back to article MAJOR HACK: Voda femtocells open phones up to intercept

Security researchers claim to have uncovered a serious security hole in Vodafone's mobile network. Security shortcomings in the femtocell technology supplied by the mobile phone giant create a means to extract information that would allow hackers to intercept calls or impersonate users that connect through a compromised device …


This topic is closed for new posts.
  1. Gordon 10

    Must be a significant hack

    Even a modified firmware.

    Voda's Femtocells check with Vodafone whether the phone has been registered to use it before allowing access. The hackers must also have to compromise that process too.

    1. SamCrawford

      Not a modified firmware

      Methodology is at

      It doesn't use a modified firmware, and the Femtocell doesn't check with VF prior to the call being made that the phone is authorised. Instead, it relies on a local list of authorised phones (that I assume are pushed to it from VF upon updates). As discussed in section 8.2.1 of the methodology, you can completely disable checking of this list anyway, which effectively allows the device to run promiscuously.

  2. Anonymous Coward
    Paris Hilton

    Ho hum. Blah. Humbug.

    The fact that most if not all handsets were basically at the mercy of whichever strange base station AND that it wasn't all that hard to set up your own rogue base station AND make just about all phones in the vicinity has been known for quite a while. The police (or possibly whichever secret services) did it first, of course, but any person with reasonable technical skill could do it, and it's only become easier with the availability of open base station software.

    So this isn't really something new, though easier to obtain and cheaper than previous approaches. As a result, I wouldn't call it "major". We've just had rebels take over an entire country's mobile infrastructure. Now THAT would be MAJOR.

    What's much more interesting is that the network will inevitably grow more open and as such we're all walking around with the equivalent of unpatched windows XP on a hostile internet without any firewall, and moreover, the security people know this and nobody is doing anything whatsoever about it. It's not about these rather insignificant femtocell things. It's about the nature of the network.

    <wanders off, mumbling about security scares, clueless hacks, and so on, and so forth>

    Paris, for shurely she knows what to do with a cellfone.

  3. StickyBit

    Please don't tell ...

    Newscorp ...

  4. dogged
    Thumb Up


    Bound by an O2 contract, no signal in the house, O2 won't do femto.

    This means I can go buy a Voda femto, hack it and all our problems are solved!

  5. Anonymous Coward
    Anonymous Coward

    Femtocells are also a nice hole

    to hack into the mobile company's SS7 network (and from there the rest of the world) as shown in recent security conferences.

    Nice presentation here:

  6. Anonymous Coward


    posted by an anonymous node....

    sucks to now be in the secret service or any other agency looking to hunt down dodgy terrorists/ or NewsCorp Hack's,

    they can now use thier own dodgy phones on thier own dodgy network node..(ANYWHERE)!.

    1. Just Thinking


      What's the point in posting as AC if you consistently mis-spell their? You might as well call yourself Thier.

    2. Matt Bryant Silver badge

      RE: HAHAHAHAHAAHA!!!....

      Well, firstly you'd have to make your own femto-cell, or steal one and modify it. The you'd also have to carry it around with you wherever you went, or cough up for hundreds of dodgy femto-cells just to cover a small town (and that's it you do femto-to-femto-cell transmissions, otherwise you have to invest in a complete network of mobile masts - just slightly obvious). Anyone buying enough kit to make even a small network would be flagged up on a simple check of equipemnt suppliers' databases. Secondly, a femto-cell has to connect back to the operator (in this case, VF) by a DSL or cable link in order to complete the call or rip off another user's account, so the appearance of a new and unexplained femto-cell connecting to the VF system would probably set the alarmbells ringing. The hundred required for your small network would be downright obvious.

      Sucks to be a twit, doesn't it?

  7. Simon Coyne

    re: News Int

    Where do you think the technical details came from?

  8. Anonymous Coward
    Big Brother

    FemtoForum won't be pleased

    This kind of story tends to go viral and creates untold issues for Industry Professionals. Femtocells haven't really achieved the promised sales they've hinted at in recent years - this certainly won't help their case.

    Watch Ericsson jump all over this also.

