Gaining Root Access On Linux-Based Femtocells

← Back to Stories (view on slashdot.org)

Gaining Root Access On Linux-Based Femtocells

Posted by Soulskill on Tuesday February 2, 2010 @05:31AM from the feel-free-to-listen-in dept.

viralMeme writes "According to the Register, 'Security researchers have turned their attention to femtocells, and have discovered that gaining root on the tiny mobile base stations isn't as hard as one might hope.' One of the researchers said, 'After hours of sniffing traffic, changing IP address ranges, guessing passwords and investigating hardware pinouts, we had obtained root access on these Linux-based cellular-based devices, which piqued our curiosity [about] the security implications.' Whoever designed these devices should be sent back to computer school. An authentication device that can be bypassed is a contradiction in terms. Or, as some pen-pusher would put it in a report: an unantipicated security excursion.

102 comments

Min score:

Reason:

Sort:

Goatse by Anonymous Coward · 2010-02-02 05:34 · Score: -1, Troll

Time to goatse then.
Trouble by Anonymous Coward · 2010-02-02 05:34 · Score: 0, Funny

That's trouble o' some kind, George.
1. Re:Trouble by Anonymous Coward · 2010-02-02 05:38 · Score: -1, Offtopic
  
  I hate it when my anon posts get modded up.
2. Re:Trouble by Anonymous Coward · 2010-02-02 05:45 · Score: -1, Offtopic
  
  If that shit becomes a running /. meme, I'm out of here.
but it should be open by Anonymous Coward · 2010-02-02 05:36 · Score: -1, Offtopic

but the iphone should be open for tinkeri... oh wait.
Jedi Mind Trick, actually by Monkeedude1212 · 2010-02-02 05:37 · Score: 4, Funny

An authentication device that can be bypassed is a contradiction in terms.
You don't need to see his identification.
1. Re:Jedi Mind Trick, actually by davester666 · 2010-02-02 06:37 · Score: 5, Insightful
  
  The very concept of Femtocell's is bass-ackwards. You pay a carrier for wireless access, then pay again for a device to actually provide you with the wireless access, along with monthly fee's for the device and also pay for internet access so the device can connect to the carrier over the internet.
  It's like "we couldn't be bothered to actually provide you with coverage at your home/office, so would you mind building out our network for us, and pay us extra for the privilege of doing so".
  
  --
  Sleep your way to a whiter smile...date a dentist!
2. Re:Jedi Mind Trick, actually by jeffmeden · 2010-02-02 06:50 · Score: 4, Informative
  
  You pay for the hardware, and the 'minutes' at the normal rate, but no carrier I have seen charges you per month for owning the cell. It isn't nearly as sinister as you describe, since their network still has to haul the call where it's going, even if you do in fact bring it to them via the Internet.
  You are right that it's 'their job' to provide you with coverage, but no carrier asserts that they will go to any length necessary to cover 100% of the earth with 100% usable signal. Verizon's ad campaign featuring an army of tower workers following customers around was hyperbolic. Sorry if you got confused.
3. Re:Jedi Mind Trick, actually by Anonymous Coward · 2010-02-02 06:53 · Score: 1, Insightful
  
  The very concept of Femtocell's is bass-ackwards.
  The technical concept is fine. Its implementation at the billing level by American companies is not. The same can be said for SMS.
4. Re:Jedi Mind Trick, actually by ScentCone · 2010-02-02 07:04 · Score: 5, Informative
  
  so would you mind building out our network for us, and pay us extra for the privilege of doing so
  
  Nonsense. I bought a unit to extend Verizon's coverage into the areas of my house that the local tower just can't handle. Like, down in the basement - a level of service that no carrier is going to say they'll promise. Verizon doesn't charge me anything for using it, other than the cost of the hardware - a one-time purchase that I gladly, gladly made. And I can sell the unit any time I want, and any other Verizon customer can use it - and there's no account-related paperwork involved. The devices just work. They look for a DHCP server on your LAN, and off you go. You do need to fire them up near a window until they get their GPS bearings, though. But they don't have to stay there.
  
  You know what else is nice? The household mobile phones now only have to talk to a transciever that's a stone's throw away, instead of a quarter of a mile or more away. That means much better battery life when they're not tethered to a charger.
  
  --
  Don't disappoint your bird dog. Go to the range.
5. Re:Jedi Mind Trick, actually by Anonymous Coward · 2010-02-02 07:24 · Score: 0
  
  isn't that "ass-backwards"?
6. Re:Jedi Mind Trick, actually by Foolicious · 2010-02-02 07:27 · Score: 1
  
  Not sure why that was modded interesting. Interesting? Probably not. Insightful. Definitely.
  
  --
  Please don't use "umm" or "err" or "erm".
7. Re:Jedi Mind Trick, actually by Foolicious · 2010-02-02 07:30 · Score: 3, Insightful
  
  Sorry if you got confused.
  Yeah. I was thinking that by me living in an area that is shown as having coverage on their coverage maps meant that I would...wait for it, wait for it...actually have coverage. How silly of me.
  
  --
  Please don't use "umm" or "err" or "erm".
8. Re:Jedi Mind Trick, actually by 140Mandak262Jamuna · 2010-02-02 07:47 · Score: 5, Funny
  
  Verizon's ad campaign featuring an army of tower workers following customers around was hyperbolic. Sorry if you got confused.
  The joke's on you pal. All those cell towers use Yagi dipole antennae. They are neither parabolic not hyperbolic.
  
