
Femtocell Security in Theory and Practice - NordSec 2013

Date post: 22-Sep-2020

What are femtocells?
Femtocell Security in Theory
Femtocell security in Practice

Femtocell Security in Theory and Practice
NordSec 2013

Fabian van den Broek & Ronny Wichers Schreur

Institute for Computing and Information Sciences – Digital Security
Radboud University Nijmegen

20 October 2013

Fabian van den Broek 20 October 2013 Femtocell Security 1 / 20


Femtocells

• “Small” cell tower
• Small range
• Low powered
• Cheap
• Installed by user
• Remote controlled by provider


Other cells

• Macro cell
• Micro cell
• Nano cell
• Femto cell


The Telco network


Authentication Keys

[Figure: diagram labels HNB, Internet, RNC, HNB-GW, SGSN, HSS, SeGW, HMS; regions RAN and Core Network]


Crypto Keys in GSM

[Figure: diagram labels HNB, Internet, RNC, HNB-GW, SGSN, HSS, SeGW, HMS; regions RAN and Core Network]


Crypto Keys in UMTS

[Figure: diagram labels HNB, Internet, RNC, HNB-GW, SGSN, HSS, SeGW, HMS; regions RAN and Core Network]


Crypto Keys in Femtocells (Ideally)

[Figure: diagram labels HNB, Internet, RNC, HNB-GW, SGSN, HSS, SeGW, HMS; regions RAN and Core Network]


Crypto Keys in Femtocells

[Figure: diagram labels HNB, Internet, RNC, HNB-GW, SGSN, HSS, SeGW, HMS; regions RAN and Core Network]


Femtocell Security


Which security goals are threatened by a compromised femtocell?

Security goal | Femto w/o session keys | Femto with session keys

User data confidentiality & integrity
Network authentication
Subscriber identity authentication
Subscriber identity confidentiality
Signaling confidentiality & integrity
Subscriber location privacy and untraceability
Availability


Earlier Femtocell Hacks

Vendor      Type
Sagemcom    Vodafone SureSignal [1]
Samsung     Verizon SCS-24UC4 [2] & SCS-2U01 & Sprint Airave
Ubiquisys   SFR Home 3G [3]

[1] The Hackers Choice
[2] Fasel and Jakubowski – Trustwave
[3] Borgaonkar, Redon and Seifert – TU Berlin


Our Attack


Secured against the previous attacks:
• no SSH running,
• different code published under GPL,
• holding power button did not trigger unsafe updates.


What we found in the memory

• A recovery partition
• A port-knocking daemon ;-)
• A binary listening to the opened port

adam

    #!/command/execlineb -S1
    # download command script
    if -n {
      forx -x 1 i { 1 2 3 }
      foreground { s6-sleep 5 }
      if -n { /bin/tftp -g -r femto3xx/originalsin -l /tmp/eve ${1} }
    }

    # add exec rights
    if { s6-chmod 0755 /tmp/eve }

    # execute script
    /tmp/eve ${1}
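The recovery script above fetches a file over TFTP, a protocol with no authentication or integrity protection, marks it executable and runs it. As an added example (not from the slides or the vendor), here is a heuristic a firmware reviewer could run over extracted scripts to flag that download-then-execute pattern; the function names, the verifier list and the signed variant of the script are assumptions constructed for illustration.

```python
import re

# Fetch tools and the option naming the local file: busybox tftp, wget, curl.
FETCHERS = {"tftp": "-l", "wget": "-O", "curl": "-o"}
# Assumed list of tools that count as an integrity check before execution.
VERIFIERS = {"openssl", "gpgv", "sha256sum", "signify", "minisign"}

def words_of(line):
    """Split a shell/execline line into words; drop comments and block braces."""
    code = line.split("#", 1)[0]
    return [w for w in re.split(r"\s+", code) if w and w not in ("{", "}")]

def audit(script):
    """Return (path, download_line, exec_line) for files fetched and run unverified."""
    downloaded, verified, findings = {}, set(), []
    for lineno, line in enumerate(script.splitlines(), 1):
        words = words_of(line)
        names = [w.rsplit("/", 1)[-1] for w in words]  # /bin/tftp -> tftp
        for tool, flag in FETCHERS.items():
            if tool in names:
                rest = words[names.index(tool) + 1:]
                if flag in rest[:-1]:
                    downloaded[rest[rest.index(flag) + 1]] = lineno
        if VERIFIERS & set(names):
            verified.update(w for w in words if w in downloaded)
        # Heuristic: a fetched path as the first word of a line is being executed.
        if words and words[0] in downloaded and words[0] not in verified:
            findings.append((words[0], downloaded[words[0]], lineno))
    return findings

# The script shown on the slide (blank lines and comments omitted).
SLIDE_SCRIPT = """\
#!/command/execlineb -S1
if -n {
  forx -x 1 i { 1 2 3 }
  foreground { s6-sleep 5 }
  if -n { /bin/tftp -g -r femto3xx/originalsin -l /tmp/eve ${1} }
}
if { s6-chmod 0755 /tmp/eve }
/tmp/eve ${1}
"""

# Constructed variant (hypothetical file names and key path) that checks a
# signature against a key stored on the device before running the download.
SIGNED_SCRIPT = """\
if { /bin/tftp -g -r recovery/script -l /tmp/script ${1} }
if { /bin/tftp -g -r recovery/script.sig -l /tmp/script.sig ${1} }
if { openssl dgst -sha256 -verify /etc/vendor.pub -signature /tmp/script.sig /tmp/script }
if { s6-chmod 0755 /tmp/script }
/tmp/script ${1}
"""

if __name__ == "__main__":
    print(audit(SLIDE_SCRIPT), audit(SIGNED_SCRIPT))
```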


Conclusions

• Femtocells should not receive user keys.
• Still femtocells introduce new weaknesses and make existing weaknesses easier to exploit.


Responsible disclosure

We informed Vodafone Netherlands of our findings.

Newer firmware versions already disabled the recovery mode. Our attack no longer works on this newer version.

Current femtos are shipped with the newer firmware and vulnerable femtos in the field were remotely upgraded.


Questions?


(Most) Relevant Specifications

• 3GPP TS 25.467 UTRAN architecture for 3G Home NodeB (HNB)
• 3GPP TS 33.320 Security of Home Node B (HNB) / Home evolved Node B (HeNB)
