Femtocell Security

A TV program which specialises in demonstrating scams and confidence-tricks caught my attention the other day.

Parked in a van outside a house in a leafy suburb, a standard laptop with WiFi and commercially available software was used to scan the airwaves. It picked up four domestic WiFi hotspots, of which only one had any security enabled.

Targeting this and using easily available software, the WEP security was quickly cracked, allowing full viewing of web pages being surfed. Whilst those accessed from a secure browser page using HTTPS (such as banking and ecommerce sites) were not visible, most screens could be logged, stored and printed out for future reference.

Pages included full details of a holiday booking (including flight dates and times) and shopping baskets. The user was understandably shocked when these pages were shown to him - especially since he had thought that WiFi security was switched on.

The solution to this for WiFi is to enable the newer and more powerful WPA encryption, and restrict access to individual MAC addresses, but not all WiFi devices have this capability.
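An added example, not from the original article, of checking for the two settings named above. It audits an access point configuration written in hostapd's key=value format, which is an assumption since the article names no particular device; the sample configurations, SSIDs, key, passphrase and file path are constructed.

```python
# Added example: audit a hostapd-style access point config (constructed samples).

WEP_CONF = """\
ssid=HomeNet
auth_algs=1
wep_default_key=0
wep_key0=0123456789
"""

OPEN_CONF = """\
ssid=CafeFree
"""

HARDENED_CONF = """\
ssid=HomeNet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=constructed-sample-passphrase
macaddr_acl=1
accept_mac_file=/etc/hostapd/accept.mac
"""

def parse_conf(text):
    """Parse key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return finding codes; an empty list means nothing was flagged."""
    conf = parse_conf(text)
    findings = []
    wpa = conf.get("wpa", "0")
    if not wpa.isdigit() or int(wpa) == 0:
        # No WPA: a configured WEP key is still a finding (the "I thought
        # security was switched on" case from the story).
        uses_wep = any(key.startswith("wep_key") for key in conf)
        findings.append("WEP" if uses_wep else "OPEN")
    acl = conf.get("macaddr_acl", "0")
    if acl == "0":
        findings.append("NO_MAC_ALLOWLIST")       # any MAC address may associate
    elif acl == "1" and not conf.get("accept_mac_file"):
        findings.append("MAC_ALLOWLIST_NOT_SET")  # allow-list mode, no list file
    return findings
```

Calling `audit()` on each sample shows that the WEP configuration is flagged just as the open one is, while the WPA configuration with a MAC allow-list returns no findings.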

When using public WiFi hotspots, security is usually turned off by default (otherwise each customer must be given the secret key and would have to enter it into their computer). Whilst this makes it easy to find and use WiFi, especially if it is a free service, it also exposes the user to risk of interception. Some programs, such as Skype, automatically encrypt their data, and so are not easily hacked. Business users with SecurID and VPN tunnels have their own separate security layer.

But as more users become aware of the problem, public WiFi for general use may get a bad name.

One of the key benefits of femtocells is that they adopt the existing 3G cellular security protocols already in place. The end user doesn't have to take any special action or input any key codes or passwords to access the femtocell. Quite apart from the difficulty in accessing and decoding the radio layer (you can't just use a standard WiFi adaptor or its equivalent), the traffic is normally encrypted over the radio channel. The secrets held within the SIM card are used to set up a temporary session, with the subscriber identity (IMSI) being substituted with a T-IMSI. The user's telephone number is not normally transferred over the air - all registration is based on the IMSI - so tracing specific sessions to a user from their telephone number is more difficult.

With the growing popularity of small notebooks and UMPCs such as the Asus Eee PC, not to mention smartphones which come with WiFi built in, the security concerns of using public WiFi in this way are not yet fully appreciated. Perhaps once they are more widely known, the switch to mobile broadband data services will become more likely - both for use inside and outside the home.

Whilst the competing dual-mode UMA/WiFi solution also encrypts voice and data traffic over the air, many using WiFi as a simple fallback on their laptop remain open to security threats. This is where using the femtocell with a local data offload would provide the dual benefits of secure encryption over the air with fast, direct access to any data devices on the home network or directly through to the internet itself via wired broadband.

Comments   

#1 Barlow Keener said: 
What if the next door neighbor is inadvertently camping out on the home owner's femtocell? Will it be just as simple to encrypt the transmission of a cell voice call and data flow to prevent the femtocell owner from sniffing at the Ethernet side of the femtocell and listening to the call?
0 Quote 2008-09-18 00:45
 
#2 Thinkfemtocell said: 
@Barlow. Good question. A few points spring to mind:

1) Femtocells can't "sniff" other calls. In order to be able to decrypt and listen in, the call would have to be physically routed via their femtocell instead of yours. This would be noticeable and traceable.

2) All digital cellphone calls are encrypted by default (it's a setting controlled by the network operator, and very few countries/operators don't have this enabled).

3) Separate encryption of the voice/data call is used between the femtocell and core network. This is actually more than is the case for outdoor cellsites, which are either hardwired or transmitted over point-to-point microwave. It stops the determined eavesdropper physically connecting a tap to your phone wires outside your property for example.

4) I'd say femtocells are still more secure than your cordless phone, which it's replacing. Calls are encrypted over the air and over the broadband wired connection.

5) In the future, handsets will display the "name" of the femtocell - which can be a user defined text string (i.e. Fred's House). So the neighbour would have to duplicate that, and it might become obvious what's going on.

I'd say you'd have to be quite a hacker to compromise a femtocell and still get the network operator's systems to think it was working as normal. Calls would be routed via your femtocell and so would be logged as such. This is not undetected "sniffing" of calls/data, but physically taking over the call handling. I suspect it's not completely impossible, just as any determined hackers can find some workaround, but the value in doing so would need to make it worth their while.

In comparison with WiFi security, which isn't used at all in public WiFi services, it's substantially better.

I'm planning a separate article on the security of the wired broadband connection between femtocell and operator's network shortly, and have spoken with specialists on this topic. Watch this space.
0 Quote 2008-09-18 11:35
 
#3 Barlow Keener said: 
The "sniffing" occurs using deep packet inspection software on the wired side of the femtocell. Any device user near a femtocell can end up on the femtocell without knowing they are on it. Basically, the operators are opening up the backhaul side of the femto "tower" connection to creative hackers. Right now the wired backhaul is protected by locked doors and barbed wire. Bringing femto antennas to the masses will change this. Creative hackers will be able to sniff and pick up data using femtocells connected to the RAN without awareness of the user or the carrier. I think femtocells are going to see a cellco world that is going to look much more like mobile VoIP does today than the cellco world of the last 20 years dominated by outdoor antenna and RAN. Sure cell calls will continue to be made outdoors, but most of the minutes and data traffic will be indoors on femtocells, transmitted over the Internet.
0 Quote 2008-09-23 01:58
 
#4 Cyber Tao Flow said: 
I agree with Barlow completely. After all the solutions to intercept GSM that are commonly built and sold to governments are based on a MiTM or man in the middle attack wherein a dual radio cellular repeater is set up and the traffic is sniffed in between decryption by the "tower" radio and re-encryption by the repeater (client) radio.

IMHO I've found the MiTM attack technique to always work when concerning ANY information flow. Due to information flow geometry. Ad-hoc type (think pure P2P ala bittorrent) configurations are less susceptible but in a way more so
0 Quote 2009-04-07 17:37
 