Weaponizing Femtocells: The Effect of Rogue Devices on Mobile Telecommunication Nico Golde, K´evin Redon, Ravishankar Borgaonkar Security in Telecommunications Technische Universit¨at Berlin {nico,kredon,ravii}@sec.t-labs.tu-berlin.de Abstract to fixed-line networks through dual-stack handsets (radio communication over Wi-Fi) or femtocells. Mobile phones and carriers trust the traditional base A femtocell is a small cellular base station that is typi- stations which serve as the interface between the mobile cally deployed in home or business environments. It is con- devices and the fixed-line communication network. Fem- nected to the operator’s network via a broadbandconnection tocells, miniature cellular base stations installed in homes such as DSL. By deploying these inexpensive devices, car- and businesses, are equally trusted yet are placed in possi- riers are offloading mobile data and voice traffic from their bly untrustworthy hands. By making several modifications infrastructure to a fixed broadband line provided by the cus- to a commercially available femtocell, we evaluate the im- tomer. Furthermore, the customer takes care of the device pact of attacks originating from a compromised device. We installation and maintenance by simply attaching it to a lo- show that such a rogue device can violate all the important cal network. This enables operators to both reduce their aspects of security for mobile subscribers, including track- costs and solve targeted reception problems in indoor envi- ing phones, intercepting communication and even modify- ronments. Unlike techniques where the phone directly of- ing and impersonating traffic. The specification also en- floads the connection through a Wi-Fi network, femtocells ables femtocells to directly communicate with other fem- do not require handsets to operate in a dual-stack mode, as tocells over a VPN and the carrier we examined had no the femtocell is acting as a normal base station, offering filtering on such communication, enabling a single rogue improved radio coverage, high mobile data rates, and high femtocell to directly communicate with (and thus potentially voice quality to subscribers. attack) all other femtocells within the carrier’s network. As of the first quarter of 2011, 19 operatorshave adopted femtocell technology in 13 countries around the world and many others are running field trials [25]. This number has increased to 31 operators in 20 countries during the sec- 1 Introduction ond quarter of 2011 [26], including high profile operators such as Vodafone, Movistar, AT&T, SFR, China Unicom, During the last years, there has been significant growth in and NTT DoCoMo. Informa estimated that carriers have Fixed Mobile Convergence (FMC), mostly due to the popu- deployed 2.3 million femtocell access points at the end of larity of Wi-Fi networks, inexpensive mobile data rates, and 2010 and forecasts it to reach 49 million in 2014 [26]. the increasing usage of smartphones. At the end of 2010, Thus there are now large fractions of operator infrastruc- one fifth of more than five billion mobile subscriptions glob- ture which communicate over the Internet and which are de- ally had access to mobile broadband [15]. Subsequently, ployed at locations where users and adversaries have phys- mobile generated data traffic is rapidly increasing and has ical access to the equipment. Due to this situation, these been predicted [18] to reach a compoundannual growth rate devices may become an appealing target to perform attacks (CAGR) of 92% between 2010 and 2015. Therefore, Mo- on mobile communication, or use them as a stepping-stone bile Network Operators (MNOs) are exploring different so- for attacks targeting the operator’s network. Therefore, se- lutions to offload the increasing data traffic and bandwidth curity is one of the top priorities for operators during the requirements towards networks such as Wi-Fi and femto- deployment process of these devices. cells, instead of expanding their existing expensive Third We believe that it is a fundamental flaw of the 3G spec- Generation (3G) networks. One estimate suggests [19] that ifications to treat base stations as trusted devices. This 31% of the global smartphone traffic in 2010 was offloaded becomes even more important in the context of femto- cells. Femtocells involve different aspects of security in- The key contributions of this paper are: cluding integrity of the device, access control mechanisms, • End-User Risk Assessment: We demonstrate that at- and protection of the software update process. Among the tacks based on a rogue femtocell can easily compro- top threats [4] identified by the industry are: booting the mise all important security aspects for mobile phone device with modified firmware; software and configura- users, namely integrity, authenticity, confidentiality, tion changes; eavesdropping on user data; masquerading as and availability. Such attacks include intercepting, other users; traffic tunneling between femtocells; Denial of modifying or impersonating user-generated mobile Service attacks against femtocells and core network parts. communication traffic. These