Slashdot Mirror
Hacking the Free "La Fonera" Wireless Router
wertarbyte writes, "FON is still giving away their wireless routers for free in Germany and Austria until Wednesday — under the premise that the devices will be connected and used as FON access points. The router, called 'La Fonera,' is a variant of OpenWRT, but locked down to prevent modification, including a signed firmware image to prevent the upload of new software. It is, however, possible to get shell access by connecting to a serial port present on the circuit board. And now two students from Germany have discovered vulnerabilities in the CGI scripts used to configure the device, and successfully activated an SSH daemon on the device by exploiting them, giving owners a root shell on their router. They also provide a detailed description of the procedure and 'ready-to-use' perl scripts to open up your router."
Its a violation of a pretty neat little system. These things are free (or about as close you can get to it) so its not like its some propriety item they bought and are trying to get more features out of. They are defrauding a company for free wireless routers.
Maybe Im crazy but I think the FON system is very clever and if peope werent abusing it, it might take off interesting ways. Instead it "doodzz free wireless routers here!!!" Shame really.
First at all, it isn't called "La Fonera". "La" in Spanish is just the "The" article, making it the Fonera, a Fonera, or how you want to call it.
It is free too here in Spain, but obtaining it's a really strange scheme that looks a lot like a scam to get private info from people. For example, it was offered for free for the readers of a well known digg-like web and they recommended to use the same user and password to request it as the people had in the web page?! WTF!? And a month later they bought part of the page!!!!
Extremely strange.
And what to say of the Fonera using hidden DNS servers property of the FON makers or scripts allowing free access for them with root privileges to your private network?
--
Superb hosting 200GB Storage, 2_TB_ bandwidth, php, mysql, ssh, $7.95
Also, the only way to access your wired network from the wireless is to allow ALL wireless users to have that access. Well, okay, you could do things like SSH out to a machine on the Internet, SSH back in, and set up port forwarding that way, but nobody would ever do that :). And your own wireless access is treated the same as everybody else's-- you have to log in every time. Annoying in combination with Firefox2's ability to resume sessions-- it loads the Fon login redirection page for every tab you had open.
They've been promising a firmware fix which would allow two SSIDs with different configurations for a long time, but last I checked it still isn't out.
The upshot of this is that I thought I would be getting a nifty solution which would let me share my access while covering my own needs. Instead I really have to run two routers, one for me, and one for everybody else. And despite the fact that I live in a pretty densely populated area, in about six months the number of people who have signed on to the Fon router, besides me, is zero. Oh, correction: the buddy who told me about Fon came by and tried to sign in with his account, which he is supposed to be able to do as a "Linus" user. That didn't work either.
In summary... it's more work and their system is not transparent or secure (oh yeah, there's no encryption on the wifi connections). It's a nifty idea, but I can't really recommend it.
An ancient Jewish proverb.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Got an early version at a HispaLinux convention. It cost me some cash, but it was still cheaper than I could get it otherwise, so I bought it. Coincidentally, there was a WiFi security talk at the convention, and I used the chance to ask them what they thought about the whole FON thing. They were extremely unimpressed and thought it couldn't be made secure.
Based on a cursory examination, I determined the system was insecure. Suppose I enable the router, and somebody comes near and tries to connect. To connect, they try to connect to my wireless network, and the AP authenticates them against the FON RADIUS server.
Now, the problem is that I'm in control of the router, so I can easily fetch their username and password. SSL wouldn't help because at best you have User AP RADIUS, as my understanding is that the AP isn't acting as a router here. The user isn't talking to the RADIUS server directly, the AP does on his/her behalf. So there's no way of stopping me from sniffing people's passwords.
After I get passwords I can easily find some other FON AP, use somebody else's credentials, and have reasonable chances that the person getting in trouble for downloading/uploading something illegal won't be me.
I voiced my concerns on the forum, but the replies weren't satisfying, so now I reflashed it with new firmware and there's no FON-related stuff left on it.
The poster is incorrect in saying this offer is only available in Germany and Austria. I noticed that the web site he pointed to was de.fon.com. I changed the "de" to an "en" and got the English version of the site — which will ship a router to a U.S. for 5 bucks.
in the current FONERA firmware,
things such as opening up the POP SSL ports (993 and 995).
FONERA only allows access to ports 80 and 445 to the internet even on the *private SSID*, making it useless for me as the sole router.
Also, even is the router gives the public and private clients different IP addresses to theoretically prevent the public from browsing on my private LAN, well they are on the same subnet and I can type my private LAN ips from the public network and get access!
This thing then NATs my NAT, making it even more difficult for me to sandbox it properly.
Hopefully, open-wrt will make it more useful as a mini mail server or something like a mini Asterisk server.
Artificial intelligence is no match for natural stupidity