  --
  sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
9. Re:Jedi Mind Trick, actually by dgatwood · 2010-02-02 08:54 · Score: 3, Insightful
  
  You also pay for the power needed to operate the cell, which presumably their other customers benefit from. If they put a full cell site on your property, they'd typically pay you between $10-25,000 per year to lease the right to do so (even if it is just putting it on top of an existing structure). Why should they get to place a femtocell at your house for free merely because it runs at a lower power? At a minimum, they should give you a discount on your monthly charge and free service on that cell. Anything less is outright taking advantage of you.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
10. Re:Jedi Mind Trick, actually by AaronW · 2010-02-02 10:20 · Score: 1
  
  I have the same device for Verizon. My house is basically a Faraday cage since I have a steel roof and chicken wire in the outside walls.
  My only issue is that the location based services on my Droid get all screwed up and think I'm a couple hundred miles from where I'm at. I just got a callback from Verizon on this about 30 minutes ago. Apparently this is due to the fact that the network extender only does 1x and not EVDO, but he also said they're looking into enhancing the firmware so that it will support EVDO as well (crosses fingers) which would be nice.
  A full nmap scan of my extender does not report any responding ports.
  
  --
  This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
11. Re:Jedi Mind Trick, actually by Anonymous Coward · 2010-02-02 10:24 · Score: 0
  
  >The household mobile phones
  Why use a mobile at home? Isn't the landline cheaper in your country?
12. Re:Jedi Mind Trick, actually by AaronW · 2010-02-02 10:39 · Score: 1
  
  If you already have a cell phone, why have a land line at all? It can be cheaper to add another cell phone to a plan rather than add a land line.
  In my case I like having a land line as well since the voice quality is much better.
  
  --
  This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
13. Re:Jedi Mind Trick, actually by mirix · 2010-02-02 10:48 · Score: 1
  
  Microwave should fly right through chicken wire, no problem.
  
  --
  Sent from my PDP-11
14. Re:Jedi Mind Trick, actually by AaronW · 2010-02-02 10:56 · Score: 1
  
  It should, but the signal in my house is almost useless with many dead spots. Outdoors I have no problems. Having a steel roof might be part of the problem.
  Anyway, the network extender solved that problem. It's also nice in that I can take it with me if I travel to places where I know I'll get poor to no cell coverage and have Internet access.
  
  --
  This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
15. Re:Jedi Mind Trick, actually by flatrock · 2010-02-02 11:12 · Score: 1
  
  Say the carrier provides 95% coverage. Getting that last 5% is prohibitively expensive, and only a small portion of possible customers will benefit. It just doesn't make sense carrier to saturate every place with cell towers to the point where they have 100% coverage.
  If you are a consumer living in a dead spot, you can rant and rave, but if the amount they can earn from you and others that want coverage there you doesn't cover the cost of an additional tower, it makes little sense for them to build one.
  So if you live in a dead spot you can ask yourself if whatever additional amount the femtocell costs you is worth it to you. If it is, pay for it, if not then I guess you can continue to complain.
  Femtocells provide some people an option they wouldn't otherwise have. They can decide if the cost is worth it to them.
16. Re:Jedi Mind Trick, actually by Anonymous Coward · 2010-02-02 11:41 · Score: 0
  
  Any idiot (or group of idiots), can 'do' Linux insecurely.
  Same as with WinCE, or other OS, or standalone embedded app-of-your-choice.
17. Re:Jedi Mind Trick, actually by __aasqbs9791 · 2010-02-02 14:49 · Score: 1
  
  I had a land line years ago, but as well as almost never using it since I got my cell, it was notorious for going out. I actually called from my cell to cancel the service and the person at the phone company tried to get me to keep it at a low level of service since cell phones are unreliable. I reminded her I was calling from my cell because I picked up the land line and had no dial tone, and averaged that level of outage about once per 6 months that I was aware of which, since as I said I didn't hardly ever use that phone since I got my cell, is rather unlikely to have been the only times it was out of service for hours at a time. She didn't have an answer for that.
18. Re:Jedi Mind Trick, actually by adolf · 2010-02-02 17:32 · Score: 1
  
  Perhaps you're barking up the wrong tree...
  My house also has a steel roof, and many (not all) walls are plaster with metal lath. My Droid usually locates me just fine indoors, usually within a hundred feet or so. Worst case I've seen is when it can't get GPS at all, and seems to fall back on the location of the current tower a few blocks away -- which is also "close enough" for most things that location data is useful for indoors (searching for local restaurants, for instance).
  However: I have, on one occasion, been shown to be about 300 miles northeast of where I was, when I was outside with a clear view of the sky. This persisted (with permutations like it showing me traveling northeast at a fast speed, even though I was stationary) until I rebooted the phone, and was consistent between different applications.
  So. Please allow me to submit that your problem might be your femptocell, or it might be something else entirely.
  
  --
  Kid-proof tablet..
19. Re:Jedi Mind Trick, actually by AaronW · 2010-02-02 17:57 · Score: 1
  
  According to Verizon this is a known problem of the femptocell and the cell phone. It shows my location to be almost 400 miles north. Verizon claims it is due to the fact that the femptocell does not handle EVDO and that my Droid is also picking up an EVDO signal. The engineer said that they are working on adding EVDO support to the femptocell, possibly with a firmware upgrade, which would solve that problem (and give the advantage of EVDO as well). Weatherbug, for example, will often show that I'm in Crescent City. Surprisingly when I used my femptocell 15 miles south of my home it still showed Crescent City. Again, at that location I could pick up EVDO as well.
  
  --
  This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
20. Re:Jedi Mind Trick, actually by Bad+Ad · 2010-02-02 21:23 · Score: 0
  
  Vodafone in the UK were charging £5 a month to use a femtocell plus price of the equipment. This only changed within the last couple of weeks.
So fix it by Anonymous Coward · 2010-02-02 05:39 · Score: -1, Flamebait

No details about the attack yet (not until ShmooCon, this weekend). But, if an attacker can get control, then so can the owner, which means the owner can fix the security hole. Unfortunately, there's no way to ensure that your phone is not connected to someone else malicious femtocell. I want a phone that shows the the hash of the public key of the femtocell I'm using.
1. Re:So fix it by Sir_Lewk · 2010-02-02 05:42 · Score: 2, Funny
  
  Huh? Public keys are just that... public. A hash of a public key demonstrates nothing. ...wait a second. You were on the dev team of these femtocell things weren't you?
  
