Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hacking the Free "La Fonera" Wireless Router

Posted by ryuzaki0 on from the wisdom-of-crowds dept.

wertarbyte writes, "FON is still giving away their wireless routers for free in Germany and Austria until Wednesday — under the premise that the devices will be connected and used as FON access points. The router, called 'La Fonera,' is a variant of OpenWRT, but locked down to prevent modification, including a signed firmware image to prevent the upload of new software. It is, however, possible to get shell access by connecting to a serial port present on the circuit board. And now two students from Germany have discovered vulnerabilities in the CGI scripts used to configure the device, and successfully activated an SSH daemon on the device by exploiting them, giving owners a root shell on their router. They also provide a detailed description of the procedure and 'ready-to-use' perl scripts to open up your router."

67 comments

  1. Whats so great about this? by gad_zuki! · · Score: 4, Insightful

    Its a violation of a pretty neat little system. These things are free (or about as close you can get to it) so its not like its some propriety item they bought and are trying to get more features out of. They are defrauding a company for free wireless routers.

    Maybe Im crazy but I think the FON system is very clever and if peope werent abusing it, it might take off interesting ways. Instead it "doodzz free wireless routers here!!!" Shame really.

    1. Re:Whats so great about this? by TommydCat · · Score: 1

      Well, it does seem to be based on "Open"WRT...

      But is the system just locked down per se or is there anything legally binding in the agreement against hacking it? The serial port headers are a well-known attack vector, almost as much as several cgi-bin scripts, if they are just using the standard ones... Makes me wonder if the default config allows access to those scripts only from a LAN wired port (as opposed to the WAN side), or if it potentially allows anyone to get in.

      --
      This comment does not necessarily represent the views and opinions of the author.
    2. Re:Whats so great about this? by jericho4.0 · · Score: 1

      I agree. You can buy a wrt54gl for under $70 USD, and install OpenWRT without installing a serial port. I believe in ones right to do whatever they want with what they've purchased, EULA be dammed, but this subverts a neat project/model for little gain. That said, there's eventually going to be a lot of these turning up at garage sales...

      --
      "A language that doesn't affect the way you think about programming, is not worth knowing" - Alan Perlis
    3. Re:Whats so great about this? by FLEB · · Score: 1

      These things are free (or about as close you can get to it) so its not like its some propriety item they bought and are trying to get more features out of.

      I disagree. It is quite like an item they bought and are hacking to get more features out of-- the only difference is the price.

      If a provider is detrimentally underpricing an item on just the hope-- and no more certainty than that-- that people will use their other related more expensive items or methods to make up the cost, than that company is the one to blame if their business model crashes from the obvious flaw. I might agree that it's "a shame" (although I don't really have the background to say), but I don't really think one should blame the individuals for taking ownership of a device that was willingly given to them.

      --
      Information wants to be free.
      Entertainment wants to be paid.
      You just want to be cheap.
  2. Assorted thoughts on the Fonera by Life700MB · · Score: 3, Interesting


    First at all, it isn't called "La Fonera". "La" in Spanish is just the "The" article, making it the Fonera, a Fonera, or how you want to call it.

    It is free too here in Spain, but obtaining it's a really strange scheme that looks a lot like a scam to get private info from people. For example, it was offered for free for the readers of a well known digg-like web and they recommended to use the same user and password to request it as the people had in the web page?! WTF!? And a month later they bought part of the page!!!!

    Extremely strange.

    And what to say of the Fonera using hidden DNS servers property of the FON makers or scripts allowing free access for them with root privileges to your private network?

    --
    Superb hosting 200GB Storage, 2_TB_ bandwidth, php, mysql, ssh, $7.95

    1. Re:Assorted thoughts on the Fonera by wertarbyte · · Score: 1
      First at all, it isn't called "La Fonera". "La" in Spanish is just the "The" article, making it the Fonera, a Fonera, or how you want to call it.

      I am aware that "La" is an article in Spanish, but the device is called "La Fonera" on the german FON website ("Hol dir deine gratis La Fonera" == "Get your free La Fonera").

      --
      Life is just nature's way of keeping meat fresh.
    2. Re:Assorted thoughts on the Fonera by Durrok · · Score: 1

      Yes, this is a big deal because no one else has ever gotten a foreign language wrong.

