Femtocell Hack Reveals Cell Phone Security Hole (zz)# PDA - 掌中宝
m*d
1 楼
据说fix了,结果还是一个鸟样。基本上如果有人想搞,40ft之内可以随便截获你所有
通信
By: CNN
Updated: July 15, 2013
Tweet
NEW YORK (CNNMoney) -- An increasingly popular technology for extending cell
-phone coverage ranges had a major security hole that went undetected for
years, through which an attacker could eavesdrop on everything a target did
on their phone, according to new research released on Monday.
The research brings to light previously unknown vulnerabilities in some
models of femtocells, devices that mobile network operators use to bring
wireless service to low-coverage zones. The compact boxes, which are
typically as small as a standard cable modem, can be deployed in hard-to-
reach spots like the top of an apartment building or a home in the mountains
. Femtocells are also referred to as "network extenders," and analysts
project that as many as 50 million of them will be in use by 2014.
In a demonstration for CNNMoney, researchers at iSEC Partners, who
discovered the security hole, covertly recorded one of our phone
conversations and played it back for us. They were also able to record our
browsing history, text messages, and even view pictures we sent from one
smartphone to another by hacking the network extender.
"We see everything that your phone would send to a cell phone tower: phone
calls, text messages, picture messages, mobile Web surfing," said iSEC
Partners senior security consultant Tom Ritter.
ISEC discovered the security flaw a year ago and contacted the affected
vendors, who quickly began working on a fix. The company focused its
research on femtocells operating on Verizon's 3G CDMA network, though iSEC
believes similar holes could exist on other network extenders.
A Verizon spokesman said the problem has been repaired in all of the
femtocells it is currently using.
"The demonstration CNN saw was for an identified issue that was fixed
earlier this year on all network extender devices," the company said in a
written statement. "The fix prevents the network extender from being
compromised in the same manner."
Verizon said it has not received any customer complaints about the security
glitch.
Samsung, the company that manufactures Verizon's network extenders, also
issued a statement saying the problem has been fixed. ISEC plan to show off
more details of its hack later this month at the Black Hat security
conference in Las Vegas.
Security researchers say these kinds of flaws are inevitable. As new
technologies get more powerful, though, the risks get bigger.
"Once you first saw this product was available, you said, 'If there are any
vulnerabilities, it'll be really bad," hacker Chris Wysopal, the chief
technology officer for security software maker Veracode.
When he learned about femotcells, he says he immediately thought: "Somebody'
s bound to break this."
ISEC, which specializes in security research, says the attack it pioneered
doesn't require very sophisticated hacking.
"You do need some level of technical skills, but people are learning those
skills in college," Ritter said. "Breaking into one of these devices, or a
device like this, is within the realm of people working at home."
Security pros say that using encryption apps like Wickr, Cellcrypt, Redphone
and TextSecure can help users looking for a more secure connection. But
researchers at iSEC have resigned themselves to the idea that nothing is
confidential.
"You should assume that everything you're saying is being intercepted," said
Doug DePerry, one of the company's senior consultants. "That is a bit of a
defeatist opinion, but sometimes that has to be the way it is."
通信
By: CNN
Updated: July 15, 2013
Tweet
NEW YORK (CNNMoney) -- An increasingly popular technology for extending cell
-phone coverage ranges had a major security hole that went undetected for
years, through which an attacker could eavesdrop on everything a target did
on their phone, according to new research released on Monday.
The research brings to light previously unknown vulnerabilities in some
models of femtocells, devices that mobile network operators use to bring
wireless service to low-coverage zones. The compact boxes, which are
typically as small as a standard cable modem, can be deployed in hard-to-
reach spots like the top of an apartment building or a home in the mountains
. Femtocells are also referred to as "network extenders," and analysts
project that as many as 50 million of them will be in use by 2014.
In a demonstration for CNNMoney, researchers at iSEC Partners, who
discovered the security hole, covertly recorded one of our phone
conversations and played it back for us. They were also able to record our
browsing history, text messages, and even view pictures we sent from one
smartphone to another by hacking the network extender.
"We see everything that your phone would send to a cell phone tower: phone
calls, text messages, picture messages, mobile Web surfing," said iSEC
Partners senior security consultant Tom Ritter.
ISEC discovered the security flaw a year ago and contacted the affected
vendors, who quickly began working on a fix. The company focused its
research on femtocells operating on Verizon's 3G CDMA network, though iSEC
believes similar holes could exist on other network extenders.
A Verizon spokesman said the problem has been repaired in all of the
femtocells it is currently using.
"The demonstration CNN saw was for an identified issue that was fixed
earlier this year on all network extender devices," the company said in a
written statement. "The fix prevents the network extender from being
compromised in the same manner."
Verizon said it has not received any customer complaints about the security
glitch.
Samsung, the company that manufactures Verizon's network extenders, also
issued a statement saying the problem has been fixed. ISEC plan to show off
more details of its hack later this month at the Black Hat security
conference in Las Vegas.
Security researchers say these kinds of flaws are inevitable. As new
technologies get more powerful, though, the risks get bigger.
"Once you first saw this product was available, you said, 'If there are any
vulnerabilities, it'll be really bad," hacker Chris Wysopal, the chief
technology officer for security software maker Veracode.
When he learned about femotcells, he says he immediately thought: "Somebody'
s bound to break this."
ISEC, which specializes in security research, says the attack it pioneered
doesn't require very sophisticated hacking.
"You do need some level of technical skills, but people are learning those
skills in college," Ritter said. "Breaking into one of these devices, or a
device like this, is within the realm of people working at home."
Security pros say that using encryption apps like Wickr, Cellcrypt, Redphone
and TextSecure can help users looking for a more secure connection. But
researchers at iSEC have resigned themselves to the idea that nothing is
confidential.
"You should assume that everything you're saying is being intercepted," said
Doug DePerry, one of the company's senior consultants. "That is a bit of a
defeatist opinion, but sometimes that has to be the way it is."