Loophole closed, but core architecture still at fault, hacker claims
The hacker that yesterday released details of a femtocell hack is sticking by his claims that Vodafone's Sure Signal is inherently insecure, despite Vodafone's claims to have patched the vulnerability he exploited a year ago.
This week, The Hacker's Choice released into the public domain work it carried out between August 2009 and July 2010. That work claimed to have gained administrative access to the femtocell, and to have used that to gain decryption keys from the Vodafone core network. They then used these keys to decrypt traffic and intercept traffic going through that femtocell.
Vodafone released a statement that said that the claims "relate to a vulnerability that was detected at the start of 2010. A security patch was issued a few weeks later automatically to all Sure Signal boxes." The operator reiterated that its network had not been compromised.
Yet Eduart Steiner, Senior Security Researcher at The Hacker's Choice, told Mobile Europe that Vodafone's patch related only the the manner in which THC had gained administration access to the femtocell. The wider issue, as he sees it, of encryption keys being passed to the Access Point itself, instead of decryption remaining in the core, still remains.
"What Vodafone has fixed is the access vulnerability, but that's not the one we are talking about. We are concerned that the femtocell is retrieving keys from the core architecture. The 3G UMTS architecture is very good, in that key material is never transported to the NodeBs. This femtocell architecture transfers the keys to [the Access Point], and what we are saying is that this must never be done."
So does Steiner think it possible that a new method of gaining access to the femtocell could be found? "Yes. After the access we found they closed that method and somebody else found access using a DHCP exploit. There could still be different methods."
So why has THC released this information now, given that is all based on work that finished a year ago - and even then could only exploit phones that are attached to the femtocell (and that have been registered to do so)?
"There are two reasons. The first is that the Black Hat security conference is taking place soon and we thought if this information is going to come out of the bag we would publish ours first," Steiner said.
"The second reason is that we were in contact with Vodafone in 2009 but we never heard back, but in one year they have only fixed a part of the problem."
Mobile Europe has asked Vodafone for further comment related to Steiner's claims.