      --
      I keep telling myself I'm not the desperate type.
    3. Re:Assorted thoughts on the Fonera by Tastycat · · Score: 1

      We do that in English as well, think of the names of things like the The Source by Circuit City in your malls and the The Cheat in Strong Bad Emails.

    4. Re:Assorted thoughts on the Fonera by 1u3hr · · Score: 1
      think of the names of things like the The Source by Circuit City in your malls and the The Cheat in Strong Bad Emails.

      Ugh, I wouldn't take a flier from Circuit City as an authority to abuse the language like that.

  3. Reminds me of something... by Anomolous+Cowturd · · Score: 1

    Anyone remember the CueCat?

    You can't give geeks a free gift then cry when they use it for something other than you intended. That business model has been proven unworkable.

    --
    Software patents delenda est.
    1. Re:Reminds me of something... by buswolley · · Score: 1

      Such loose usage of the word, "PROOF."

      --

      A Good Troll is better than a Bad Human.

    2. Re:Reminds me of something... by Anonymous Coward · · Score: 0
      Such loose usage of the word, "PROOF."

      Such loose use of the word "usage."

    3. Re:Reminds me of something... by 1u3hr · · Score: 1
      Anyone remember the CueCat? You can't give geeks a free gift then cry when they use it for something other than you intended.

      Morally, there is a difference. Cuecat was a lame method of delivering ads; fair game. This, I gather, is service to share wifi access: unless I misunderstand, it's providing a real service. Hacking this is like hacking a P2P client so you can leech without uploading; or even more, like those assholes who "hacked" (in this case, meaning stealing) rental bicycles to get free rides. It's parasitic and selfish behaviour.

    4. Re:Reminds me of something... by vonsneerderhooten · · Score: 1

      The flipside of the coin you present represents the curious, perhaps paranoid side of things. Is this a router or simply an AP? Can it do port forwarding? What is the DHCP(or subnet) range? or(paranoid) what (if any)information about me is this sending to the mother ship?

      Hacking is an important and necessary part of the geek approval process. Once the hackers give the rest of us geeks the thumbs up, we(the rest of us - non-network device hackers) know it's ok to pick one up and check out and at our own discretion recommend to others.

      you must be new here.
      sheesh

      /agree with everything you said about the cuecat
      //working at tha shack when they were giving em out
      ///man the thing was a nightmare
      ////is this fark?

    5. Re:Reminds me of something... by 1u3hr · · Score: 1
      Once the hackers give the rest of us geeks the thumbs up...

      Okay, point taken, investigatory hacking isn't evil. I've read one of the articles which was about mostly monitoring what it did. But obviously some will use this to make it a private server, breaking the implied contract (talking morally, not legally). But this will be beyond most users, so it's probbaly not going to make much impact on the scheme if it is on the up-and-up.

    6. Re:Reminds me of something... by dichro · · Score: 1

      Not as much of a difference to CueCat as you might think. The firmware on the box is signed and locked, preventing you from customizing it. Their business model doesn't have any allowance for pricing that reflects the costs of providing a Fon service (which is an issue in those parts of the world that still have volume-based pricing or volume limits on services) and also doesn't guarantee that you'll see any money out of it anyway.

      obDisclaimer: I wrote Charon with a mind to specifically dealing with these issues, so I may care about them more than anyone else does...

  4. Fon is a good idea, but sketchy implementation by straponego · · Score: 4, Informative
    I have a previous version of the Fon router, which allows SSH by default. Unfortunately, as another has mentioned, it also allows/requires Fon to have root access to your router by default, so as far as I'm concerned you can't trust the device.

    Also, the only way to access your wired network from the wireless is to allow ALL wireless users to have that access. Well, okay, you could do things like SSH out to a machine on the Internet, SSH back in, and set up port forwarding that way, but nobody would ever do that :). And your own wireless access is treated the same as everybody else's-- you have to log in every time. Annoying in combination with Firefox2's ability to resume sessions-- it loads the Fon login redirection page for every tab you had open.

    They've been promising a firmware fix which would allow two SSIDs with different configurations for a long time, but last I checked it still isn't out.

