
Vodafone Femtocells Rooted, Secret Keys Exposed

AmiMoJo writes "Hackers have discovered the root password for Vodafone femtocells, devices that provide the user with a mobile phone signal piggybacked onto their home broadband. The root password was 'newsys.' Once root access is obtained, phones can be forced to connect to the cell and private keys captured, allowing the user to spoof the victim's phone and potentially make calls or send texts on their account, not to mention eavesdrop."
  • Wait, we're still explaining to people on Slashdot what the function of one is?
    • by EdIII ( 1114411 )

      Wait, we're still explaining to people on Slashdot what the function of one is?

      The function of a femtocell is to expand the cellular range of a provider, while providing revenue to the provider instead of being an expense. Additionally, the bandwidth consumed is not on their network (cellular network), but on the customer's bandwidth.

      In the US at least this is abhorrent because the people, through government, granted them so many easements and rights of way, financial incentives, tax breaks, etc.

      Despite how much has been given to them they continue to raise prices, encourage "mystery

      • by EdIII ( 1114411 )

        Ohhhh, and to add insult to injury in this case the dipshits who configured the femtocells set up a 6-character password.

        So now every femtocell they charged a consumer for to get, so they could get better reception and download speeds on their own bandwidth, is not only exposing themselves to danger, but the femtocell itself can be used to wreak havoc on the cellular customers in general.

        I hate to admit this, but part of me wants to laugh hysterically. The only option is to no longer accept connect

  • old news (Score:5, Insightful)

    by shortscruffydave ( 638529 ) on Friday July 15, 2011 @05:10AM (#36772834)
    • Re:old news (Score:4, Informative)

      by EdZ ( 755139 ) on Friday July 15, 2011 @05:41AM (#36772916)
      They 'fixed' it by changing the default password, not by preventing the devices from sniffing and decrypting data from passers by. Break the new password, and the attack still works as before.
    • by kyz ( 225372 )

      http://thcorg.blogspot.com/2011/07/vodafone-hacked-root-password-published.html

      "What we have seen is that Vodafone fixed the way THC gained administrator access to the femto.

      This of course does not fix the core of the problem: The femto transfers key material from the core network right down to the femto."

      • by Rich0 ( 548339 )

        This of course does not fix the core of the problem: The femto transfers key material from the core network right down to the femto."

        I'd say the core of the problem is that authentication credentials ever leave the phone in the first place. Didn't they ever hear of RSA/etc?

        I just don't get it - why doesn't ANYBODY use asymmetric crypto for authentication? And when they do something remotely clever, why don't they ever use a proven off-the-shelf cryptosystem to do it? DRM may be mathematically impossible to achieve, but authentication is something that is completely achievable with the right key infrastructure. And they obviously have

        • by Timmmm ( 636430 )

          Because authentication is done on the SIM card. When GSM was created I doubt they were capable of public key cryptography.

          • by Rich0 ( 548339 )

            Sure, but there was no reason that this couldn't have been upgraded ages ago. Support both protocols in parallel for a few years until tower software is updated.

            Instead, we're going to hit a wall at some point when GSM is completely cracked, and suffer with a ton of issues as a result.

            I would say the problem is the market, but even the NPV of a hit that big is large today. The real problem is that nobody holds managers accountable for the real consequences of failing to take action over the long term. Su

  • Don't you think that the marketing guys are overdoing it with all these S.I. prefixes?

    You couldn't even see a femtocell (10 to the minus 15) in an electron microscope

    • by Rich0 ( 548339 )

      The base unit is parsec, you insensitive clod!

      • The base unit should be "distance light travels in vacuum in 1 cycle of radiation corresponding to the transition between two energy levels of the cesium-133 atom"
        This is the distance light travels in 1/9,192,631,770 second. Light travels at 299 792 458 m/s, so this is 299,792,458 / 9,192,631,770 = 0.0326122557174941 m (=1.28394708 inch).
        That would be a distance that's based on the constants in physics.
        However, if we can't convince the USA to switch to the metric system, how can we ever hope to force
        • However, if we can't convince the USA to switch to the metric system, how can we ever hope to force the complete world to switch?

          The USA does use the metric system. Their military, scientists and medical practitioners do. (Hint: "Click = Kilometer")

          It's only the general populace that is forced into using antiquated and difficult-to-convert-between standards by the USA's school system, and thus parents as well (being that they were taught to use those units too).

          FTWA [wikipedia.org]

          According to the American Central Intelligence Agency's Factbook, the International System of Units is the official system of measurement for all nations in the wor

          • It's only the general populace that is forced into using antiquated and difficult-to-convert-between standards by the USA's school system, and thus parents as well (being that they were taught to use those units too).

            I wouldn't term it as forced.

            For the most part...the avg US citizen can't really see any major benefit to their day-to-day lives switching over vs the bit of upheaval and increased monetary costs it would encounter forcing us to change to metric for everything in our everyday lives.

            I mean,

    • by Megane ( 129182 )
      I think they should start using S.I. prefixes on reward points. They could call them "atto-boys".
  • by improfane ( 855034 ) on Friday July 15, 2011 @05:21AM (#36772858) Journal

    I can't say I am surprised.

    Vodafone are a terrible company. They are one of the most expensive in the UK. They gouge me. I am changing as soon as I can. They claim to offer unlimited texts but if you send a text that is bigger than 160 characters, they charge you. They also don't pay taxes in the UK, they owe 4.8 billion in taxes but our government decided 'to let it go [guardian.co.uk]'.

    Now in the UK we're facing cuts to public services, education, electricity rises. I'm not bitter. Vodafone is a bad business. You should change from them and warn people of the same. Didn't they have something to do with Egypt censorship too?

    Their website is also littered with Java exceptions.

    Vodafone = Incompetent

    • by Inda ( 580031 )
      " if you send a text that is bigger than 160 characters, they charge you."

      How does that work?

      My phone automatically chops messages up into 160 char parts, one SMS message per part. It's not a modern phone either.

      Just curious.

      I use Tesco, btw. I can't fault them.
      • It's likely that the phone is sending the longer messages as MMS or EMS, which is likely NOT covered by the "unlimited text messages" plan.
        • by Timmmm ( 636430 )

          Yeah, Android had (maybe still has) a bug where texts longer than 3*160 are sent as an MMS.

        • My Nokia 1661 does not support MMS.

          Vodafone treat multipart text messages as separate texts on the server side to rip people off. Especially when you consider that it does not charge if you break up a text manually by yourself.

        • That seems weird; the common way to do it is to have an ID embedded in the message so that the receiving device can tell which messages are actually parts of the same longer message.

          The biggest problem with this scheme is when a device receives only part of the message, all phones seem to handle this differently. Some show what they got after a while, others simply chuck it, others still will hang on to the data just in case a matching ID shows up later (which can lead to hilarity since the IDs are far from

      • My phone chops it up into small messages but the 'unlimited' only applies to the first message. I get charged for additional texts if my message spans more than one. It's a money grab because if I break the text manually into two separate texts, I do not get charged.

        This happens on my old W595 (supports MMS) and my current Nokia 1661 (no MMS, no 3G).

  • Isn't that kind of insecure? As in, the sort of thing that you would slap people for setting a root password as?
  • End-to-end (Score:4, Funny)

    by bWareiWare.co.uk ( 660144 ) on Friday July 15, 2011 @05:42AM (#36772928) Homepage
    Why does having root on any cell, let alone a femtocell, give you the ability to impersonate and eavesdrop? They should be simply forwarding the encrypted streams to/from Vodafone; they have no need to interpret or modify them. In fact it would have been trivial to design a phone system where even the operators can't eavesdrop, encrypting each call with the receiver's public key. The first time you rang a new number you would have to trust you were getting the correct public key, but any abuse would be easy to detect and prove. This would mean that voice-mail etc. was only accessible with the original SIM, but that may not be too much of a compromise! You could still require that any phone connecting to the network submits its private keys to law enforcement.
    • by Anonymous Coward

      Are you crazy? Vodafone is notorious for enabling easy and unquestioned access to law enforcement. Any form of encryption would make it harder for them to hand over your data.

    • by drolli ( 522659 )

      It would not be legally trivial, for a number of reasons.

    • by kyz ( 225372 )

      Cell networks have the same need for time-critical end-to-end delivery as fixed line networks, and thus have a very similar architecture. They don't look anything like IP networks.

      Cell sites place calls on behalf of the mobile, and talk with other cell sites to handover calls in progress as the mobile passes through. They have to be trusted to do that.

      GSM encryption works on the basis that the company who issued the SIM card also knows the secret keys inside the SIM card. That way, both ends can synchronise

      • As you say, the cells need to be trusted with the routing and hand-off. Obviously the cell can always block/drop/throttle calls, but that doesn't mean you should trust them with everything.
        To place a call on behalf of a mobile should require a time-limited signed token from the mobile's SIM. Once the call is established it makes no difference if you are routing an unencrypted voice codec or some encrypted data.
        Public-key encryption could simply be used for the initial A5/1 initialization key, the voice data its

        • by Rich0 ( 548339 )

          Mod parent up - either symmetric or public-key encryption requires authentication with some trusted server (is the phone's account activated, etc), and if the central server can hold a copy of a symmetric key it can hold a copy of a public key.

          There is also no need to escrow private keys - the network already needs access to the clear voice conversation and dialing info just to complete the call, and that is all the FBI needs. There is no need to be able to clone phones. Plus, if you wanted to clone a pho
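The THC point quoted above (the femto receives key material from the core) and the end-to-end and public-key comments in this subthread, as an added example that is not from THC, Vodafone or anyone posting here: a constructed Python toy model of GSM-style challenge-response in which HMAC stands in for the SIM's A3/A8 algorithms, comparing a design that ships the full authentication triplet (RAND, XRES, Kc) to the cell with one where the cell only relays the challenge and the response. Class and function names are hypothetical, and real GSM/UMTS signalling is more involved than this.

```python
import hashlib
import hmac
import os

# Toy model of GSM-style SIM authentication (added example; not THC's or Vodafone's code).
# Constructed simplification: HMAC-SHA256 stands in for the SIM's A3/A8 algorithms.
def derive(ki: bytes, rand: bytes, label: bytes) -> bytes:
    return hmac.new(ki, label + rand, hashlib.sha256).digest()[:8]

class Sim:
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self.ki = imsi, ki
    def respond(self, rand: bytes) -> bytes:          # SRES never reveals Ki itself
        return derive(self.ki, rand, b"sres")

class Core:  # operator core: the only party besides the SIM that knows Ki
    def __init__(self):
        self.ki_by_imsi, self.pending = {}, {}
    def provision(self, sim: Sim):
        self.ki_by_imsi[sim.imsi] = sim.ki
    def auth_vector(self, imsi: str) -> dict:
        # Design 1: the whole triplet, session key included, is shipped to the cell.
        rand, ki = os.urandom(16), self.ki_by_imsi[imsi]
        return {"RAND": rand, "XRES": derive(ki, rand, b"sres"), "Kc": derive(ki, rand, b"kc")}
    def new_challenge(self, imsi: str) -> bytes:
        # Design 2: only the challenge leaves the core; XRES and Kc stay here.
        rand = os.urandom(16)
        self.pending[imsi] = rand
        return rand
    def verify(self, imsi: str, sres: bytes) -> bool:
        rand, ki = self.pending.pop(imsi), self.ki_by_imsi[imsi]
        return hmac.compare_digest(sres, derive(ki, rand, b"sres"))

def attach_triplet_pushed_to_cell(core: Core, sim: Sim):
    """Returns (auth ok, names of the secrets now sitting on the cell)."""
    cell_store = core.auth_vector(sim.imsi)              # cell receives RAND, XRES and Kc
    ok = hmac.compare_digest(sim.respond(cell_store["RAND"]), cell_store["XRES"])
    return ok, sorted(cell_store)

def attach_keys_kept_in_core(core: Core, sim: Sim):
    """Same authentication, but the cell only relays the challenge and the response."""
    cell_store = {"RAND": core.new_challenge(sim.imsi)}  # nothing secret reaches the cell
    ok = core.verify(sim.imsi, sim.respond(cell_store["RAND"]))
    return ok, sorted(cell_store)

if __name__ == "__main__":
    core, sim = Core(), Sim("001010123456789", os.urandom(16))  # constructed IMSI and Ki
    core.provision(sim)
    print(attach_triplet_pushed_to_cell(core, sim))   # (True, ['Kc', 'RAND', 'XRES'])
    print(attach_keys_kept_in_core(core, sim))        # (True, ['RAND'])
```

A compromised cell in the second design holds only a one-time challenge, so rooting it does not yield per-subscriber key material; whether the cell can still be trusted with routing and handover is a separate question, as the thread notes.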

  • A 6-digit, all-alpha, all-lowercase password, made from real words.

    While it's entirely possible the password would have been hacked if the password was 16 alpha-numeric-punc chars, it's hard to be sympathetic to Vodafone when they're this sloppy.

  • 'Can everyone hear me now?'
  • Their blog archive goes all the way back to July 2011!

  • I worked for a company that made a security device with a default password for updates. The password was changed, post build, using the asset (serial) number of the device, a label added to the bottom of the device after install, with the default password added to the end of the string. This ensured that every device had a semi-unique password that required physical access to the device for anyone to figure out the first part of the manufacturer password. Not being a dumb ass company, that was not suffic

  • How could a major project at a major public company start without addressing security?

  • Why does anyone ship anything with a six-character password? Why does any website allow them? Eight is barely sufficient given recent GPU-based attacks, and I seriously doubt people who have trouble remembering eight characters have any less trouble with six.
