Femtocell Security: Capturing phone numbers of passers-by


With any new technology, innovators are always trying to dream up new ways to apply it for different purposes. One application I’ve been asked about a number of times relates to capturing the phone numbers of anyone passing within range - without the owners being aware of it. Is this possible, what are the implications and do other technologies offer an alternative?

One scenario being considered involves retailers or other businesses wanting to find out the details of their visitors so they can follow up with text messages or other marketing communications. These may go to existing customers whose contact details the retailer already has, and the tracking would provide greater knowledge of the time and duration of their visits.

This tactic isn't new for some - for example, customer behaviour is already commonly tracked today by large retailers using loyalty cards, and potentially could be derived where credit cards are used for most transactions.

And of course there may be more malicious or unscrupulous reasons for such activities which don’t bear consideration here.

Why femtocells wouldn’t be used for this purpose

Here are a few reasons I can think of:

1: Your mobile phone number isn’t transmitted to the femtocell. All communications between your phone and the mobile network use the IMSI (International Mobile Subscribers Identification), which is the unique number of your SIM card. Only your mobile operator will be able to match this with a specific telephone number (this is held in the HLR – Home Location Register – a big online database in the core of the network).

2: Femtocells are limited to a single network operator. Since visitors are likely to be distributed across all the national operators (and perhaps some from abroad), you would need to install a stack of femtocells, one from each of the networks.

3: Many short visits would be missed. It may take a few minutes for mobile phones entering an area covered by a femtocell to locate it and switch to use it. Transient passers-by may have come and gone without registering.

4: Most data is encrypted. 3G uses a secure connection between the mobile device and the core network. Anything your femtocell doesn’t need to know (such as the number you are calling, Caller ID for incoming calls etc) won’t be visible to it.

Other ways to snoop on mobile phones

Other technologies present on your mobile device also have some limitations:

Bluetooth could be detected from those phones which have it switched on. This doesn’t identify the user although each phone does have a unique id. It can be (and has been) used to track movement of unknown people around urban areas, but is entirely anonymous.

Wi-Fi can also be used to record which users are accessing each hotspot. This is less of a problem at home or in the office where the WiFi connection is secured – avoiding both the chance of eavesdroppers snooping on your connection and your device connecting to the wrong hotspot.

But Wi-Fi is commonly used for public hotspots (e.g. at hotels) with unencrypted connections. The MAC address (a unique identifier for the device) can be tracked against any user registration, and your activity monitored. For example, the websites you visit could be recorded and pages viewed. Use of such hotspots normally requires the user to accept the connection, even when it's free, so it's unlikely to happen in transient situations like visiting a shop.

Any secure websites visited (i.e. where the padlock shows) would be encrypted within your device and invisible to any such snooping attacks. Likewise, Skype calls and Blackberry email are also hidden. For those using UMA (the dual-mode WiFi/mobile system popular with T-Mobile US and Orange France), everything is encrypted on the handset and is therefore also secure.

But for those using smartphones or feature phones, a more common risk might be theft of your email address and password, which are often not encrypted as they travel from your phone to your email server. Many (but not all) email providers offer secure SSL connections, and these are easily overlooked or omitted when configuring email clients.

Some further information about this risk can be found in this security briefing – especially the bit about using an email program through a public WiFi hotspot. For example, if your iPhone is set to connect to any WiFi hotspot and check your email regularly, every time it does so it could send or receive emails “in the clear” including all your email accounts and passwords.
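To make the email risk concrete, here is an added illustration (not from the original article or the linked briefing) that audits mail account settings for logins that would cross an open hotspot unencrypted. The `Account` fields, the setting names (`none`, `starttls`, `starttls-optional`, `ssl`) and the sample accounts are assumptions made up for the example; the port numbers are the standard ones for IMAP, POP3 and SMTP.

```python
# Added example: audit mail-client account settings for cleartext logins.
# All accounts below are constructed sample data, not taken from the article.
from dataclasses import dataclass

# Well-known mail ports: TLS from the first byte vs. cleartext start.
IMPLICIT_TLS = {993: "IMAP", 995: "POP3", 465: "SMTP"}
CLEARTEXT_START = {143: "IMAP", 110: "POP3", 25: "SMTP", 587: "SMTP"}


@dataclass
class Account:
    label: str
    port: int
    security: str  # hypothetical setting: none | starttls | starttls-optional | ssl


def audit(acct):
    """Return (verdict, reason): what an eavesdropper on open Wi-Fi could see."""
    sec = acct.security.lower()
    proto = IMPLICIT_TLS.get(acct.port) or CLEARTEXT_START.get(acct.port, "unknown")
    if sec == "none":
        return "EXPOSED", f"{proto} login and mail cross the hotspot unencrypted"
    if sec == "starttls-optional":
        return "WEAK", "client falls back to cleartext if no TLS upgrade is offered"
    if sec == "ssl" and acct.port in CLEARTEXT_START:
        return "BROKEN", f"port {acct.port} starts in cleartext; use STARTTLS here"
    if sec == "starttls" and acct.port in IMPLICIT_TLS:
        return "BROKEN", f"port {acct.port} expects TLS immediately; select SSL/TLS"
    if sec in ("ssl", "starttls"):
        return "OK", "password is only sent inside TLS"
    return "UNKNOWN", f"unrecognised security setting {acct.security!r}"


def exposed_accounts(accounts):
    """Labels of accounts whose password can leak on an unencrypted hotspot."""
    return [a.label for a in accounts if audit(a)[0] in ("EXPOSED", "WEAK")]


SAMPLE = [  # constructed
    Account("work IMAP", 993, "ssl"),
    Account("old ISP POP3", 110, "none"),
    Account("outgoing SMTP", 587, "starttls-optional"),
    Account("webhost IMAP", 143, "ssl"),
]

if __name__ == "__main__":
    for a in SAMPLE:
        verdict, reason = audit(a)
        print(f"{a.label:15} port {a.port:<4} {a.security:18} {verdict:8} {reason}")
```

An `OK` verdict still assumes the mail client validates the server certificate; the audit only looks at the settings, not at the connection itself.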

There are some programs out there already which can run on a standard laptop and perform this snooping, without any direct interference or visibility of such an attack. Such programs don't exist for mobile phone networks (to my knowledge), which have many levels of security protection built in.

Sorry – femtocells can’t capture your phone number

So regrettably for those wanting to snoop on you, I don’t see femtocells as an easy answer at this stage. WiFi is more of a risk today for certain types of activity. Where WiFi is secured, for example when using UMA with a dual-mode GSM/WiFi phone or when connected through secure SSL connections, then this shouldn't be a problem. However, femtocells offer a much more secure, easy to use and straightforward approach than open/public WiFi today.



#1 Phillip Wilson said: 
Sorry, but the article seems very much to be a 'bury your head in the sand' view of the possible 'attacks' on mobile telephony from femtocells.
If/when the femtocells are received in the hands of criminals then this small box would easily be used for sniffing the details of unsuspecting mobile phone owners.
It is not a new and unknown fact that IMSI duplication has been used by people for illegal and, sometimes, legitimate cloning reasons. This allows the use of multiple mobile phones to be used within a single account. As you quite rightly pointed out in the article "All communications between your phone and the mobile network uses the IMSI (International Mobile Subscribers Identification), which is the unique number of your SIM card."
Therefore when these unique identification numbers are 'sniffed' the sim cards can be, with relative ease, duplicated. If the point of the article was that phone numbers can't be retrieved, I'm sure that it's quite obvious that the ability to retrieve these IMSI numbers offers many more serious possibilities of fraud, as well as giving a way of retrieving a phone number (simply by calling a number from the cloned phone and seeing the number ID).
It's fair enough to say that legitimate businesses will probably not go to these lengths to get a customer's telephone details, but a criminal happily would.

I'm sure the argument that "4: Most data is encrypted." will also not be a valid one for too long.
As the femtocells become more widespread, then it is only natural that people, whether for a knowingly illegal reason or not, will attempt and eventually succeed in breaking this encryption (if it hasn't been done already).
I am in no way condemning Femtocells. In fact I think their arrival opens up many new and exciting prospects, but to bluntly state that "Sorry – femtocells can’t capture your phone number" seems to be a very short sighted and blinkered view on the technology.

Phillip Wilson
+2 Quote 2010-02-10 18:20
#2 Dave said: 
I agree
0 Quote 2016-06-02 17:39