Hackers turn Vodafone's SureSignal into bug

Hackers have published details of what they claim is a way to modify Vodafone's SureSignal femtocell device in order to eavesdrop on private mobile conversations.

The group, which calls itself The Hacker's Choice, has been working on cracking SureSignal since August 2009, but stopped in July 2010 due to a lack of interest in continuing the project. It's not until now that the team have published their findings, at a time when the world is on-edge over mobile phone hacking.

Unlike the 'hacks' allegedly carried out by Murdoch's minions, however, THC's work is the real deal: by modifying the software on a SureSignal femtocell, the team were able to record live telephone conversations as they happened.

The SureSignal is Vodafone's implementation of a femtocell, a small-scale mobile base station used for indoor use. If you get poor reception in your house, you can buy a SureSignal and connect it to your home broadband. Like a full-size base station, it provides a mobile phone signal where your home Internet connection is used as the backhaul.

It's a clever system, and one that is unique to Vodafone in the UK. To prevent the devices from being misused, Vodafone locks the SureSignal device to a list of mobile numbers that the owner wants to allow to route through their Internet connection. While that stops freeloaders, it doesn't make the device much more secure.

In files declassified by the THC earlier this month, a step-by-step guide to modifying a SureSignal femotocell is provided. If carried out correctly, the device becomes a clever bug for any and all Vodafone mobiles within range.

"The sniffer will log all voice telephone calls into a file in AMR12.2 format," the instructions note, before moving on to methods of capturing other data such as SMS contents. A modified SureSignal, the group further claims, can be used to hijack a user's session to make phone calls and send messages for which they will receive the bill.

The modifications suggested by the group are pretty technical, but the THC's wiki covers many of the steps in fine detail. As a result, it's likely that anyone with a reasonable grasp of command-line Linux would be able to carry out the same steps and turn their SureStart into an eavesdropping device.

"Set femtoACLenable from true to false," the instructions read. "The femto will allow any IMSI onto the femto. Careful, you are attracting other people's phones now! Vodafone will find out about it as the victim's phone will now use your femto to place and receive phone calls."

As the group warns, using the device to actively capture mobile traffic is likely to attract Vodafone's attention. Whether that would put someone intent on doing wrong off their chosen course of action is, however questionable.

Combined with a wireless gateway, it would be possible to rig a SureSignal up to a public wireless network - as an example - making the user much harder to trace while ensuring that they will still be able to record their target's conversations.

There are drawbacks to the group's modification work, however. While it's possible to modify the SureSignal to allow any passing Vodafone mobile to make calls - which can be recorded - it's not possible for the mobile to receive any calls, unless the number is officially registered via Vodafone.

Despite these drawbacks offering partial mitigation, it's a serious attack. Our attempts to contact Vodafone's press office have, thus far, failed, and the company has yet to issue a statement. Once we have more information, we will update the story.

UPDATE 15/07/2011 10:12:

Vodafone has issued a statement claiming that the flaw has long been fixed. "Overnight on July 12, a claim appeared that hackers had found security loopholes in Vodafone SureSignal which could compromise the security of Vodafone’s network," the company admits. "We want to reassure our customers that the Vodafone network has not been compromised. The claims regarding Vodafone SureSignal, which is a signal booster used indoors, relate to a vulnerability that was detected at the start of 2010.

"A security patch was issued a few weeks later automatically to all Sure Signal boxes," the company explains. "As a result, Vodafone Sure Signal customers do not need to take any action to secure their device. We monitor the security of all of our products and services on an ongoing basis and will continue to do so."

The company has also claimed that any boxes modified to reject the security update - and thus retain the ability to act as a call-recording bug - will be prevented from connecting to the network, and thus rendered useless.