Must be a significant hack
Even a modified firmware.
Voda's Femtocells check with Vodafone whether the phone has been registered to use it before allowing access. The hackers must also have had to compromise that process.
Security researchers claim to have uncovered a serious security hole in Vodafone's mobile network. Security shortcomings in the femtocell technology supplied by the mobile phone giant create a means to extract information that would allow hackers to intercept calls or impersonate users that connect through a compromised device …
Methodology is at http://wiki.thc.org/vodafone.
It doesn't use a modified firmware, and the Femtocell doesn't check with VF prior to the call being made that the phone is authorised. Instead, it relies on a local list of authorised phones (that I assume are pushed to it from VF upon updates). As discussed in section 8.2.1 of the methodology, you can completely disable checking of this list anyway, which effectively allows the device to run promiscuously.
The fact that most if not all handsets were basically at the mercy of whichever strange base station AND that it wasn't all that hard to set up your own rogue base station AND make just about all phones in the vicinity connect to it has been known for quite a while. The police (or possibly whichever secret services) did it first, of course, but any person with reasonable technical skill could do it, and it's only become easier with the availability of open base station software.
So this isn't really something new, though easier to obtain and cheaper than previous approaches. As a result, I wouldn't call it "major". We've just had rebels take over an entire country's mobile infrastructure. Now THAT would be MAJOR.
What's much more interesting is that the network will inevitably grow more open and as such we're all walking around with the equivalent of unpatched Windows XP on a hostile internet without any firewall, and moreover, the security people know this and nobody is doing anything whatsoever about it. It's not about these rather insignificant femtocell things. It's about the nature of the network.
<wanders off, mumbling about security scares, clueless hacks, and so on, and so forth>
Paris, for shurely she knows what to do with a cellfone.
Well, firstly you'd have to make your own femto-cell, or steal one and modify it. Then you'd also have to carry it around with you wherever you went, or cough up for hundreds of dodgy femto-cells just to cover a small town (and that's if you do femto-to-femto-cell transmissions, otherwise you have to invest in a complete network of mobile masts - just slightly obvious). Anyone buying enough kit to make even a small network would be flagged up on a simple check of equipment suppliers' databases. Secondly, a femto-cell has to connect back to the operator (in this case, VF) by a DSL or cable link in order to complete the call or rip off another user's account, so the appearance of a new and unexplained femto-cell connecting to the VF system would probably set the alarm bells ringing. The hundred required for your small network would be downright obvious.
Sucks to be a twit, doesn't it?
This kind of story tends to go viral and creates untold issues for Industry Professionals. Femtocells haven't really achieved the promised sales they've hinted at in recent years - this certainly won't help their case.
Watch Ericsson jump all over this also.
Shame + Big Fail Sagem
Much better for the insecure nature of what is being attempted here to be exposed before there are femtocells everywhere, we've all become dependent upon them and we're told the hardware or firmware or both can't be upgraded to fix the problem. There are still WEP WiFi networks advertising themselves on my street in a similar position whose owners probably wouldn't appreciate plod kicking their door down at 4am, taking away all their computers for extended forensic analysis and being accused of illegal downloads which they know nothing about.
Having a network in which all the routing nodes are inside physically secure premises is a very different beast from a network where anyone can buy an off the shelf routing base-station node and plug it in.
".....but I do wonder why in a more densely populated area one would need a femtocell in the first place." Radio reception can be affected by buildings. A colleague bought a 3G dongle for his laptop, only to find he could only get a 3G signal in his upstairs toilet! Even town centres can have radio blackspots, often inside building structures. For many malls and superstores, being labelled a mobile blackspot is a no-no, so they pay out for femto-cells. Some out-of-town areas are also blackspots, such as remote theme parks, so they pay for femto-cells to give their customers mobile access whilst onsite.
Additionally, better coverage means lower power transmissions all round (higher power being used to improve coverage in areas of high attenuation) which saves power at the station and your phone and would placate those that are not happy with the signal strength of current base stations.
If it could be made to work securely, it's a good idea.
"All these hacks would only work once a victim had been tricked into using a compromised base station, something that can happen automatically, but only over a short distance of around 50m, within range of the device."
If the mountain does not come to Mohammed, Mohammed comes to the mountain.
So once again, what is the problem for me to use mobile broadband from let's say 3 (and a VPN to mask the IP address) and fish out the details of all the interesting marks?
In any case, this hack is simply a repeat of functionality which most femto device manufacturers sell as special kits to special people. In fact, it has been in use for many years by said special people (usually when hunting someone not as cute as Sandra Bullock(s) who is not pretending to be a hacker).
"...you have to be a chump or really desperate to pay Vodaphone twice to carry their phone traffic for them!"
What happens if you live in the middle of nowhere or a basement etc. and get NO signal from any network? If you did you would happily pay £50 and an insignificant amount of your broadband connection for 5 bars.