Using equipment that can be purchased for less than $300 and a free software download, researchers at security consultancy iSEC Partners recently demonstrated that they could easily listen in on cell phone calls or access data from nearby phones. By exploiting a vulnerability in consumer femtocell gear, a hacker could theoretically access the private data of cell phone users within a certain radius, giving credence to longstanding concerns about the software security of such devices, which are sold to enhance cell phone service.
The research team demonstrated its attack to journalists at Reuters and NPR using a femtocell made for Verizon by Samsung. The full findings of the study will be presented at the upcoming Def Con conference in Las Vegas.
Inside the femtocell
Femtocells extend cell phone service for customers who live in areas with weak signals. Essentially miniature cell towers, they have been used to inexpensively expand wireless service to remote and rural areas. They also pick up signals from all nearby phones, which means that someone able to access the device could intercept text messages, browser input and other phone data. The devices cost $250 purchased from Verizon or retailers like Best Buy, and used models can be obtained online for about $150, Reuters reported.
The researchers, Tom Ritter and Doug DePerry, used free software downloaded online to exploit vulnerabilities in the femtocells and listen in on nearby calls. They were able to capture the phone number of NPR’s Laura Sydell as soon as she walked into a room, then record and play back an entire conversation from her phone. They claimed to be the first to have hacked the femtocells of a U.S. carrier, as well as the first to hack femtocells running on the wireless standard CDMA, Reuters reported. Verizon released an over-the-air update in March that it claims automatically corrects the flaw for end users and noted that there have not been instances of in-the-wild attacks.
“The Verizon Wireless Network Extender remains a very secure and effective solution for our customers,” Verizon spokesman David Samberg said.
Ease of attack
Nonetheless, Ritter and DePerry’s proof-of-concept system still works, and they have highlighted some of the potential threats of an attack using femtocells. Since the devices are small and can access any phone within a 40-foot radius, an attacker might stash one in a bag at a restaurant frequented by investment bankers or at a party filled with political insiders, they noted, allowing him or her to gain sensitive information from messages and picture data. Such concerns have been particularly heightened in recent weeks due to debates over electronic privacy, Reuters noted.
“This is not about how the NSA would attack ordinary people,” Ritter told the news agency. “This is about how ordinary people would attack ordinary people.”
The researchers noted that similar attacks could likely be carried out on femtocells of more than 30 global wireless companies. Femtocells are of unique concern because they give attackers physical access to the device, several onlookers noted. As a result, the embedded software can easily be modified in ways that traditional cell towers do not allow.
“Unlike traditional cell sites that are locked behind some serious security (and fences), anyone can buy and crack open a femtocell,” GigaOM’s Lauren Hockenson noted. “If the hacker can get past the security measures in place for the device, he or she gets access to any information that would normally pass through a tower: text messages, voice calls and possibly even passwords you type into your browser.”
With such accessible tools creating potential conduits for hackers, improving the security of embedded software is essential for protecting end users. Organizations can use tools such as static analysis software to scan code before it is released and eliminate such errors.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.