    The upshot of this is that I thought I would be getting a nifty solution which would let me share my access while covering my own needs. Instead I really have to run two routers, one for me, and one for everybody else. And despite the fact that I live in a pretty densely populated area, in about six months the number of people who have signed on to the Fon router, besides me, is zero. Oh, correction: the buddy who told me about Fon came by and tried to sign in with his account, which he is supposed to be able to do as a "Linus" user. That didn't work either.

    In summary... it's more work and their system is not transparent or secure (oh yeah, there's no encryption on the wifi connections). It's a nifty idea, but I can't really recommend it.

    1. Re:Fon is a good idea, but sketchy implementation by Otto · · Score: 1

      I hadn't heard of it before, so I checked it out. Appearantly, their latest device does just what you said. There's two SSID's, one of which uses an encrypted connection and is your "private" connection. The other is open to the public.

      It's an interesting idea, but their site needs work. I tried to use the map to find access points and I couldn't make heads or tails out of it. It's a machup with Google Maps and seemingly works, but there's weird inconsistancies and it's hard to use in general.

      --
      - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
    2. Re:Fon is a good idea, but sketchy implementation by straponego · · Score: 1

      Yeah, it took several months for a change of address to show up on their map. From what I read on their forums, that's standard. Needs work :)

    3. Re:Fon is a good idea, but sketchy implementation by avdp · · Score: 1

      The device in question does have two SSIDs, one is "private" and encrypted for the owner of the device (no login required, other than the encryption passphrase of course - which you can change). The other is the unencrypted public signal, which does require login and may have bandwidth limitation (as setup by the owner).

      (and yes, I have one - although I don't live in a place where I'd expect to get anybody to take advantage of it other than me)

    4. Re:Fon is a good idea, but sketchy implementation by samj · · Score: 1

      The version demonstrated to us at the Irish Linux Users Group (ILUG) AGM did support two networks; one with encryption. I've just ordered one in Ireland which I expect to receive in few days/weeks and I'm very much looking forward to it.

  5. dude.. by MoOsEb0y · · Score: 1

    for the amount of work you just put in to crack your "free" router, you could have just gone out and gotten a WRT54GL or a Buffalo Airstation and stuck dd-wrt on it.

    1. Re:dude.. by Anonymous Coward · · Score: 0

      Sir, you underestimate the power of cheapness.

  6. Good thing they used the inherently insecure Linux by Anonymous Coward · · Score: 0

    ...if they had used a secure OS like Windows CE, we would be left pounding sand.

  7. usage metering? by bhima · · Score: 1

    I live in Austria and I use inode. They meter me during the day and I hit the limit every month.

    So I'm wondering how people are going to use this thing.

    --
    Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
    1. Re:usage metering? by tojoe · · Score: 1

      Usage will be the least of your problems.
      German courts now ruled that if you're running an unsecured WLAN and somebody unknown does bad things via it (i.e. leech kiddie pron or infringe some copyrights by running p2p apps) you're fully responsible for that. I guess Austrian courts wont rule differently.
      And somehow I doubt you'll be able to get any info on who used your AP from fon.

    2. Re:usage metering? by wertarbyte · · Score: 1

      It would be an interesting task not to let your Fonera route visitors directly towards the internet, but to pass them through a TOR proxy of some sort. That way, you could hide the connection between the IP address given to you by your ISP and the activites those Linuses, Bills and Aliens are doing with your connection.

      --
      Life is just nature's way of keeping meat fresh.
    3. Re:usage metering? by imsabbel · · Score: 1

      Here, in germany, (where this product is provided), metering of broadband isnt very common.
      You can get a DSL capped at 2Gbyte per month, if you want, but why if you can get it totally unlimited for 2 or 3 more per month?

      --
      HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
    4. Re:usage metering? by Anonymous Coward · · Score: 0

      The network is still rather safe. There is no anonymous access. The only known vulnerability needs physical access to the router. For every user that logs in, there is either the location (or at least the IP) of his home network or his billing address known to the FON admins.

      You got full plausible deniability and, if the router keeps complete logs, there's someone you can shift the blame.

