Femtocell Security in Theory and Practice

  • Fabian van den Broek
  • Ronny Wichers Schreur
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8208)

Abstract

Femtocells are low-powered cellular base stations for mobile telephone networks, meant for home use, but still operator managed. They are an increasingly popular solution, with the number of femtocells expected to outnumber the normal cell towers by Q1 of 2013 [1].

However, femtocells also introduce a number of security concerns. Several earlier femtocells have been hacked to varying degree and analyzed. Naturally, the industry has responded and tries to create more secure femtocells.

We provide a first comprehensive analysis of the risks of attacks, given a general femtocell model. This analysis results in two new attacks. We then illustrate some of the dangers by successfully compromising a specific femtocell: the SignaalPlus Plug & Play, sold in the Netherlands by Vodafone.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Small Cell Forum. Homepage of the Small Cell Forum, http://www.smallcellforum.org/ (visited in February 2013)
  2. 2.
    European Telecommunications Standards Institute, France. Universal Mobile Telecommunications System (UMTS); UTRAN architecture for 3G Home Node B (HNB); Stage 2, 3GPP TS 25.467 version 11.0.0 Release 11 (2012)Google Scholar
  3. 3.
    European Telecommunications Standards Institute, France. Universal Mobile Telecommunications System (UMTS); LTE; Security of Home Node B (HNB) / Home evolved Node B (HeNB) 3GPP TS 33.320 version 10.5.0 Release 10 (2012)Google Scholar
  4. 4.
    Chambers, D.: Femtocell Primer, 2nd edn. Lulu Enterprises Inc. (2010)Google Scholar
  5. 5.
    Zhang, J., de la Roche, G. (eds.): Femtocells: Technologies and Deployment. John Wiley & Sons, Ltd. (2009)Google Scholar
  6. 6.
    Ruggiero, M., Boccuzzi, J.: Femtocells: Design & Application. McGraw Hill Professional (2010)Google Scholar
  7. 7.
    Rajavelsamy, R., Lee, J., Choi, S.: Towards security architecture for home (evolved) nodeb: challenges, requirements and solutions. Security and Communication Networks 4(4), 471–481 (2011)CrossRefGoogle Scholar
  8. 8.
    Han, C.-K., Choi, H.-K., Kim, I.-H.: Building femtocell more secure with improved proxy signature. In: GLOBECOM IEEE (December 2009)Google Scholar
  9. 9.
    Segura, V., Lahuerta, J.: Modeling the economic incentives of ddos attacks: Femtocell case study. In: EISP 2010. Springer US (2010)Google Scholar
  10. 10.
    THC. THC website detailing an attack against a Vodafone SureSignal femtocell, http://wiki.thc.org/vodafone (visited in February 2013)
  11. 11.
    Trustwave. Announcement of the samsung femtocell, https://www.trustwave.com/pressReleases.php?n=012810 (visited in March 2013)
  12. 12.
    Fasel, Z., Jakubowski, M.: Website detailing how to root the samsung femtocell, http://rsaxvc.net/blog/2011/7/17/Gaining%20root%20on%20Samsung%20FemtoCells.html (visited in March 2013)
  13. 13.
    Borgaonkar, R., Redon, K., Seifert, J.-P.: Security analysis of a femtocell device. In: SIN 2011. ACM, New York (2011)Google Scholar
  14. 14.
    Golde, N., Redon, K., Borgaonkar, R.: Weaponizing femtocells: the effect of roque devices on mobile telecommunication. In: NDSS 2012. The Internet Society (2012)Google Scholar
  15. 15.
    Arapinis, M., Mancini, L., Ritter, E., Ryan, M., Golde, N., Redon, K., Borgaonkar, R.: New privacy issues in mobile telephony: fix and verification. In: CCS 2012. ACM, New York (2012)Google Scholar
  16. 16.
    European Telecommunications Standards Institute, France. Universal Mobile Telecommunications System (UMTS); 3G Security; Security Principles and Objectives, 3GPP TS 33.120 version 4.0.0 Release 4 (2001)Google Scholar
  17. 17.
    European Telecommunications Standards Institute, France. Universal Mobile Telecommunications System (UMTS); Formal Analysis of the 3G Authentication Protocol, 3GPP TR 33.902 version 4.0.0, Release 4 (2001)Google Scholar
  18. 18.
    European Telecommunications Standards Institute, France. Digital cellular telecommunications system (Phase 2+);UMTS;LTE;3G security;Security architecture, 3GPP TS 33.102 version 11.5.0 Release 11 (2013)Google Scholar
  19. 19.
    European Telecommunications Standards Institute, France. Digital cellular telecommunications system (Phase 2+); Security aspects, EN 300 920 / GSM 02.09 (1998)Google Scholar
  20. 20.
    Tsay, J.-K., Mjølsnes, S.F.: A vulnerability in the UMTS and LTE authentication and key agreement protocols. In: Kotenko, I., Skormin, V. (eds.) MMM-ACNS 2012. LNCS, vol. 7531, pp. 65–76. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  21. 21.
  22. 22.
    European Telecommunications Standards Institute, France. Universal Mobile Telecommunications System (UMTS); 3G Security; Security Threats and Requirements. 3GPP TS 21.133 version 4.1.0 Release 4 (2001)Google Scholar
  23. 23.
    Mulliner, C., Golde, N., Seifert, J.-P.: Sms of death: From analyzing to attacking mobile phones on a large scale. In: USENIX Security Symposium (2011)Google Scholar
  24. 24.
    Munaut, S.: IMSI detach DoS (April 2001), http://www.blackhat.com/presentations/bh-asia-01/gadiax.ppt
  25. 25.
    P1Security. website detailing a fuzzing product for telco core-networks, http://www.p1sec.com/corp/products/p1-telecom-fuzzer-ptf/ (visited in March 2013)

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Fabian van den Broek
    • 1
  • Ronny Wichers Schreur
    • 1
  1. 1.Digital SecurityRadboud University NijmegenThe Netherlands

Personalised recommendations