, authentication and access to the femtocell's home network."
In addition, the researchers plan to offer proof that a malicious user could
tamper with a wireless device and create a fake tower in order to monitor
people's movement via the identification numbers of their cell phones.
"The cell companies need to focus on the security of the hardware just
as much as the software," Fasel said. "In our findings we noticed a
limited concern [about] the security of the hardware. We used this to our
advantage to get full root access to the device. This then allowed us
understand and modify existing software on the device.
"In addition, cellular technologies (specifically in the case of GSM) employ
a weak authentication mechanism," he added. "This has been known
throughout the security industry for several years."
As for users, there isn't much they can do, he said.
"Stop using cellular technologies? Other than that, because users can't
stop using cellular technologies, they must trust their cell phone as much as
they trust an open access point," Fasel said. "Use strong encryption
on data services and don't say anything over the airwaves that you wouldn't
assume someone's listening to."