    5. Re:usage metering? by alienw · · Score: 1

      Plausible deniability doesn't matter in court. Everyone has plausible deniability. Is Fon going to pay for a lawyer when you are indicted for kiddie porn or get sued by the RIAA? Are they going to find you a new job? Are they going to pay your bail? Yeah, sure, IF the router keeps complete logs, you might be able to convince the judge to look at them -- if the FBI gives you back your router with everything still intact. You might even be acquitted -- after a few years in pound-me-in-the-ass prison and having your mugshot in the newspaper with the caption "accused child pornographer".

  8. Other way to access the SSH on FON box. by Anonymous Coward · · Score: 0

    The Muhblog has instructions how to gain SSH access to the box:
    http://mrmuh.blogspot.com/

  9. if it is free, take two by flyingfsck · · Score: 3, Funny

    An ancient Jewish proverb.

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
    1. Re:if it is free, take two by TheLink · · Score: 1

      Two?

      Haven't you heard the joke on how the Jews got the _Ten_ Commandments?

      --
  10. Pointing out the obvious by Anonymous Coward · · Score: 0

    The way they inject the code requires that you send a tell-tale string to Fon. The SSID is changed remotely by FON after it has been entered into the web interface and the router has been rebooted. The SSID is what contains the injected code, so FON will see that you're hacking your router. Since you have a contractual obligation to use the router as supplied by FON, that will certainly get you into hot water.

    1. Re:Pointing out the obvious by advocate_one · · Score: 1

      and what's to stop you from faking a network connection to Fon using another box and providing the correct string back? There's absolutely nothing to stop me from creating my own private sub internet with a DNS server and a webserver pretending to be the Fon service. A little listening to the real packets to and from the real Fon box and then set my dummy box up to provide the packets required.

      secondly, I do believe the GPL trumps the "contractual" agreement as Fon would be found to be not in compliance by preventing me from doing whatever the heck I want to do with it.

      --
      Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
    2. Re:Pointing out the obvious by wertarbyte · · Score: 1
      and what's to stop you from faking a network connection to Fon using another box and providing the correct string back?

      The SSH key on the FON server. It prevents this kind of spoofing.

      --
      Life is just nature's way of keeping meat fresh.
    3. Re:Pointing out the obvious by Anonymous Coward · · Score: 0

      As wertarbyte already pointed out: The router connects to the FON server on startup and once every hour. That is a SSH connection in which both sides authenticate eachother via public key cryptography. The router has the public key of the FON server, so it will reject the connection if the server doesn't have the private FON server. The FON server has the public key of the router (it's the same for all routers) and requires the client to have the corresponding private key. The latter is no problem, because the private router key is on the router (has to be) and, as the router uses GPL software, the key is freely available. But the private server key does not have to be in any GPL source, and isn't, so you can't pretend to be the FON server.

      The GPL does not trump the contractual agreement. You can get the source and use it on your hardware as you please. That's all the GPL guarantees. There is nothing in the source which locks the software to the router. However, the router (hardware) isn't yours to do with whatever you want. You agreed to use it with the FON software and keep it online.

    4. Re:Pointing out the obvious by Anonymous Coward · · Score: 0

      Wohoo! We should learn to read before writing...

      "SSH is an excellent choice from FON's point of view, since it is relatively easy to deploy in a noninteractive context, and provides an elegant way of avoiding spoofing: For the key of download.fon.com is stored on the router, we cannot simply proclaim to be that host it tries to contact and supply our router with our own shell commands."

  11. I got one of the older ones by vadim_t · · Score: 2, Interesting

    Got an early version at a HispaLinux convention. It cost me some cash, but it was still cheaper than I could get it otherwise, so I bought it. Coincidentally, there was a WiFi security talk at the convention, and I used the chance to ask them what they thought about the whole FON thing. They were extremely unimpressed and thought it couldn't be made secure.

    Based on a cursory examination, I determined the system was insecure. Suppose I enable the router, and somebody comes near and tries to connect. To connect, they try to connect to my wireless network, and the AP authenticates them against the FON RADIUS server.

    Now, the problem is that I'm in control of the router, so I can easily fetch their username and password. SSL wouldn't help because at best you have User AP RADIUS, as my understanding is that the AP isn't acting as a router here. The user isn't talking to the RADIUS server directly, the AP does on his/her behalf. So there's no way of stopping me from sniffing people's passwords.

