Vodafone femtos still vulnerable

A hacker collective has refuted Vodafone’s claims that its femtocell service is secure, saying it gained access to customer data regardless of whether those customers used the service.
 
The Hacker’s Choice states that it accessed data on Vodafone’s core network belonging to subscribers not signed up to Sure Signal, and that a fix issued by the carrier was too narrow because it focused only on how the hackers gained administrator rights on the femto boxes.
 
It notes that Vodafone’s security setup breaches 3G security recommendations by transferring “key material from the core network right down to the femto,” and rubbishes the carrier’s assertion that a software update has secured the majority of femtocell boxes, warning users not to “base your security on the fact that the hardware is un-breakable. You know it will fail.”
 
The hackers were responding to two Vodafone statements regarding the security of the femtocell boxes used in Sure Signal – a service designed to boost indoor cell coverage.
 
Vodafone claims it became aware of the problem in February 2010 and quickly issued a software patch via regular automatic updates. A review last week found “a handful of devices running software which pre-dates the patch… These devices will no longer access our network unless they are carrying the most recent software update.”
 
The carrier also claims the risk of being hacked was minimal, requiring the intruder to be within 50m of a box that had been altered with new internal components and whose owner had taken “the conscious decision to prevent the device from receiving our automatic software updates.”