Vodafone femtocell hack lets intruders listen to calls

Vodafone's Sure Signal femtocells can be adapted to listen to mobile phone calls and to intercept text messages made by the operator's customers, according to a group of researchers.

Researchers have claimed Vodafone's Sure Signal femtocells can be adapted to listen to mobile phone calls and to intercept text messages made by customers.

Intruders can also use the femtocells to hijack a number and make calls and send SMS messages from that number, The Hackers Choice (THC) said on Wednesday.

Vodafone Sure Signal femtocells are small base stations, costing as little as £50, that people can put in their houses so they have mobile coverage in areas of poor reception. The femtocells can be reverse-engineered and turned into a device that intercepts mobile communications from any UK Vodafone subscriber, according to the researchers.

"THC is now able to turn this femtocell into a full-blown 3G/[UMTS]/W-CDMA interception device," the group said in a blog post.

Once you have root access to the internal Linux that drives the femtocell, you can do all the attacks that we described.

– 'Eduart Steiner'

The femtocell has to be within 50 metres of a mobile phone for it to be used to listen to traffic, a group member going by the pseudonym 'Eduart Steiner' said in the blog post.

The group gave a detailed technical account of how they modified the device, which entailed altering the hardware and hacking the software.

The researchers said the root administrator password for the embedded Linux running on Sure Signal femtocells is "newsys". The group reverse-engineered the administrator password by extracting the firmware from the femtocell and looking through it.

"Once you have root access to the internal Linux that drives the femtocell, you can do all the attacks that we described," Steiner told ZDNet UK.

In addition to listening in to mobile communications, the modified device could be used for call fraud. This is where a phone owner is billed for calls or SMS messages made by the intruder. In addition, an attacker can access the voicemail on a target device.

IPSec protocol

Steiner told ZDNet UK that data passing between the femtocell and Vodafone's core network is encrypted using a protocol suite called IPSec. Once an attacker has the root password they have admin access, which means they can retrieve IPSec details.

Once the IPSec details are known, they can be used to decrypt the internet traffic between the femtocell and the Vodafone core network, according to Steiner. This traffic contains the RTP (Real-time Transport Protocol) voice stream, which is used by VoIP, and all 3G/UMTS signalling, including SMS messages.

In addition, data traffic sent over the air between the femtocell and the mobile phone is protected using 3G/UMTS encryption, according to Steiner. This encryption material is requested by the femtocell from the Vodafone core network via IPSec.

"Because we can decrypt IPSec, we also see the secret 3G/UMTS key material," Steiner told ZDNet UK.

THC, which was set up in Germany in 1995, first started researching Sure Signal femtocells in August 2009. It halted this research on 14 July, 2010 and decided not to publish its results immediately, in part to give Vodafone time to come up with a solution, according to Steiner. Vodafone may have fixed the loophole that let THC gain root access, Steiner said, but he did not know for certain. There are other known ways to get that access, the researcher added.

The group decided to make its findings public because a separate group of researchers — Ravishankar Borgaonkar, Nico Golde and Kevin Redon — are expected to talk about femtocell hijacking at the Black Hat security conference at the end of July in Las Vegas.

Vodafone said it had patched a vulnerability in Sure Signal in 2010 in a statement on Thursday.

"Overnight on July 12, a claim appeared that hackers had found security loopholes in Vodafone Sure Signal which could compromise the security of Vodafone's network. This is untrue: the Vodafone network has not been compromised," said the statement.

"The claims regarding Vodafone Sure Signal, which is a signal booster used indoors, relate to a vulnerability that was detected at the start of 2010. A security patch was issued a few weeks later automatically to all Sure Signal boxes.

"As a result, Vodafone Sure Signal customers do not need to take any action to secure their device.

"We monitor the security of all of our products and services on an ongoing basis and will continue to do so."