    After I get passwords I can easily find some other FON AP, use somebody else's credentials, and have reasonable chances that the person getting in trouble for downloading/uploading something illegal won't be me.

    I voiced my concerns on the forum, but the replies weren't satisfying, so now I reflashed it with new firmware and there's no FON-related stuff left on it.

    1. Re:I got one of the older ones by ozamosi · · Score: 1

      Don't worry about transmitting your info through someones router - the Scary part is that you transmit the router in clear text! Well, the webpage claims it is Finaly fixed now after many months. However, I suspect that the Linksys is still vunerable, since I don't believe that they've updated their firmware for those. I might be able to tell for sure, if they didn't update their firmware without bumping the version numbers, and they didn't require my email to let me get it (I just want to see the version information!)

  12. geeks will be geeks by daniel23 · · Score: 1


    I guess you have a valid point here. Then again, there may be some of us who feel a value calculation like yours is less impressive than the joy of finding a way.

    --
    605413? Yes, it's a prime.
  13. Been there, done that by Temporalwar · · Score: 1

    I posted a little WIKI after the limited price FON Linksys routers came out the first time here: http://truthcankill.pbwiki.com/fonrouter Yes they prob changed hardware and have better coding, but this is not new, somthing for cheap or free is going to get hacked!

  14. Not regional by fm6 · · Score: 3, Informative

    The poster is incorrect in saying this offer is only available in Germany and Austria. I noticed that the web site he pointed to was de.fon.com. I changed the "de" to an "en" and got the English version of the site — which will ship a router to a U.S. for 5 bucks.

    1. Re:Not regional by wertarbyte · · Score: 1

      And "5 bucks" is equal to "free"? Of course "La Fonera" is available in other countries, but it seems that the free offer is limited to germany and austria.

      --
      Life is just nature's way of keeping meat fresh.
    2. Re:Not regional by Anonymous Coward · · Score: 0

      No, $5 is the cost to ship a wireless router 2,000+ miles. Are you really that cheap that you won't even take that?

    3. Re:Not regional by torklugnutz · · Score: 1

      Actually, the device is $5. Shipping to Las Vegas was another $8, and tax was $1.10.

      Free = $14.10 in America

      --
      Often in Error, Never in Doubt.
    4. Re:Not regional by rekrutacja · · Score: 1

      Free = 17,40 Euro in the rest of Europe (5E device, 10E shipping, 2,40E tax)

      --
      This Is Not a Sig
  15. OT perhaps, by solevita · · Score: 1

    But here's some findings that go well with this article:

    The reality behind FON's hype

    and much more at:

    tech.am

    (I am in no way connected with this site, apart from the fact that I occasionally enjoy reading it)

  16. mod him up, pls by daniel23 · · Score: 1

    (I have none left myself)

    --
    605413? Yes, it's a prime.
  17. Well at least we can now fix annoying bugs by OlivierB · · Score: 2, Informative

    in the current FONERA firmware,

    things such as opening up the POP SSL ports (993 and 995).

    FONERA only allows access to ports 80 and 445 to the internet even on the *private SSID*, making it useless for me as the sole router.

    Also, even is the router gives the public and private clients different IP addresses to theoretically prevent the public from browsing on my private LAN, well they are on the same subnet and I can type my private LAN ips from the public network and get access!
    This thing then NATs my NAT, making it even more difficult for me to sandbox it properly.

    Hopefully, open-wrt will make it more useful as a mini mail server or something like a mini Asterisk server.

    --
    Artificial intelligence is no match for natural stupidity
    1. Re:Well at least we can now fix annoying bugs by JayAEU · · Score: 1
      FONERA only allows access to ports 80 and 445 to the internet even on the *private SSID*, making it useless for me as the sole router.

      Wow, no wonder people consider it to be insecure...
    2. Re:Well at least we can now fix annoying bugs by Anonymous Coward · · Score: 0

      HUH???

      DD-WRT on a cheap wireless router, put the fon box on a different lan segment and poof.. it CANT get into your stuff. this is not rocket science... if you want even more control then use a linux firewall that allows even more goodness.

      what are you a networking newbie?

