PHONE HACKED INDIVIDUALS MIGHT have to take some responsibility for having their voicemail accessed. After all, if you don't change the PIN from 1234, or whatever your operator's default is, then you aren't really being careful enough, are you? But it seems that Vodafone has an even less impressive grasp of security.
The Hacker's Choice reports that using one of Vodafone's own femtocells it was able to reverse engineer the hardware to achieve some impressive, if potentially illegal results. First, it was able to remove the restriction on who can use the device, switching it from a personal cell tower to a normal, albeit small, cell tower. Doing this allows you to gather data from Vodafone handsets and opens the way for some even more alarming hacks.
In the second part of the exploit, the femotocell is used to get access to Vodafone's core network. As a result, it's possible to access other customers' information. Some code tweaks and updates to the femtocell's Linux OS allows you listen in on phone calls and make calls at another subscriber's cost.
You'd also be given unrestricted access to call an exploited user's voicemail and bypass the security. Nice work Vodafone, fail to pay £6bn in taxes, then let any hacker in the land listen to our calls and voicemails.
The technical document, now available for all to read, explains that it's also possible to remove the hardware that Vodafone uses to determine your location. Additionally, you can boost the transmission power of the femtocell and allow anyone to use the device, rather than just those that are registered with Vodafone. This will allow you to listen in to people's phone calls, which is possibly the most severe security concern.
To really stick it to Vodafone, you can also create an OpenVPN tunnel back to the UK while you're abroad. This allows you to use the hacked femtocell to provide a Vodafone cell tower in a foreign land. That in turn means no roaming charges, and all you'll need is a laptop and some local internet access.
Hilariously, the root password on the femtocell turns out to be "newsys". Brilliant. There are toddlers on this planet who have a better grasp of security than one of the world's biggest mobile mobile phone companies. Hell, Betsy at our local Tesco has a more secure password for her Myspace account. If Vodafone had just managed to switch the 'e' for a '3', we could have given it a little more credit. µ
Plus, it's goodbye to Device Assist
Vulnerabilities in the iOS sandbox thankfully found by the good guys
Data watchdog will make sure firm is being fully transparent about the controversial move
Chinese firm reportedly forces staff to do 82 hours of overtime a month