Working in a research lab devoted entirely to security for wireless and mobility networks, I am becoming much more aware of the security and privacy aspects of wireless communications. In other words, while I was studying digital communications, wireless communications, equalization and channel coding, GSM, UMTS, LTE, etc., I would never think in terms of security.

Now I am aware of many things and I am including the whole security aspect of wireless networks in my passion for this kind of technology. This is why I try to keep myself updated on all kinds of hacks and attacks and I keep an eye on what people present at the BlackHat conference.

Recently, I was told about a big threat created by a popular Vodafone femtocell. A group of hackers demonstrated an attack in which, after gaining root access to the Linux-based femtocell and compromising its IPsec connection, they obtain full control of the device. This allows them to do things no one is supposed to do.

Without going into details, a base station (NodeB in UMTS) communicates with the core network for many reasons, including the identification and authentication of the phones camped in that cell. A base station is supposed to be secure and owned by the provider, so it is able to request encryption keys and perform all kinds of operations with the core network. Basically, a base station is trusted by the network.

I worked for 2 years on a femtocell project and I have to admit that this never occurred to me: when a user installs a femtocell in her/his apartment, you are basically giving one of these trusted base stations to her/him. Not only that, a femtocell is more like a combination of a NodeB and an RNC. And if they manage to hack it and control it, they basically control a full rogue 3G base station that can request all keys and, therefore, eavesdrop on and hijack all connections. They can even send messages that look as if they originated from your phone.

The femtocell contains a Mini-RNC/Node-B which is not a real RNC nor a Node-B. It’s something in between. The mini-RNC can request real encryption keys and authentication vectors for any Vodafone UK customer from the Vodafone core network (like a real RNC). The Vodafone core network still authenticates every single phone (like a Node-B).

Vodafone claims that the security hole was fixed back in 2010 but, still, if somebody did not update the firmware for that femtocell, they basically own a device that presents a great threat to both the network and users’ privacy. Actually, if anyone owns one of those with an old firmware from before the patch, I’d love to get my hands on it. I would be using it in a contained environment without breaking any laws, but the experiments and tests I could run would be very cool!
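The trust problem described above (a home device that the core network treats like an RNC and that can ask for keys for any subscriber) is easiest to see as a missing policy check on the core side. The following Python is an added illustration, not Vodafone's, the hackers' or any 3GPP implementation's code: it models a hypothetical gatekeeper in front of the core-network function that hands out UMTS authentication vectors and CK/IK to a femtocell, and applies three least-privilege checks that the text motivates: the femto must be known and running firmware at or above the patched build (the statements below say unpatched boxes are refused network access), the subscriber must be on that femto's closed subscriber group (the "registered on the box" condition), and a femto sweeping through many distinct subscribers is flagged as anomalous. The IMSIs, femto ids, firmware build numbers and thresholds are constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical build number that carries the fix (constructed; the page only
# says the patch was issued in February 2010).
MIN_PATCHED_FIRMWARE = 201002
# Distinct subscribers a single home femto may request keys for before the
# request pattern is treated as suspicious (constructed threshold).
MAX_DISTINCT_IMSIS = 5


@dataclass
class Femto:
    femto_id: str
    firmware: int
    csg_members: frozenset  # IMSIs in the owner's closed subscriber group


class KeyRequestGate:
    """Policy layer in front of the core function that returns authentication
    vectors / session keys to a femtocell acting as an RNC."""

    def __init__(self, femtos):
        self.femtos = {f.femto_id: f for f in femtos}
        self.seen = defaultdict(set)   # femto_id -> distinct IMSIs attempted
        self.alerts = []               # (femto_id, imsi, reason) for the SOC

    def _deny(self, femto_id, imsi, reason):
        self.alerts.append((femto_id, imsi, reason))
        return False

    def request_keys(self, femto_id, imsi):
        """True if the core should release keys for `imsi` to `femto_id`."""
        femto = self.femtos.get(femto_id)
        if femto is None:
            return self._deny(femto_id, imsi, "unknown femto")
        if femto.firmware < MIN_PATCHED_FIRMWARE:
            return self._deny(femto_id, imsi, "unpatched firmware")
        # Count every attempted IMSI, granted or not: a box that enumerates
        # subscribers is the behaviour we want to see, not hide.
        self.seen[femto_id].add(imsi)
        if len(self.seen[femto_id]) > MAX_DISTINCT_IMSIS:
            return self._deny(femto_id, imsi, "too many distinct IMSIs")
        if imsi not in femto.csg_members:
            return self._deny(femto_id, imsi, "IMSI not in CSG")
        return True

    def alert_counts(self):
        counts = defaultdict(int)
        for _, _, reason in self.alerts:
            counts[reason] += 1
        return dict(counts)


def run_demo():
    """Constructed scenario: one patched home box, one box left on old firmware."""
    gate = KeyRequestGate([
        Femto("femto-home-A", firmware=201003,
              csg_members=frozenset({"234150000000001", "234150000000002"})),
        Femto("femto-tampered", firmware=200912,
              csg_members=frozenset({"234150000000003"})),
    ])
    results = {
        "member_on_patched": gate.request_keys("femto-home-A", "234150000000001"),
        "stranger_on_patched": gate.request_keys("femto-home-A", "234150000000099"),
        "member_on_unpatched": gate.request_keys("femto-tampered", "234150000000003"),
        "unknown_femto": gate.request_keys("femto-rogue", "234150000000001"),
    }
    # Even a patched box that sweeps through many subscribers trips the
    # volume alarm, independently of the CSG check.
    for n in range(10, 20):
        gate.request_keys("femto-home-A", f"2341500000000{n}")
    return results, gate.alert_counts()


if __name__ == "__main__":
    decisions, alerts = run_demo()
    print(decisions)
    print(alerts)
```

The ordering of the checks is deliberate: firmware and identity are verified before any per-subscriber logic, and the distinct-IMSI counter is updated before the CSG check so that a box probing for subscribers it does not serve still accumulates evidence even though every individual request is refused.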

Vodafone’s first statement:

Overnight on July 12, a claim appeared that hackers had found security loopholes in Vodafone Sure Signal which could compromise the security of Vodafone’s network. This is untrue: the Vodafone network has not been compromised.

The claims regarding Vodafone Sure Signal, which is a signal booster used indoors, relate to a vulnerability that was detected at the start of 2010. A security patch was issued a few weeks later automatically to all Sure Signal boxes.

As a result, Vodafone Sure Signal customers do not need to take any action to secure their device.

We monitor the security of all of our products and services on an ongoing basis and will continue to do so.

And a second statement:

We have identified just a handful of devices running software which pre-dates the patch we issued to fix this vulnerability (originally issued in February 2010).

These devices will no longer access our network unless they are carrying the most recent software update. Devices will automatically poll for this update upon being powered up.

The only time a customer could theoretically have been at risk was if they were registered on, and within 50 metres of, a box which the owner had tampered with. This would have required that person to dismantle the device and solder additional components onto it, as well as taking the conscious decision to prevent the device from receiving our automatic software updates.

Read more about the hacked femtocell here and here.