A vulnerability that allows hackers to convert a Sure Signal femtocell into a call interception device has prompted Vodafone UK to force all users to perform a firmware upgrade.
The Internet was abuzz yesterday with news about how a group called The Hacker's Choice (THC) published information that would allow people to use modified Sure Signal devices to record other people's phone calls.
Sure Signal is an indoor cellular base station sold by Vodafone UK and designed to boost signal in areas with bad reception.
Such devices are known as femtocells and work by routing communications over broadband connections. They can service a limited number of cell phones over a restricted distance.
It turns out that at the time when THC chose to make its research public, the exploited vulnerability had been patched for over a year.
"The claims regarding Vodafone Sure Signal, which is a signal booster used indoors, relate to a vulnerability that was detected at the start of 2010. A security patch was issued a few weeks later automatically to all Sure Signal boxes," Vodafone UK said in a statement, according to SlashGear.
Most users have since upgraded their boxes, but to make sure that no one remains vulnerable, Vodafone killed the ability of femtocells with unpatched firmware to connect to its network.
This is the exact solution we suggested yesterday, and it leaves Sure Signal hackers with two options: either they upgrade or they can't use their device in a meaningful way.
Sony took a similar approach after the PS3 was hacked and its secret key was leaked on the Internet. The company released a patched firmware and prevented consoles from connecting to the PlayStation Network until they were upgraded.
"We have identified just a handful of devices running software which pre-dates the patch we issued to fix this vulnerability (originally issued in February 2010). These devices will no longer access our network unless they are carrying the most recent software update. Devices will automatically poll for this update upon being powered up," Vodafone UK explained.