A TV program which specialises in demonstrating scams and confidence-tricks caught my attention the other day.
Parked in a van outside a house in a leafy suburb, a standard laptop with WiFi and commercially available software was used to scan the airwaves. It picked up four domestic WiFi hotspots, of which only one had any security enabled.
Targetting this and using easily availabile software, the WEP security was quickly cracked, allowing full viewing of web pages being surfed. Whilst those accessed from a secure browser page using HTTPS (such as banking and ecommerce sites) were not visible, most screens could be logged, stored and printed out for future reference.
Pages included full details of a holiday booking (including flight dates and times) and shopping baskets. The user was understandably shocked when these pages were shown to him - especially since he had thought that WiFi security was switched on.
The solution to this for WiFi is to enable the newer and more powerful WPA encryption, and restrict access to individual MAC addresses, but not all WiFi devices have this capability.
When using public WiFi hotspots, security is usually turned off by default (otherwise each customer must be given the secret key and would have to enter it into their computer). Whilst this makes it easy to find and use WiFi, especially if it is a free service, it also exposes the user to risk of interception. Some programs, such as Skype, automatically encrypt their data, and so are not easily hacked. Business users with secureID and VPN tunnels have their own separate security layer.
But as more users become aware of the problem, public WiFi for general use may get a bad name.
One of the key benefits of femtocells is that they adopt the existing 3G cellular security protocols already in place. The end user doesn't have to take any special action or input any key codes or passwords to access the femtocell. Quite apart from the difficulty in accessing and decoding the radio layer (you can't just use a standard WiFi adaptor or its equivalent), the traffic is normally encrypted over the radio channel. The secrets held within the SIM card are used to setup a temporary session, with the subscriber identity (IMSI) being substituted with a T-IMSI. The user's telephone number is not normally transferred over the air - all registration is based on the IMSI - so tracing specific sessions to a user from their telephone number is more difficult.
With the growing popularity of small notebooks and uMPCs such as the Asus eeePC, not to mention smartphones which come with WiFi built in, the security concerns of using public WiFi in this way are not yet fully appreciated. Perhaps once they are more widely known, the switch to mobile broadband data services is more likely - both for use inside and outside the home.
Whilst the competing dual-mode UMA/WiFi solution also encrypts voice and data traffic over the air, many using WiFi as a simple fallback on their laptop remain open to security threats. This is where using the femtocell with a local data offload would provide the dual benefits of secure encryption over the air with fast, direct access to any data devices on the home network or directly through to the internet itself via wired broadband.
Comments
1) Femtocells can't "sniff" other calls. In order to be able to decrypt and listen in, the call would have to be physically routed via their femtocell instead of yours. This would be noticeable and traceable.
2) All digital cellphone calls are encrypted by default (its a setting controlled by the network operator, and very few countries/opera tors don't have this enabled).
3) Separate encryption of the voice/data call is used between the femtocell and core network. This is actually more than is the case for outdoor cellsites, which are either hardwired or transmitted over point-to-point microwave. It stops the determined eavesdropper physically connecting a tap to your phone wires outside your property for example.
4) I'd say femtocells are still more secure than your cordless phone, which its replacing. Calls are encrypted over the air and over the broadband wired connection.
5) In the future, handsets will display the "name" of the femtocell - which can be a user defined text string (i.e. Fred's House). So the neighbour would have to duplicate that, and it might become obvious what's going on.
I'd say you'd have to be quite a hacker to compromise a femtocell and still get the network operators systems to think it was working as normal. Calls would be routed via your femtocell and so would be logged as such. This is not undetected "sniffing" of calls/data, but physically taking over the call handling. I suspect its not completely impossible, just as any determined hackers can find some workaround, but the value in doing so would need to make it worth their while.
In comparison with WiFi security, which isn't used at all in public WiFi services, its substantially better.
I'm planning a separate article on the security of the wired broadband connection between femtocell and operators network shortly, and have spoken with specialists on this topic. Watch this space.
IMHO Ive found the MiTM attack technique to always work when concerning ANY information flow. Due to information flow geometry. Ad-hoc type (think pure P2P ala bittorrent) configurations are less suceptible but in a way moreso
RSS feed for comments to this post