  --
  "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
2. Re:So fix it by amicusNYCL · 2010-02-02 05:47 · Score: 2, Interesting
  
  But, if an attacker can get control, then so can the owner, which means the owner can fix the security hole.
  Not really.. you're assuming the flaw exists in software. Regardless though, I'm interested to see a "fix" for a vulnerability get published which requires people to hack their phone and gives them a list of memory addresses and values that need to be changed. That would go over well.
  
  --
  "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
3. Re:So fix it by Sir_Lewk · 2010-02-02 06:01 · Score: 2, Insightful
  
  He also seems to be assuming that the attacker and the owner are two seperate people.
  
  --
  "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
4. Re:So fix it by eleuthero · 2010-02-02 06:08 · Score: 2, Interesting
  
  I believe we usually call "fixes" requiring people to "hack" their phones "firmware upgrades" - The fact that many of us hack our phones with other firmware / software doesn't change what the company is going to call it. It would seem to me to be fairly easy to set up even cheap phones for such a firmware upgrade. Any old phone would need to be replaced at end of contract or it simply would stop functioning. While this won't immediately solve the privacy issues, it would provide for a workable solution. For those with smartphones, firmware upgrades can be pushed or dl'ed via itunes/whatever.
5. Re:So fix it by FrangoAssado · 2010-02-02 06:39 · Score: 3, Informative
  
  If you're encrypting stuff with X's public key, then only whoever has X's private key can decrypt it. So, in essence, you're certain you're talking to X and not someone pretending to be X.
  So, by displaying the hash of the public key of the device you're talking to, you're effectively showing the true identity of who you're talking to.
  I think the OP's idea is that you can use this information to be sure you're connecting to your own femtocell (on which you have fixed the vulnerability) and not you neighbor's (possibly hacked) femtocell.
6. Re:So fix it by characterZer0 · 2010-02-02 06:49 · Score: 1
  
  If the public key is public, I can stick it in another femtocell.
  If I have physical access to the femtocell, I can copy anything from it and stick it in another femtocell.
  You cannot trust a device that untrusted people have physical access to.
  
  --
  Go green: turn off your refrigerator.
7. Re:So fix it by Sir_Lewk · 2010-02-02 06:53 · Score: 1
  
  Well sure, but this would only be an exceptable solution to the most paranoid of technically minded people. Nobody wants to manually confirm a public key each time they make a phonecall. It's also quite worthless if you are not controlling the femtocell in question, which would be the vast majority of the time.
  
  --
  "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
8. Re:So fix it by FrangoAssado · 2010-02-02 07:08 · Score: 2, Informative
  
  If the public key is public, I can stick it in another femtocell.
  You surely can stick it into another femtocell, but that will do you no good. This new femtocell can't use this key to communicate, because it doesn't have the corresponding private key.
  To give another example: I can get the public key from any bank site and stick it into my own web server. This doesn't mean I can trick people into thinking my web server is the bank's -- I won't be able to decrypt anything they send me!
9. Re:So fix it by FrangoAssado · 2010-02-02 07:12 · Score: 1
  
  Agreed. I just mentioned that in some sense the OP's post was not completely bogus.
10. Re:So fix it by wolrahnaes · 2010-02-02 11:31 · Score: 1
  
  Hell, even the OP seems to;
  
  gaining root on the tiny mobile base stations isn't as hard as one might hope
  Wha? I bought the thing, I might hope I'd have root right off the bat. I know not to expect that, but I'd still hope.
  I want it to be hard for everyone else to gain root.
  
  --
  I used to get high on life, but I developed a tolerance. Now I need something stronger.
But...but... by Anonymous Coward · 2010-02-02 05:39 · Score: -1, Flamebait

I thought all one had to do was install Loonix on something and it was magically secure without any additional work. At least that's what freetards would have you believe.
Impossible by Anonymous Coward · 2010-02-02 05:46 · Score: -1, Troll

Lunix doesn't have exploits.
it still comes down to one thing by prgrmr · 2010-02-02 05:49 · Score: 3, Insightful

changing IP address ranges, guessing passwords

Better passwords would have made all the difference in the world. 16 character, mixed case and symbol types would have been enough of a roadblock to prevent them from gaining access. Too many companies are still shipping products that have no intended user access to the command shell with passwords like "Admin", "12345", and the ever-popular "password". It's not like it costs more to have a longer, more complex password.
1. Re:it still comes down to one thing by Nos. · 2010-02-02 05:58 · Score: 3, Insightful
  
  The problem is not what the default password is. It could be blank and still not significantly affect the security of the device. Its the admins that don't change the default password that are to blame. Lets face it, even if they ship the next device with a 16 char mixed case, special character, number containing, sufficiently random password, it will still be the default password. A simple google search of "Device model default password" will get you the default password pretty much as soon as its released.
  As an alternative, they could force a password change on first login.
2. Re:it still comes down to one thing by toastar · 2010-02-02 06:03 · Score: 1
  
  It's not like it costs more to have a longer, more complex password.
  What are you smoking?
  Simple Passwords have to be reset less often, Which means less cost on the Customer/Luser Support calls. Not By a lot but not entirely Negligible.
  Also having a complex password also means it usually has to be written down or requested often leaves room for Social engineering,
  So therefore Having a Stronger Password Unnecessarily can actually reduce overall security by increasing other attack vectors.
  Any system that lets a user bruteforce the password is inherently flawed, Hell even windows locks you out after a certain number of guesses.
3. Re:it still comes down to one thing by Leolo · 2010-02-02 06:10 · Score: 2, Interesting
  
