Risk of using Femtocell

A family member has bought a femtocell because he has poor signal strength on his phone inside the house. What happens is the phone connects to the femtocell and all calls and SMS/MMS data get transferred over the internet. Now I've got a bad feeling about having the femtocell connected directly to my router, because in Mr. Robot they used a femtocell to place a backdoor into Evil-corp’s network. I checked online and found out that they can be exploited and the user’s data can be snooped on.
http://www.securityweek.com/carriers-should-ditch-femtocells-over-security-risks-researchers

However I didn’t find any information that it could infect the rest of my computers connected to the router. People were saying that you should isolate the femtocell in its own vlan to stop it from getting access to the rest of the network.

Anyone know how I would go about doing that? I have DD-WRT installed on my router.

Shameless bump.

I haven’t used DD-WRT, but I can point you in the right direction for vlans.

How many lan ports does your router have?

4 ports.

Maybe this might help.

Ok good. Can you put the Femtocell on a dedicated port?

EDIT

I’m assuming it plugs in and isn’t completely wireless…

It is already plugged in.

Ok cool. Then you should be able to put it on its own vlan via the instructions from @behindthetimesgamer.

It is slightly more complicated if it’s on a switch separate from the router because the switch would also need to be configured for the vlan.

I got stuck right away. Where it says go to Setup > VLAN.
I go to Setup on my router but there is no VLAN tab. The closest thing I could find was VLAN tagging in the Networking section.

Put a PFSense box in your network if you want. Optimally ONLY to the femtocell.

I don’t have pfsense box and there isn’t any more space for it either.

VLAN tagging is what you want. Add a new vlan (any number 2 – 4000-something). Assign it to the port your femtocell is plugged into. Priority 0 is probably fine.

You should be prompted to give it a network address. Just use a private network that’s different from what you’re using on the rest of your network (and different from any private networks you connect to via vpn – you probably don’t need to worry about that though).

Enable DNSMasq as it says on the right unless the femtocell has a static IP. You’ll need to configure a separate dhcp pool for the vlan network.

What interface should I use? I have a choice of ath0, ath1, br0, eth0, eth1.

I don’t understand. How do I know which network is mine and which is the private one?

One of those corresponds to the port you have the femtocell plugged into. I’m not sure I can help you figure that out. It’s not br0.

Private networks are 192.168.X.X, 10.X.X.X or 172.16-31.X.X

Are you familiar with ipv4 addressing, subnets, etc.?

All I know is that it’s plugged into port 4.

No, not really.

If you want to secure against the fear of this femtocell then you might want to learn some networking.


This should be a good start to learning the basics, and then keep on googling and asking questions and I will help in any way I can.

Ok, so I’m not sure I can help you out any further because I’ve never worked with a DD-WRT router.

I can tell you abstractly, that these are the steps you’ll need to complete:

  1. Identify which physical ports correspond to ath0, ath1, eth0 and eth1.

  2. Add a vlan tag to the femtocell port.

  3. Configure a private network for the vlan (network, gateway, subnet mask, NAT, etc…). Some of this will probably be configured automatically by DD-WRT. Minimally, you’ll need to tell it a gateway address and a subnet mask.

  4. Optionally, configure a DHCP pool for the new vlan network.

  5. If any special port forwarding or firewall settings need to be configured for the femtocell, then that’ll need to be done as well.

ath0 and ath1 are your wireless networks.
https://www.dd-wrt.com/phpBB2/viewtopic.php?p=937688&sid=8b59e40133b88b3fe4a6469275daa06c
This should help with the eth ports naming.
Let me know if this info helps you understand where to move forward.

@sanfordvdev - Is it possible that there’s a WAN port and a LAN port that’s wired into a layer 2 switch?

If that’s the case, the vlan config will require a smart switch.

Not for sure but possible since you can add the wan port as a switch port in the ddwrt config.
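
An added example, not part of the original thread: the address planning behind steps 3 and 4 of the list above (a private network for the femtocell VLAN that does not overlap anything already in use, with its gateway, mask and DHCP pool), plus the forwarding rules that keep that network away from the LAN. The function names, the sample networks and the assumption that the router's firewall takes `iptables` commands are illustrative and do not come from any poster's setup.

```python
import ipaddress

# The three private ranges quoted in the thread (RFC 1918).
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]


def check_candidate(candidate, in_use):
    """Return the reasons a network is unsuitable for the VLAN (empty list = OK)."""
    net = ipaddress.ip_network(candidate, strict=False)
    problems = []
    if not any(net.subnet_of(r) for r in PRIVATE_RANGES):
        problems.append(f"{net} is not inside a private range")
    for used in in_use:
        used_net = ipaddress.ip_network(used, strict=False)
        if net.overlaps(used_net):
            problems.append(f"{net} overlaps {used_net}")
    return problems


def plan_vlan(in_use, prefix=24, pool_start=100, pool_size=50):
    """Pick the first free private network; pool defaults fit a /24."""
    for rng in PRIVATE_RANGES:
        for net in rng.subnets(new_prefix=prefix):
            if check_candidate(str(net), in_use):
                continue  # overlaps something already in use
            base = net.network_address
            return {
                "network": str(net),
                "gateway": str(base + 1),  # router's address on the VLAN
                "netmask": str(net.netmask),
                "dhcp_first": str(base + pool_start),
                "dhcp_last": str(base + pool_start + pool_size - 1),
            }
    raise ValueError("no free private network of that size")


def isolation_rules(vlan_net, protected_nets):
    """iptables lines dropping forwarded traffic from the VLAN to each network."""
    return [f"iptables -I FORWARD -s {vlan_net} "
            f"-d {ipaddress.ip_network(p, strict=False)} -j DROP"
            for p in protected_nets]


# Constructed sample: modem subnet, main LAN (router address given), VPN network.
IN_USE = ["192.168.0.0/24", "192.168.1.1/24", "10.8.0.0/24"]

if __name__ == "__main__":
    plan = plan_vlan(IN_USE)
    print(plan)
    print(*isolation_rules(plan["network"], ["192.168.1.1/24"]), sep="\n")
```
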