[cellular news] A hacking group has posted details of how to rewrite the software in Vodafone-supplied Femtocells in order to turn them into IMSI catchers and use them to record any voice call made by mobile phones in their vicinity.
Due to a decision to ship all the Femtocells with the same root password, the hackers were able to access the core software of the device and rewrite it, while still retaining the key components that enable it to decode the 3G air interface necessary for them to record phone calls.
They do note there are a number of safeguards in the device, including one that required modifications to the hardware to prevent Vodafone from accessing the device and remotely disabling it. But they were in turn able to disable that functionality with the careful application of a soldering iron.
In addition to being able to record other people's voice calls, the modified Femtocell can be used to place calls or send SMS on somebody else's SIM card after you have encouraged their phone to register with the hacked Femtocell.
As noted, the core vulnerability is not that the device can be broken into - that was bound to happen - but that the Femtocell contains a Mini-RNC/Node-B which can request real encryption keys and authentication vectors for any Vodafone UK customer from the core network.
The Vodafone core network still authenticates every single phone (like a Node-B). However, having a consumer device that can - if modified - gain that degree of access to the core network for any customer account is the main security risk.
Hacking Group Uses Vodafone Femtocells to Record Other People's Phone Calls