Hacking exposed mobile


Hacking Exposed: Mobile Security Secrets & Solutions

Some carriers have chosen to limit femtocell device associations only to a customercontrolled whitelist, whereas others have simply said that any phone capable of connecting to the MNO’s network can also connect to their femtocells. Let’s take a second and dissect that decision, shall we? If the femtocell allows only connections from a whitelist, we have a trade-off among a number of factors—customer experience, MNO benefit, and security. In current deployments, we see mostly a compromise between customer experience (they don’t have to do anything to make a femtocell “work”) and benefit to the MNO (all customers can enjoy improved service even if they don’t purchase a femtocell; they only have to be near a customer who did). Combine this with the current femtocell design, which gives you a highly capable network platform, and you end up with a potential security problem: people can create rogue base stations that they, not the MNO, control. This setup provides those with, let’s say, low moral fiber the opportunity to sniff phone conversations, SMS, and data connections from unsuspecting passersby whose mobile devices will promiscuously join the rogue base station. The only real limit to this problem is physics: most femtocells employ very basic antennas, and those antennas have limited coverage. However, in our experience, it takes less than $100 to enhance the antenna, increase the transmit power, and dramatically increase the range of the compromised femtocell. A pretty nasty piece of gear. On the other hand, those MNOs that have limited their femtocell membership to a few IMSIs still have the problem of a highly capable platform being deployed that can, in some cases, request extremely valuable information from the backhaul, for instance, encryption keys. 
So although those MNOs that have limited their membership have limited the “rogue base station attack” problem, they still have let a (relatively) open gateway onto the cellular network itself, which in the wrong hands could yield access to sensitive customer information—information that could be used to clone a subscriber identity module successfully and potentially harm both the customer and the MNO.

Countermeasures for Rogue Femtocells

Given the popularity and widespread use of femtocells, we’re not going to put this genie back in the bottle anytime soon. However, there are some things that MNOs and others can do about femtocell design that could improve the situation. Ideally, what would be easiest here would be to create a device that looks a lot like today’s femtocell, yet lacks the authority to request information regarding a particular subscriber. This new-age femtocell would protect MNOs and customers from most attacks, but it would still give a determined attacker the capability to pretend to be an MNO—something that, most likely, the MNO would not enjoy. To solve this problem, we have to swing our gaze over to handset makers and the standards committees that write up protocols and interfaces. Funny enough, GSM networks never really had the notion that the network would have to identify itself to the handset; rather, the security is supposed to go from “outside in,” you might say. To get on the network, a mobile station has to go through hoops like answering challenges, providing a valid serial or equipment number, obeying all traffic
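To make the "outside in" point concrete, here is an added toy model (not from the book, and a deliberate simplification rather than the real GSM/3GPP procedure): a handset that answers any challenge in the one-way style will talk to a base station that holds no subscriber key, whereas a handset that first demands a network-authentication token bound to a fresh sequence number rejects it. The key K, the HMAC construction and the field names are constructed for the example.

```python
import hmac
import hashlib
import os
from typing import Optional, Tuple

# Constructed model: K is shared only between the SIM and the MNO core network.
# A base station lacking K can still *issue* challenges, but cannot compute a valid AUTN.

def _mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def network_challenge(core_key: Optional[bytes], sqn: int) -> dict:
    """Build a challenge. A genuine core attaches AUTN = MAC_K(RAND || SQN);
    a station without K (core_key=None) can only fill AUTN with garbage."""
    rand = os.urandom(16)
    sqn_b = sqn.to_bytes(6, "big")
    autn = _mac(core_key, rand, sqn_b) if core_key else os.urandom(32)
    return {"rand": rand, "sqn": sqn_b, "autn": autn}

def handset_respond_gsm(k: bytes, chal: dict) -> bytes:
    """One-way (GSM-style) handset: answers whoever asks, never checks the sender."""
    return _mac(k, chal["rand"])[:4]

def handset_respond_mutual(k: bytes, chal: dict, last_sqn: int) -> Tuple[Optional[bytes], int]:
    """Mutual-auth handset: verify AUTN and freshness before answering.
    Returns (RES, updated sequence number); RES is None when the network is rejected."""
    expected = _mac(k, chal["rand"], chal["sqn"])
    sqn = int.from_bytes(chal["sqn"], "big")
    if not hmac.compare_digest(expected, chal["autn"]) or sqn <= last_sqn:
        return None, last_sqn  # reject: sender did not prove it holds K, or replayed
    return _mac(k, chal["rand"])[:4], sqn

if __name__ == "__main__":
    K = bytes(range(16))                          # constructed subscriber key
    genuine = network_challenge(K, sqn=5)
    rogue = network_challenge(None, sqn=5)        # station without K
    print("GSM-style answers rogue:", handset_respond_gsm(K, rogue) is not None)
    print("Mutual rejects rogue:", handset_respond_mutual(K, rogue, 4)[0] is None)
    print("Mutual accepts genuine:", handset_respond_mutual(K, genuine, 4)[0] is not None)
```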