Femtocells and Security
Posted by Craig H on 25 June 2009
The Femtocells World Summit is in London this week; I haven’t attended, but I have seen articles about it that have me wondering whether there are interesting security issues emerging.
First, what’s a femtocell? Essentially, it’s a short-range, miniaturised version of a mobile phone mast. However, instead of being directly plumbed in to the phone network, calls made through a femtocell are routed over broadband Internet connections so they can be used in areas where the normal phone network coverage is poor or non-existent.
Vodafone have announced that they will start selling a home femtocell product, called Access Gateway, next week. Incidentally, the reported price is £160, which makes me wonder why anyone would want to pay 3 times over to make a phone call (once for the femtocell hardware, once for the ISP broadband connection, and then finally for the call over the Vodafone network) but maybe there will be some pricing plans that bundle the costs and make sense.
Anyway, on to the (potential) security issues. What got me interested in this was another announcement this week, from a US company called Airvana. They are demonstrating something they call “party alert”, which allows the subscriber to get a notification each time a new mobile phone comes in range of the femtocell; apparently this will discourage your teenage children from throwing impromptu parties in your absence (although it doesn’t seem particularly challenging to get the guests to turn off their phones before arriving :-)). Functionality like this could well have privacy issues, so I got to thinking: exactly what private information could be exposed if things go wrong with a femtocell?
As far as the phone knows, it’s just registering with a normal base station provided by the network operator. It will therefore supply exactly the same identifying information to the femtocell as it does to a normal phone mast. In particular, this includes the IMSI (International Mobile Subscriber Identity) which uniquely identifies the subscriber, and the IMEI (International Mobile Equipment Identity) which uniquely identifies the phone. (Interestingly, however, I don’t think either the phone or the femtocell necessarily knows what the phone number – MSISDN, technically – is.)
The GSM (2G) protocols don’t provide the phone with any assurance that the base station it is talking to is actually a legitimate part of the network. This means it’s possible to construct an “IMSI Catcher” that pretends to be a legitimate GSM base station but actually records the IMSIs of phones in its vicinity for surveillance purposes, and can also potentially intercept and record outgoing calls by turning off the GSM encryption. The UMTS (3G) protocol addresses this by doing “mutual authentication” so that the base station proves its identity to the phone as well as the other way around.
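The contrast between one-way and mutual authentication, as an added example that is not part of the original post: a simplified model of the SIM-side check, in which the network must present a token derived from the shared subscriber key and a fresh sequence number before the SIM answers. The class and function names, the sample key and the use of truncated HMAC-SHA256 in place of the SIM's real algorithms are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

def _f(key, label, *parts):
    # Assumption: truncated HMAC-SHA256 stands in for the SIM's f1/f2.
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()[:8]

class Network:  # network side; knows the subscriber key K shared with the SIM
    def __init__(self, k):
        self.k, self.sqn = k, 0

    def challenge(self):
        self.sqn += 1                          # fresh sequence number
        rand, sqn = os.urandom(16), self.sqn.to_bytes(6, "big")
        return rand, sqn + _f(self.k, b"f1", sqn, rand)   # (RAND, AUTN)

    def check_response(self, rand, res):
        return hmac.compare_digest(res, _f(self.k, b"f2", rand))

class Sim:
    def __init__(self, k):
        self.k, self.last_sqn = k, 0

    def gsm_respond(self, rand):
        # 2G style: any challenge is answered; the sender is never checked.
        return _f(self.k, b"f2", rand)

    def umts_respond(self, rand, autn):
        # 3G style: check the network's MAC and freshness before answering.
        sqn, mac = autn[:6], autn[6:]
        if not hmac.compare_digest(mac, _f(self.k, b"f1", sqn, rand)):
            return None                        # sender does not hold K
        if int.from_bytes(sqn, "big") <= self.last_sqn:
            return None                        # replayed challenge
        self.last_sqn = int.from_bytes(sqn, "big")
        return _f(self.k, b"f2", rand)

def demo():
    k = bytes(range(16))                       # constructed sample key
    home, sim, other = Network(k), Sim(k), Network(bytes(16))  # other lacks K
    rand, autn = home.challenge()
    res = sim.umts_respond(rand, autn)
    return {
        "genuine_accepted": res is not None and home.check_response(rand, res),
        "replay_refused": sim.umts_respond(rand, autn) is None,
        "unknown_refused": sim.umts_respond(*other.challenge()) is None,
        "gsm_answers_anyone": sim.gsm_respond(other.challenge()[0]) is not None,
    }
```

Calling `demo()` returns a dictionary of four booleans, all `True` when the model behaves as described.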
I’m also reminded of the fuss over the Path Intelligence technology which has been used to track the location of shoppers within shopping malls for marketing purposes. Path Intelligence have stated that no personally identifiable information is recorded, and that may well be the case but, as with other potentially privacy-invading technologies such as Phorm, we shouldn’t have to just trust them to do the right thing.
Unfortunately I’m by no means an expert on the UMTS protocols, and don’t have any particular information on the innards of the Vodafone femtocell, so I’m left with some dangling questions:
- Is the femtocell constrained to only use the more secure UMTS protocol, or will it fall back to GSM? If it will fall back to GSM, it will presumably be vulnerable to “man in the middle” attacks.
- Is there any way for data that’s exchanged between the phone and femtocell to be used to derive the phone number? I presume this could at least be done with the cooperation of the network operator if they chose to offer it as a service.
- Could bad guys take a femtocell and modify it to be used as an IMSI catcher? If so, wide availability of relatively cheap femtocells would make this attack much easier.
- Could bad guys use the femtocell hardware to listen in on communications between the phone and a legitimate base station, as Path Intelligence does? What data could they collect? IMEI?
- What stops the phones of people just walking past my house registering with my femtocell? The Vodafone materials suggest that their femtocell can be configured to only connect with specific phones, but that seems to conflict with Airvana’s example of detecting all phones in its vicinity.