UMA FemtoCell Security Concerns
Cell phone carriers are constantly exploring ways to expand their coverage and penetrate the last mile to offer convergence services to their customers. UMA and femtocells are new technologies on the horizon which offer these benefits to wireless telecom carriers at huge cost savings.
Market research firm ABI predicts that by 2012 there will be an installed base of 70 million femtocells serving more than 150 million people, with 70 billion dollars in savings for the providers. Femtocells are like home routers with a built-in transceiver to serve a femto-cellular network (10-15th area ~ 4000 sq. feet).
Femtocells are in-home cellular access points that connect via the home broadband connection to the carrier’s switching system and in turn provide a localized cell phone service. Mainly introduced as a way to increase in-building coverage, they are now seen as a cheap way to deliver mobile 3G services to the last mile.
Since femtocells function like actual cell phone towers, no modification is needed on existing handsets; this is what makes femtocells more desirable compared to UMA. Further, in the CDMA world power efficiency increases with a stronger signal. In the presence of femtocells the signal is stronger, and CDMA phones exhibit higher power conservation.
Unlicensed Mobile Access (UMA), also known as Generic Access Network (GAN), is a technology for in-building coverage which relies on unlicensed radio access technologies like Bluetooth or 802.11 (WLAN) to provide coverage while the mobile handset is indoors or near public WiFi networks. UMA requires dual-mode phones (WiFi-GSM, Bluetooth-GSM) which seamlessly transition between cellular and unlicensed wireless spectrum; this new equipment requirement is an upfront additional cost for the subscriber. In the short run UMA is gaining more popularity in the US and Europe, but it is expected that in the long run femtocells will lead. T-Mobile USA has the hotspot@home UMA service and Sprint has a limited launch of femtocells in some markets.
From a security perspective, both these technologies create a secure tunnel to the carrier’s gateway and interact with the exchange to switch the call to the desired circuit. UMA-capable mobile handsets use EAP-SIM [RFC 4186] to create IPsec VPN tunnels to the UMA Network Controllers (UNCs) in the carrier network. UNCs don’t distinguish an authenticated connection from a phone from one made by a laptop: as long as the EAP-SIM authentication succeeds, the device is attached to the provider’s network, giving attackers a nifty way to attach to the carrier’s core network. EAP-SIM uses a secret key stored in the SIM as the starting material (among others) for the key-derivation process for the VPN tunnel. This key can be copied from the SIM using SIM card reading tools. Armed with the secret key and an EAP-SIM supplicant, an attacker can authenticate her workstation to the UNC and create a successful VPN tunnel. EAP-SIM does not provide session independence, i.e. the cipher key produced remains the same as long as the initial SIM secret key is the same. Knowledge of the cipher key allows an attacker to eavesdrop on the communications. Dual-mode phones can also be targeted by localized DoS attacks or resource starvation to prevent a user’s phone from handing off to the UMA network.
UMA networks should use EAP-AKA [RFC 4187] to mitigate the key compromise risks associated with EAP-SIM; however, this requires the dual-mode phone to be 3rd generation and to use a USIM (UMTS SIM). DoS issues are difficult to defend against in dual-mode handsets; the mobile phone OS can help somewhat in this regard by implementing basic firewalls. Similarly, femtocell manufacturers need to ensure that every device has unique encryption keys and that the keys are not recoverable from the hardware. Mutual authentication and session independence are key to a secure femtocell transceiver design.
It is essential for carriers to place IDS and network segregation devices to monitor for network intrusion from UMA/femtocell mobile devices. Femtocells have certain provisioning parameters that carriers can set remotely to make sure only the subscriber’s phones are able to use the particular femtocell; this ensures your neighbor doesn’t talk on your femtocell.
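One check such monitoring could include, given that the UNC cannot tell a phone from any other device holding the same SIM credentials, is to flag a subscriber identity that has tunnels up from two different sources at once. The following is an added example, not code from the original post; the log format, event names and sample records are constructed assumptions.

```python
from datetime import datetime

# Constructed sample in a hypothetical UNC log format: timestamp event imsi=... src=...
SAMPLE_LOG = """\
2008-03-01T10:00:00 TUNNEL_UP imsi=001010000000001 src=198.51.100.10
2008-03-01T10:05:00 TUNNEL_UP imsi=001010000000002 src=198.51.100.20
2008-03-01T10:20:00 TUNNEL_UP imsi=001010000000001 src=203.0.113.77
2008-03-01T10:30:00 TUNNEL_DOWN imsi=001010000000002 src=198.51.100.20
2008-03-01T10:40:00 TUNNEL_UP imsi=001010000000002 src=192.0.2.5
2008-03-01T10:50:00 TUNNEL_DOWN imsi=001010000000001 src=198.51.100.10
"""

def parse_line(line):
    """Return (timestamp, event, imsi, src), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4 or parts[1] not in ("TUNNEL_UP", "TUNNEL_DOWN"):
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    if "imsi" not in fields or "src" not in fields:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], fields["imsi"], fields["src"]

def find_concurrent_identities(log_text):
    """Alert when one IMSI opens a tunnel while another source still holds one."""
    active = {}   # imsi -> set of source addresses with a tunnel currently up
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or malformed records
        ts, event, imsi, src = rec
        sources = active.setdefault(imsi, set())
        if event == "TUNNEL_UP":
            others = sorted(sources - {src})
            if others:  # same identity already attached from elsewhere
                alerts.append((ts.isoformat(), imsi, others, src))
            sources.add(src)
        else:
            sources.discard(src)  # tunnel closed; a later move is not an overlap
    return alerts

if __name__ == "__main__":
    for ts, imsi, others, src in find_concurrent_identities(SAMPLE_LOG):
        print(f"{ts} ALERT imsi={imsi} new tunnel from {src} while active from {others}")
```

In the sample, the second subscriber moving to a new address after its tunnel closed raises no alert; only the overlapping sessions for the first identity do.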
To recap:
Femtocells/UMA open up carrier networks to external threats
UMA phones are susceptible to client-side DoS attacks
Confidentiality of the encryption key is important; compromise could lead to eavesdropping