VZW hub small

If you're having reception issues or dropped calls at your home or office, Verizon Wireless (and other carriers) might recommend you pick up a femtocell. This is a small device that plugs into your router and acts like a miniature cell tower. However, a pair of security researchers have revealed how they managed to use that same device to snoop on phone calls and other communications.

When you plug a femtocell into your internet connection, it doesn't connect only to your phone. It can provide cellular access to any compatible phone nearby. If the femtocell offers a better signal, most phones will hop on it instead of the regular tower. A person could be connected to the femtocell and not even realize it, thus giving a malicious individual the opportunity to intercept data surreptitiously. With a mobile broadband connection and power source, a compromised femtocell could be take to a public space and used to record many individuals' activities. The device could even be outfitted with a higher power antenna to get more phones to connect.

VZW hub small

After identifying the vulnerabilities, and recording all the phone calls and messages sent through it, the researchers went to Verizon. A fix was developed after Verizon was alerted to the issue, but it wasn't an easy hole to patch. While the vulnerability demonstrated here is fixed, there could be many other bugs that allow similar attacks. Given enough time, someone with mayhem in mind will find them, and then we're all going to have a headache to deal with.


Ryan Whitwam
Ryan is a tech/science writer, skeptic, lover of all things electronic, and Android fan. In his spare time he reads golden-age sci-fi and sleeps, but rarely at the same time. His wife tolerates him as few would.

He's the author of a sci-fi novel called The Crooked City, which is available on Amazon and Google Play. http://goo.gl/WQIXBM

  • Tom

    Conspiracy bacon time. The NSA has already been using these as spy tools since they have been in bed with Verizon for a while. Boom bacon for your consumption.

    • MasterMuffin

      I was just thinking that NSA is going to hire these guys but you're already way ahead of me!

      • MistiXF


        • MasterMuffin

          I saw that already but still funny :D

  • AndrewNeo

    If you're sending sensitive data over plaintext you're practically begging to have it stolen, even over the cellular network.

    • Qliphah

      It isn't as simple as plaintext or encryption. Using this they can scrape all incoming/outgoing data on all devices no matter how good the security is on the network. The only defence would be if verizon updated all their phones to detect these rouge routers, and considering those that want to use them, spoofing whatever new code they gave to their towers wouldn't be hard.

      • solbin

        Yup, it can record all information, it won't care if it is encrypted or not, because (correct me if I am wrong) it will just continually write information to a file so the person who is doing this can dig through later it later and see if they got anything useful or not. Its especially dangerous because the users will have no idea what they are connected to.

      • AndrewNeo

        They can't do a whole lot with the encrypted data, for the most part. Besides, the video has animations of them asking for sensitive information over SMS.

  • SAI

    Just like an episode of Burn Notice....

  • Wesley Modderkolk

    Is this really something new?

  • hp420

    OK, so we all know how easy it is to read an sms with one of these, but let's say, for example, both the sender and recipient are using a service like what's app or google voice. Are they still as vulnerable, less, or not at all?

    • HopelesslyFaithful

      yes... i would assume. it would record anything type of data voice or data so what you are surfing and streaming too.

      It is like a full blown wire tap

      • hp420

        Don't be so sure....

        Google voice uses a very similar technology as iMessage, and DEA has gone on the record stating they can not tap in, and they aren't happy about it. IMHO, if the DEA can't get in, there's a high probability some dude with a computer science degree and a signal booster won't have much better luck

        • HopelesslyFaithful

          thanks for the link. Saved it and nice work ^^

        • Luigi90210

          you will be surprised at what people can do, just look at geohotz
          he hacked the iphone when it was brand new, and he hacked the PS3 soon afterwards

          you would be surprised at how stupid some of the government workers are(most of the time, they dont get paid enough to hack into things so they simply dont do it), a good example would be, if you encrypt your HDD, the government can not get into it no matter what they do, but if a hacker had to break your encryption to know where you are hiding all your drug money, the hacker will do so simply because there is more incentive to do it(think about it, will someone who makes $24 an hour as a computer tech want to spend countless hours to hack into a HDD that has drug money location and not be able to get a single dime of it? i know i wouldnt)

          • Mike Harris

            I'm sorry, but government officials have LOTS of incentive to break these encryptions. Your logic is just silly and is based on those officials acting like employees at a fast food place. These are grown adults with lots of motives other than personal gain, but even if their motives are selfish, being the one to crack the code is probably very rewarding on many levels.

  • Qliphah

    Wish they detailed what the fix was because I don't see a way to defend against this. The updated their software but every phone out there still connects to the first/strongest point.

    • Jaymoon

      The Sprint femtocell required you to type in a * number (*99 I think?) to connect. Why is the Verizon one set to auto-connect?!

      That's just asking for trouble, unless the "auto-connect" is part of the hack.

      • HopelesslyFaithful

        can someone just reprogram the firmware than? the tech is there all they need to do is reprogram it. If someone is smart enough to use this they are probably smart enough to be able to rewrite the updated software

      • Josh

        It definitely doesn't by default. I have one and I've never had to do that, and when friends with Sprint visit their phones automatically use it. I think you can restrict it though somehow, but it's not a default setting.

  • Jaymoon

    * Fixed image for you: http://i.imgur.com/aPprH4s.jpg

  • HopelesslyFaithful

    does it even matter at this point? The FBI does it all the time -_- The fact cell phones are not better protected and communications are not by default encrypted has always bothered me :/

  • nahbro25

    When you call or answer you phone when it is connected to a Verizon femtocell there is a series of beeps that let you know you are not connected to a normal cell tower.