  18. Sign me up by torklugnutz · · Score: 1

    I'm in the US, so I checked out the http://en.fon.com/ page like someone else suggested. I signed right up. The router is $5 plus tax and shipping ($14.10 total) until Nov 8, then it's going to $30, supposedly. It's got Linksys guts in it, so I expect it to be a fairly decent consumer-level piece.

    I'm not interested in hacking the device or anything, but I am interested in using it and promoting the service. The more of these there are in the wild, the more opportunities there are for me, as a registered user, to get online with them for free. Alternatively, I could just get the 50% of the $3 day fee, if I actually lived somewhere urban. Throwing one of these onto a separate subnet in an urban office would probably generate at least a little revenue, plus provide a limited source of advertising through the customizable log-in page.

    In general, hacking direct access to the serial port takes a pretty high level of user to accomplish, and in the end it saves an outlay of what? $30-$50? Even with the CGI backdoor, how many people outside of the geek community even know what to do when presented with a shell interface? I think it's very cool to reverse engineer things, but I don't think it's a threat to the business model at all. I'd compare it to the amount of WRT54G's in place globally vs. the ones that actually run DD-WRT. And that's an easy/useful hack. The bonus of hacking is that it gets press. If not for this article, I'd have never heard of Fon.com.

    They also provide a firmware for your existing WRT54G/GS so you can start up with them for free. Buffalo routers are supported too. https://en.fon.com/downloads/

    What's FON?: http://en.fon.com/info/whats_fon.php

    --
    Often in Error, Never in Doubt.
  19. The bug by quakehead3 · · Score: 2, Informative
    # Now we inject our shell code by using the public ESSID
    # Those guys better should have read "man bash", you cannot quote
    # single quotes by a backslash :-)
    # We now fill in our manipulated ESSID
    # FON prepends every ' with a backslash, which is useless since
    # this kind of escape sequence does not workin with single quoted
    # strings.
    # By closing the ESSID string with our injected \' and sending a
    # newline we can now simply append aritrary shell commands that
    # will be executed on our box during the next update. The
    # comment mark # simply tells the shell to ignore the now
    # useless final '.
    1. Re:The bug by Anonymous Coward · · Score: 0

      bash ? you mean ash. bash is _way_ too big for embedded.

  20. Fon's service is... questionable. by dozer · · Score: 1

    Most people in the U.S. can't use Fon's service anyway. Between this and handing out stock options to blogging pundits in return for a kind word, they seem to be a pretty shady company.

  21. Sony guts! by Anonymous Coward · · Score: 0

    The router is $5 plus tax and shipping ($14.10 total) until Nov 8, then it's going to $30, supposedly. It's got Linksys guts in it, so I expect it to be a fairly decent consumer-level piece.

    You told me it had Sony guts!
    http://snltranscripts.jt.org/91/91ssabra.phtml

  22. in the UK there is an ISP that allows Fon by Anonymous Coward · · Score: 0

    called http://www.fondoo.net/ it seems to have been set up on the premise of allowing users to share their connections with Fon. Pretty specialised focus for an ISP, most don't seem to let you share your connection, but they probably don't give a damn if you do. I guess if you care about doing the right thing (and want to get a FON router)then this is the ISP to go for.

  23. Legal implications by Anonymous Coward · · Score: 0

    An article on the BBC News website (http://news.bbc.co.uk/1/hi/technology/4721723.stm ) states that in the UK "the person installing the network, be they a home user or a business, has ultimate responsibility for any criminal activity that takes place on that network, whether it be launching a hack attack or downloading illegal pornography".

    This has always been a stumbling block for free access in the UK. I hope those using services/schemes such as Fonera in the UK know the risks..

  24. It's a bug on ther website by Kresh · · Score: 1

    So two students found a bug on their webserver.
    Should take FON a minute to fix it and then they can see which users are trying to hack into the router. Remember, they know the MAC-address of the router they sold you.
    This will be useless tomorrow.

  25. inode flat rate. (Re:usage metering?) by globalmatador · · Score: 1

    inode converted all accounts to 24 hour flat from this month on. seems you didnt get the info mail they sent out.