    Shame + Big Fail Sagem

    1. Anonymous Coward
      Anonymous Coward

      Better to find out sooner rather than later

      Much better for the insecure nature of what is being attempted here to be exposed before there are femtocells everywhere, we've all become dependent upon them and we're told the hardware or firmware or both can't be upgraded to fix the problem. There are still WEP WiFi networks advertising themselves on my street in a similar position whose owners probably wouldn't appreciate plod kicking their door down at 4am, taking away all their computers for extended forensic analysis and being accused of illegal downloads which they know nothing about.

      Having a network in which all the routing nodes are inside physically secure premises is a very different beast from a network where anyone can buy an off the shelf routing base-station node and plug it in.

  9. Anonymous Coward
    Anonymous Coward

    well once you have root

    The new SS are Alcatel Lucent badged rather than Sagem, they are also only £50 now...

    It's certainly a "clever" hack.

  10. Jean-Paul

    Ah well

    Where I live you'd need a long power extension lead and network cable as no other property is within at least 200m.

    I know it is not perfect security, but I do wonder why in a more densly populated area one would need a femtocell in the first place.

    1. Matt Bryant Silver badge

      RE: Ah well

      ".....but I do wonder why in a more densly populated area one would need a femtocell in the first place." Radio reception can be affected by buildings. A colleague bought a 3G dongle for his laptop, only to find he could ony get a 3G signal in his upstairs toilet! Even town centres can have radio blackspots, often inside building structures. For many malls and superstores, being labelled a mobile blackspot is a no-no, so they pay out for femto-cells. Some out-of-town areas are also blackspots, such as remote theme parks, so they pay for femto-cells to give their customers mobile access whilst onsite.

      1. Anonymous Coward
        Thumb Up


        Additionally, better coverage means lower power transmissions all round (higher power being used to improve coverage in areas of high attenuation) which saves power at the station and your phone and would placate those that are not happy with the signal strength of current base stations.

        If it could be made to work securely, it's a good idea/

  11. Refugee from Windows

    HM Prison Service

    Come on guys, this is what you've been waiting for. Nick all the lags' credit, than you won't need to keep searching for the illicit phones. Unless you've already done this.

    Nuff said, I'll leave quietly in the van with dark windows.

  12. Anonymous Coward

    Wahey, Davey Cameroon beware

    isn't Dave-O a big Yoda customer / supporter? Seen photos with him and their CEO &/or COO so I'm sure Dave-O's happy and safe....NOT(w).....

  13. Ilgaz

    Must be accident

    If you ask Greeks about Vodafone, they will assure you that this bug must be an accident.

  14. Colin Miller


    Does this work if you have roaming turned off? i.e. Do the femtocells act as a Vodafone cell, or just a vodafone-partner cell, like how t-mobile and orange allow their customers to use each others cells?

  15. Anonymous Coward

    Completely out of date

    THC hack is completely out of date - it is based on a very early hardware and firmware version which has long since been hardened against such trivial hacking techniques.

    BTW Please don't call a hackers website 'Security researchers'

    1. Anonymous Coward


      A visitor from Vodafone PR deptartment trying to put a lid on the can of worms!

  16. Anonymous Coward

    If the mountain does not come to Mohammed, Mohammed comes to the mountain.

    "All these hacks would only work once a victim had been tricked into using a compromised base station, something that can happen automatically, but only over a short distance of around 50m, within range of the device."

    If the mountain does not come to Mohammed, Mohammed comes to the mountain.

    So once again, what is the problem for me to use mobile broadband from let's say 3 (and a VPN to mask the IP address) and fish out the details of all the interesting marks?

    In any case, this hack is simply a repeat of functionality which most femto device manufacturers sell as special kits to special people. In fact, it has been in use for many years by said special people (usually when hunting someone not as cute than Sandra Bullock(s) who is not pretending to be a hacker).

  17. Anonymous Coward
    Anonymous Coward

    Femto cells haven't taken off because... have to be a chump or really desperate to pay Vodaphone twice to carry their phone traffic for them!

  18. This post has been deleted by its author

  19. Anonymous Coward

    What happens?

    " have to be a chump or really desperate to pay Vodaphone twice to carry their phone traffic for them!"

    What happens if you live in the middle of nowhere or a basement etc. and get NO signal from any network? If you did you would happily pay £50 and an insignificant amount of your broadband connection for 5 bars.

This topic is closed for new posts.

Other stories you might like