A hardware hacking group is claiming to have found a way to turn Vodafone’s Sure Signal Femtocell base stations into hacking devices that can siphon off subscribers’ phone data and then use it to make calls on their account.
The analysis of the Sure Signal product was published on Wednesday by a group calling itself The Hackers Choice (THC). Poor design and an insecure default administrative password may make Sure Signal devices easy prey for hackers, the group warned. Vodafone was not able to respond to a request for comment prior to publication.
Femtocell devices act as personal cell towers for homes and small offices that have spotty 3G coverage. The Linux-based Sure Signal devices from Vodafone have been available for more than a year and are connected through a home or small office broadband connection to Vodafone’s core cellular network. The devices can be acquired for as little as £50 by Vodafone subscribers with active contracts and allow cell phones to establish 3G connections through the Sure Signal device and benefit from increase data and voice speeds.
Shortly after the release of Sure Signal, the hackers who make up THC undertook an extensive analysis of the device, looking for ways to modify it, disable unwanted features (security and otherwise) and see how the device might be vulnerable to attack. The fruits of their labor are contained in a public Wiki and suggest that the Sure Signal Femto devices are hardly immune to attacks.
Among other things, THC members found that, by manipulating the netlink interface of a Sure Signal device’s Linux kernel, a malicious Sure Signal owner could intercept and record voice traffic sent through the Sure Signal device -effectively recording cell phone calls.
Further analysis yieleded a method for hijacking a Vodafon users’s cell phone identity and using it to place calls or send SMS text messages that appear to come from the victim’s phone.
In most cases, Vodafone users would need to be tricked into connecting to the rogue Sure Signal device before being attacked. That means they would need to be within 50 meters of the device.
Alternatively, an attacker could take over a Sure Signal device. The default root password for the Vodafone Sure Signal Femto devices was found to be weak and easily guessed, making devices running in the default configuration vulnerable to attack.
Design weaknesses also make the devices subject to manipulation by a skilled and technical attacker. In particular, the THC group noted that Femto cells contain a mini Radio Network Controller (RNC) that can be manipulated to authenticate a victim’s phone to the Vodafone network, but then place calls and send text messages directly from the Femto, all at a cost to the victim.
Vulnerabilities within cell phone networks are increasingly attracting the attention of security researchers. In April, for example, a presentation at the SOURCE Boston security conference showed how the data and GSM information from cell phone users could be exposed in an attack. That attack relied on access the a caller ID database mobile providers use to match the names of subscribers to mobile numbers. The same database that contains the subscriber information for landlines, but most mobile users don’t realize that their data is entered into this repository. The researchers showed how information stored in the database could, for example, be used to determine which mobile phones had been issued to a particular company for use by its employees.
