The newswires have been abuzz lately about a demonstrated hack of a residential femtocell, potentially allowing attackers to snoop on and intercept calls and data illicitly. Is this FUD (Fear, Uncertainty and Doubt) more about headlines and readership, or is there really a substantial threat to their use?
The story so far
So-called "white hat" hackers (they're the good ones) demonstrated to Reuters that they had managed to hack into and gain control of a residential femtocell. In this case, it was Verizon's Network Extender supplied by Samsung, but it could equally be almost any other similar product. It required a special HDMI cable, physical access to the device and highly detailed technical knowledge.
There are no reports of any live commercial femtocells affected.
In March, a fix for this particular issue was developed, tested and deployed throughout Verizon's network for both models of the affected femtocells. Since all femtocells have to be registered and authenticated by their host network operator, updating software is automated and quickly achieved.
The "hole" has been fixed and the problem quickly resolved.
Security holes are regularly found in mass market software systems. Your PC or Mac is regularly updated with fixes to counter the thousands of threats identified, and this has become commonplace. Even so, most PCs also have anti-virus software scanners to protect them.
I've come across many home PC users with out-of-date software and/or anti-virus. The large numbers of infected computers that can be remotely controlled, so-called botnets, are further evidence of poorly controlled and maintained systems.
Legalised private data capture
These reports come at a time when much more widespread privacy issues have come to light, such as the US PRISM scandal (you were right to be paranoid), where state agencies have seemingly unfettered access to huge amounts of personal data.
Regulators, especially in Europe, are also threatening large fines for breaches of data privacy of their citizens browsing the internet – you only have to watch how cleverly website advertising interacts and responds to your surfing and buying patterns to appreciate that there's an awful lot going on behind the scenes.
As mentioned in Reuters' report, this femtocell exploit wouldn't be needed by official government agencies to intercept calls. They and even some of the larger internet businesses already have a wealth of data about you available to them, usually freely given (does anyone really read those long privacy agreements?) or through lawful intercept.
The adoption of centralised management and software control
The introduction of Windows Update and similar schemes for Mac and Linux users has gone a long way to improve the stability of major platforms, with bugfixes quickly and effectively being rolled out. These may not always be deployed quickly enough to protect against a zero-day attack, where a new virus threat rapidly establishes itself, but undoubtedly have minimised the problem.
Enterprise IT systems, which lock down specific configurations and regularly deploy software updates in a controlled manner, have also stabilised the performance and reliability of desktop and laptop computers.
Network operators work on an even larger scale, with millions of domestic femtocells, routers and modems managed from centralised platforms. These not only update software, but can also override or reset parameters and even remotely disable rogue equipment.
Wi-Fi router vs Femtocell
Many residential Wi-Fi routers are provided and remotely managed by wireline broadband operators as part of their package. In some cases, these are very tightly controlled and access to configuration is extremely limited. In other cases, they can be replaced with similar equipment that the householder directly configures and manages.
As with self-managed domestic PCs, there is an opportunity for software updates and configuration changes to become overlooked and outdated. This perhaps poses a greater risk than a centrally managed unit, whether by the enterprise or a network operator, because it may be easier to gain access to.
I don't really see that it makes much difference whether it's a Wi-Fi router or a cellular femtocell (in the longer term, such equipment will be dual mode). What's far more significant is whether it is centrally managed and actively supervised.
Some reports even suggested that hacked femtocells could capture your passwords. For secure sites, such as banking and even email, the SSL (Secure Sockets Layer) protocol is used to exchange passwords, so these would not be seen in unencrypted form within the small cell. This is true for both Wi-Fi and cellular traffic.
We have written before about some of the security issues from using Wi-Fi, where hackers have intercepted traffic by sitting outside homes in a van and using a scanner. This wouldn't be the case for hacked small cells, where physical access to the device is required.
Those wanting to track your behaviour and intercept traffic may prefer to use a "Trojan" that quietly resides on your smartphone, intercepting and forwarding your data wherever you go rather than being restricted to the limited coverage area of a femtocell.
Long term security concerns
I've heard a few industry players express concerns about the risk of end user interception. It's nice to know that this issue is in the minds of CTOs and others as they expand the scope of commercial wireless service to integrate Wi-Fi more tightly.
Whether the best gauge to measure their success will be the level of hype generated by the press remains to be seen. Perhaps the fact that this type of threat is so unusual and uncommon is the primary reason it has become newsworthy. I do hope that reporters will research the issue more thoroughly should it arise in the future.
To me, this specific case is more comparable to warnings about stepping on a mousetrap when walking through the jungle - there are far bigger threats to be watchful about.