
Vodafone claims Sure Signal femto fix but hacking concerns persist

by Phil Muncaster

15 Jul 2011


Vodafone claims to have patched a flaw in its Sure Signal femtocell product which could allow users to listen to other Vodafone UK users' calls and voicemails, but researchers suggest that the underlying vulnerability still exists.

The Hacker's Choice explained in a blog post and wiki on Wednesday that it had managed to reverse-engineer the equipment, which acts as a home router to boost a mobile phone's 3G signal when indoors, and turn it into a "full blown 3G/UMTS/WCDMA interception device".

The group said that it found two main flaws. The first allows anyone, not just registered customers, to use the femtocell device, while the second turns it into an International Mobile Subscriber Identity grabber for any phone within 50 metres.

Vodafone explained in a statement that the claims relate to a vulnerability "that was detected at the start of 2010".

"A security patch was issued a few weeks later automatically to all Sure Signal boxes," it continued. "As a result, Vodafone Sure Signal customers do not need to take any action to secure their device."

The mobile operator said in a posting on its eForum site that only a handful of devices have been identified as running software which pre-dates the patch.

"The only time a customer could theoretically have been at risk was if they were registered on, and within 50 metres of, a box which the owner had tampered with," Vodafone said.

"This would have required that person to dismantle the device and solder additional components onto it, as well as taking the conscious decision to prevent the device from receiving our automatic software updates."

However, in an update to the original blog post, The Hacker's Choice claims that Vodafone's fix only addresses how it gained administrator access to the femto and not the core problem.

"The femto transfers key material from the core network right down to the femto. This is in gross violation of the 3G/UMTS security recommendation which clearly states that the 3G/UMTS encryption should go all the way up to the core network," it said.

"The Hacker's Choice retrieved key material from the core Vodafone network from customers not registered to the femto."

Vodafone disagreed, however, saying that the Sure Signal's design conforms with 3GPP femtocell standards.

"In addition to this, the device has been and continues to be rigorously tested by Vodafone, our partners and independent security experts," the firm added.

"As a result of this, we can say with confidence that Vodafone Sure Signals currently in operation are not vulnerable to the reported exploits."

Do you agree?

 
