Meet the $250 Verizon device that lets hackers take over your phone


If you’ve never heard of a femtocell, now would be a good time to learn.

At the Black Hat hacker conference in Las Vegas, NV, on Wednesday, a pair of security researchers detailed their ability to use a Verizon signal-boosting device, a $250 consumer unit called a femtocell, to secretly intercept voice calls, data, and SMS text messages of any handset that connects to the device.

A femtocell is, basically, a miniature cell phone tower that anyone can use to boost their wireless signal in their home. Most of the major U.S. wireless carriers sell femtocells, as do other retailers, and they can typically be purchased for $150 to $250.

For a cell phone or tablet to connect to a femtocell, it must be within 15 feet of the device, and remain within 40 feet to maintain a connection, explains Doug DePerry of security firm iSEC Partners and one of the researchers who discovered the vulnerability. But when your device does connect to the femtocell, you will not know it.


“Your phone will associate to a femtocell without your knowledge,” says DePerry. “This is not like joining a Wi-Fi network. You don’t have a choice.”

The iSEC Partners team, led by DePerry and fellow researchers Tom Ritter and Andrew Rahimi, successfully gained root access to two femtocells sold by Verizon and manufactured by Samsung, which allowed them to intercept SMS messages in real time, and even record voice calls.

During a demonstration of their exploit, Ritter and DePerry showed how they could begin recording audio from a cell phone even before the call began. And the recording included both sides of the conversation. The duo also demonstrated how it could trick Apple’s iMessage – which encrypts texts sent over its network using SSL, rendering them unreadable to snoopers, including the NSA – into defaulting to SMS, allowing the femtocell to intercept the messages.

“If you block the SSL connection back home to Apple, iMessage fails over to SMS, which is plain text,” explains Ritter. “And that we can see just fine.”

In their final demonstration, DePerry and Ritter showed off their ability to “clone” a cell phone that runs on a CDMA network (like Verizon’s) by remotely collecting its device ID number through the femtocell, in spite of added security measures to prevent cloning of CDMA phones. Once a phone is cloned to another handset – meaning the network thinks both phones are the same device, assigned to a single account – a hacker can make expensive phone calls (e.g., 1-900 numbers), or use excessive amounts of data, and the charges are all attributed to the cloning victim.

Because both the cloned phone and its evil twin device must be connected to a femtocell to work – “any femtocell,” says DePerry, not just one that’s been hacked – the cloning dangers are limited. However, when it comes to intercepting calls and text messages, the eavesdropping potential is significant – especially if someone with a hacked femtocell sets up camp in a heavily trafficked area, like Times Square, to listen in on passersby.

Fortunately for Verizon customers, the company has since issued a patch to all affected femtocells. Sprint currently offers a femtocell that is similar to the vulnerable models from Verizon, but the company has said it plans to discontinue the device. And while AT&T also offers femtocells, it requires an extra level of authentication that makes much of iSEC Partners’ findings irrelevant. Still, says Ritter, the femtocell vulnerability is a major problem.

“It’d be easy to think this is all about Verizon,” says Ritter. “But this is really about everybody. Remember, there are 30 carriers worldwide who have femtocells, and three of the four U.S. carriers.”

Ritter suggests that all carriers that offer femtocells require owners to provide a list of approved devices that are allowed to connect to their femtocell, and that carriers also prevent customers’ cell phones from connecting to any unauthorized femtocell.
