Yaru Yang (Tsinghua University), Yiming Zhang (Tsinghua University), Tao Wan (CableLabs & Carleton University), Haixin Duan (Tsinghua University & Quancheng Laboratory), Deliang Chang (QI-ANXIN Technology Research Institute), Yishen Li (Tsinghua University), Shujun Tang (Tsinghua University & QI-ANXIN Technology Research Institute)

Femtocells are small, operator-deployed base stations designed to extend mobile network coverage, but their integration into operator mobile infrastructure introduces significant new attack surfaces. While 5G femtocell standards were only recently finalized, 4G LTE femtocells have already been standardized and widely implemented. In this work, we conducted the first systematic security evaluation of 4G LTE femtocells based on both real-world commercial devices and large-scale Internet measurements. We systematically analyzed both the software and hardware of 4 commercial femtocell devices and identified 5 critical and common vulnerabilities that can lead to local or remote compromise. Our Internet-wide measurement identified 86,108 suspected femtocell deployments, many of which are exposed to remote attack. Further, we experimentally validated in a real operator network that a single compromised femtocell can serve as a powerful entry point for attacks on both the mobile core network and its subscribers. Our findings highlight that femtocell security in operational 4G LTE networks remains an urgent concern. We reported our results to Global System for Mobile Communications Association (GSMA) and the 3rd Generation Partnership Project (3GPP) Service and System Aspects Working Group 3 (SA3). 3GPP SA3 has subsequently approved both a study item to further enhance the security of 5G femtocells and a work item to define the Security Assurance Specification (SCAS) for 5G femtocells.

View More Papers

Analysis of the Security Design, Engineering, and Implementation of...

Alan T. Sherman (University of Maryland, Baltimore County (UMBC)), Jeremy J. Romanik Romano (University of Maryland, Baltimore County (UMBC)), Edward Zieglar (University of Maryland, Baltimore County (UMBC)), Enis Golaszewski (University of Maryland, Baltimore County (UMBC)), Jonathan D. Fuchs (University of Maryland, Baltimore County (UMBC)), William E. Byrd (University of Alabama at Birmingham)

Read More

Crack in the Armor: Underlying Infrastructure Threats to RPKI...

Yunhao Liu (Tsinghua University & Zhongguancun Laboratory), Jessie Hui Wang (Tsinghua University & Zhongguancun Laboratory), Yuedong Xu (Fudan University), Zongpeng Li (Tsinghua University), Yangyang Wang (Tsinghua University & Zhongguancun Laboratory), Jilong Wang (Tsinghua University & Zhongguancun Laboratory)

Read More

Revealing The Secret Power: How Algorithms Can Influence Content...

Alessandro Galeazzi (University of Padua), Pujan Paudel (Boston University), Mauro Conti (University of Padua and Orebro University), Emiliano De Cristofaro (University of California, Riverside), Gianluca Stringhini (Boston University)

Read More