A $250 piece of hardware known as a femtocell, used to boost mobile phone signals for consumers and small businesses, is vulnerable to a complete takeover that attackers can use to intercept Internet traffic and cell phone calls.
Two researchers from iSEC Partners are expected to provide more details on the technique at the Black Hat Briefings and DEF CON in Las Vegas in two weeks. In the meantime, a firmware update released by Verizon patches the vulnerabilities in two versions of its Verizon Wireless Network Extender, models SCS-26UC4 and SCS-2U01, both made by Samsung. The researchers said that up to 30 carriers’ hardware could be impacted, leaving many devices vulnerable.
The femtocell works as a low-power cellular base station that connects to a mobile network provider via a subscriber’s home Internet connection. Mobile phones within range of the femtocell will connect to it and the device acts as a cell tower and will route calls. Researchers Tom Ritter and Doug DePerry of iSEC customized a HDMI cable to exploit the vulnerability. According to an alert from CERT at Carnegie Mellon University, the researchers also found a separate vulnerability in the CDMA authentication code used by the femtocells that could allow an attacker to clone a mobile phone.
Ritter and DePerry demonstrated their attack for Reuters, the news agency said. A Verizon spokesman told Reuters there have been no reports of customers impacted by the bug. A video of part of the demonstration can be seen here.
“The level of technical skill you need to break into one of these, people are learning in college,” Ritter said in the video. “Frankly, these devices scare us.”
According to CERT, with the older SCS-26UC4 model, attackers are able to exploit a built-in delay of the device’s bootloader to gain root access. “To be able to exploit this vulnerability, a special console cable must be created with an HDMI connector to connect to the device,” the alert said, adding that once an attacker is able to view boot output, they are five steps away from a root shell.
As for the SCS-2U01 model, root access is possible even without the bootloader delay, which is not present in this model. Instead, an attacker would take advantage of a System Request (SysReq) interrupt.
“If successfully applied, this command will halt boot process and drop the user to a login prompt, where it is possible to login as the root user,” the alert said. “As with the previous exploit, it is first necessary to create a console cable to be able to view and send commands to the device.”
Finally, CERT said the Verizon Network Extender does not use CAVE or Cellular Authentication and Voice Encryption, using instead the electronic serial number (ESN) or mobile identification number (MIN) as a unique identifier.
“These numbers can usually be obtained with physical access to a phone, or by sniffing registration packets as they transit the Network Extender. Combining the above root access flaws with a lack of proper authentication, it is possible to run custom code on the Network Extender that will obtain the ESN and MIN from any phone within range,” said the alert, which also suggests a number of mitigations. “Using these numbers, a phone can be cloned without direct physical access and without a user’s knowledge, although association to the Network Extender is required.”
_Image courtesy of Digitpedia. _