attacks are inherent in While these threats are defined abstractly, their practical im- the basic architecture of current femtocells and are car- pact on mobile communication is rather unclear. We aim to rier independent. measure the scale of such impact in a real operator network, conducting a practical security analysis of a femtocell de- • Femtocell/Infrastructure Weakness Analysis: We vice available to the public. characterize network based attacks originating from a Despite the importance of femtocell security, it is well rogue femtocell device. Moreover, we highlight the known [29, 17, 16, 46] that it is possible to get root level ac- design concerns of the femtocell security architecture cess to these devices. However, the negative consequences in the procedure of attack exploration and experimen- of rogue devices on mobile communication have not been tation. We exhibit how these issues conflict with some thoroughly analyzed yet. In this paper, we show that rogue of the basic 3G security principles and requirements. devices pose a serious threat to mobile communication by • Implementation and Evaluation: We developed a set evaluating the security impact of femtocell-originated at- of attack-software to both implement attacks and en- tacks. We begin with an experimental analysis of security able interactions with critical components of the op- threats affecting end-users; both end-users deliberately us- erator infrastructure. Furthermore, we evaluated the ing such a device as well as those who are not intention- presented attacks based on a commercially deployed ally booked into the cell (e.g. by means of a 3G IMSI- femtocell in a real operator network, highlighting the Catcher). Furthermore, we evaluate the risk of femtocell- problems inherent with this new technology. based attacks against the mobile communication infrastruc- ture. This includes operator components and femtocells Both the operator as well as the vendor have been notified owned by other subscribers. We investigate how these com- of our research results. The implementation specific flaws ponents can be accessed and what type of network-based have been addressed by the femtocell vendor in firmware attacks are possible against them. Moreover, we argue how version V2.0.24.1. femtocell features in combination with common software vulnerabilities can provide a suitable environment to per- The remainder of the paper is organized as follows. In form signaling attacks or allow to turn the femtocell net- Section 2 we provide a brief overview of the femtocell in- work into a global interception and attacking network. frastructure and involved network components as well as describing how they are cooperating with each other. In While these devices run flavors of the Linux operating Section 3 we demonstrate attacks based on a rogue femto- system, large parts of the functionality are provided by un- cell against end-users and their impact on mobile commu- documented, proprietary binaries. Therefore, we conducted nication. Section 4 describes experimental attacks targeting a vulnerability analysis of the femtocell and network archi- the femtocell infrastructure. In Section 5, we present vul- tecture using a mixture of reverse engineering and experi- nerabilities in the femtocell security architecture and dis- mental testing. In our work, we concentrate on a device de- cuss the overall effect on the 3G security principles. Sec- ployed by the operator Soci´et´eFranc¸aise du Radiot´el´ephone tion 6 discusses related work and how our research extends (SFR): the SFR Home 3G [41] femtocell. SFR is the sec- previous work in this area. Finally, we briefly conclude our ond largest mobile phone operator in France and has been research in Section 7. among the early adopters of this technology [42]. However, due to the design of the femtocell architecture, most of the attacks presented in this work are not limited to this specific 2 Background and Overview of the 3G Sys- operator or device. During our analysis, we have found sev- tem Architecture eral security critical attack vectors that can be leveraged to the previously mentioned threats defined by the industry. This section briefly describes the 3G infrastructure and We will outline the risks of the femtocell technology that exhibits how the architecture integrates femtocells. Addi- are caused due to a combination of operator specific config- tionally we discuss how femtocells can be compromised uration mistakes and problems inherent in the design of the by an attacker and turned into rogue devices. The techni- femtocell architecture. cal term for a femtocell in a 3G network is Home Node B (HNB) [14]. We will attempt to use common terms rather than industry specific terms throughoutthis work, but some- times using industry acronyms is unavoidable, thus a com- plete list of abbreviations can be found in the appendices. 2.1 3G Architecture Mobile Station Core Network (CN) In the following paragraph, we give an overview of the (MS) 3G architecture as defined by 3rd Generation Partnership Access Network (AN) Project (3GPP) [9] and as illustrated in a simplified version in Figure 1.