Femtocell security flaw puts Vodafone customers at risk of phone tapping

Vodafone customers could be vulnerable to phone tapping, a hacker group claims, due to a security flaw with Vodafone's Sure Signal femotcell boxes.

Luke Westaway Senior editor
Luke Westaway is a senior editor at CNET and writer/ presenter of Adventures in Tech, a thrilling gadget show produced in our London office. Luke's focus is on keeping you in the loop with a mix of video, features, expert opinion and analysis.
Luke Westaway
2 min read

Vodafone customers are at risk of having their phones tapped, according to a warning from group The Hacker's Choice.

The problem apparently lies with Vodafone's Sure Signal femtocell boxes. These boxes sit in your house, plugged into your Internet connection, acting as a tiny phone tower and quietly boosting your home's 3G signal to eliminate annoying patches where there's no coverage.

The problem seems to be with how Vodafone has implemented its own femtocell system. Vodafone says that only a limited number of registered phones can access each femtocell box, but THC was able to modify one of the devices, so that any Vodafone customer's phone could access the 'cell.

When a phone connected, THC said it was able to "listen to other people's phone calls and to impersonate the victim's phone, to make phone calls on the victim's cost and access the victim's voice mail".

The good news is that a would-be attacker needs to be within 50 metres of you to tap your phone, so the likelihood of your conversations being spied upon is probably minimal. Still, Vodafone should be keeping an eye on any potential security holes.

For the full story, complete with complicated technical acronyms, check out the THC blog post. We've asked Vodafone for a comment on the story, and will update this article when we get a response.

Update: We've received a comment from Vodafone, saying that the problem was identified and fixed early last year. The full statement reads as follows:

"Overnight on July 12, a claim appeared that hackers had found security loopholes in Vodafone Sure Signal which could compromise the security of Vodafone's network. This is untrue: the Vodafone network has not been compromised.

"The claims regarding Vodafone Sure Signal, which is a signal booster used indoors, relate to a vulnerability that was detected at the start of 2010. A security patch was issued a few weeks later automatically to all Sure Signal boxes.

"As a result, Vodafone Sure Signal customers do not need to take any action to secure their device. We monitor the security of all of our products and services on an ongoing basis and will continue to do so."