Subverting Femto Cells – Infrastructure at Risk

René Pfeiffer/ July 14, 2011/ Security

The past DeepSec conferences featured talks about mobile telecommunication networks. Security researchers had to turn mobile phones into base stations or create their own from hardware and software. Yesterday The Hacker’s Choice have published a security analysis of Vodafone’s Femto Cells. These cells are small routers used for boosting the 3G signal. They cost about 160£ and can be purchased through the Vodafone store. Reverse engineering turns these little routers into full-blown 3G/UMTC/WCDMA interception devices. You can catch IMSIs and retrieve the secret subscriber information by requesting it from the core network. By using this secret key material you can decrypt intercepted phone calls and data transmissions. The reverse engineering process even produced the root password of the device (it’s ceolyx, but you need to decrypt it; other blogs feature the full plaintext password).

This is shocking news, but it comes without surprise. The trust model of the mobile phone networks break down once you are a part of the network. Apart from that everyone involved with Internet security knows about design flaws and security weaknesses in routers, switches and other networked equipment. What does this mean for your infrastructure? Clearly the components of third party providers, such as mobile network operators, is out of your hands (unless broken). We have seen from the talks about GSM security that a lot of components are defective by design or contain flaws that can be exploited. The only difference compared to the Internet is that no many talk about these vulnerabilities. Security researchers have begun to poke sticks at 2G/3G equipment just a few years ago. Now we are seeing the results, and don’t forget that this is an advantage.

The full analysis contains the technical details. Vodafone remarked that the system suffered from a bug reportedly fixed in 2010. This is good news, but the story is a perfect example why you should test your equipment before relying on it.

Share this Post

About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.