Mobile phones and carriers trust the traditional base stations, which serve as the interface between the mobile devices and the fixed-line communication network. Femtocells, miniature cellular base stations installed in homes and businesses, are equally trusted yet are placed in possibly untrustworthy hands. By making several modifications to a commercially available femtocell, we evaluate the impact of attacks originating from a compromised device. We show that such a rogue device can violate all the important aspects of security for mobile subscribers, including tracking phones, intercepting communication and even modifying and impersonating traffic. The specification also enables femtocells to communicate directly with other femtocells over a VPN, and the carrier we examined had no filtering on such communication, enabling a single rogue femtocell to communicate directly with (and thus potentially attack) all other femtocells within the carrier’s network.
Kévin Redon first learned about telecommunication networks during a lecture at university. He preferred computer networks though, which are far less complicated and cumbersome. Later, another teacher gave him the opportunity to play with a base station. Since then he has looked at the security of different aspects, going from the SIM card, through basebands, to femtocells. After showing several vulnerabilities at conferences, he joined the product security team of Qualcomm to try to improve the state.