Vodafone femtocell hack lets intruders listen to calls
Researchers have claimed Vodafone’s Sure Signal femtocells can be adapted to listen to mobile phone calls and to intercept text messages made by customers.
Intruders can also use the femtocells to hijack a number and make calls and send SMS messages from that number, The Hackers Choice (THC) said on Wednesday.
Vodafone Sure Signal femtocells are small base stations, costing as little as £50, that people can put in their houses so they have mobile coverage in areas of poor reception. The femtocells can be reverse-engineered and turned into a device that intercepts mobile communications from any UK Vodafone subscriber, according to the researchers.
“THC is now able to turn this femtocell into a full-blown 3G/[UMTS]/W-CDMA interception device,” the group said in a blog post.
Once you have root access to the internal Linux that drives the femtocell, you can do all the attacks that we described.
– ‘Eduart Steiner’
The femtocell has to be within 50 metres of a mobile phone for it to be used to listen to traffic, a group member going by the pseudonym ‘Eduart Steiner’ said in the blog post.
The group gave a detailed technical account of how they modified the device, which entailed altering the hardware and hacking the software.
The researchers said the root administrator password for the embedded Linux running on Sure Signal femtocells is “newsys”. The group reverse-engineered the administrator password by extracting the firmware from the femtocell and looking through it.
“Once you have root access to the internal Linux that drives the femtocell, you can do all the attacks that we described,” Steiner told ZDNet UK.
In addition to listening in to mobile communications, the modified device could be used for call fraud. This is where a phone owner is billed for calls or SMS messages made by the intruder. In addition, an attacker can access the voicemail on a target device.
IPSec protocol
Steiner told ZDNet UK that data passing between the femtocell and Vodafone’s core network is encrypted using a protocol suite called IPSec. Once an attacker has the root password they have admin access, which means they can retrieve IPSec details.
Once the IPSec details are known, they can be used to decrypt the internet traffic between the femtocell and the Vodafone core network, according to Steiner. This traffic contains the RTP (Real-time Transport Protocol) voice stream, which is used by VoIP, and all 3G/UMTS signalling, including SMS messages.
Sign up to ZDNet UK’s daily newsletter and get all the latest tech news as well as an app recommendation of the day, hand-picked by our editorial team
In addition, data traffic sent over the air between the femtocell and the mobile phone is protected using 3G/UMTS encryption, according to Steiner. This encryption material is requested by the femtocell from the Vodafone core network via IPSec.
“Because we can decrypt IPSec, we also see the secret 3G/UMTS key material,” Steiner told ZDNet UK.
THC, which was set up in Germany in 1995, first started researching Sure Signal femtocells in August 2009. It halted this research on 14 July, 2010 and decided not to publish its results immediately, in part to give Vodafone time to come up with a solution, according to Steiner. Vodafone may have fixed the loophole that let THC gain root access, Steiner said, but he did not know for certain. There are other known ways to get that access, the researcher added.
The group decided to make its findings public because a separate group of researchers — Ravishankar Borgaonkar, Nico Golde and Kevin Redon — are expected to talk about femtocell hijacking at the Black Hat security conference at the end of July in Las Vegas.
Vodafone had not responded to a request for comment at the time of writing.
By on 15/07/2011