
The Hacker’s Choice (
http://www.thc.org) announced a security problem with Vodafone’s Mobile Phone Network today.
An attacker can listen to _any_ UK Vodafone customer’s phone call.
An attacker can exploit a vulnerability in 3G/UMTS/WCDMA – the latest and most secure mobile phone standard in use today.
THC was not immediately available for comments but an associated member of the group commented that ‘the problem lies within Vodafone’s Sure Signal / Femto equipment’.
A Femto Cell is a tiny little home router which boosts the 3G Phone signal. It’s available from the Vodafone Store to any customer for 160 GBP.
THC managed to reverse engineer – a process of revealing the secrets – of the equipment. THC is now able to turn this Femto Cell into a full blown 3G/UMTC/WCDMA interception device.
Eduart Steiner, Senior Security Researcher, explains the details to us:
“A Femto is linked to the Vodafone core network via your home Internet connection. The Femto uses this access to retrieve the secret key material of a Vodafone customer who wants to use the Femto.”
“The Femto can only be used by the person who purchased the femto. At least that is what Vodafone tells you.”
“THC found a way to circumvent this and to allow any subscriber – even those not registered with the Femto – to use the Femto. They turned it into an IMSI grabber.”
“The second
vulnerability is that Vodafone grants the femto to the Vodafone Core Network HLR /AuC which store the secret subscriber information. This means an attacker with
administrator access to the Femto can request the secret key material of a
UK Vodafone Mobile Phone User”.

This is exactly what happened. The group gained administrator access to the Femto. An attacker can now retrieve the secret key material of other Vodafone customers.
This secret key material enables an attacker to listen to other people’s phone calls and to impersonate the victim’s phone, to make phone calls on the victim’s cost and access the victim’s voice mail.
The easiness at how fast THC was able to get to these secrets is shocking. “This is clearly a design flaw by Vodafone.” says Eduart Steiner. “It is disgusting to see that a major player like Vodafone chooses ‘newsys’ as the administrator password, thus allowing anyone to retrieve secret data of other people”.
In light of recent the Phone Hacking Scandal involving the News of the World the question has to be asked if Vodafone should be held liable for not protecting their customers adequately.
Who is liable if the brakes on my car malfunction? The drive or the manufacture? Or the guys who tell us how insecure they are?
Vodafone was not available to comment.
There’s an update from vodafone.co.uk, you can see at comments section below.
Share this article if you found it was useful: