
Vodafone Sure Signal can be hacked as an interception device



hecatae
14th July 2011, 02:15 PM
http://wiki.thc.org/vodafone

The Register have got an article on this, but I find the source far more interesting, for example:


7.2. Call Fraud

The femto can be used to place calls or send SMS on somebody else's SIM card. This means the attacker is not charged for the call/SMS.

The attack:

1. Catch a target phone with your femto cell.
2. Let the target phone register and authenticate via the vodafone core network.
3. From the femto deny all further traffic between the core network and the MS.
4. On the femto send a request to the vodafone core network to place a call.
5. Vodafone will try to authenticate the phone again. Only forward the authentication request and authentication response between the target phone and the core network. Do not forward any call setup or other packets between the phone.

The vulnerability:

1. The Femto cell contains a Mini-RNC/Node-B which is not a real RNC nor a Node-B. It's something in between. The mini-RNC can request real encryption keys and authentication vectors for any Vodafone UK customer from the Vodafone core network (like a real RNC). The Vodafone core network still authenticates every single phone (like a Node-B).

The umts_sniffer program can be adapted to demonstrate call fraud.

and want cheap international calls?


7.3. Tunnelling

Carrying your femtocell with you wherever you go and tunnelling it back to the UK can be very handy, and is simple to do.

We will create an OpenVPN tunnel and then route all traffic to/from the femtocell down it. The far end of the tunnel will take care of NATting out to the Internet.

The femtocell will be on its own private Class C on 192.168.2.0, and the tunnel will use 192.168.1.0.

If your laptop only has one ethernet interface, using a USB to Ether converter such as the EdiMax EU-4206 for the femto 'just works'.

So we now know why Ben won't give up his Sure Signal :D

Ben
14th July 2011, 02:55 PM
Haha! Oh hecatae :p

Interesting... and perhaps a little surprising that we didn't hear of such modifications earlier. By giving us devices that connect into Vodafone's core network, rather than providing us with the usual air interface, there was certainly potential for the Sure Signal boxes to be taken apart and extensively tinkered with. One would have thought, perhaps, that they'd have been operating in some kind of sandbox for security reasons, not connecting to the 'real' Vodafone core network, but that seems not to be the case. It sounds like the potential for mischief is limited, though you could potentially mod one and then take it out and about to intercept unsuspecting traffic, which is scary, but people with them 'in the home' don't have anything to fear so long as someone doesn't switch out their unit with a tainted one.

I wonder if we'll see any follow up on this. I certainly hope so, it's rather curious stuff!

hecatae
14th July 2011, 03:14 PM
8.2. IMSI Catcher

It is possible to attract other mobile phones to log onto the femto cell and use the femto cell. SIM cards that are not registered via the Vodafone gateway webpage are able to place calls through the femto. All incoming calls are directed to voicemail. Outgoing SMS go through but incoming SMS are not delivered to the target phone. SMS from Vodafone directly (like configuration and marketing SMSes) are received by the target SIM.

Calls placed by the target phone are charged to the target SIM.

The only known way to get around this limitation (i.e. attracting a victim's phone and intercepting outgoing _and_ incoming traffic) is to register the victim's phone number with your femto by ringing Vodafone. It is possible to register up to 32 phone numbers per femto.

The database of which IMSIs are allowed on the femto is in /mnt/mainfs/oam_data/dynamic/backup/*.xml. This file is pushed from Vodafone to the AP. The XML file is converted into a database in ../../01010100/Bulkcm.cdb.

To modify and load the new database do the following:

1. Copy the new XML file to /opt/alu/fbsr/oam_data/dynamic/restore/Bulkcm.xml.
2. Restart the fpu1.vx process. It will restart and update the database. Warning: this will reset the firewall rules.

mkdir /opt/alu/fbsr/oam_data/dynamic/restore
cp /mnt/mainfs/oam_data/dynamic/backup/*.xml /opt/alu/fbsr/oam_data/dynamic/restore/Bulkcm.xml
vi /opt/alu/fbsr/oam_data/dynamic/restore/Bulkcm.xml
killall fpu1.vx

Any change you make is persistent and will survive reboots, so make sure you back up your XML file before you start!

8.2.1. Adding your own SIM card

1. Set femtoACLenable from true to false. The femto will allow any IMSI onto the femto (careful, you are attracting other people's phones now! Vodafone will find out about it as the victim's phone will now use your femto to place and receive phone calls).

This is the other one, duplicating IMSI.

Anyway, full details on the link; may have to take a Sure Signal on holiday abroad for cheap calls.

DBMandrake
14th July 2011, 07:54 PM
I would point out that both eavesdropping and man-in-the-middle attacks have been possible with GSM for a few years now with normal cell towers and equipment costing a few hundred dollars. The "encryption" standard used by GSM is laughably inept and broken to a similar degree that WEP is broken for wireless networks.

And yet while everyone (who has a clue) has switched away from WEP to WPA/WPA2, people continue to use GSM blissfully unaware that they're using the phone equivalent of WEP.

A GSM phone doesn't even attempt to validate the authenticity of the network it's connecting to - whilst the network validates the phone to make sure it's legit (by checking the crypto values on the SIM card match those in the HLR) the phone will happily connect to any network that claims to be its home network simply by broadcasting the correct MCC/MNC. (Mobile Country/Network Codes)

This makes it possible to easily create a "rogue base station" which will impersonate a given network, drawing nearby phones to connect to it like a moth to a flame. From this a man-in-the-middle attack can be launched which can include eavesdropping, or placing calls under the victim's account, as mentioned in this article.

Because the encryption is so badly broken it's actually possible to eavesdrop on the audio of the call passively as well, but a man-in-the-middle attack allows a bit more control.

There is nothing that can be done to fix the security in GSM, it's fundamentally flawed and needs to be dumped, in much the same way as WEP.

Although it's far from perfect, 3G/UMTS is a lot better designed in this regard - authentication is 2 way, (so the phone verifies the authenticity of the network it's connecting to, as well as the network verifying the phone, preventing man-in-the-middle) the encryption is much stronger, and so far not cracked. (preventing passive eavesdropping)

So thus far, 3G is moderately secure. The only problem is there are still GSM networks around, and a call can switch from 3G to GSM mid-call, as soon as it does you're vulnerable again, and there are ways to provoke a nearby phone to drop to GSM. (Even just simply by generating interference on the 3G frequencies - forcing the phone to scan other frequencies looking for another base station to roam to)

There's a lot to be said for a truly 3G only network which has no 2G fall-back - it's the only way to avoid the insecurities of GSM.
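An added illustration (not from the thread or the THC wiki) of the two-way authentication DBMandrake describes: a simulated UMTS AKA run in which the USIM checks the network's AUTN before answering, beside the GSM-style challenge where the SIM verifies nothing. HMAC-SHA256 stands in for the Milenage f1/f2 functions and the anonymity key is left out, both assumptions; the IMSI and key K are constructed.

```python
import hmac, hashlib, os

def f(tag, k, *parts):
    # Stand-in for Milenage: tag b"f1" gives MAC-A, tag b"f2" gives RES/XRES (HMAC-SHA256 is an assumption)
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()[:8]

class AuC:
    """Home-network authentication centre (HLR/AuC): holds every subscriber's key K."""
    def __init__(self):
        self.keys, self.sqn = {}, {}
    def provision(self, imsi, k):
        self.keys[imsi], self.sqn[imsi] = k, 0
    def auth_vector(self, imsi):
        k, self.sqn[imsi] = self.keys[imsi], self.sqn[imsi] + 1
        rand, sqn, amf = os.urandom(16), self.sqn[imsi].to_bytes(6, "big"), b"\x80\x00"
        autn = sqn + amf + f(b"f1", k, rand, sqn, amf)  # SQN in clear: anonymity key omitted (assumption)
        return rand, autn, f(b"f2", k, rand)            # XRES stays in the network for comparison

class USIM:
    def __init__(self, k):
        self.k, self.last_sqn = k, 0
    def umts_respond(self, rand, autn):
        sqn, amf, mac = autn[:6], autn[6:8], autn[8:]
        if not hmac.compare_digest(f(b"f1", self.k, rand, sqn, amf), mac):
            raise ValueError("MAC failure: network not authenticated")
        if int.from_bytes(sqn, "big") <= self.last_sqn:
            raise ValueError("synchronisation failure: replayed vector")
        self.last_sqn = int.from_bytes(sqn, "big")
        return f(b"f2", self.k, rand)
    def gsm_respond(self, rand):
        return f(b"f2", self.k, rand)  # GSM: no AUTN, the SIM answers any RAND it is handed

def rejected(fn, *args):
    try:
        fn(*args)
    except ValueError:
        return True
    return False

def run_scenarios():
    auc, imsi, k = AuC(), "imsi-constructed", os.urandom(16)
    auc.provision(imsi, k)
    usim = USIM(k)
    rand, autn, xres = auc.auth_vector(imsi)
    return {
        "genuine_vector_accepted": usim.umts_respond(rand, autn) == xres,  # a relayed real vector looks the same
        "rogue_rejected": rejected(usim.umts_respond, os.urandom(16), os.urandom(16)),  # network without K
        "replay_rejected": rejected(usim.umts_respond, rand, autn),  # same vector offered a second time
        "gsm_answers_anyone": len(usim.gsm_respond(os.urandom(16))) == 8,  # nothing for the SIM to verify
    }
```

The MAC check only proves the challenge was minted by something holding K upstream, which is why a femtocell that relays genuine vectors from the core network, as in hecatae's wiki excerpt above, passes it while a rogue base station without K does not.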

hecatae
15th July 2011, 10:02 AM
http://forum.vodafone.co.uk/t5/About-the-Community-and-Latest/Sure-Signal-Security/td-p/825395

Vodafone issued a statement, and surprise, surprise, some Sure Signals are still able to do this.