Recently Frank Esser, the CIO of SFR, one of the major French ISPs/cellphone operators, announced that they wish to deploy 3G femtocells in their users' homes. A 3G femtocell is a small 3G antenna designed to improve the coverage of the 3G network at a local site.
If someone is ready to put a 3G antenna in their home, despite the health risk, why not. My concern is more about how such an antenna will be used. SFR says that they wish to use it as a relay for all their customers in exchange for a subscription discount. Giving up control of a GSM/3G antenna is a huge risk: since the antenna is linked to the Internet router by an Ethernet cable, there is no way to prevent the owner of the antenna from snooping on customer traffic.
You might argue that this is not a problem because the GSM protocol is secure… Well no, it is NOT secure. We have known since 1999 that the GSM A5 encryption scheme is broken, and that any communication can be decrypted in real time (you might wish to read the Shamir paper on the subject). Here it is even worse, because the attacker will be able not only to decrypt but also to alter the communication, since he sits between the antenna and the SFR network.
Hence, unless there is strong mutual authentication between the SFR network and the antenna, it will be a real nightmare. There is simply no way to choose which relay you use from your cellphone… For instance, you visit your customer to make a deal, and somewhere in the middle of the negotiation you decide to call your office to decide what to do. Unfortunately for you, you use your customer's femtocell as a relay: your conversation with your boss is snooped on in real time by your customer, who of course will tamper with the outcome of the negotiation.


Fun facts: the device will power a mere 10 mW (i.e. 10 times less than any standard WiFi access point).
The result is double: health concerns are clearly reduced, moreover because the terminal itself will require less power to grab the cell.
The femtocell is made to cover the surface of a standard house (basically 10 meters of radius).
As an addition, the cell will only accept to connect a user-defined list of mobile phones, meaning one wouldn’t just be able to connect that easily.
I’m not saying an attack as described above couldn’t happen, but risks are reduced as the attacker would more likely have to be in covering range and both attacker and target be connected to the femtocell.
“There is simply no way to choose which relay you use from your cellphone” ain’t correct. You’ll know whether you are connected to a femtocell or to the macro network as it will clearly appear on the mobile screen (e.g. the operator name will go from “F SFR” to “SFR Femtocell”).
Last thing, I promise: the devices you see in the pictures are prototypes, design concepts more specifically.
Hi Bertrand,
Thanks for the insight.
Actually, as long as the femto is used for the ADSL owner only, I think this is a very cool idea.
My concern is that in some statements SFR says that they might use them to extend the coverage of their cell network. It is this use that raises a security issue.
This is not an unrealistic scenario, as it has already happened for wifi networks. A few years ago the wifi capability of a DSL box was restricted to the subscriber's use. Nowadays it is used to extend the ISP's public wifi network…