  Yes there is a cost; a company installs a plug-n-play device A. It works for a while (months, years). Then it stops working or they want something changed or it doesn't work with some new device B. So then they call me to figure out the integration. Now, I need to log in and find out as much as I can about the device in as short a time as possible. I'm over 100 km from the device, have never used one before. The person who originaly installed device A has retired and is now snorkeling in the Solomon islands. So, what is root password? Either "123456" or I Google up a list of default passwords for the device. If I can't, that's a support call to the company that made the device (cost to maker) or the company that deployed it has to ditch the device and find something else (large cost to user).
  So yes, complex passwords have a cost.
4. Re:it still comes down to one thing by blair1q · 2010-02-02 06:17 · Score: 3, Insightful
  
  On the other hand, a 20-digit randomized Product Key for registering your purchase is no big deal.
  Print the password on the box and make it mandatory to enter it before use. Users will get the clue and online h4xx0rs won't have a backdoor into 99% of links.
5. Re:it still comes down to one thing by Archangel+Michael · 2010-02-02 06:19 · Score: 1
  
  Nope.
  First login should require two things, new user name / password combo, and disabling the default username / password combo.
  Seriously, the first half of an attack is trying to guess a username, which if in the open, cuts the amount of work needed to crack the device.
  Nothing says "insecure" like default user names ... IMHO
  
  --
  Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
6. Re:it still comes down to one thing by CastrTroy · 2010-02-02 06:21 · Score: 2, Interesting
  
  Maybe they could give a custom password to each device, and then have their assembly line print out the default password on the bottom of the device. They already print a serial number. Why not print a password? Each device would have a different default password. You may want to keep a highly guarded list of passwords/serial numbers for customer support issues, but if it's printed on the bottom of the device, I would say even that is unnecessary.
  
  --
  
  Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
7. Re:it still comes down to one thing by jeffmeden · 2010-02-02 06:25 · Score: 2, Insightful
  
  Oh, for the love of documentation!
  I think what you meant to say is there is an inherent cost to being forgetful (forgetting the password before writing it down in a safe place) or lazy (not writing it down in an safe/perpetual place.) Yes, if the alternative is leaving a password susceptible to casual attack, feel free to write the password down and lock it in your desk drawer with the IP of the device on it, and leave that post-it around for the next guy.
  Not that there aren't a ton of secure, effective tools to manage passwords out there.
8. Re:it still comes down to one thing by emt377 · 2010-02-02 06:34 · Score: 1
  
  The problem is not what the default password is. It could be blank and still not significantly affect the security of the device. Its the admins that don't change the default password that are to blame. Lets face it, even if they ship the next device with a 16 char mixed case, special character, number containing, sufficiently random password, it will still be the default password.
  It could have a randomly generated password printed on the same sticker as the serial number and phy mac.
9. Re:it still comes down to one thing by mcrbids · 2010-02-02 06:39 · Score: 4, Insightful
  
  Too many companies are still shipping products that have no intended user access to the command shell with passwords like "Admin", "12345", and the ever-popular "password". It's not like it costs more to have a longer, more complex password.
  You think longer, complex setup doesn't cost the company money? I gather that you haven't considered support costs?
  The best solution I've seen so far is to have a strong password printed on a sticker on the outside of the box. That's a pretty good compromise because if the attacker has physical access to the box, he/she could hit the "Reset" button on the device anyway. Thus, putting the password on the bottom of the device on a sticker really isn't any less secure than other solutions, and this can be done fairly cheaply.
  But it still costs - each router has to be given its own unique password, and a process has to be set up to match up the passwords given with the stickers, and there are still more support costs from the clueless dolts who have to be told to look on the bottom of the device for the default password.
  If you assume any intelligence on the part of the end user, your support costs will quickly challenge that assumption!
  
  --
  I have no problem with your religion until you decide it's reason to deprive others of the truth.
10. Re:it still comes down to one thing by Jesus_666 · 2010-02-02 06:40 · Score: 1
  
  You can go one step further and just use the S/N. Not quite as secure but the attacker still needs to have at least brief physical access to the device.
  
  --
  USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
11. Re:it still comes down to one thing by ComputerGeek01 · 2010-02-02 06:47 · Score: 1
  
  Better passwords would have made all the difference in the world. 16 character, mixed case and symbol types would have been enough of a roadblock to prevent them from gaining access. Too many companies are still shipping products that have no intended user access to the command shell with passwords like "Admin", "12345", and the ever-popular "password". It's not like it costs more to have a longer, more complex password.
  Neither is it anymore secure. Having the same 16 char password on every unit of a product only makes it frustrating to use; not any more secure. What is needed is a individual password for every unit based on something unique like the serial number of the unit, and this WOULD cost more money for production AND support costs. Also you would alienate a portion of the market because this seemingly simple thing will be well beyond their ability. Stupid people will always exist, it is the burden of society to tolerate them and evidently to make exceptions for them. We cannot blast every manufactorer who wants to sell stuff to stupid people for brining things like security down to a level that the morons with money can use.
12. Re:it still comes down to one thing by jeffmeden · 2010-02-02 06:56 · Score: 1
  
  Using the SN severely limits the possible space unless the SN is itself highly unique from device to device. This is a good place to start but make sure it's a significant portion of the SN and the SN itself is very long and non sequential. Better yet, make it a hashed password only based on the SN; using a private key so it can't be reversed. Going from a trillion possibilities to a million may sound like a trivial problem but it really hurts the depth of security, all the attacker needs is a sufficiently fast way to test each password, if your tar pit fails for some reason you are going to be up the creek.
13. Re:it still comes down to one thing by SilverJets · 2010-02-02 07:02 · Score: 1
  
  Or, you could force the first login to change the username and password like another poster wrote further up. Why go at this backasswards at the manufacturing level?
14. Re:it still comes down to one thing by billcopc · 2010-02-02 07:08 · Score: 1
  
  That's real nice if everyone cooperates, but it is all too easy for a disgruntled admin to change either the password or the password database, and lock the next guy out. Wasn't there such a psycho last year, who was screwing with CA utilities or some ISP long after he'd been fired (for being a psycho) ?
  
