With a simple device called “Sure Signal”, currently available for 50 GBP, an attacker can listen to any cell phone call, impersonate any handset, make phone calls at the victim’s expense and even access his or her voicemail.
This is not a movie plot; it is exactly what happened to Vodafone, one of the world’s largest carriers. A security group called The Hacker’s Choice (THC) hacked Vodafone’s 3G/UMTS/WCDMA network and gained the root key to spy on any cell phone call made by Vodafone customers.
The vulnerability lies within Vodafone’s Sure Signal / Femtocell equipment, which is used to improve signal strength in areas where it is poor. The device used to be sold for 160 GBP to any customer (prepaid or contract). It connects via the customer’s internet connection to the Vodafone core network’s HLR/AuC, which stores the secret subscriber information. After receiving the device, the user has to register it together with his or her cell phone number. Although Vodafone said only the buyer can use this base station, it also said that up to 30 cell phone numbers can use the device.
THC gained root access to the Femtocell, which contains a “mini RNC” that can request and receive the secret key of a Vodafone user from the core network. This enables an attacker to listen to the victim’s phone calls.
Basically, after gaining access to the Femtocell, an attacker can do the following:
- Intercept and listen to calls.
- Commit fraud by placing calls or sending SMS using somebody else’s SIM information.
- Tunnel back to the UK, using the Femtocell anywhere in the world.
- Attract other mobile devices to the Femtocell.
The whole process can be done very quickly because Vodafone made a design mistake: it assigned ‘newsys’ as the root password for all of its Femtocells, which made the attack easier.
The full details can be found here.