VODAFONE PHONE HACKING SCANDAL
*** SEE BOTTOM REGARDING VODAFONE'S STATEMENT TO OUR ATTACK ***
The Hacker's Choice (http://www.thc.org
) announced a security problem with Vodafone's Mobile Phone Network today.
An attacker can listen to UK Vodafone mobile phone calls.
An attacker can exploit a vulnerability in 3G/UMTS/WCDMA - the latest and most secure mobile phone standard in use today.
THC was not immediately available for comments but an associated member of the group commented that 'the problem lies within Vodafone's Sure Signal / Femto equipment'.
A Femto Cell is a tiny little home router which boosts the 3G Phone signal. It's available from the Vodafone Store to any customer for 160 GBP.
THC managed to reverse engineer - a process of revealing the secrets - of the equipment. THC is now able to turn this Femto Cell into a full blown 3G/UMTC/WCDMA interception device.
Eduart Steiner, Senior Security Researcher, explains the details to us:
"A Femto is linked to the Vodafone core network via your home Internet connection. The Femto uses this access to retrieve the secret key material of a Vodafone customer who wants to use the Femto."
"The Femto can only be used by the person who purchased the femto. At least that is what Vodafone tells you."
"THC found a way to circumvent this and to allow any subscriber - even those not registered with the Femto - to use the Femto. They turned it into an IMSI grabber. The attacker has to be within 50m range of the UK Vodafone customer to make the customer's phone use the attacker's femto."
"The second vulnerability is that Vodafone grants the femto to the Vodafone Core Network HLR /AuC which store the secret subscriber information. This means an attacker with administrator access to the Femto can request the secret key material of a UK Vodafone Mobile Phone User".
This is exactly what happened. The group gained administrator access to the Femto. An attacker can now retrieve the secret key material of other Vodafone customers.
This secret key material enables an attacker to listen to other people's phone calls and to impersonate the victim's phone, to make phone calls on the victim's cost and access the victim's voice mail.
The easiness at how fast THC was able to get to these secrets is shocking. “This is clearly a design flaw by Vodafone.” says Eduart Steiner. “It is disgusting to see that a major player like Vodafone chooses ‘newsys’ as the administrator password, thus allowing anyone to retrieve secret data of other people”.
In light of recent the Phone Hacking Scandal involving the News of the World the question has to be asked if Vodafone should be held liable for not protecting their customers adequately.
Who is liable if the brakes on my car malfunction? The drive or the manufacture? Or the guys who tell us how insecure they are?
Vodafone was not available to comment.
*************** UPDATE REGARDING VODAFONE STATEMENT *********** STATEMENT 1:
Vodafone released a statement that the vulnerability has been fixed in early 2010.
We welcome the effort! We are disappointed by the results!
What we have seen is that Vodafone fixed the way THC gained administrator access to the femto.
This of course does not fix the core of the problem:
The femto transfers key material from the core network right down to the femto.
(This is in gross violation of the 3G/UMTS security recommendation which clearly states that the 3G/UMTS encryption should go all the way up to the core network.)
We would have expected Vodafone to have learned from the PS3, Xbox and pay-tv hacks and done better.
Do not base your security on the fact that the hardware is un-breakable. You know you will fail.
Different methods have since been disclosed to gain administrator access to the femto.STATEMENT 2:
Vodafone states "The Vodafone network has not been compromised."
THC retrieved key material from the core Vodafone network from customers not registered to the femto.
This should not be to hard to understand. Maybe repeating it helps (fingers crossed!):
THC retrieved key material from the core Vodafone network from customers not registered to the femto.STATEMENT 3:
THC informed Vodafone in 2009 about the problem.SUPPORT CITIZENS. SUPPORT FREEDOM. SUPPORT THC.