Hackers claim to have successfully re-engineered a standard piece of consumer hardware, available from the Vodafone store, to intercept calls and gain administrator access to other users' accounts.

The Hacker’s Choice (THC) said in a blog post (http://thcorg.blogspot.com/2011/07/vodafone-hacked-root-password-published.html) that their engineers managed to reverse engineer a Femto Cell into a full-blown 3G/UMTS/WCDMA interception device.

A Femto Cell is a tiny home router which boosts the 3G phone signal. It is available from the Vodafone Store to any customer for 160 GBP, said THC.

THC said that engineers exploited a design flaw and got full control of the Vodafone UK network.

Senior Security Researcher Eduart Steiner said, "A Femto is linked to the Vodafone core network via your home Internet connection. The Femto uses this access to retrieve the secret key material of a Vodafone customer who wants to use the Femto."

"The Femto can only be used by the person who purchased the femto. At least that is what Vodafone tells you."

"THC found a way to circumvent this and to allow any subscriber – even those not registered with the Femto – to use the Femto. They turned it into an IMSI grabber."

The hackers also found another vulnerability in Vodafone’s network which led them to the database that stores secret subscriber information.

"The second vulnerability is that Vodafone grants the femto to the Vodafone Core Network HLR/AuC which store the secret subscriber information. This means an attacker with administrator access to the Femto can request the secret key material of a UK Vodafone Mobile Phone User," Eduart Steiner said.

THC has said that the group has gained administrator access to the Femto and that they can retrieve the secret information of other Vodafone customers.

The group also revealed that Vodafone uses the same ‘newsys’ administrator password across all devices.

With the administrator password, one can listen to other people’s phone calls, impersonate the victim’s phone to make phone calls at the victim’s expense, and access the victim’s voicemail, said THC.

The group said engineers were shocked to see how easy it was to break into the network of Vodafone UK.

"This is clearly a design flaw by Vodafone," says Eduart Steiner.

"It is disgusting to see that a major player like Vodafone chooses ‘newsys’ as the administrator password, thus allowing anyone to retrieve secret data of other people."