  --
  -Billco, Fnarg.com
15. Re:it still comes down to one thing by afidel · 2010-02-02 07:10 · Score: 1
  
  That's exactly what HP does for the iLo boards on their Proliant servers.
  
  --
  There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
16. Re:it still comes down to one thing by LaminatorX · 2010-02-02 07:14 · Score: 1
  
  It's not like it costs more to have a longer, more complex password.
  Only if you have an unlimited data plan. ;)
17. Re:it still comes down to one thing by Anonymous Coward · 2010-02-02 07:16 · Score: 0
  
  And what happens when the sticker comes off, becomes unreadable due to scratches, and/or otherwise lost?
  No, stickers are not an answer. Proper administration is.
18. Re:it still comes down to one thing by jeffmeden · 2010-02-02 07:17 · Score: 2, Informative
  
  Simple, some devices require no log-in to make use of them (such as the femtocell, or almost every other firewall-router) since the default settings are sufficient for 99% of users. In this case, you don't want to burden the user with setting (and then forgetting) the password to the device just to make use of it. Set it to something strong and unique, and give it to the user in a form that is secure (a sticker on the box which can be clipped and saved, or a sticker on the unit). The final effect is that if the user doesn't change it and loses track of it, they can call support and instead of a lengthy password reset and reconfiguration process, the support line can simply look up the serial number and derive the password.
19. Re:it still comes down to one thing by suomynonAyletamitlU · 2010-02-02 07:24 · Score: 1
  
  Better yet, make it a hashed password only based on the SN; using a private key so it can't be reversed.
  That would defeat the purpose of it being the SN. At that point you could just make the password entirely random, of the same length, because have to print the password separately.
  End users--especially noob users--are not going to read the SN, download a custom application to turn that into a password, and then use that.
20. Re:it still comes down to one thing by mlts · 2010-02-02 07:29 · Score: 1
  
  Easy way to relate serial numbers to passwords: Append a secret value to the S/N, hash the value (SHA-512 comes to mind), take the first x number of characters (preferably more than 20, 64 would be best). This way, the serial number doesn't really matter because without the nonce added, it won't give meaningful information.
  Of course, the machine that has the secret value (and I hope this is something that changes with each model), is going to be heavily locked down.
  Another good method is just to use a 1:1 hash mapping. The serial gets mapped to a random value, and that mapping is stored in a database. This way, there is absolutely no way to calculate one value from the other.
21. Re:it still comes down to one thing by Jesus_666 · 2010-02-02 07:31 · Score: 1
  
  I was thinking about the entire S/N, which should be 20-40 alphanumeric characters (and, of course, nonsequential; maybe an MD5 hash of the order the device was built in prefixed by model information). Provides a nice incentive for the user to change the password, as well. 36^20 is a nice, big search space and 36^40 should be enough to keep any naive attacker at bay until the device has been replaced.
  
  Maybe, if you want to be particularly user-friendly, you could use shorter S/Ns but I wouldn't go below 10 characters, which offers a mere three quadrillion possible passwords.
  
  --
  USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
22. Re:it still comes down to one thing by mlts · 2010-02-02 07:34 · Score: 1
  
  Even better might be having a cryptographic token, either something like a SecurID card except with a replacable battery, or a USB smart card that stores a private key on board. This way, an authorized user just needs to dig out the keyfob, jam it in a port or type in the 6-8 digit number plus the password as mentioned above, and access is granted. A remote attacker most likely would not have physical access to the cryptographic token, so that slams the door on a lot of attacks right there, forcing the blackhat to do a brute force attack, which can be mitigated by adding delays, or locking out the incoming IP for a period of time.
23. Re:it still comes down to one thing by lukas84 · 2010-02-02 07:39 · Score: 2, Interesting
  
  A good concept that i've seen in use on an embedded device.
  The device ships with it's user interface completely locked. There's no possibility to login. Press a button on the device, and you can logon using default credentials - doing this will prompt you to change user and password. After doing this, the button can be used to perform a full reset of the device.
  Basically, the device is secure out of the box - when logging in for the first time, you need to provide physical authentication, and afterwards you have your own user and password.
  I haven't seen any downsides to this approach yet.
24. Re:it still comes down to one thing by owlstead · 2010-02-02 07:47 · Score: 1
  
  That's not a good idea, since the serial number normally is - eh - serial in nature. You can easily scan the range. The other option is to use a random "serial" number but then you need to make changes to the organization. If you are going that way, just print a random number after the serial number (starting with "PW" to distinguish it from the serial number, svp, we've got enough "anonymous" numbers as it is).
25. Re:it still comes down to one thing by Rich0 · 2010-02-02 08:18 · Score: 1
  
  I can't say that I agree. Yes, having to guess both the username and the password does improve security, but no more than simply making the password that many characters longer. Essentially you're just making the username part of the password.
  The only reason that your approach would add value is if the password length were somehow artificially limited, and the username were protected like a password and assigned using strong password conventions.
  Otherwise it just adds inconvenience, and no real additional security.
26. Re:it still comes down to one thing by jedidiah · 2010-02-02 08:51 · Score: 1
  
  Why hasn't anyone suggested that devices like these need to have something like
  fail2ban built in? Lock people out who are trying to brute force the internal
  ssh server. This exploit probably doesn't represent anything terribly interesting
  from a server or desktop perspective. It's likely that the device just isn't put
  together terribly well and no one ever considered someone trying to hack it like
  a server.
  
