Was the Vodafone Femtocell hack new?
Yesterday, 14 July, news circulated around the internet that The Hacker's Choice had published details on how to use a Vodafone "Sure Signal" femtocell as a 3G phone interception point. The group had published detailed instructions covering how to wire up a serial console to gain access, break into the device and then modify the device's Linux-based software to intercept and decode traffic. The instructions also covered how to remove the location device to stop the network provider confirming the unit's location. The proof-of-concept hack was both impressive and comprehensive.
The only problem, for those who wish to replicate the work, is that the project, according to its own timeline in the document, stopped in July 2010. According to Vodafone, the holes that the group exploited to gain access to the device were closed in a software update. Since July 2010, a new version of femtocells has been deployed by Vodafone and other phone networks, which may or may not be more secure. Vodafone have identified a number of devices running software which predates the patch and have now disabled those devices' access to the Vodafone phone network.
The Hacker's Choice admitted that they did not "know about any femto after Jul 2010" but said that they were more interested in the architectural flaws of the femtocell network, in which secret cell phone network information is requested and sent to the relatively insecure femtocell stations.
The acquisition of root access was not new. Researchers Zack Fasel and Matthew Jakubowski had presented a technique for obtaining root access to femtocells in February 2010 and were looking into techniques to intercept calls by modifying the software on the system.
The researchers at The Hacker's Choice proved that it was possible not just to perform that interception, but also to acquire the network secrets and work out a process which could decode audio messages. Other elements of the hack allowed them to place calls or send SMS messages but have them billed to a target SIM card, to use the femtocell and a server to tunnel calls from outside the UK, and to capture passing mobile phones' IMSI numbers.
The Hacker's Choice point to continued research in the field, including a talk by TU Berlin's SeCT research group at August's Black Hat conference, "Femtocells: A poisonous needle in the operator's hay stack", which will cover a range of attacks that can be performed on end-users and network operators.