This research was originally performed by researchers from iSEC Partners (now NCC Group). It has been migrated to research.nccgroup.com for posterity and can be downloaded below.
Black Hat 2013 – Femtocell Presentation Slides, Videos and App
19 Aug 2013 – Tom Ritter
We’re back from Las Vegas, rested, and finally ready to release the slides, videos, and our app from our presentation at Black Hat and Defcon: Traffic Interception and Remote Mobile Phone Cloning with a Compromised CDMA Femtocell.
Slides and videos
The slides are available here. The videos of our demos are up on YouTube:
- Phone Interception
- SMS Interception
- MMS Interception
- Active Attack on Data Traffic
- Two-and-a-Half Way Phone Call, demonstrating Cloning
An Android app to detect femtocells
The CDMA femtocells we examined differ from other personal wireless access points (a home Wi-Fi router, say) in that the user never chooses whether to connect to one: the handset selects the cell on its own, typically the one with the strongest signal. Because the phone gives you no say in which tower it camps on, the only way we could find to avoid communicating through a femtocell was to turn off the phone's cellular radio once it had connected to one.
FemtoCatcher runs on your Verizon Android smartphone and automatically switches your device into Airplane Mode, thus disabling all cellular connectivity, if it detects that your phone has connected to a femtocell. While this does render your cellular connectivity unavailable in areas where the strongest signal is a femtocell, we would rather have no service than be connected to a tower that could be used by an attacker to intercept our communications.
Some important notes on how FemtoCatcher works:
- FemtoCatcher uses the CDMA network ID (NID) reported through Android's telephony API to determine whether the phone is connected to a femtocell.
- We did not test how easy it would be for an attacker to change this information to fool the app, but we certainly don't rule it out: the NID is advertised by the cell itself, so a compromised femtocell could in principle report whatever value it likes.
- Some Verizon Android phones display an icon in the status bar and/or an ERI (Enhanced Roaming Indicator) banner of "Network Extender" when connected to a femtocell. The strategy FemtoCatcher uses to detect a femtocell is based on the same techniques those indicators use in Verizon ROMs.
- FemtoCatcher will not automatically take your phone out of airplane mode when you move away from a femtocell. You will be without service until you manually re-enable your connectivity. If FemtoCatcher is running and you are in range of a femtocell when you disable airplane mode, FemtoCatcher will quickly put your phone back in airplane mode.
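The detect-and-react loop the notes above describe, written out as an added example in Android Java. This is not FemtoCatcher's own source; it is a minimal service that watches the CDMA cell the handset is camped on, compares the cell's network ID against a set of femtocell NIDs, and flips the phone into Airplane Mode on a match. The package and class names are invented, and the `FEMTOCELL_NIDS` set is a placeholder: the real NID values a carrier assigns to its femtocells are not stated on this page and must come from the handset's ERI tables or from observation on a test device.

```java
// Added example, not FemtoCatcher's source. Package/class names are assumptions.
package com.example.femtowatch;

import android.app.Service;
import android.content.Context;
import android.content.Intent;
import android.os.IBinder;
import android.provider.Settings;
import android.telephony.CellLocation;
import android.telephony.PhoneStateListener;
import android.telephony.TelephonyManager;
import android.telephony.cdma.CdmaCellLocation;
import android.util.Log;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class FemtoWatchService extends Service {
    private static final String TAG = "FemtoWatch";

    // ASSUMPTION: placeholder value. Replace with the NID(s) your carrier's femtocells
    // advertise; the page does not give the values and neither does this example.
    private static final Set<Integer> FEMTOCELL_NIDS =
            new HashSet<Integer>(Arrays.asList(0xFFFF));

    private TelephonyManager telephony;

    // Fires on every hand-off, including the one that happens right after the user
    // turns Airplane Mode back off in range of a femtocell (so we go straight back in).
    private final PhoneStateListener cellListener = new PhoneStateListener() {
        @Override
        public void onCellLocationChanged(CellLocation location) {
            if (isFemtocell(location)) {
                CdmaCellLocation cdma = (CdmaCellLocation) location;
                Log.w(TAG, "Camped on femtocell SID=" + cdma.getSystemId()
                        + " NID=" + cdma.getNetworkId() + ", cutting the radio");
                enterAirplaneMode();
            }
        }
    };

    /** True when the reported cell carries a NID from the femtocell set. */
    static boolean isFemtocell(CellLocation location) {
        // Only CDMA cells expose SID/NID; a GSM handset reports GsmCellLocation instead.
        if (!(location instanceof CdmaCellLocation)) return false;
        int nid = ((CdmaCellLocation) location).getNetworkId();
        if (nid < 0) return false;  // -1 means "unknown", never treat that as a hit
        // Caveat: the NID is broadcast by the cell, so a compromised femtocell could
        // report a macro-cell NID and slip past this check.
        return FEMTOCELL_NIDS.contains(nid);
    }

    @Override
    public void onCreate() {
        super.onCreate();
        telephony = (TelephonyManager) getSystemService(Context.TELEPHONY_SERVICE);
        if (telephony.getPhoneType() != TelephonyManager.PHONE_TYPE_CDMA) {
            Log.i(TAG, "Not a CDMA handset, nothing to watch");
            stopSelf();
            return;
        }
        // Requires ACCESS_COARSE_LOCATION in the manifest.
        telephony.listen(cellListener, PhoneStateListener.LISTEN_CELL_LOCATION);
        // Also check the cell we are already on, not just future hand-offs.
        if (isFemtocell(telephony.getCellLocation())) enterAirplaneMode();
    }

    /** Switch the radio off. Never switches it back on: the user must do that by hand.
     *  Uses the pre-Android-4.2 settings key (needs WRITE_SETTINGS); from 4.2 the key
     *  moved to Settings.Global and is writable only by system-signed apps. */
    private void enterAirplaneMode() {
        boolean alreadyOn = Settings.System.getInt(getContentResolver(),
                Settings.System.AIRPLANE_MODE_ON, 0) == 1;
        if (alreadyOn) return;
        Settings.System.putInt(getContentResolver(), Settings.System.AIRPLANE_MODE_ON, 1);
        Intent i = new Intent(Intent.ACTION_AIRPLANE_MODE_CHANGED);
        i.putExtra("state", true);
        sendBroadcast(i);
    }

    @Override
    public void onDestroy() {
        if (telephony != null) telephony.listen(cellListener, PhoneStateListener.LISTEN_NONE);
        super.onDestroy();
    }

    @Override
    public IBinder onBind(Intent intent) { return null; }
}
```

Declare the service in the manifest along with `ACCESS_COARSE_LOCATION` and `WRITE_SETTINGS`, and start it from a boot receiver or an activity. The service only ever turns the radio off, which reproduces the behaviour described in the notes: after the user re-enables connectivity within range of a femtocell, the next `onCellLocationChanged` callback puts the phone back into Airplane Mode.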
Because of its imperfect and potentially confusing nature, we are not marketing FemtoCatcher to the general public, but rather to security minded people and those that are interested in femtocells. We built this tool for our own testing, but we encourage you to poke at the source code and use it as you see fit.