Fortunately for Verizon customers, the company has since issued a patch to all affected femtocells. Sprint currently offers a femtocell that is similar to the vulnerable models from Verizon, but the company has said it plans to discontinue the device. And while AT&T also offers femtocells, it requires an extra level of authentication that makes much of the iSEC Partner’s findings irrelevant. Still, says Ritter, the femtocell vulnerability is a major problem.
And
Ritter suggests that all carriers that offer femtocells require owners to provide a list of approved devices that are allowed to connect to their femtocell. And also prevent customers’ cell phones from connecting to any unauthorized femtocell.
The Verizon vuln referenced above seems has nothing to do with SS7. Femtocell is rooted, and only cell phones in a close proximity are vulnerable. I thought the presentation in Hannover deals with a much broader issue. And yes, femtocell may be potentially a gateway to the remote hacking of MSC, HLR, etc. Unfortunately I have not seen the presentation, so I can't be sure what it's about.
I finally found the way to watch the presentation (BTW it's good), and the author mentions femtocell hacking as "if you hack femtocells you _may_ have a chance to have access to SS7", or something like that, i.e. very uncertain. He emphasizes a different method -- getting a "global title". That's what I meant in my original comment -- you have to join the telco club, and that is not trivial.
Tobias claims the opposite in the video. He says you can easily rent access from a Carrier (e.g. Verizon) or buy a Femtocell[1][2].
Both approaches seem rather affordable ("hundreds of dollars").
[1] http://en.wikipedia.org/wiki/Femtocell
[2] http://www.thinksmallcell.com/Examples/where-can-i-buy-a-fem...