  --
  A Pirate and a Puritan look the same on a balance sheet.
27. Re:it still comes down to one thing by dgatwood · 2010-02-02 09:01 · Score: 1
  
  Or you could use the serial number as the initial password and require the administrator to change it at first login, thus making it impossible to configure the device without first setting a password. Include a convenient physical reset button to reset it to factory configuration (including password) if you screw up, but make sure that this forces you to reconfigure everything before the device is usable.
  Of course, this assumes that it is necessary to do at least some configuration in order to use the device. If that's not the case, then the right answer is to not use a password at all, and require that the telco connect to the device using a private key to update it.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
28. Re:it still comes down to one thing by Rich0 · 2010-02-02 10:30 · Score: 1
  
  That would allow for a DOS attack - unless the ban were only temporary. Just connect to a device and give it x wrong passwords, and now even the owner can't get into it.
  The solution is what I think is already employed for things like ssh - connection throttling. If the ssh server does not allow a given IP to attempt more than one login per second or two that won't impact legitimate users at all but it pretty-much eliminates brute force attacks against all but the weakest passwords.
  And if you set up fail2ban or whatever with a timeout that re-enables the account, that is just a really SLOW connection throttle under another name.
29. Re:it still comes down to one thing by mirix · 2010-02-02 11:00 · Score: 1
  
  Fail2ban only bans the attacking IP, not all traffic... how would that cause a DoS?
  
  You can change how many attempts, how long to ban, things like that.
  
  --
  Sent from my PDP-11
30. Re:it still comes down to one thing by Anonymous Coward · 2010-02-02 12:47 · Score: 0
  
  The person who originaly installed device A has retired and is now snorkeling in the Solomon islands. So, what is root password? Either "123456" or I Google up a list of default passwords for the device. If I can't, that's a support call to the company that made the device (cost to maker) or the company that deployed it has to ditch the device and find something else (large cost to user).
  So yes, complex passwords have a cost.
  Well, we all know that companies fail to document necessary account or password records for their techs and also that it's hard to "hide" information once it's out onto google. The problem is that they even get out to google in the first place. In other words, that we we made default passwords a customer standard without considering alternatives, allowing 1 router or special device to have a 'back door' that becomes a front door to anyone else for attack purposes. I mean, the adequate industry standard should have been hashing. Even rot13 'encryption' would keep the average nobody's attempts from trying to log into his neighbors router if he can't remember what "admin" and "password" read like once rot13'd.
  It's now too late, and we need something better, but cleaning up the mess will be optional. We are still weak security wise. We can't even force a firmware upgrade on all those insecure WEP access points out there to bring up to WAP or WAP2. It's too late because there's a whole industry depending on them, like older cellphones portable videogame consoles, laptops and USB wireless sticks. What to do, what to do...
inb4 by Anonymous Coward · 2010-02-02 05:58 · Score: 0

All your femtocell are belong to us!
Wow, by tomhudson · 2010-02-02 05:59 · Score: 1

an unantipicated (sic) security excursion (sic).

1. "unanticipated", not "unantipicated".
2. "privilege escalation" or "privilege elevation", not "security excursion."
Let me guess ... you went to Simon Fraser. University ...
1. Re:Wow, by idontgno · 2010-02-02 06:25 · Score: 2, Informative
  
  "Security Excursion" gets 50 Google hits, most of which seem to be talking about boondoggles and outings. ("Excursion" about "security".)
  One google hit supports GFP's use of the phrase, though:
  
  Security Vulnerability Threat Assessment Audit: The scope of Gulf Coast Project Services audit process goes beyond Public Safety. It encompasses Business Interruption and Corporate Survivability. The objective of this audit is to leverage existing work processes and standard guidelines in order to determine gaps in a particular Security Vulnerability threat analysis. GCPS's Security Vulnerability Threat Assessment audit is organized into three sections. The three sections are; Security Excursion Protection, Security Excursion Remediation and Security Excursion Mitigation.
  (emphasis mine)
  Sounds like someone's bureaucratese euphemism for "Security screwup". Other than being bafflegab and needlessly obscure, it's consistent with the usage.
  That qualifies as damning with faint praise, but there you go.
  
  --
  Welcome to the Panopticon. Used to be a prison, now it's your home.
2. Re:Wow, by Anonymous Coward · 2010-02-02 06:37 · Score: 0
  
  You do realize the part about the "security excursion" was a joke, right?
3. Re:Wow, by HTH+NE1 · 2010-02-03 05:41 · Score: 1
  
  Sounds like someone's bureaucratese euphemism for "Security screwup".
  To borrow terminology from another source, it sounds like a Foothold Situation to me.
  
  --
  Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
Gases by Anonymous Coward · 2010-02-02 06:02 · Score: 0

They're using the wrong gasses, thats what the problem was last time, and is this time as well.
I noticed that the Register article... by idontgno · 2010-02-02 06:02 · Score: 3, Interesting

(Yes, I read TFAs)
The Reg article kinda brushed off the risks of a cell-tower MITM attack, relegating it to a mere "loss of privacy" because the 3G cryptosystem is strong.
I assume it means that the cryptosystem is too strong for a realtime attack. It's a damn rare cryptosystem that can't be broken using enough stored ciphertext, so if the modified femtocell is storing and forwarding all traffic, traffic analysis + theoretical weaknesses in the algo + massive compute power == recovered clear material at some point in the future. Depending on the use case, there may be a lot of value in that.

