July 15, 2013
Verizon Femtocell Device Hacked, Turned Into Spying Machine
Michael Harper for redOrbit.com - Your Universe Online
After modifying the hardware of the network expander, the researchers were able to circumvent an update pushed out in March to prevent this kind of snooping. The duo demonstrated the proof-of-concept device to Reuters and said they plan to explain their methods later this summer at the BlackHat and DefCon conventions to take place in Las Vegas.
As it stands, this hack leaves only those devices on Verizon's network vulnerable and only those hackers who have altered the femtocell hardware in the same way as Tom Ritter and Doug DePerry, researchers with iSEC Partners, have done.
Femtocells are often offered by cell phone carriers to boost network strength in areas where customers experience low coverage. These network expanders can be purchased through Verizon for about $250 new, though used femtocells are available for closer to $150.
In their interview with Reuters, DePerry and Ritter were quick to point out that the NSA likely isn't using these techniques to surveil American citizens. That the pair felt it necessary to point this out reflects the amount of attention and concern held by the general public following the leak of documents which detailed the NSA's PRISM program meant to accommodate an unrestricted flow of information between tech companies like Apple and Google and the NSA and FBI.
"This is not about how the NSA would attack ordinary people. This is about how ordinary people would attack ordinary people," explained Ritter.
With their proof-of-concept device, DePerry and Ritter are able to use the Femtocell to spy on Verizon customers. Text messages sent back and forth between both Android and iPhones can be seen, including the pictures embedded in these messages. With this device, hackers could also spy on phone conversations. Though Android devices are often hailed as less secure than iPhones, the fact that this hack can affect both platforms is proof that the vulnerability exists on the network side as opposed to the software.
The researchers did not tell Reuters exactly how they had executed the hack, noting they did not want other hackers to create their own device and begin spying on hapless Verizon customers. Though they used a piece of Verizon-offered hardware, the carrier says they issued a patch for the specific hole exploited by DePerry and Ritter last March.
"The Verizon Wireless Network Extender remains a very secure and effective solution for our customers," explained David Samberg, a spokesperson for the carrier. He later mentioned there have been no reports of any customers being affected by this flaw. What's more, the researchers say the software fix did patch the hole, but because they modified the Samsung femtocells before the fix was released, they're still able to execute the hack today.
DePerry and Ritter also told Reuters that, with some work, they could use the general principles executed in this hack to build a larger, more intrusive device to spy on Verizon devices outside of a 40-foot range.