Jul 14, 2011 13:22 GMT

A group of hackers known as The Hacker's Choice (THC) has managed to transform Vodafone UK's "Sure Signal" cellular base station product into a device that can intercept other people's calls over 3G/UMTS/WCDMA networks.

Sure Signal is a small cellular base station, also called a femtocell, designed to boost the signal in homes or business offices where cellular reception is bad.

The femtocell communicates with the provider's gateway through a broadband connection and relays the signal from multiple phones. It can be acquired for £50 ($80).

Whenever a mobile user connects to a Sure Signal device, their secret key is retrieved from Vodafone's core network, allowing the 3G communication to happen.

The THC hackers have found two vulnerabilities in the product that allow them to execute the mobile equivalent of ARP spoofing attacks.

One of the security holes allows attackers to force all mobile users within a 50-meter radius to use the femtocell, even though they are not registered with it.

The other vulnerability gives hackers root access to the device, which means they can see the secret keys retrieved by the femtocell. The keys allow listening to other people's phone calls, making phone calls in their name and accessing their voicemails.

With $80 and the information released by THC, anyone can build a 3G call interception device that can be used against Vodafone UK subscribers. The company has not released a comment regarding the security breach yet, but its options to address the problem are limited.

The obvious choice would be to cut all devices off from the network and have their owners bring them in for a mandatory firmware update, or have them do it themselves if the operation is simple enough. The new firmware can contain a fix for the root vulnerability, but this is not a guarantee that a similar flaw won't be found later.