There are three areas of security considered here:
a) Identity Theft – Could someone use mobile phone services and charge them to your account?
b) Phone-Tapping – Could someone use a femtocell solution to intercept your voice or data calls?
c) Bill Avoidance – Could a femtocell be used to avoid paying for services provided?
Femtocells use the same authentication schemes to prove the identity of the end user as are used by mobile phone networks around the world. This is the same for both GSM and UMTS (3G) systems, which are the most common. A SIM card (Subscriber Identification Module – a small chip the size of a thumbnail) holds a small electronic circuit with a coded secret. When a mobile phone first registers with a mobile network, a set of numbers is used to query the SIM card, and the response is compared with a set of answers provided by the network operator’s online database (the HLR or Home Location Register). These numbers change every time a registration is performed, and the method used to generate them is known only to the SIM card and the HLR.
Whilst the method of transporting the numbers and comparing them is standardised, the algorithm used to create the numbers is not, and can potentially be different for every SIM card. Therefore, intercepting the information transferred would not provide a key which could be reused with other phones. Also, even if the key and algorithm were identified, this may not work with other batches of SIM cards or other operators. Up to now, the GSM SIM card security scheme has not been compromised, and even if it were broken for one operator or phone, this doesn’t mean that it is unlocked for other subscribers. It would also be possible for operators to upgrade to a more complex scheme in the future.
Standard femtocells simply transfer these security messages from the mobile phone to the operator’s network, and so are not otherwise involved in the authentication process. Therefore, there is no security loophole to exploit, even if the messages could be intercepted. For the SIP based architecture proposed as a future alternative, it may be necessary for the femtocell itself to perform the authentication. This would involve comparing the two sets of numbers received from the mobile device and the HLR. Whilst this may not allow easy breaking of the SIM code/algorithm, it could open up access into the operator’s network (e.g. access to the HLR) which operators may not be comfortable with. Therefore, it would be expected that authentication continue to take place in the operator’s network, and that the femtocell rely on that result before allowing even “free” voice or data calls through the system.
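The challenge/response flow described above, as an added example that is not from the original article: the HLR issues a fresh challenge (RAND) per registration, the SIM answers it with its embedded secret (Ki), and a standard femtocell only relays both without ever holding Ki or deciding the outcome. HMAC-SHA256 stands in for the operator's unpublished response algorithm, and the IMSI and Ki values are made up.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed subscriber record: IMSI -> Ki. A real Ki exists only in the SIM
# and the HLR; this value is invented for the example.
HLR_DB: Dict[str, bytes] = {
    "001010123456789": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
}

def a3(ki: bytes, rand: bytes) -> bytes:
    """Assumed stand-in for the operator-specific response algorithm (the real
    one is unstandardised and may differ per SIM batch). Maps Ki + RAND -> SRES."""
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]

def sim_respond(ki: bytes, rand: bytes) -> bytes:
    """What the SIM card does: answer the challenge using its secret."""
    return a3(ki, rand)

class HLR:
    """Operator database: keeps Ki, issues one fresh RAND per registration and
    compares the returned SRES. Ki never leaves this object."""
    def __init__(self, db: Dict[str, bytes]) -> None:
        self.db = db
        self.pending: Dict[str, bytes] = {}   # imsi -> expected SRES

    def challenge(self, imsi: str, rand: Optional[bytes] = None) -> bytes:
        rand = rand or secrets.token_bytes(16)   # new every registration
        self.pending[imsi] = a3(self.db[imsi], rand)
        return rand

    def verify(self, imsi: str, sres: bytes) -> bool:
        expected = self.pending.pop(imsi, None)  # one challenge, one answer
        return expected is not None and hmac.compare_digest(expected, sres)

def femtocell_register(hlr: HLR, imsi: str, sim_ki: bytes,
                       rand: Optional[bytes] = None) -> bool:
    """A standard femtocell relays RAND to the handset and SRES back to the core
    network; the accept/reject decision stays in the HLR, as the text recommends."""
    rand = hlr.challenge(imsi, rand)      # core network -> femtocell -> phone
    sres = sim_respond(sim_ki, rand)      # SIM answers the challenge
    return hlr.verify(imsi, sres)         # phone -> femtocell -> core network

def reuse_recorded_sres(hlr: HLR, imsi: str, recorded_sres: bytes) -> bool:
    """Shows why an intercepted (RAND, SRES) pair is not reusable: the next
    registration gets a different RAND, so the old SRES no longer matches."""
    hlr.challenge(imsi)
    return hlr.verify(imsi, recorded_sres)
```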
A common concern of early mobile phone users was that their conversations might be overheard. Older, analogue networks often did not use any encryption over the air, and thus could easily be listened to by anyone in range. Digital networks, like GSM and UMTS, encrypt the voice and data messages sent between the mobile device and the basestation, effectively avoiding that problem. The other weak link is from the basestation to the operator’s central switching centres. Femtocells typically encrypt their voice and data traffic using secure tunnels (IPsec) between the femtocell and the operator’s network. This may be more secure than using the mobile phone outdoors, where no encryption is used on that link.
This falls in the same class as bypassing your electricity or gas meter so that services can be obtained for free. Where all calls or data traffic are controlled by and routed through the core network, it is difficult to see how billing and charging functions could be avoided. However, if the femtocell itself becomes the controlling network element (i.e. the MSC or GSN function), then there is a risk that the femtocell could be compromised to achieve that purpose. We have seen considerable efforts to “hack” and unlock the iPhone, as well as re-engineering consumer boxes such as TiVo players, Xbox games machines, etc. If it becomes possible to do this for a femtocell, then any core billing functions it hosts may be at risk. Vendors have proposed including a SIM card in the femtocell itself, in order to validate that the owner of the device is known, so that stolen or compromised units can be disconnected from the network.