[at-fates-hands]

Apparently the attack vector is pretty small considering:

http://www.digitaltrends.com/mobile/femtocell-verizon-hack/

Fortunately for Verizon customers, the company has since issued a patch to all affected femtocells. Sprint currently offers a femtocell that is similar to the vulnerable models from Verizon, but the company has said it plans to discontinue the device. And while AT&T also offers femtocells, it requires an extra level of authentication that makes much of the iSEC Partner’s findings irrelevant. Still, says Ritter, the femtocell vulnerability is a major problem.

And

Ritter suggests that all carriers that offer femtocells require owners to provide a list of approved devices that are allowed to connect to their femtocell. And also prevent customers’ cell phones from connecting to any unauthorized femtocell.

[moe]

Pretty small?

Verizon was just used as an example here, the same attack vector applies to every mobile carrier in the world.

[wirefloss]

The Verizon vuln referenced above seems has nothing to do with SS7. Femtocell is rooted, and only cell phones in a close proximity are vulnerable. I thought the presentation in Hannover deals with a much broader issue. And yes, femtocell may be potentially a gateway to the remote hacking of MSC, HLR, etc. Unfortunately I have not seen the presentation, so I can't be sure what it's about.

[wirefloss]

I finally found the way to watch the presentation (BTW it's good), and the author mentions femtocell hacking as "if you hack femtocells you _may_ have a chance to have access to SS7", or something like that, i.e. very uncertain. He emphasizes a different method -- getting a "global title". That's what I meant in my original comment -- you have to join the telco club, and that is not trivial.