Hackers crack femtocells to pwn then clone phones

Security researchers have warned against the industry's use of femtocells after successfully hacking into two popular models of femtocell, allowing them to intercept voice and SMS information from nearby mobile devices. The exploit was detailed by iSEC Partners at the Black Hat conference in Vegas after being revealed earlier …


This topic is closed for new posts.
  1. Wzrd1 Silver badge

    "Though these vulnerabilities have been subsequently patched, the researchers are not confident in the continuing integrity of the femtocell as an architecture. This is because the hardware can never be totally locked down by the vendor, and so there will always be some kind of exploit, they reckon."

    By their principle, no platform, be it desktop, server, router, switch or other device is worthy and should be abandoned, as *no* device is totally locked down by the vendor and any that might be would be rejected for security reasons.

    So, as we can't trust anyone on anything, we should abandon all electronic communication.

    Or gain a small sense of reality.

    1. Lennart Sorensen

      The issue here is that a femtocell is part of the cell network, but physical security of it is with some random person. This is a concern for cell phone users in the area should their phone happen to choose to connect to that femtocell.

  2. B-D


    I'm flip flopping between asking WTF is an HDMI port doing on a femtocell and wondering whether it is mistyped.

    1. auburnman

      Re: HDMI?

      Don't you know them no good dangerous criminals can hack your brain through that thar teevee nowadays?!

  3. A Non e-mouse Silver badge

    Another route would be to have carriers mandate that femtocell users register expected numbers with the operator in advance.

    In the UK, that's the default with the Vodafone SureSignal & O2 Boost Box. Although this can be switched off if the device is used in a commercial location.

    1. Phil O'Sophical Silver badge

      It's also the approach taken by SFR in France, you can register up to 5 numbers.

  4. A Non e-mouse Silver badge

    They instead recommend the use of secured VoIP on WiFi, when out of tower range,

    Did they consider the remote possibility that not every user has a smart phone, and hence can't run VoIP over WiFi?

    (Heck, we've even got users with phones that are GSM only, so don't work with femtocells which are 3G only)

  5. plrndl

    End of the world?

    To paraphrase: "the world can never be perfect, so we should all give up and die now".

  6. another_vulture

    It's your phone, not your femtocell

    You don't need to worry about your own femtocell if you keep it physically secure. Instead, you need to worry about your phone when it connects to someone else's femtocell. But this is just like using someone else's WIFI hotspot: It means you need phone-based security.

    Basically, unless you have phone-based security, you are trusting the (extended) phone network to not be evil. Why are you more afraid of the femtocell owner than you are of the phone company equipment? Oh right! We know we can trust the phone company to never make our connections available to a third party. Silly me.

    1. Anonymous Coward

      Re: It's your phone, not your femtocell

      "You don't need to worry about your own femtocell if you keep it physically secure"

      Well they do usually run a flavour of Linux, so unless patched regularly the remote vulnerability list is likely extensive....

      1. Anonymous Coward

        Re: It's your phone, not your femtocell

        "they do usually run a flavour of Linux". Just switch to Windows, problem solved.

  7. chipxtreme

    Oh dear, I have a 3 and EE femtocell at my house as I live near a main road and the builders put a nice barrier between my house and road to help block the noise, but in reality it just blocks mobile phone signals.

    The 3 one you have to register phone numbers on to use so I've had to register a few of my friends' numbers with 3 for when they come round but the EE one is open to anyone.

    Should I be worried?

    1. justincormack

      No you should be hacking it!

  8. PyLETS

    As much a human security issue as a technical one

    Presumably, a cell tower also isn't secure if someone can physically break into it. So the trust issue is mainly to do with the security of the individual/s and premises where the femtocell is housed, assuming it's intended for public as opposed to private service. It's still a good idea to make the hardware tamper resistant, as having femtocells hosted privately and not on secured premises owned by the network operators blurs the distinction between untrusted network outsiders and network insiders who have to be trusted and kept accountable.

    Making hardware reasonably tamper resistant is then a question of general risk management. There's no such thing as fully tamper proof. Even a bank ATM machine can be dragged out of a wall with a tractor and chains and taken and attacked elsewhere.

  9. another_vulture

    No, but your neighbors do.

    You don't need to worry unless you let someone come inside your house and connect a cable to the femtocell to get access to the OS. This report is about a local hack, not a remote hack to the femtocell.

    On the other hand, your neighbors, to whom you provided access, need to worry, because you have that physical access. This means that you can use this hack to monitor their phone calls and SMS messages.

    If you are really paranoid, you can protect against any future remote attack on your femtocell by ensuring that your router firewall is configured to stop all incoming access other than the IPsec tunnel, but there is currently no published remote attack. We can hope that the femtocell has internal firewall rules and other configurations that prevent remote logins.

  10. Anonymous Coward

    Proves the rule: no physical security, no security.
