Femtocell Security

Femtocell Laptop Security A TV program which specialises in demonstrating scams and confidence-tricks caught my attention the other day.

Parked in a van outside a house in a leafy suburb, a standard laptop with WiFi and commercially available software was used to scan the airwaves. It picked up four domestic WiFi hotspots, of which only one had any security enabled.

Targetting this and using easily availabile software, the WEP security was quickly cracked, allowing full viewing of web pages being surfed. Whilst those accessed from a secure browser page using HTTPS (such as banking and ecommerce sites) were not visible, most screens could be logged, stored and printed out for future reference.

Pages included full details of a holiday booking (including flight dates and times) and shopping baskets. The user was understandably shocked when these pages were shown to him - especially since he had thought that WiFi security was switched on.

The solution to this for WiFi is to enable the newer and more powerful WPA encryption, and restrict access to individual MAC addresses, but not all WiFi devices have this capability.

When using public WiFi hotspots, security is usually turned off by default (otherwise each customer must be given the secret key and would have to enter it into their computer). Whilst this makes it easy to find and use WiFi, especially if it is a free service, it also exposes the user to risk of interception. Some programs, such as Skype, automatically encrypt their data, and so are not easily hacked. Business users with secureID and VPN tunnels have their own separate security layer.

But as more users become aware of the problem, public WiFi for general use may get a bad name.

One of the key benefits of femtocells is that they adopt the existing 3G cellular security protocols already in place. The end user doesn't have to take any special action or input any key codes or passwords to access the femtocell. Quite apart from the difficulty in accessing and decoding the radio layer (you can't just use a standard WiFi adaptor or its equivalent), the traffic is normally encrypted over the radio channel. The secrets held within the SIM card are used to setup a temporary session, with the subscriber identity (IMSI) being substituted with a T-IMSI. The user's telephone number is not normally transferred over the air - all registration is based on the IMSI - so tracing specific sessions to a user from their telephone number is more difficult.

With the growing popularity of small notebooks and uMPCs such as the Asus eeePC, not to mention smartphones which come with WiFi built in, the security concerns of using public WiFi in this way are not yet fully appreciated. Perhaps once they are more widely known, the switch to mobile broadband data services is more likely - both for use inside and outside the home.

Whilst the competing dual-mode UMA/WiFi solution also encrypts voice and data traffic over the air, many using WiFi as a simple fallback on their laptop remain open to security threats. This is where using the femtocell with a local data offload would provide the dual benefits of secure encryption over the air with fast, direct access to any data devices on the home network or directly through to the internet itself via wired broadband.

Hits : 17457

Comments   

#1 Barlow Keener said: 
What if the next door neighbor is inadvertantly camping out on the home owner's femtocell. Will it be just as simple to encrypt the transmission of a cell voice call and data flow to prevent the femtocell owner from sniffing at the Ethernet side of the femtocell and listening to the call?
0 Quote 2008-09-18 00:45
 
#2 Thinkfemtocell said: 
@Barlow. Good question. A few points spring to mind:

1) Femtocells can't "sniff" other calls. In order to be able to decrypt and listen in, the call would have to be physically routed via their femtocell instead of yours. This would be noticeable and traceable.

2) All digital cellphone calls are encrypted by default (its a setting controlled by the network operator, and very few countries/opera tors don't have this enabled).

3) Separate encryption of the voice/data call is used between the femtocell and core network. This is actually more than is the case for outdoor cellsites, which are either hardwired or transmitted over point-to-point microwave. It stops the determined eavesdropper physically connecting a tap to your phone wires outside your property for example.

4) I'd say femtocells are still more secure than your cordless phone, which its replacing. Calls are encrypted over the air and over the broadband wired connection.

5) In the future, handsets will display the "name" of the femtocell - which can be a user defined text string (i.e. Fred's House). So the neighbour would have to duplicate that, and it might become obvious what's going on.

I'd say you'd have to be quite a hacker to compromise a femtocell and still get the network operators systems to think it was working as normal. Calls would be routed via your femtocell and so would be logged as such. This is not undetected "sniffing" of calls/data, but physically taking over the call handling. I suspect its not completely impossible, just as any determined hackers can find some workaround, but the value in doing so would need to make it worth their while.

In comparison with WiFi security, which isn't used at all in public WiFi services, its substantially better.

I'm planning a separate article on the security of the wired broadband connection between femtocell and operators network shortly, and have spoken with specialists on this topic. Watch this space.
0 Quote 2008-09-18 11:35
 
#3 Barlow Keener said: 
The "sniffing" occurs using deep packet inspection software on the wired side of the femtocell. Any device user near a femtocell can end up on the femtocell without knowning they are on it. Basically, the operators are opening up the backhaul side of the femto "tower" connection to creative hackers. Right now the wired backhaul is protected by locked doors and barbed wire. Bringing femto antennas to the masses will change this. Creative hackers will be able to sniff and pick up data using femtocells connected to the RAN without awareness of the user or the carrier. I think femtocells are going to see a cellco world that is going to look much more like mobile VoIP does today than the cellco world of the last 20 years dominated by outdoor antenna and RAN. Sure cell calls will continue to be made outdoors, but most of the minutes and data traffic will be in doors on femtocells, transmitted over the Internet.
0 Quote 2008-09-23 01:58
 
#4 Cyber Tao Flow said: 
I agree with Barlow completely. After all the solutions to intercept GSM that are commonly built and sold to governments are based on a MiTM or man in the middle attack wherein a dual radio cellular repeater is setup and the traffic is sniffed in between decryption by the "tower" radio and re-encrpytion by the repeater (client) radio.

IMHO Ive found the MiTM attack technique to always work when concerning ANY information flow. Due to information flow geometry. Ad-hoc type (think pure P2P ala bittorrent) configurations are less suceptible but in a way moreso
0 Quote 2009-04-07 17:37
 
  • 4

    more

    Residential

    Residential

    A significant number of users continue to report poor mobile coverage in their homes. There will always be areas which are uneconomic for mobile operator to reach. They range from rural areas

    ...
  • 4

    more

    Enterprise

    Enterprise

    The term Enterprise addresses any non-residential in-building including hotels, convention

    ...
  • 4

    more

    Metrocells

    Metrocells

    Metrocells are compact and discrete mobile phone basestations, unobstrusively located in urban areas. They can be mounted on lampposts, positioned on the sides of buildings or found indoors in

    ...
  • 4

    more

    Rural

    Rural

    A rural small cell is a low power mobile phone base station designed to bring mobile phone service to small pockets of population in remote rural areas. These could be hamlets, small villages or

    ...

Category Icons Backhaul Timing and Sync Chipsets Wi-Fi LTE TDD Regional

Popular Categories

Follow us on...

footer-logo

Search