Vodafone Sure Signal femtocell hack allows call recording, spoofing [Update: Fixed]

Vodafone's Sure Signal femtocell has been hacked so as to allow calls to be intercepted and recorded, as well as enabling SMS messages and calls to be sent via other subscribers' accounts. The hack, documented by The Hackers Choice, takes advantage of the Sure Signal's common root password; by modifying the software and physically removing the tracking chip Vodafone use to locate the femtocell, the modders also gain access to the on-board decryption system for Vodafone customers.

"The Femto cell contains a Mini-RNC/Node-B which is not a real RNC nor a Node-B. It's something in between. The mini-RNC can request real encryption keys and authentication vectors for any Vodafone UK customer from the Vodafone core network (like a real RNC). The Vodafone core network still authenticates every single phone (like a Node-B)"

As the modders explain, the end result is a femtocell that can be used to record all voice calls made by phones connected to it, stored in AMR12.2 format. Although Vodafone usually requires each connected handset to be registered to the Sure Signal, the hack can bypass that, so a phone that is in range can inadvertently register to the femtocell as if it were a regular base station.

A similar hack allows outgoing calls and SMS messages to be sent via another Vodafone customer's phone, if registered to the compromised Sure Signal, though incoming traffic can only be collected if the account is registered through Vodafone to the femtocell itself. Other instructions suggest how the Sure Signal could be transported abroad and used to create a personal network wherever there's a broadband connection, rather than solely in the UK as Vodafone mandates.

However, while potentially dangerous to users who inadvertently connect their phones to a hacked Sure Signal, the fact that it also requires a physical modification to the hardware so as to prevent remote upgrades means it's highly unlikely that those units already in people's homes could be remotely co-opted. The femtocells themselves have limited range, too, restricting the potential collection area within which phones might be harvested.

We've reached out to Vodafone UK for a comment, and will update when we hear back from the carrier.

Update: Vodafone UK has given us the following statement:

"Overnight on July 12, a claim appeared that hackers had found security loopholes in Vodafone Sure Signal which could compromise the security of Vodafone's network. This is untrue: the Vodafone network has not been compromised.

The claims regarding Vodafone Sure Signal, which is a signal booster used indoors, relate to a vulnerability that was detected at the start of 2010. A security patch was issued a few weeks later automatically to all Sure Signal boxes.

As a result, Vodafone Sure Signal customers do not need to take any action to secure their device.

We monitor the security of all of our products and services on an ongoing basis and will continue to do so."

Update 2: [07/15/11] Vodafone has taken extra steps beyond its firmware update of last year to ensure no call monitoring/spoofing is possible from hacked Sure Signal boxes. The carrier is now blocking network access to any units which do not upgrade to the most recent firmware. That means, if you have an old Sure Signal, as soon as you plug it in it should automatically upgrade and then give you network access; if you've hacked your femtocell so as not to update, the unit simply won't work. Vodafone echoes what we pointed out in our original report, which is that the potential for harm was always – given the low range of the Sure Signal – relatively limited:

"We have identified just a handful of devices running software which pre-dates the patch we issued to fix this vulnerability (originally issued in February 2010).

These devices will no longer access our network unless they are carrying the most recent software update. Devices will automatically poll for this update upon being powered up.

The only time a customer could theoretically have been at risk was if they were registered on, and within 50 metres of, a box which the owner had tampered with. This would have required that person to dismantle the device and solder additional components onto it, as well as taking the conscious decision to prevent the device from receiving our automatic software updates."

Update 3: After further allegations by THC regarding the effectiveness of Vodafone's fix, the carrier has given SlashGear a further comment:

"The design of the Vodafone Sure Signal is based on and conforms with the industry 3GPP femtocell standards. Therefore, claims that it violates the security requirements for 3G/UMTS are completely untrue.

In addition to this, the device has been and continues to be rigorously tested by Vodafone, our partners and independent security experts. As a result of this, we can say with confidence that Vodafone Sure Signals currently in operation are not vulnerable to the reported exploits."

[via cellular-news]