If you’ve never heard of a femtocell, now would be a good time to learn.
At the Black Hat hacker conference in Las Vegas, NV, on Wednesday, a pair of security researchers detailed their ability to use a Verizon signal-boosting device, a $250 consumer unit called a femtocell, to secretly intercept voice calls, data, and SMS text messages of any handset that connects to the device.
A femtocell is, basically, a miniature cell phone tower that anyone can use to boost their wireless signal in their home. Most of the major U.S. wireless carriers sell femtocells, as do other retailers, and they can typically be purchased for $150 to $250.
For a cell phone or tablet to connect to a femtocell, it must be within 15 feet of the device, and remain within 40 feet to maintain a connection, explains Doug DePerry of security firm iSEC Partners and one of the researchers who discovered the vulnerability. But when your device does connect to the femtocell, you will not know it.
“Your phone will associate to a femtocell without your knowledge,” says DePerry. “This is not like joining a Wi-Fi network. You don’t have a choice.”
The iSEC Partners team, led by DePerry and fellow researchers Tom Ritter and Andrew Rahimi, successfully tapped into the root of two femtocells sold by Verizon and manufactured by Samsung, which allowed them to intercept SMS messages in real-time, and even record voice calls.
During a demonstration of their exploit, Ritter and DePerry showed how they could begin recording audio from a cell phone even before the call began. The recording also included both sides of the conversation. The duo also demonstrated how it could trick Apple’s iMessage – which encrypts texts sent over its network using SSL, rendering them unreadable to snoopers, including the NSA – into defaulting to SMS, allowing the femtocell to intercept the messages.
“If you block the SSL connection back home to Apple, iMessages fails over to SMS, which plain text,” explains Ritter. “And that we can see just fine.”
In their final demonstration, DePerry and Ritter showed off their ability to “clone” a cell phone that runs on a CDMA network (like Verizon’s) by remotely collecting its device ID number through the femtocell, in spite of added security measures to prevent against cloning of CDMA phones. Once a phone is cloned to another handset – meaning the network thinks both phones are the same device, assigned to a single account – a hacker can make expensive phone calls (i.e. 1-900 numbers), or use excessive amounts of data, and the charges are all attributed to the cloning victim.
Because both the cloned phone and its evil twin device must be connected to a femtocell to work – “any femtocell,” says DePerry, not just one that’s been hacked – the cloning dangers are limited. However, when it comes to intercepting calls and text messages, the eavesdropping potential is significant – especially if someone with a hacked femtocell sets up camp in a heavily trafficked area, like Times Square, to listen in on passersby.
Fortunately for Verizon customers, the company has since issued a patch to all affected femtocells. Sprint currently offers a femtocell that is similar to the vulnerable models from Verizon, but the company has said it plans to discontinue the device. And while AT&T also offers femtocells, it requires an extra level of authentication that makes much of the iSEC Partner’s findings irrelevant. Still, says Ritter, the femtocell vulnerability is still a major problem.
“It’d be easy to think this is all about Verizon,” says Ritter. “But this really about everybody. Remember, there are 30 carriers worldwide who have femtocells, and three of the four U.S. carriers.”
Ritter suggests that all carriers that offer femtocells require owners to provide a list of approved devices that are allowed to connect to their femtocell. And also prevent customers’ cell phones from connecting to any unauthorized femtocell.