The Verizon vuln referenced above seems has nothing to do with SS7. Femtocell is rooted, and only cell phones in a close proximity are vulnerable. I thought the presentation in Hannover deals with a much broader issue. And yes, femtocell may be potentially a gateway to the remote hacking of MSC, HLR, etc. Unfortunately I have not seen the presentation, so I can't be sure what it's about.
I finally found the way to watch the presentation (BTW it's good), and the author mentions femtocell hacking as "if you hack femtocells you _may_ have a chance to have access to SS7", or something like that, i.e. very uncertain. He emphasizes a different method -- getting a "global title". That's what I meant in my original comment -- you have to join the telco club, and that is not trivial.