Security group claims Vodafone femto hack enables call interception

The Hacker’s Choice, a body that describes itself as a non-commercial security group that “aims at analyzing and preventing novel, emerging security problems”, has published details of a hack it says it has carried out on Vodafone’s Sure Signal femtocell that could lead to calls being intercepted and listened to.

The group claims that unlike in a normal UMTS network, where encrypted data is sent from a phone through the network to the RNC where it is decrypted, the femto itself contains a “mini RNC”, meaning that the decryption key value is sent from the core network to the femto itself. It is this aspect that the group claims could lead to the ability to intercept and listen to calls.

A brief note on the home page of THC’s website said:
“Vodafone customers are exposed to phone tapping. THC reveals secrets of Vodafone’s insecure Femto equipment. Crappy and braindead design of femto puts customers at risk. Problem can not be fixed by hardening femto. Redesign (e.g. removing mini RNC from the femto) is the only secure way forward. Vodafone urget to improve security. 3G/UMTS/WCDMA has such nice security features. Shame to see how one operator can f*ck it up so badly…”

The group claims that by exploiting the Sagem femtocell’s connection to Vodafone’s core network, HLR and authentication systems, it has been able to prove that a hacked femtocell could:

  • Intercept and listen to traffic
  • Commit fraud by placing calls or SMS using somebody else’s SIM
  • Tunnel back to the UK, using he femtocell anywhere in the world
  • Attract other mobile phones to the femtocell

THC said that the main vulnerability it exploited is the femto’s ability to request encryption keys from the core network.

The groups article on the subject claimed: “The Femto cell contains a Mini-RNC/Node-B which is not a real RNC nor a Node-B. It’s something inbetween. The mini-RNC can request real encryption keys and authentication vectors for any vodafone UK customer from the vodafone core network (like a real RNC). The vodafone core network still authenticates every single phone (like a Node-B).”

The hack also involved some hardware elements, for example physically removing the Sagem HILO Module, to disable tracking.

Hacks like these can prove existing security design, or implementation flaws. They don’t mean it’s likely that the millions of femto users that exist are likely to equip themselves with some soldering irons, fairly deep knowledge of system code and protocols, and start listening in to calls.

But Vodafone at least seems to have some questions to answer.

A THC blog on the hack can be read here: http://thcorg.blogspot.com/2011/07/vodafone-hacked-root-password-published.html

The full details of the hack are here: http://wiki.thc.org/vodafone