--
Welcome to the Panopticon. Used to be a prison, now it's your home.
1. Re:I noticed that the Register article... by owlstead · 2010-02-02 07:51 · Score: 2, Informative
  
  "I assume it means that the cryptosystem is too strong for a realtime attack. It's a damn rare cryptosystem that can't be broken using enough stored ciphertext, so if the modified femtocell is storing and forwarding all traffic, traffic analysis + theoretical weaknesses in the algo + massive compute power == recovered clear material at some point in the future."
  It's not such a rare cryptosystem that can't be broken given enough stored ciphertext,. And it is definitely not hard to construct nowadays (especially with good counters, session key renewal through key agreement algorithms). The question is is if the aging, proprietary GSM crypto that is in use actually falls within that definition. What I've heard, that's quite a definite "NO".
Encrypt everything by Anonymous Coward · 2010-02-02 06:06 · Score: 2, Insightful

Don't use the regular 3G voicecalls, use only encrypted VoiP. Preferebly with a microSD card filled with one-time pad
Of course its not actually a bad thign that these are hacked, people just need to realise that their communications are not secure. just like when I use my Nokia's SIP client now I know full well that it would be easy for the person who'se WiFi i'm using to intercept my calls but I take the chance anyway.
Femtocells rely on 'security against the user' much like DRM does, in fact a large part of the 3G/GSM network relies on people not being able to fuck around with their own equipment too much, so I am actually surprised it took this long since that client-side security model is doomed anyway
1. Re:Encrypt everything by Sir_Lewk · 2010-02-02 06:22 · Score: 2, Insightful
  
  use only encrypted VoiP. Preferebly with a microSD card filled with one-time pad
  Say what? Either you don't know what a one-time pad is and are just pulling cryto terms out your ass, or you have really weird telephone habits. OTPs never make sense, unless you are a spy deep in enemy territory and you need to transmit a handful of words with perfect security to a single receiver. The logistical issues with a system like the one you are proposing are absurd.
  
  --
  "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
2. Re:Encrypt everything by mlts · 2010-02-02 07:47 · Score: 1
  
  One time pads are truly secure, but the hard part is getting a copy of the OTP from Alice to Bob via a secured route, as anyone who intercepts it has full and unfettered access. Also, depending on the amount of data transferred, the amount of bytes stored on the OTP might run out.
  Instead, if you are designing a cryptosystem where the two endpoints are "introduced" to each other, and essentially only talk to each other, so public key cryptography isn't needed, there is one method you can do:
  Each device "knows" about the other and has 1024 bits that only it and the other device has. (This can be copied manually via a USB flash drive, or the devices could be temporarily connected and they negotiate this info.)
  Then, the devices can do a basic Diffie-Hellman handshake, except encrypted with the first 256 bits, and another 256 bits used for the initialization vector (if needed). Once both sides negotiate a session key, before that key is used, it is encrypted using the last 512 bits as a key/IV. This way, even if someone is able to figure out the first key used to encrypt the D-H handshake, the session key is still unguessable without a major break in the cryptographic algorithm, or a compromise of one of the endpoints.
  The advantage of this setup is that it is quick -- public key cryptography is computationally intensive. The disadvantage is that this system only works with a small amount of devices before it becomes unwieldy, similar to hosts files.
Be not afraid by blair1q · 2010-02-02 06:13 · Score: 2, Funny

I for one welcome our easily-rooted overlords.
It was the business school by kiehlster · 2010-02-02 06:28 · Score: 2, Insightful

Their computer schooling isn't the problem, it's that they've probably also gone to business school. Rule #1, always cut corners to finish the product on time.
A couple of points ... by PPH · 2010-02-02 06:33 · Score: 4, Interesting

The summary mentions "investigating hardware pinouts". This makes me think that the attack is, in part, on the hardware. If one has access to hardware, they've pwned the system. Period. So this is a non-issue.
Second; cell phones trusting the base station has always been a security issue. And "exploits" based upon this weakness are already in use by law enforcement as well as criminals. The whole inmates sneaking cell phones into prisons has been made a non-issue based upon this very approach. Prisons are beginning to cover their facilities with femtocells which give them the ability to monitor all illicit cell traffic on their property. Any truly secure system will assume that the network carrying its traffic is insecure.

--
Have gnu, will travel.
1. Re:A couple of points ... by pr0nbot · 2010-02-02 06:45 · Score: 3, Insightful
  
  I'd presume (without having RTFA of course) that what is meant is that they bought a femtocell, looked at its hardware pinouts, and this helped them devise an attack that would work on any instance of that model of femtocell (without physical access).
Seriously? by IceCreamGuy · 2010-02-02 06:42 · Score: 2, Interesting

Whoever designed these devices should be sent back to computer school. An authentication device that can be bypassed is a contradiction in terms.
First of all, this is not an authentication device, it's a cell network extender, which obviously requires some kind of authentication for any measure of security. What "Authentication device" (I think they mean "authentication mechanism") has never had a vulnerability exposed? Are all devices with a privilege escalation vulnerability designed by people who "should be sent back to computer school?" ("computer school?" ...seriously?). How many privilege escalation vulnerabilities were found in the Linux kernel last year? I empathize with the fact that an escalation exploit this serious in a device that is designed to be used by the public is not a trivial matter, but the poster is being sensationalist here, and, honestly, comes across as undereducated in the subject matter. I wouldn't consider myself an expert, but this person doesn't seem to have a clear understanding of the issue. It's a security vulnerability in a device that runs Linux because the designers were lazy when picking a password.

The real issue here is the fact that security is sometimes not taken as seriously with hardware and firmware design in commodity devices as it is with software.
1. Re:Seriously? by owlstead · 2010-02-02 08:04 · Score: 2, Insightful
  
  "The real issue here is the fact that security is sometimes not taken as seriously with hardware and firmware design in commodity devices as it is with software."
  I love that last statement. It's not only not taken seriously, it is rarely programmed by someone educated on the subject. And the users of these systems are also to "blame". Even I, when browsing for a new ADSL modem, don't look at the state of the security in a device. I'll look if a router has WPA2 but that's about the extend of it. This is not strange, since it is simply not the prime use of the device. For these kind of Femto cells, no manager will select on security, but rather at cost, signal strength and manageability.
  About 3 years ago I looked at the security of an Enterprise Service Bus and literally on the last page it was stated that the software used AES 168 bit encryption (including screen shot, no less). It's not just commodity devices, it is all products that are not primarily designed with security in mind.
investigating hardware pinouts by bl8n8r · 2010-02-02 06:45 · Score: 1

Just what is that supposed to mean exactly? Does this crack require physical access in order to be executed?
"We've sniffed for hours, and nothing."
"Try a different BOOTP request!"
"Damn orinoco firmware..."
"This sucks, how are we gonna get a publication out of this?"
"Fine, gimme the bolt cutters"
*snip* *clink* ...
"Hmm.. those are intersting pinouts.. they look like.."
"Yeah, dude that's SATA !!" ... *knoppix cd spins up*
"We got root! we got root!"

