I used to run a Linux box with a webserver on it from home. It helped me understand aspects of setting up and maintaining a server and some of the issues associated with them.
I was shocked when I looked through the access log report - the sheer volume of continuous exploits trying to bypass security (at that time mainly Windows server issues) was enormous. I've heard it said that any unprotected PC can be attacked within a minute, so that installing the original Windows XP (without Service Pack 2 or 3 preintegrated) is virtually impossible to do because by the time you've downloaded the latest security patches, your system will already have been infected.
So it's a nasty, harsh environment to work in. What can operators do to protect both their own networks and their customers' femtocells from attack?
What are the common security threats that femtocells face on their broadband internet connections?
1. Denial of Service (DoS) attacks.
Denial of Service attacks are orchestrated attempts to flood an internet destination with so many requests that the real users are either not served at all or see performance degrade to an unacceptable level. Routers and the operator's security gateway can detect and throttle unusual volumes of traffic from an individual source, but a distributed attack sent through a botnet - thousands of individual computers infected with malware unknown to their owners - arrives from many ordinary-looking sources at a modest rate each, and so can be indistinguishable from real traffic.
Some mobile operators plan to offer femtocells bundled with their own broadband service. This lets the security gateway accept tunnel requests only from the operator's own address ranges and block traffic from other ISPs outright, but it does not protect against a botnet that includes computers belonging to the operator's own customers.
DoS conditions can also arise from non-malicious events, such as recovery from an area-wide power failure, a remote software upgrade, or the restoration of a faulty high-capacity transmission link. When thousands of femtocells power back up at the same time, they all try to rebuild their IPsec tunnels and re-register at once, and the security gateway has to process that burst of reconnection requests in a short time. Two things help: sizing the security gateway for the reconnection burst rather than for steady-state load, and having the femtocells spread their first reconnection attempt over a random delay and back off when the gateway turns them away. The bottleneck is not necessarily the gateway itself - upstream elements such as the HLR and MSC see the same burst of re-registrations - so the throughput of the whole chain has to be considered together.
A well-publicised example where this went wrong was when Skype went offline for more than a day after a major Windows update patch was rolled out: its algorithm for handling a massive wave of restarts and reconnections wasn't suited to the heavy traffic that occurred.
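To put numbers on the reconnection storm described above, here is an added simulation (not code from the original article or from any vendor) of a fleet of femtocells coming back after a power cut. The gateway capacity, fleet size and backoff parameters are assumed values chosen for illustration; the arrival times are constructed by the script itself. It compares firmware that reconnects the instant it boots against firmware that waits a random start-up delay, with both retrying on rejection using truncated binary exponential backoff with full jitter.

```python
import random


def reconnect_schedule(n_cells, spread_s, seed=0):
    """Constructed arrival times, in seconds after power is restored, for n_cells
    femtocells.  spread_s == 0 models firmware that dials the security gateway
    the instant it boots; spread_s > 0 models a per-cell random start-up delay
    drawn uniformly from [0, spread_s)."""
    rng = random.Random(seed)
    return [rng.uniform(0, spread_s) if spread_s > 0 else 0.0 for _ in range(n_cells)]


def simulate_gateway(arrivals, capacity_per_s, base_backoff_s=2.0, max_exp=6, seed=0):
    """One-second-step simulation of a security gateway that can complete at most
    capacity_per_s tunnel set-ups per second (assumed figure).  Requests beyond
    capacity are rejected; a rejected cell retries after a delay drawn uniformly
    from [b*2^k, 2*b*2^k) seconds, where k is its attempt number (truncated
    binary exponential backoff with full jitter).
    Returns (peak_offered_requests_per_s, seconds_until_every_cell_connected)."""
    rng = random.Random(seed)
    pending = {}                                    # second -> list of attempt numbers
    for t in arrivals:
        pending.setdefault(int(t), []).append(0)
    total, connected, peak, t = len(arrivals), 0, 0, 0
    while connected < total:
        attempts = pending.pop(t, [])
        peak = max(peak, len(attempts))
        served = min(len(attempts), capacity_per_s)
        connected += served
        for k in attempts[served:]:                 # the gateway turned these away
            window = base_backoff_s * 2 ** min(k, max_exp)
            delay = max(1, int(rng.uniform(window, 2 * window)))
            pending.setdefault(t + delay, []).append(k + 1)
        t += 1
    return peak, t


def compare(n_cells=5000, capacity_per_s=50, spread_s=200):
    """Run the same fleet through the same gateway with and without a start-up spread."""
    herd = simulate_gateway(reconnect_schedule(n_cells, 0), capacity_per_s)
    spread = simulate_gateway(reconnect_schedule(n_cells, spread_s), capacity_per_s)
    return {"herd": herd, "spread": spread}


if __name__ == "__main__":
    for name, (peak, secs) in compare().items():
        print(f"{name:6s} peak offered load {peak:5d} req/s, all cells connected after {secs:4d} s")
```

The instructive number is the peak: with no start-up spread the gateway is offered the whole fleet in one second, and it only survives in the simulation because rejecting a request is modelled as free. In a real gateway the first burst is what falls over, taking the retries with it, so the random spread on the client side is worth more than any amount of backoff after the fact.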
2. Unauthorised Access and/or Service Theft
Up to now, the handset has pretty much always trusted whatever network will talk to it. Strong authentication was put in place in the other direction, so that the network can validate and confirm the identity of the handset and its subscription - specifically the SIM card in GSM/UMTS systems. (GSM authentication is one-way: the network challenges the SIM, but the handset never checks the network. UMTS AKA added a network authentication token, but the imbalance in trust between the two sides remains.)
Femtocells need to verify that they are indeed connected to their own network operator and have not been hi-jacked for nefarious purposes, and the operator needs to verify the femtocell in turn. This means mutual authentication when the IPsec tunnel to the security gateway is set up. IKE, the key exchange that negotiates IPsec, supports two kinds of credential for this:
- a pre-shared secret. This must be unique to each femtocell: a single secret shared across the whole fleet becomes public as soon as one unit is taken apart, and then lets an attacker impersonate any femtocell, or the gateway itself.
- X.509 certificates, checked against a pre-defined list of certificate authorities that the femtocell and the gateway each trust (the same model a web browser uses for HTTPS). The check has to cover more than the signature: the certificate must be within its validity period, not revoked, and issued to the identity the other end claims.
As with the example at the start of this article, a hacker who gains control of a femtocell could load malicious software into it and change what it does, sometimes without the owner's knowledge. Unlike a base station in an operator site, a femtocell sits in the customer's home, so whoever has the box also has physical access to it: the credentials it uses to authenticate to the operator need to be stored where they cannot simply be read off the flash, and the firmware should only run images signed by the operator.
3. Subscriber ID theft and interception
These techniques include "man in the middle" attacks, whereby an attacker sitting on the path between the femtocell and the femto gateway intercepts and monitors all the traffic, allowing them to decode and record any calls or data sessions. A correctly authenticated IPsec tunnel leaves such an attacker with nothing but encrypted ESP packets, which is why the mutual authentication described above matters: the attack succeeds when the femtocell fails to check who it is talking to, or when its credentials have been extracted. There is also the possibility of stealing the identity of the femtocell and reusing it elsewhere.

Femtocell vendors have two approaches to validating the femtocell identity:
- One is to use the existing GSM/UMTS SIM card scheme, issuing a unique SIM card for each femtocell. These are authenticated using the normal procedures and provide a high level of confidence that the SIM belongs to whoever the femtocell says it does. (The original GSM COMP128-1 algorithm was shown to be cloneable in 1998 and has been replaced; the UMTS MILENAGE algorithm has not been broken, and in any case the architecture lets each operator embed its own algorithm by issuing different SIM cards.) Products from vendors including Ubiquisys include a SIM card slot for this purpose.
- The other scheme is to use digital certificates; ip.access, Alcatel-Lucent and others use this approach, which is claimed to be lower cost. Ubiquisys claim to be able to offer this option too.
Whilst some operators may use a SIM approach for logistics reasons (it fits into their back office processes more easily), I'd expect certificates to become the longer term approach because of lower product cost.
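As an added illustration of the certificate approach in points 2 and 3 (this is not code from the article or from any of the vendors named), the Python below uses the `cryptography` library to stand up a hypothetical operator CA and then applies the checks a femtocell or gateway must make on its IKE peer's certificate: the issuer is one of the pinned operator CAs, the signature verifies under that CA's key rather than merely matching its name, the certificate is in date, it is an end-entity certificate, and it names the identity the peer is claiming. The operator name, CA and device identities are made up for the example; revocation checking is deliberately left out.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

OPERATOR = "Example Operator"          # hypothetical operator name


def dn(cn, org=OPERATOR):
    return x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
                      x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def issue(subject, subject_key, issuer, issuer_key, is_ca, start, end):
    """Sign an ECDSA/P-256 certificate for subject with issuer_key."""
    return (x509.CertificateBuilder()
            .subject_name(subject)
            .issuer_name(issuer)
            .public_key(subject_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(start)
            .not_valid_after(end)
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))


def _validity(cert):
    """Validity bounds as aware UTC datetimes, across cryptography versions."""
    try:
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    except AttributeError:                     # older releases return naive UTC
        return (cert.not_valid_before.replace(tzinfo=timezone.utc),
                cert.not_valid_after.replace(tzinfo=timezone.utc))


def validate_peer_cert(cert, trust_anchors, expected_cn, now=None):
    """Checks an IKE peer's certificate against the pinned operator CA list.
    Returns (True, 'ok') or (False, reason)."""
    now = now or datetime.now(timezone.utc)
    anchor = next((ca for ca in trust_anchors if ca.subject == cert.issuer), None)
    if anchor is None:
        return False, "issuer is not one of the pinned operator CAs"
    try:                                       # name match is not enough: check the key
        anchor.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False, "signature does not verify under the pinned CA key"
    not_before, not_after = _validity(cert)
    if not not_before <= now <= not_after:
        return False, "certificate is outside its validity period"
    try:
        is_ca = cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        is_ca = False                          # RFC 5280: absent means end-entity
    if is_ca:
        return False, "a CA certificate is not acceptable as a peer identity"
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    if cn != expected_cn:
        return False, f"certificate names {cn!r}, expected {expected_cn!r}"
    return True, "ok"


def demo():
    """Constructed scenario: the operator CA, a rogue CA with an identical name,
    and three certificates for the same femtocell identity."""
    now = datetime.now(timezone.utc)
    year = timedelta(days=365)
    op_key = ec.generate_private_key(ec.SECP256R1())
    rogue_key = ec.generate_private_key(ec.SECP256R1())
    dev_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = dn("Operator Femto CA")
    op_ca = issue(ca_name, op_key, ca_name, op_key, True, now - year, now + 10 * year)
    rogue_ca = issue(ca_name, rogue_key, ca_name, rogue_key, True, now - year, now + 10 * year)
    femto = dn("femto-000123")
    genuine = issue(femto, dev_key, op_ca.subject, op_key, False, now - timedelta(days=1), now + year)
    rogue = issue(femto, dev_key, rogue_ca.subject, rogue_key, False, now - timedelta(days=1), now + year)
    expired = issue(femto, dev_key, op_ca.subject, op_key, False, now - 2 * year, now - year)
    anchors = [op_ca]                          # the pinned list shipped in the femtocell
    return {
        "genuine": validate_peer_cert(genuine, anchors, "femto-000123", now),
        "rogue CA, same name": validate_peer_cert(rogue, anchors, "femto-000123", now),
        "expired": validate_peer_cert(expired, anchors, "femto-000123", now),
        "wrong identity": validate_peer_cert(genuine, anchors, "femto-999999", now),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:20s} {'PASS' if ok else 'FAIL'}: {reason}")
```

The rogue CA case is the one worth noting: its subject name is byte-for-byte the operator's, so a check that only compares issuer names would wave it through. Trust comes from the pinned CA's public key, not from anything printed in the certificate.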
4. SIP application layer DoS attacks
The industry is generally adopting the existing mobile network architecture, at least for the first round of deployments. The alternative SIP architecture is a much larger break from existing systems, and would require major upheaval in most operators' back office systems to deploy.

One additional concern for SIP-based solutions is the threat of SIP attacks. A flood of SIP messages can overwhelm the SIP server in much the same way that a network-layer flood overwhelms a link, and because each message is a perfectly valid IP packet the firewall and security gateway will pass it. SIP signalling therefore needs to be inspected and screened by a separate security function that understands the protocol - typically a Session Border Controller, which performs Deep Packet Inspection of each message. It checks that each message is well formed, that the method and headers are ones the network expects, and that the source is sending at a plausible rate; signature matching against known attack patterns validates that the correct messages are coming from the appropriate source. There is probably some commonality with spam email filtering in this context.
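As an added example (not from the article or from any SBC vendor), the Python below runs the two screening steps just described over a constructed batch of SIP requests: a per-message sanity check against the request line, the mandatory headers of RFC 3261 section 8.1.1 and a permitted-method list, followed by a sliding-window rate limit per source address. The addresses (RFC 5737 documentation ranges), identities and thresholds are made up; a real SBC would also track transaction state and match signatures of known attack tools.

```python
import re
from collections import Counter, defaultdict, deque

# RFC 3261 request line and the header fields every request must carry (section 8.1.1)
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>sips?:\S+) SIP/2\.0$")
MANDATORY_HEADERS = ("Via", "From", "To", "Call-ID", "CSeq", "Max-Forwards")
ALLOWED_METHODS = {"REGISTER", "INVITE", "ACK", "BYE", "CANCEL", "OPTIONS"}


def screen_message(raw):
    """Protocol-level sanity check of one SIP request.  Returns None if it passes,
    otherwise a short reason for dropping it."""
    lines = raw.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return "malformed request line"
    if m.group("method") not in ALLOWED_METHODS:
        return "method not permitted: " + m.group("method")
    headers = {}
    for line in lines[1:]:
        if not line:                      # blank line ends the header block
            break
        if ":" not in line:
            return "malformed header line"
        field, value = line.split(":", 1)
        headers[field.strip().lower()] = value.strip()
    missing = [h for h in MANDATORY_HEADERS if h.lower() not in headers]
    if missing:
        return "missing mandatory headers: " + ", ".join(missing)
    return None


class FloodDetector:
    """Sliding-window rate limit per source address: more than max_requests
    within window_s seconds from one source is treated as a flood."""

    def __init__(self, max_requests, window_s):
        self.max_requests, self.window_s = max_requests, window_s
        self.seen = defaultdict(deque)

    def observe(self, ts, src):
        q = self.seen[src]
        q.append(ts)
        while q and q[0] <= ts - self.window_s:
            q.popleft()
        return len(q) > self.max_requests


def analyse(events, max_requests=20, window_s=10.0):
    """events: iterable of (timestamp_s, source_ip, raw_request), in time order.
    Returns a Counter of (source_ip, action) with action accept/reject/rate-limit."""
    detector = FloodDetector(max_requests, window_s)
    verdicts = Counter()
    for ts, src, raw in events:
        if screen_message(raw) is not None:
            verdicts[(src, "reject")] += 1
        elif detector.observe(ts, src):
            verdicts[(src, "rate-limit")] += 1
        else:
            verdicts[(src, "accept")] += 1
    return verdicts


def sip_request(method, user, call_id, cseq, omit=()):
    """Build a minimal SIP request for the sample; omit lists headers to leave out."""
    headers = [
        ("Via", "SIP/2.0/UDP 192.0.2.1;branch=z9hG4bK-" + call_id),
        ("From", f"<sip:{user}@femto.example.net>;tag=1928301774"),
        ("To", "<sip:447700900123@example.net>"),
        ("Call-ID", f"{call_id}@femto.example.net"),
        ("CSeq", f"{cseq} {method}"),
        ("Max-Forwards", "70"),
    ]
    head = f"{method} sip:447700900123@example.net SIP/2.0"
    return "\r\n".join([head] + [f"{k}: {v}" for k, v in headers if k not in omit]) + "\r\n\r\n"


def build_sample():
    """Constructed traffic as a gateway might log it: one well-behaved femtocell,
    one source sending broken messages, and one source flooding INVITEs."""
    legit = "203.0.113.10"
    events = [
        (0.0, legit, sip_request("REGISTER", "femto-000123", "c1", 1)),
        (5.0, legit, sip_request("INVITE", "femto-000123", "c2", 1)),
        (6.0, legit, sip_request("ACK", "femto-000123", "c2", 1)),
        (60.0, legit, sip_request("BYE", "femto-000123", "c2", 2)),
        (2.0, "192.0.2.5", sip_request("INVITE", "bot", "c3", 1, omit=("Call-ID",))),
        (3.0, "192.0.2.5", sip_request("FLOOD", "bot", "c4", 1)),
    ]
    events += [(1.0 + i * 0.05, "198.51.100.77", sip_request("INVITE", "bot", f"f{i}", 1))
               for i in range(40)]          # 40 INVITEs in two seconds
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    for (src, action), n in sorted(analyse(build_sample()).items()):
        print(f"{src:15s} {action:10s} {n}")
```

Malformed messages are dropped before they count towards the rate limit, so a flood of garbage cannot push a legitimate source over the threshold, and the limit is per source rather than global, which is the difference between throttling one bot and throttling every femtocell behind the same SBC.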