Vodafone rejects femtocell security fears, but hackers claim problem still exists

Vodafone's squashed worries about security on its its Sure Signal femtocell, and claimed that the software vulnerability was patched a year ago.

The concern, which spurred a wave of reports within the European technical press, was triggered by a proof-of-concept report released by The Hacker's Choice. This group, which labels itself non-commercial with an aim of analysing and preventing emerging security problems, claimed to have hacked the Sure Signal femtocell to enable calls to be intercepted and monitored.

However, the procedure to reconfigure the femtocell would, according to the report, seem to require considerable engineering skill, and even then only offer limited eavesdropping. Although the hacking occurred last year, it was not made public until last week.

For its part, Vodafone claimed it became aware of the issue early last year, and a software patch was sent to all Sure Signal femtocells a few weeks later. "As a result, Vodafone Sure Signal customers do not need to take any action to secure their device," Vodafone said in a company forum blog. "We monitor the security of all of our products and services on an ongoing basis and will continue to do so." 

"The only time a customer could theoretically have been at risk was if they were registered on, and within 50 metres of, a box which the owner had tampered with," the company said in a statement. "This would have required that person to dismantle the device and solder additional components onto it, as well as taking the conscious decision to prevent the device from receiving our automatic software updates." The Hackers' Choice claimed that they followed this procedure and exposed the vulnerability, according to the Wall Street Journal.

According to Vodafone, Sure Signal femtocells automatically poll for the security update during power-up, and any units not running this new software will be blocked from accessing the network.

However, the Hacker's Choice replied to Vodafone and said the company only corrected the vulnerability which allowed them to obtain root access to the device. "This does not fix the core of the problem" say the group, as reported by The H Security. The group said that important data is transferred from the core network to the femtocell in "gross violation of the 3G/UMTS security recommendation which clearly states that 3G/UMTS encryption should go all the way up to the core network."

For more:
- see this WSJ blog post (sub. req.)
- see this Vodafone Forum blog
- see this Ars Technica article
- see this The Hacker's Choice blog
- see this The H Security article

Related Articles:
Rogue femtocells could be used to steal user data
3G encryption can be broken in 2 hours, 'suggest' security experts
50% of second-hand phones contain PIN numbers and personal messages, claims study
Financial regulator calls for share traders' mobile calls to be taped