--
boycott slashdot February 10th - 17th check out: altSlashdot.org
Oh my... so that's what's going on. by Petersko · 2010-02-02 07:17 · Score: 4, Funny

I had no idea linux proponents were all Jedi. That explains everything.
"You don't NEED the extra features in Photoshop."
"You don't NEED integrated audio processing software."
"You don't NEED anything OpenOffice doesn't have."
"You don't NEED..."
Now those Jedi need to start using their powers for good.
"You NEED to write documentation for non-technical users..."
1. Re:Oh my... so that's what's going on. by Anonymous Coward · 2010-02-02 08:34 · Score: 0
  
  When have you ever seen a non-technical user read documentation? Might as well write it into /dev/null
2. Re:Oh my... so that's what's going on. by Anonymous Coward · 2010-02-02 08:37 · Score: 0
  
  Ouch. Modded as "funny", but probably the most apt thing I've read on /. in months.
3. Re:Oh my... so that's what's going on. by jedidiah · 2010-02-02 08:48 · Score: 1
  
  You think you're funny but all of the Apple fanboys are holding up the iPad and saying the same thing times 10.
  Most people either don't need the features of $300+ software or are simply unwilling to pay for it.
  
  --
  A Pirate and a Puritan look the same on a balance sheet.
4. Re:Oh my... so that's what's going on. by Anonymous Coward · 2010-02-02 14:22 · Score: 0
  
  You NEED to write documentation for non-technical users...
  no, non technical users need to become literate.
5. Re:Oh my... so that's what's going on. by Anonymous Coward · 2010-02-03 19:37 · Score: 0
  
  I had no idea linux proponents were all Jedi. That explains everything.
  Now those Jedi need to start using their powers for good.
  "You NEED to write documentation for non-technical users..."
  "You don't NEED "Linux Jedi" OS for non-technical users..."
6. Re:Oh my... so that's what's going on. by Anonymous Coward · 2010-02-03 21:34 · Score: 0
  
  I had no idea linux proponents were all Jedi.
  We're Sith, actually.
Been there, done that. by marcansoft · 2010-02-02 07:21 · Score: 3, Informative

I've been working on hacking the Vodafone femtocells for fun. They have an internal serial port and the bootloader has no security, not to mention the Linux image uses short default passwords that are easy to crack given the shadow file. So far we don't know of a way to get root given only network control, but it might be possible depending on how their IPSEC tunnel is set up. Our goal would be to use these for our own network, via OpenBSC.
It's worth noting that it's early and we're not entirely sure about the security implications and just how much you can do with these things (e.g. I don't know yet if voice traffic is decrypted inside the femtocell or if it is passed on encrypted to the servers). Chances are there will be some interesting exploits and chances are they will be presented at this year's Chaos Community Congress if they're interesting enough. Unless we get bored and work on something else, which happens sometimes.
Computer School by kuzb · 2010-02-02 08:45 · Score: 1

Whoever used the term "computer school" should be sent back to university.

--
BeauHD. Worst editor since kdawson.
1. Re:Computer School by haderytn · 2010-02-02 11:32 · Score: 1
  
  You just did.
embedded != security by Anonymous Coward · 2010-02-02 09:06 · Score: 0

Embedded devices and security don't mix. The people who design the devices and software have very different goals. Most embedded guys are just trying to hack some abortion of a CPU+board to work at all for their needs. No one gives security a second thought, beyond setting a password (or not).
The guys who care about security are usually working on bank software etc, where nothing is embedded, mostly working on VM languages on VM OSes, and the simplest feature is thousands of lines of triple-checked code with hundreds of tests against it.
Not surprising at all.
Sprint's Airave gets it precisely backwards by gelfling · 2010-02-02 09:22 · Score: 1

There are two modes: 'anyone' or 'from a list'. Now 'anyone' means that any Sprint customer in range can use the device up to the preprogrammed maximum of 3 simultaneous calls. 'From a list' means that only the phone numbers from a pre selected list are allowed to access the box. The problem is that is if you are a Sprint customer and your # is not on the list you can't have ANY service at all. You are in a 'private network' and therefore excluded from BOTH the Airave and connections to a local tower.
Which is stupid.
At a minimum you should be required to log onto the Airave using a PIN code which expires after "X" hours. And anyone else, who happens to be a Sprint customer is simply ignored by the Airave and ignores it so that they can access a tower.
Nothing new, not the first to do this by kju · 2010-02-02 12:47 · Score: 1

I spoke with Harald Welte (of OpenBSC etc. fame) on ELC Europe back in October. He told me that he successfully gained root access to one of those Femtocells sold in the UK. As far as i remember he said that it was not very difficult to get access, also that he found some of the builtin features (e.g. check if operated in the correct location) nonworking.
On the other hand: This was bound to happen. Most embedded linux systems which have at least some remote hack-value tend to get opened up some day.
1. Re:Nothing new, not the first to do this by marcansoft · 2010-02-02 13:38 · Score: 1
  
  We tested one of those at 26C3 using a simple VPN to the UK, so we had a Vodafone UK network in Germany (and successfully placed a call). This is Not Supposed To Work (and at this point we hadn't made any changes to the software yet). It seems beyond nonexistent physical security, the location determination features and other measures in place to prevent use in the wrong place/country aren't working very well or at all.