Skip to main content

Meet the $250 Verizon device that lets hackers take over your phone

femtocell verizon hack samsung
Femtocell Image used with permission by copyright holder

If you’ve never heard of a femtocell, now would be a good time to learn.

At the Black Hat hacker conference in Las Vegas, NV, on Wednesday, a pair of security researchers detailed their ability to use a Verizon signal-boosting device, a $250 consumer unit called a femtocell, to secretly intercept voice calls, data, and SMS text messages of any handset that connects to the device.

A femtocell is, basically, a miniature cell phone tower that anyone can use to boost their wireless signal in their home. Most of the major U.S. wireless carriers sell femtocells, as do other retailers, and they can typically be purchased for $150 to $250.

For a cell phone or tablet to connect to a femtocell, it must be within 15 feet of the device, and remain within 40 feet to maintain a connection, explains Doug DePerry of security firm iSEC Partners and one of the researchers who discovered the vulnerability. But when your device does connect to the femtocell, you will not know it.

femtocell-talk
Image used with permission by copyright holder

“Your phone will associate to a femtocell without your knowledge,” says DePerry. “This is not like joining a Wi-Fi network. You don’t have a choice.”

The iSEC Partners team, led by DePerry and fellow researchers Tom Ritter and Andrew Rahimi, successfully tapped into the root of two femtocells sold by Verizon and manufactured by Samsung, which allowed them to intercept SMS messages in real-time, and even record voice calls.

During a demonstration of their exploit, Ritter and DePerry showed how they could begin recording audio from a cell phone even before the call began. And the recording included both sides of the conversation. The duo also demonstrated how it could trick Apple’s iMessage – which encrypts texts sent over its network using SSL, rendering them unreadable to snoopers, including the NSA – into defaulting to SMS, allowing the femtocell to intercept the messages.

“If you block the SSL connection back home to Apple, iMessages fails over to SMS, which is plain text,” explains Ritter. “And that we can see just fine.”

In their final demonstration, DePerry and Ritter showed off their ability to “clone” a cell phone that runs on a CDMA network (like Verizon’s) by remotely collecting its device ID number through the femtocell, in spite of added security measures to prevent against cloning of CDMA phones. Once a phone is cloned to another handset – meaning the network thinks both phones are the same device, assigned to a single account – a hacker can make expensive phone calls (i.e. 1-900 numbers), or use excessive amounts of data, and the charges are all attributed to the cloning victim.

Because both the cloned phone and its evil twin device must be connected to a femtocell to work – “any femtocell,” says DePerry, not just one that’s been hacked – the cloning dangers are limited. However, when it comes to intercepting calls and text messages, the eavesdropping potential is significant – especially if someone with a hacked femtocell sets up camp in a heavily trafficked area, like Times Square, to listen in on passersby.

Fortunately for Verizon customers, the company has since issued a patch to all affected femtocells. Sprint currently offers a femtocell that is similar to the vulnerable models from Verizon, but the company has said it plans to discontinue the device. And while AT&T also offers femtocells, it requires an extra level of authentication that makes much of the iSEC Partner’s findings irrelevant. Still, says Ritter, the femtocell vulnerability is a major problem.

“It’d be easy to think this is all about Verizon,” says Ritter. “But this really about everybody. Remember, there are 30 carriers worldwide who have femtocells, and three of the four U.S. carriers.”

Ritter suggests that all carriers that offer femtocells require owners to provide a list of approved devices that are allowed to connect to their femtocell. And also prevent customers’ cell phones from connecting to any unauthorized femtocell.

Andrew Couts
Former Digital Trends Contributor
Features Editor for Digital Trends, Andrew Couts covers a wide swath of consumer technology topics, with particular focus on…
AT&T just made it a lot easier to upgrade your phone
AT&T Storefront with logo.

Do you want to upgrade your phone more than once a year? What about three times a year? Are you on AT&T? If you answered yes to those questions, then AT&T’s new “Next Up Anytime” early upgrade program is made for you. With this add-on, you’ll be able to upgrade your phone three times a year for just $10 extra every month. It will be available starting July 16.

Currently, AT&T has its “Next Up” add-on, which has been available for the past several years. This program costs $6 extra per month and lets you upgrade by trading in your existing phone after at least half of it is paid off. But the new Next Up Anytime option gives you some more flexibility.

Read more
Motorola is selling unlocked smartphones for just $150 today
Someone holding the Moto G Stylus 5G (2024).

Have you been looking for phone deals but don’t want to spend a ton of money on flagship devices from Apple and Samsung? Have you ever considered investing in an unlocked Motorola? For a limited time, the company is offering a $100 markdown on the Motorola Moto G 5G. It can be yours for just $150, and your days and nights of phone-shopping will finally be over!

Why you should buy the Motorola Moto G 5G
Powered by the Snapdragon 480+ 5G CPU and 4GB of RAM, the Moto G delivers exceptional performance across the board. From UI navigation to apps, games, and camera functions, you can expect fast load times, next to no buffering, and smooth animations. You’ll also get up to 128GB of internal storage that you’ll be able to use for photos, videos, music, and any other mobile content you can store locally. 

Read more
The Nokia 3210 is the worst phone I’ve used in 2024
A person holding the Nokia 3210, showing the screen.

Where do I even start with the Nokia 3210? Not the original, which was one of the coolest phones to own back in a time when Star Wars: Episode 1 -- The Phantom Menace wasn’t even a thing, but the latest 2024 reissue that has come along to save us all from digital overload, the horror of social media, and the endless distraction that is the modern smartphone.

Except behind this facade of marketing-friendly do-goodery hides a weapon of torture, a device so foul that I’d rather sit through multiple showings of Jar Jar Binks and the gang hopelessly trying to bring back the magic of A New Hope than use it.
The Nokia 3210 really is that bad

Read more