Vodafone Sure Signal Subject To Phone Hacking

A security flaw discovered in Vodafone’s Sure Signal femtocells allows the user’s calls and voice mails to be hacked, according to a group of researchers.

Femtocells are miniature routers which boost 3G phone signal in buildings, using broadband connections to join up with the mobile network. They are often used to boost coverage in rural areas where signal is particularly poor. The technology has been gaining momentum in recent years, and companies such as Picochip and Ubiquisys have been working on variations of femtocells that allow 3G access in public outdoor areas and while travelling abroad.

However, a research group, which calls itself The Hacker’s Choice, managed to reverse engineer a Vodafone femtocell and turn it into an interception device – allowing someone with a femto to eavesdrop on calls and make calls at another person’s expense, as long as their phone is within 50m of the hacked femtocell.

Reverse-engineered femtocells

The attack is based on the fact that tasks normally carried out by the mobile network are delegated to the femto device which is sitting in the user’s house and potentially vulnerable.

“The Femto can only be used by the person who purchased the Femto. At least that is what Vodafone tells you,” said senior security researcher Eduart Steiner on The Hacker’s Choice blog.

“THC found a way to circumvent this and to allow any subscriber – even those not registered with the Femto – to use the Femto. They turned it into an IMSI [International Mobile Subscriber Identity] grabber. The attacker has to be within 50m range of the UK Vodafone customer to make the customer’s phone use the attacker’s femto.”

The flaw means that hackers are able to listen to the victim’s phone calls, make calls from their phone and access their voice mail.

“It is disgusting to see that a major player like Vodafone chooses ‘newsys’ as the administrator password, thus allowing anyone to retrieve secret data of other people,” added Steiner.

Vodafone has released a statement, saying that the claims relate to a vulnerability that was detected at the start of 2010. “A security patch was issued a few weeks later automatically to all Sure Signal boxes,” said the operator, reiterating that its network had not been compromised.

The Hacker’s Choice responded that Vodafone’s patch only prevents hackers from gaining administrator access, and does not fix the core of the problem, which allows data to be transfered from the core network right down to the femtocell. “This is in gross violation of the 3G/UMTS security recommendation which clearly states that the 3G/UMTS encryption should go all the way up to the core network,” the group said.

Vodafone added that it monitors the security of all of its products and services on an ongoing basis, and said that Sure Signal customers do not need to take any action to secure their device.

Phone hacking hype

The news comes amid ongoing controversy around the News of the World phone hacking scandal. Rupert Murdoch’s Sunday tabloid obtained illegal access to the voice mail accounts of a number of high profile figures, including former Prime Minister Gordon Brown, a wide variety of celebrities, kidnapped teenager Milly Dowler, and soldiers killed in combat in Afghanistan.

As a result, the News of the World has been shut down, News International has backed out of plans to take over BSkyB, and former NotW editor Rebekah Brooks has bowed to pressure and resigned as chief executive of the company. US senators have also asked the authorities to investigate allegations that 9/11 victims’ phones were hacked by News International journalists.

In the case of News International, the so-called ‘phone hacking’ involved almost no technical skill. Journalists would merely ring a phone and see whether its voice mail service had a default or easy-to-guess passcode. This femtocell hacking, on the other hand, involves modifying the software on a SureSignal femtocell to record live telephone conversations – something that requires considerable technological knowledge.

However, the The Hacker’s Choice has published a wiki, which covers many of the steps in minute detail. Thinq magazine points out that anyone with a reasonable grasp of command-line Linux would be able to carry out the same steps and turn their femtocell into an eavesdropping device.