Franklin Heath Ltd

Master Your Information Assets

Femtocells and Security

Posted by Craig H on 25 June 2009

The Femtocells World Summit is in London this week; I haven’t attended, but I have seen articles about it that have me wondering whether there are interesting security issues emerging.

First, what’s a femtocell? Essentially, it’s a short-range, miniaturised version of a mobile phone mast. However, instead of being directly plumbed in to the phone network, calls made through a femtocell are routed over broadband Internet connections so they can be used in areas where the normal phone network coverage is poor or non-existent.

Vodafone have announced that they will start selling a home femtocell product, called Access Gateway, next week. Incidentally, the reported price is £160, which makes me wonder why anyone would want to pay 3 times over to make a phone call (once for the femtocell hardware, once for the ISP broadband connection, and then finally for the call over the Vodafone network) but maybe there will be some pricing plans that bundle the costs and make sense.

Anyway, on to the (potential) security issues. What got me interested in this was another announcement this week, from a US company called Airvana. They are demonstrating something they call “party alert”, which allows the subscriber to get a notification each time a new mobile phone comes in range of the femtocell; apparently this will discourage your teenage children from throwing impromptu parties in your absence (although it doesn’t seem particularly challenging to get the guests to turn off their phones before arriving :-)). Functionality like this could well have privacy issues, so I got to thinking: exactly what private information could be exposed if things go wrong with a femtocell?

As far as the phone knows, it’s just registering with a normal base station provided by the network operator. It will therefore supply exactly the same identifying information to the femtocell as it does to a normal phone mast. In particular, this includes the IMSI (International Mobile Subscriber Identity) which uniquely identifies the subscriber, and the IMEI (International Mobile Equipment Identity) which uniquely identifies the phone. (Interestingly, however, I don’t think either the phone or the femtocell necessarily know what the phone number – MSISDN, technically – is.)

The GSM (2G) protocols don’t provide the phone with any assurance that the base station it is talking to is actually a legitimate part of the network, which means it’s possible to construct an “IMSI Catcher” that pretends to be a legitimate GSM base station but actually records the IMSIs of phones in its vicinity for surveillance purposes, and also potentially can intercept and record outgoing calls by turning off the GSM encryption. The UMTS (3G) protocol addresses this by doing “mutual authentication” so that the base station proves its identity to the phone as well as the other way around.
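To make the difference just described concrete, here is a toy model of both exchanges (added for this post, not code from Vodafone or any 3GPP implementation). HMAC-SHA256 stands in for the 3GPP f1/f2 functions and Ki is a constructed key; the point is only that a station without Ki can satisfy a GSM phone but not a UMTS one.

```python
import hashlib
import hmac
import os

# Toy model of the difference described above. Under GSM the phone answers any
# RAND, so it cannot tell a rogue base station from the network; under UMTS the
# network also sends AUTN = SQN || MAC computed with the subscriber key Ki, which
# a rogue station cannot forge. HMAC-SHA256 stands in for the 3GPP f1/f2
# functions (assumption; real USIMs use MILENAGE and Ki never leaves the SIM).

def f1_mac(ki, rand, sqn):
    return hmac.new(ki, b"f1" + rand + sqn, hashlib.sha256).digest()[:8]

def f2_res(ki, rand):
    return hmac.new(ki, b"f2" + rand, hashlib.sha256).digest()[:8]

class BaseStation:
    def __init__(self, ki=None, sqn=1):
        self.ki, self.sqn = ki, sqn          # ki=None models a rogue station
    def challenge(self):
        rand, sqn = os.urandom(16), self.sqn.to_bytes(6, "big")
        self.sqn += 1
        mac = f1_mac(self.ki, rand, sqn) if self.ki else os.urandom(8)  # rogue must guess
        return rand, sqn + mac

class Phone:
    def __init__(self, ki):
        self.ki, self.sqn_max = ki, 0
    def gsm_auth(self, rand):
        return f2_res(self.ki, rand)          # one-way: nothing about the network is checked
    def umts_auth(self, rand, autn):
        sqn, mac = autn[:6], autn[6:]
        if not hmac.compare_digest(mac, f1_mac(self.ki, rand, sqn)):
            return "MAC failure", None        # network not authenticated
        if int.from_bytes(sqn, "big") <= self.sqn_max:
            return "synch failure", None      # replayed challenge
        self.sqn_max = int.from_bytes(sqn, "big")
        return "ok", f2_res(self.ki, rand)

def run_scenarios():
    ki = os.urandom(16)                       # constructed per-subscriber key
    phone, genuine, rogue = Phone(ki), BaseStation(ki), BaseStation()
    out = {}
    rand, _ = rogue.challenge()
    out["gsm_rogue"] = "accepted" if phone.gsm_auth(rand) == f2_res(ki, rand) else "rejected"
    rand, autn = genuine.challenge()
    out["umts_genuine"] = phone.umts_auth(rand, autn)[0]
    out["umts_rogue"] = phone.umts_auth(*rogue.challenge())[0]
    out["umts_replay"] = phone.umts_auth(rand, autn)[0]   # same RAND/AUTN again
    return out
```

The replay case shows why AUTN carries a sequence number as well as a MAC: a recorded genuine challenge would otherwise still verify.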

I’m also reminded of the fuss over the Path Intelligence technology which has been used to track the location of shoppers within shopping malls for marketing purposes. Path Intelligence have stated that no personally identifiable information is recorded, and that may well be the case but, as with other potentially privacy-invading technologies such as Phorm, we shouldn’t have to just trust them to do the right thing.

Unfortunately I’m by no means an expert on the UMTS protocols, and don’t have any particular information on the innards of the Vodafone femtocell, so I’m left with some dangling questions:

  • Is the femtocell constrained to only use the more secure UMTS protocol, or will it fall back to GSM? If it will fall back to GSM, it will presumably be vulnerable to “man in the middle” attacks.
  • Is there any way for data that’s exchanged between the phone and femtocell to be used to derive the phone number? I presume this could at least be done with the cooperation of the network operator if they chose to offer it as a service.
  • Could bad guys take a femtocell and modify it to be used as an IMSI catcher? If so, wide availability of relatively cheap femtocells would make this attack much easier.
  • Could bad guys use the femtocell hardware to listen in on communications between the phone and a legitimate base station, as Path Intelligence does? What data could they collect? IMEI?
  • What stops the phones of people just walking past my house registering with my femtocell? The Vodafone materials suggest that their femtocell can be configured to only connect with specific phones, but that seems to conflict with Airvana’s example of detecting all phones in its vicinity.

8 Responses to “Femtocells and Security”

  1. David Mery said

    Craig,

    The MITM attack has already been done with BSC. This is legal in the UK if you’re a foreign territory, i.e., an embassy. In the US, the ACLU obtained documentation of the phantom base station technique used by the FBI for such purpose (Triggerfish). See Rupert’s post, I link to the FBI doc in the comments:
    http://community.zdnet.co.uk/blog/0,1000000567,10011953o-2000331777b,00.htm

    From what I read (sorry no reference, search the recent news) the legit software of these femtocells only recognises phones on the one network they’re registered for (Voda in this case). Also one has to go through a registration of the phones (up to four) to be able to use the femtocell so no walk-by war-calling. Changing the software to play with the air interface is most likely a breach of the type approval and hence illegal, but it effectively democratises the technical capabilities for a MITM attack.

    As pointed out in a comment on the following post, another security issue is the “nomadic femtocell issue” where one moves the femtocell to another country where the operator does not have a license. Apparently some of these kits have GPS inside to prevent this scenario:
    http://mobilesociety.typepad.com/mobile_life/2007/09/femtocell-tho-2.html

    br -d

  2. Tyson Key said

    Anyone know if they’re using the UMA protocol over IPv4/IPv6 for the Vodafone Femtocells?

    From what I’ve seen as far as publicly-available traffic dumps goes, it’s possible to operate in either unencrypted, or encrypted mode, and the IMSI gets thrown around on the air a lot during authentication to the ‘cell, although a TMSI/P-TMSI is seemingly assigned afterwards, before a “Temporary Logical Link Identifier” (that’s what Wireshark calls it anyway) is used for everything else.

    I’d have to look at some more sample data, and read the 3GPP/GSM specs again, but I assume that authentication traffic is always plain-text, which should make things interesting.

    I don’t have hardware available here to test, but I gather that it’s possible to collect IMSIs and TMSIs en-masse, if someone was running a Femtocell connected to an unsecured Wi-Fi access point (but that’s a pretty stupid idea, unless you’re in a controlled environment where you trust every device, need I digress), but everyone would need to have a Vodafone SIM card, to even try and authenticate with the said Femtocell. Not sure how/if IMEIs are handled, though.

    Feel free to correct me on all that, but that’s my initial observation.

  3. Craig H said

    Tyson, I don’t think they are using UMA, as it’s advertised as working with any UMTS handset, but I am curious as to what protocol is being tunnelled (they use IPSec, apparently) between the femtocell and the back end. On this diagram the femtocell could conceivably just perform the NodeB function (and tunnel the Iub protocol) or perhaps include the RNC function as well (and tunnel the Iu protocols) or even divide it up some other way and use a proprietary protocol. I think the more functionality there is in the femtocell the more opportunity there will be to tamper with it.

    Incidentally, there is an update on the tracking of mobile users over on The Register. Apparently there’s a US company involved called TruePosition, who are in a similar business to Path Technologies, but in this case they are talking about using it for intrusion detection. Why wouldn’t bad guys just turn off their phones??

  4. David Mery said

    From discussions at OpenTech, here are a few answers to your questions:

    > Is the femtocell constrained to only use the more secure UMTS protocol

    Yes.

    > Is there any way for data that’s exchanged between the phone and femtocell

    Apparently the femtocells are on a different PLMN. This is why phones to be registered with a femtocell receive a SIM Update. This is to add the femtocell’s PLMN to the list of approved PLMNs. So phones in automatic mode without the femtocell’s PLMN will never attempt to connect to it.

    > Could bad guys take a femtocell and modify …

    It’s supposed to be secure, however it does have a debug interface… so time will tell on this one.

    > What stops the phones of people just walking past my house registering with my femtocell?

    PLMN not in approved list. See above.

    Also there is no GPS in the femtocells used by Voda. They use IP geo-location to enforce use where Voda has a license.

    (Another interesting somewhat related recent article is Cellphones Leave Electronic Tracks for Investigators, Raising Privacy Concerns.)

    br -d

  5. Tyson Key said

    Thanks for the clarification, Craig and David. If I could afford one, had a Vodafone SIM card handy, and had ADSL here, I’d get one just to see what the network traffic from the thing looks like, for what it’s worth.

    Anyone want to open a bounty? 😉

  6. Tyson Key said

    Oops, I should have added this to my last comment. Does anyone know who’s supplying the GeoIP database for this, out of interest?

    From what I’ve seen, they tend to be extremely inaccurate, and usually give the location of the main “connectivity point” (e.g. an ISP’s Point of Presence or head office) for the user’s connection, rather than their “real” location. For example, most GeoIP implementations reckon that I’m in Maidenhead or Birmingham about 90% of the time, since I use 3’s HSDPA Mobile Broadband service, even though I live in a small town somewhere near Harrogate and York…

  7. JD said

    Check out http://wiki.thc.org/vodafone for some more tech info.

  8. […] catching is detectable from [the] phone, but no detect apps exist” (we have mentioned IMSI catching in this blog […]
