Femtocells are low-power cellular base stations used in homes and small offices to improve indoor mobile coverage. They connect to the operator’s core network over broadband and broadcast a local cellular signal, typically covering 10 to 50 metres.
They operate within standard mobile infrastructure, using licensed spectrum such as:
• 3G UMTS bands (Band 1 2100 MHz in the UK)
• Some later units support LTE bands depending on deployment
Unlike signal boosters, femtocells do not amplify an existing signal. They create a new one, and devices will automatically connect if it presents the strongest signal.
Image 1: Legacy femtocell device originally deployed by mobile networks, now circulating in secondary markets despite being phased out.
The issue
Femtocells extend the cellular network directly into private environments.
• Traffic is routed through broadband
• Devices connect based on signal strength, not trust
• The cellular layer becomes localised and harder to monitor
This creates a gap between:
• What is visible on the IP network
• What is happening over the air interface
This is where visibility breaks.
Image 2: Femtocell architecture highlighting the visibility gap between IP network monitoring and the air interface.
How to identify them
Femtocells are not visible through traditional network scanning.
They are identified through signal behaviour.
Using mobile apps such as Network Cell Info Lite or NetMonster, look for:
• Very strong signal indoors
• Rapid signal drop when leaving the building
• Unusual or isolated Cell ID
• Cell location appearing extremely close or inaccurate
If the cell is not mapped, it may indicate a small cell or femtocell.
Image 3: Analysing cellular signals using Network Cell Info Lite (left) and CellMapper (right) to identify signal strength, band, and local cell infrastructure.
These are not just indicators. They reflect how femtocells operate at the network edge.
Security implications
While modern units are more secure, historically femtocells have presented:
• Firmware attack surface
• Potential interception if compromised
• Reliance on broadband
• Single operator dependency
They are trusted by design but deployed in uncontrolled environments.
Still in circulation
Consumer femtocells have been phased out in the UK following 3G shutdowns.
However:
• Legacy devices remain active
• Units are still being sold on secondary markets
• Small cell technology continues in enterprise environments
How to reduce risk
• Use Wi-Fi Calling instead of legacy femtocell hardware
• Avoid unsupported or second hand telecom devices
• Monitor RF environments in sensitive locations
• Validate unexpected strong indoor cellular signals
• Treat local cellular infrastructure as part of the attack surface
Takeaway
Femtocells highlight a fundamental issue.
Security monitoring focuses on networks and endpoints.
Cellular operates in RF. If you are not looking at the spectrum, you are not seeing the full environment.
For more insight on wireless weaknesses, visit intspired.co.uk/blog
INTSPIRED®
OFFENSIVE BY DESIGN. INTELLIGENT BY NATURE.
Top comments (0)