Aug 10, 2011 17:09 GMT  ·  By

After serious vulnerabilities were discovered in Vodafone UK femtocells, security researchers found that similar products from other telecom operators can also be hijacked to intercept phone calls.

Femtocells are cellular base stations designed to improve 3G coverage in homes or offices by routing local traffic over Internet broadband connections.

Last month, a group called The Hacker's Choice (THC) published information about vulnerabilities in Vodafone UK's Sure Signal product which allowed attackers to transform the femtocells into call interception devices.

Vodafone said the vulnerabilities were known for over a year and a firmware upgrade had been available for just as long. The company forced an upgrade onto users who still hadn't deployed the update.

A team of security researchers made up of Ravishankar Borgaonkar, Nico Golde and Kevin Redon presented similar issues at Black Hat, but in a femtocell product distributed by SFR, the second-largest French mobile carrier.

The researchers discovered that devices manufactured by Ubiquisys have a special function which allows SFR support engineers to push firmware remotely. This is probably intended to prevent on-site interventions.

However, this happens without authenticating the update servers, which allows an attacker to mount a man-in-the-middle attack and serve rogue firmware to the devices. SFR responded to the problem by signing firmware images; however, the key can easily be retrieved from the configuration file.

"The images are signed, but the public key can be provided in the configuration file (which is not signed). We were able to analyse the procedure because an unencrypted recovery image could be retrieved. This has been fixed, but we now have the tools to decrypt them," the researchers told The Register.
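The trust-anchor mistake the researchers describe, as an added illustration (not code from SFR, Ubiquisys or the researchers): a verifier that takes its public key from the unsigned configuration accepts any image whose sender also controls that configuration, while a verifier with the vendor key pinned in the device does not. The key seeds, image bytes and function names are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
)

// Constructed illustration: seeds, image bytes and names below are
// assumptions for this example, not SFR or Ubiquisys code.

// Update as received from the update server (or from a MITM in its place).
type Update struct {
	Image     []byte // firmware image
	Signature []byte // Ed25519 signature over Image
	ConfigKey []byte // public key carried in the unsigned configuration
}

var (
	vendorPriv   = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x01}, 32))
	attackerPriv = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x02}, 32))
	// Trust anchor fixed at manufacture: the only key the hardened check uses.
	pinnedVendorKey = vendorPriv.Public().(ed25519.PublicKey)
)

// Sign builds an update exactly as the holder of priv would ship it,
// including its own public key in the (unsigned) configuration.
func Sign(priv ed25519.PrivateKey, image []byte) Update {
	return Update{
		Image:     image,
		Signature: ed25519.Sign(priv, image),
		ConfigKey: priv.Public().(ed25519.PublicKey),
	}
}

// VerifyWithConfigKey reproduces the flaw the article describes: the
// signature is checked, but only against whichever key the unsigned config
// supplies, so whoever can replace the config can also replace the key.
func VerifyWithConfigKey(u Update) bool {
	if len(u.ConfigKey) != ed25519.PublicKeySize {
		return false // ed25519.Verify panics on a malformed key
	}
	return ed25519.Verify(ed25519.PublicKey(u.ConfigKey), u.Image, u.Signature)
}

// VerifyPinned ignores the config and checks against the burned-in key.
func VerifyPinned(u Update) bool {
	return ed25519.Verify(pinnedVendorKey, u.Image, u.Signature)
}
```

Both checks reject an image modified after signing; the difference is only that the pinned check also rejects an image signed under a key that was never the vendor's.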

The main issue here is that such flaws are likely to be found in similar products from other operators, and next time it might not be well-intentioned researchers who discover them. "This is definitely not only a problem limited to one operator," Nico Golde concluded.