The Hacker's Choice, a body that describes itself as a non-commercial security group that "aims at analyzing and preventing novel, emerging security problems", has published details of a hack it says it has carried out on Vodafone's Sure Signal femtocell that could lead to calls being intercepted and listened to.
The group claims that unlike in a normal UMTS network, where encrypted data is sent from a phone through the network to the RNC, where it is decrypted, the femto itself contains a "mini RNC", meaning that the decryption key value is sent from the core network to the femto itself. It is this aspect that the group claims could lead to the ability to intercept and listen to calls.
A brief note on the home page of THC's website said:
"Vodafone customers are exposed to phone tapping. THC reveals secrets of Vodafone's insecure Femto equipment. Crappy and braindead design of femto puts customers at risk. Problem cannot be fixed by hardening femto. Redesign (e.g. removing mini RNC from the femto) is the only secure way forward. Vodafone urged to improve security. 3G/UMTS/WCDMA has such nice security features. Shame to see how one operator can f*ck it up so badly…"
The group claims that by exploiting the Sagem femtocell's connection to Vodafone's core network, HLR and authentication systems, it has been able to prove that a hacked femtocell could:
- Intercept and listen to traffic
- Commit fraud by placing calls or SMS using somebody else's SIM
- Tunnel back to the UK, using the femtocell anywhere in the world
- Attract other mobile phones to the femtocell
THC said that the main vulnerability it exploited is the femto's ability to request encryption keys from the core network.
The group's article on the subject claimed: "The Femto cell contains a Mini-RNC/Node-B which is not a real RNC nor a Node-B. It's something in between. The mini-RNC can request real encryption keys and authentication vectors for any Vodafone UK customer from the Vodafone core network (like a real RNC). The Vodafone core network still authenticates every single phone (like a Node-B)."
The hack also involved some hardware elements, for example physically removing the Sagem HILO Module, to disable tracking.
Hacks like these can prove that security design or implementation flaws exist. They don't mean that the millions of existing femto users are likely to equip themselves with soldering irons and a fairly deep knowledge of system code and protocols, and start listening in to calls.
But Vodafone at least seems to have some questions to answer.
A THC blog on the hack can be read here: http://thcorg.blogspot.com/2011/07/vodafone-hacked-root-password-published.html
The full details of the hack are here: http://wiki.thc.org/vodafone