Femtocells give a user a small base station located within their house or other area. These small base stations provide access to the core telecom network in places where poor reception from an eNodeB would normally prevent consistent coverage. Femtocells have been standardized in LTE since Release 8, where they are referred to as Home eNodeBs, or HeNBs. HeNBs are mandated to have an IPsec connection back to a security gateway (SeGW) to protect traffic flowing into and out of a Mobile Network Operator (MNO)'s core network.
If the HeNB is in the physical possession of an attacker, the attacker has unlimited time to identify a flaw on the HeNB. A compromised HeNB can be used in a manner similar to a rogue base station, but it also gives the attacker access to cleartext traffic before it is sent back to the core network. There are more than ten different types of HeNBs deployed in China. The Ericsson ENC-nRBS01B40, a TD-LTE base station working on band B40, is one of them.
In this talk, we will cover:
1.) How to root a 4G LTE femtocell.
2.) How to make the femtocell portable.
3.) How to perform a man-in-the-middle attack with the femtocell.
4.) The prototype of the Hacking Box of S1 Interface (HBoS).