Femtocells: A poisonous needle in the operator’s hay stack

By Ravishankar Borgaonkar, Nico Golde, Kevin Redon on 03 Aug 2011 @ Blackhat
📊 Presentation 📄 Whitepaper 📹 Video 🔗 Link
#network-pentesting #identity-theft #firmware-analysis
Focus Areas: 🔒 Data Privacy & Protection, 🔧 Hardware Security, 📡 IoT Security, 🌐 Network Security, 🔬 Reverse Engineering, 📚 Security Awareness

Presentation Material

Abstract

Femtocells are an emerging technology deployed by operators around the world to enhance 3G connectivity. These secured devices are installed in the customer's home and connect the mobile phone to the mobile network operator's core network using an existing broadband connection.

Various researchers have shown in the past that these devices are not secure and it is possible to compromise these devices. However, nobody has actually published further attacks that utilized the device. We will give a short introduction to femtocell technology and show different attacks based on a rogue femtocell. These attacks can target end-users being logged into a femtocell, femtocell owners, as well as network operators.

AI Generated Summary

This talk examines security vulnerabilities in 3G femtocells, small consumer-deployed base stations used by operators for coverage extension and traffic offloading. The research focuses on practical attacks enabled by compromising a commercially available femtocell from a major European operator.

The presenters first detail a method to gain root access on the device by exploiting flaws in its factory recovery procedure. The firmware download over HTTPS lacks proper server certificate validation, and the configuration list specifying the firmware’s public key is unsigned, allowing an attacker to install malicious firmware.

With a compromised femtocell, several attacks become feasible. The device's built-in "open access mode" and configurable network identifiers allow it to function as a full 3G IMSI catcher. This bypasses 3G's mutual authentication because the femtocell obtains valid authentication tokens from the operator's backend network. Voice traffic is carried as unencrypted RTP streams inside the IPsec tunnel to the operator, so hooking the device's key management functions is enough to recover it in the clear. SMS messages, carried over the proprietary GAN (Generic Access Network) signaling protocol, can be intercepted and modified via a proxy the presenters developed that relays and alters traffic between the phone and the network.

More severe attacks include subscriber impersonation. By caching authentication vectors from a victim’s initial registration and using a paging oracle to force the victim’s phone to respond to network challenges, an attacker can fully impersonate that subscriber to send premium-rate SMS or initiate free calls. Furthermore, a denial-of-service attack allows any femtocell user to be detached from the network by sending a forged, unauthenticated IMSI detach message; this works universally because all femtocells in the operator’s network are served by a single Visitor Location Register (VLR).

The work demonstrates that femtocells, due to their complex software stacks and remote management, introduce a concentrated attack surface. Compromising a single device threatens not only its owner but any subscriber within its radio range and, in some cases, any femtocell user on the same operator’s network. The vulnerabilities stem primarily from vendor implementation flaws in firmware update mechanisms and protocol handling.

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview — always refer to the original talk for authoritative content.