Vodafone femtocells hacked, root password revealed


As phone systems have evolved over time, the desire to break them and exploit their usage continues to flourish. Just recently, [The Hacker’s Choice (THC)] announced that they had accessed secure data from Vodafone’s mobile phone network last year, via their femtocell product.

The purpose of the femtocell is to extend mobile network coverage to locations where reception might not be ideal, routing calls to Vodafone’s network via IPSec tunnels. [THC] knew that this meant the femtocells required a high level of interaction with the carrier’s traditional mobile network, so they started poking around to see what could be exploited.

After gaining administrative access to the femtocell itself using the root password “newsys”, they found that they were able to allow unauthorized users to utilize the service – a simple ToS violation. However, they also had the ability to force any nearby Vodafone subscriber’s phone to use their femtocell. This enabled them to request secret keys from Vodafone, which they could then use to spoof calls and SMS messages from the victim’s phone without their knowledge.

They have been kind enough to release all of the pertinent information about the hack on their wiki for any interested parties to peruse. Now we’re just wondering how long it takes before stateside carriers’ femtocells are exploited in the same fashion.

[Thanks, kresp0]


  1. Terry says:

    eesh! this could be pretty bad news if the AT&T femtocells get the same treatment.

  2. Jon says:

    But what color is the box that I use to do it?

  3. Gomiboy99 says:
  4. tutnixzursache1 says:

    god damned old! THC is presenting stuff from 2009.

    LAAAME !

  5. Someonecool says:

    I hope that ATT does get hit with this, it would put a nice big smile on my face if they get some problems and have any difficulty whatsoever with this exploit.

  6. Tim says:

    Anyone notice the Vodafone ad below this article! ;)

  7. biozz says:


  8. Anonymous says:

    Nice, but I want GSM/UMTS -> hacked femtocell -> VoIP
    50£ for a Vodafone Sure Signal, anyone buying one?

  9. lobo says:

    Yeah, this is old news and was patched months ago. The ‘gaining root access’ pieces are sound but any risk to Voda’s network is overstated at best.

  10. blue carbuncle says:

    Wow a trusted source MITM attack. Color me impressed :P

    1974 called and wants its “hack” back.

  11. samuel maina says:

    it’s cool

  12. voxellabs says:

    The diagram is wrong; the HLR is interfaced with the SGSN via the Gr interface for MAP signalling, not the GGSN!!

  13. mark says:
