At our office we have bad reception for 3G. We bought a Femtocell device that provides a 3G connection for one specific mobile provider. This device is connected to our network via ethernet. I cannot use this device at our office, because I use another provider.

Thinking about this - it could be that I use connections like this without knowing it. Take imaginary John, living in an area where the connection is bad. He has bought and installed his own Femtocell at home. Not only does he connect to this device, but so does everybody else in range of this device, right?

When my direct connection to my provider fails, and I'm in range of John's home femtocell, my SMS, phone conversations and internet data are transferred over his home network.

  1. Is this traffic encrypted and safe?
  2. Is it true that anybody can connect to this device and use bandwidth?
  3. When a phone connects to this femtocell, does it have access to the local LAN?
SPRBRN

3 Answers

Whether the traffic is encrypted is up to the femtocell manufacturer. You haven't provided many details, so I can only suggest you pull out Wireshark and see what happens. Most likely the traffic goes through via SSL, although I wouldn't be surprised if there were no mechanism for updating CRLs and/or maintenance and open ports on the cell itself.

If I were to implement it, a low-cost solution would be to put a self-signed certificate on the box. The chances of somebody breaking into the hardware, stealing the certificate and using it for impersonating MitM attacks are small and if somebody is so well intentioned there are better devices such as stingrays which are less apparent. I've mentioned the need to stay low-cost as these devices are produced with tiny margins and often subsidised by the mobile operator.

Regarding your second question - whether anybody can connect to the device - the answer is both yes and no. When I asked my provider to set me up with a femtocell they asked for my mobile number and I suppose they set up the cell to recognise my IMEI - and since the device has no 'control panel' and it's behind my home router's NAT, I assume there is some kind of ACL the device pulls remotely to see who is allowed to connect and who is not. Therefore, anyone authorized can connect, and this is probably defined server-side. Unfortunately I do not know enough about GSM standards to be sure how this is done in detail.

Lastly, regarding whether a phone has access to the local LAN, in the device I use this is not the case. In fact, I can "go online with 3G" through the femtocell and my phone's IP is of the mobile provider, not of my ISP. Therefore all traffic (data and voice) must be simply sent over the SSL tunnel to the mobile operator, which then takes care of routing it accordingly. I'm again assuming that, given the low cost of the device, a mobile operator has no interest in setting up complex routing policies to let data traffic go through a customer's LAN. This would also reduce helpdesk costs, as dealing with a home network might be very complex.

lorenzog

According to this, your traffic is encrypted and safe (IPsec).

According to wikipedia's article on Femtocells, you have to manually authorize what phone is able to connect to the network (and there is an upper limit), and these phones have to be on the same mobile provider as the femtocell's.

So if John wants to spy on you, he has to authorize your phone and you have to be on the same provider. He also has to act as MitM and break the encryption, or install a rogue femtocell (you definitely have really interesting information on your phone if it comes to that).

From what I've read here and there, no, you don't have access to the local LAN; everything is encapsulated in their telecom-specific protocols, so you do go through the local LAN but you can't see it. It's as transparent as using a regular cell tower, except for coverage.

Now if John works for the NSA, he probably uses a fake femtocell, and you're screwed. (check here)

zX8iqV
This is based on personal experience with a femtocell issued by the German chapter of O2 (a branded Alcatel-Lucent 9361). For other femtocells and operators, the configuration might be different.

Setting up a Whitelist of Cell Users

By default, every O2 customer (and those roaming from other operators and countries, of course) is allowed to connect to their femtocells, but you can call them and register a bunch of numbers as a whitelist, denying all others from using the cell.

Usually, all configuration is performed remotely by the network operator; you have no direct access to the box. To be sure whether you could configure a whitelist, you will probably have to get in touch with the network operator issuing the box.

As the range is rather limited anyway, I did not have to apply a whitelist. I observe another phone making a call or data transfer every now and then (there is an LED indicating sessions), but it's rare enough that I don't mind (in particular, I never had problems with all four possible sessions being occupied by others); and in the end I'm just being nice to the neighbors, who would also suffer from bad reception.

Data Transmission

At least the Alcatel box as configured by O2 seems to do security right: no open ports, and all data is transmitted through an IPsec VPN. I didn't try any man-in-the-middle attacks with faked certificates or similar attacks, though.

At 31C3, there was a talk about getting access to SS7 (the inter-network mobile backbone communication infrastructure). It was discussed that one of the possible ways is having a femtocell; at least in the beginning of femtocells being issued, it seems there have been providers considering your own network and the internet in-between as a trusted network.

Jens Erat
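The first answer suggests pulling out Wireshark, and the last one reports "no open ports, everything over an IPsec VPN". The following is an added example (not code from the question or from any of the answers) that turns that check into a small audit: it takes per-flow records of the kind you would export from Wireshark's conversation statistics for the femtocell's LAN address and labels each outbound flow as IPsec (IKE, NAT-T or ESP), bootstrap traffic the box needs before the tunnel is up, traffic to other LAN hosts (question 3), or cleartext that a LAN neighbour could read. The femtocell address, LAN range, gateway and the flow records themselves are constructed assumptions.

```python
# Added example, not from the question or answers: audit a femtocell's outbound
# flows. FEMTO_IP, LAN, GATEWAY and SAMPLE_FLOWS are constructed assumptions.
import ipaddress
from collections import Counter

FEMTO_IP = "192.168.1.50"                      # assumed femtocell LAN address
LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed home/office LAN
GATEWAY = "192.168.1.1"                        # assumed router / DNS forwarder

# An IPsec-tunnelled femtocell should only show IKE (UDP/500), NAT-T
# IKE+ESP (UDP/4500) or raw ESP (IP protocol 50) towards the operator.
IPSEC = {("udp", 500), ("udp", 4500), ("esp", None)}
# Things a box legitimately needs before the tunnel is up (DNS, NTP, HTTPS).
BOOTSTRAP = {("udp", 53), ("udp", 123), ("tcp", 443)}

def classify(flow):
    """Label one outbound flow by what it reveals to a LAN observer."""
    dst = ipaddress.ip_address(flow["dst"])
    if dst in LAN and flow["dst"] != GATEWAY:
        return "lan"                 # the cell is talking to a LAN host
    key = (flow["proto"], flow.get("dport"))
    if key in IPSEC:
        return "ipsec"
    if key in BOOTSTRAP:
        return "bootstrap"
    return "cleartext"               # anything else leaving the box

def audit(flows, femto_ip=FEMTO_IP):
    """Byte totals per label for the cell's outbound flows, plus findings."""
    totals, findings = Counter(), []
    for f in flows:
        if f["src"] != femto_ip:
            continue                 # only traffic originated by the cell
        label = classify(f)
        totals[label] += f["bytes"]
        if label in ("lan", "cleartext"):
            findings.append((label, f["dst"], f["proto"], f.get("dport")))
    return totals, findings

# Constructed sample: a healthy IPsec session plus two flows worth a look.
SAMPLE_FLOWS = [
    {"src": FEMTO_IP, "dst": "203.0.113.10", "proto": "udp", "dport": 500, "bytes": 1200},
    {"src": FEMTO_IP, "dst": "203.0.113.10", "proto": "udp", "dport": 4500, "bytes": 84000},
    {"src": FEMTO_IP, "dst": GATEWAY, "proto": "udp", "dport": 53, "bytes": 300},
    {"src": FEMTO_IP, "dst": "203.0.113.20", "proto": "tcp", "dport": 80, "bytes": 5100},
    {"src": FEMTO_IP, "dst": "192.168.1.7", "proto": "tcp", "dport": 445, "bytes": 900},
    {"src": "192.168.1.7", "dst": FEMTO_IP, "proto": "tcp", "dport": 80, "bytes": 400},
]
```

Run `audit(SAMPLE_FLOWS)`: on the sample it reports the HTTP flow to the operator side as cleartext and the SMB flow to a LAN host as LAN access, which is exactly what a tunnelled, LAN-isolated box should never show.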