Slashdot Mirror


Gaining Root Access On Linux-Based Femtocells

viralMeme writes "According to the Register, 'Security researchers have turned their attention to femtocells, and have discovered that gaining root on the tiny mobile base stations isn't as hard as one might hope.' One of the researchers said, 'After hours of sniffing traffic, changing IP address ranges, guessing passwords and investigating hardware pinouts, we had obtained root access on these Linux-based cellular-based devices, which piqued our curiosity [about] the security implications.' Whoever designed these devices should be sent back to computer school. An authentication device that can be bypassed is a contradiction in terms. Or, as some pen-pusher would put it in a report: an unanticipated security excursion."

35 of 102 comments

  1. Jedi Mind Trick, actually by Monkeedude1212 · Score: 4, Funny

    An authentication device that can be bypassed is a contradiction in terms.

    You don't need to see his identification.

    1. Re:Jedi Mind Trick, actually by davester666 · Score: 5, Insightful

      The very concept of Femtocells is bass-ackwards. You pay a carrier for wireless access, then pay again for a device to actually provide you with the wireless access, along with monthly fees for the device and also pay for internet access so the device can connect to the carrier over the internet.

      It's like "we couldn't be bothered to actually provide you with coverage at your home/office, so would you mind building out our network for us, and pay us extra for the privilege of doing so".

      --
      Sleep your way to a whiter smile...date a dentist!
    2. Re:Jedi Mind Trick, actually by jeffmeden · Score: 4, Informative

      You pay for the hardware, and the 'minutes' at the normal rate, but no carrier I have seen charges you per month for owning the cell. It isn't nearly as sinister as you describe, since their network still has to haul the call where it's going, even if you do in fact bring it to them via the Internet.

      You are right that it's 'their job' to provide you with coverage, but no carrier asserts that they will go to any length necessary to cover 100% of the earth with 100% usable signal. Verizon's ad campaign featuring an army of tower workers following customers around was hyperbolic. Sorry if you got confused.

    3. Re:Jedi Mind Trick, actually by ScentCone · Score: 5, Informative

      so would you mind building out our network for us, and pay us extra for the privilege of doing so

      Nonsense. I bought a unit to extend Verizon's coverage into the areas of my house that the local tower just can't handle. Like, down in the basement - a level of service that no carrier is going to say they'll promise. Verizon doesn't charge me anything for using it, other than the cost of the hardware - a one-time purchase that I gladly, gladly made. And I can sell the unit any time I want, and any other Verizon customer can use it - and there's no account-related paperwork involved. The devices just work. They look for a DHCP server on your LAN, and off you go. You do need to fire them up near a window until they get their GPS bearings, though. But they don't have to stay there.

      You know what else is nice? The household mobile phones now only have to talk to a transceiver that's a stone's throw away, instead of a quarter of a mile or more away. That means much better battery life when they're not tethered to a charger.

      --
      Don't disappoint your bird dog. Go to the range.
    4. Re:Jedi Mind Trick, actually by Foolicious · Score: 3, Insightful

      Sorry if you got confused.

      Yeah. I was thinking that by me living in an area that is shown as having coverage on their coverage maps meant that I would...wait for it, wait for it...actually have coverage. How silly of me.

      --
      Please don't use "umm" or "err" or "erm".
    5. Re:Jedi Mind Trick, actually by 140Mandak262Jamuna · Score: 5, Funny

      Verizon's ad campaign featuring an army of tower workers following customers around was hyperbolic. Sorry if you got confused.

      The joke's on you pal. All those cell towers use Yagi dipole antennae. They are neither parabolic nor hyperbolic.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    6. Re:Jedi Mind Trick, actually by dgatwood · Score: 3, Insightful

      You also pay for the power needed to operate the cell, which presumably their other customers benefit from. If they put a full cell site on your property, they'd typically pay you between $10-25,000 per year to lease the right to do so (even if it is just putting it on top of an existing structure). Why should they get to place a femtocell at your house for free merely because it runs at a lower power? At a minimum, they should give you a discount on your monthly charge and free service on that cell. Anything less is outright taking advantage of you.

      --
      Check out my sci-fi/humor trilogy at PatriotsBooks.

  2. Re:So fix it by Sir_Lewk · Score: 2, Funny

    Huh? Public keys are just that... public. A hash of a public key demonstrates nothing. ...wait a second. You were on the dev team of these femtocell things weren't you?

    --
    "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
  3. Re:So fix it by amicusNYCL · Score: 2, Interesting

    But, if an attacker can get control, then so can the owner, which means the owner can fix the security hole.

    Not really.. you're assuming the flaw exists in software. Regardless though, I'm interested to see a "fix" for a vulnerability get published which requires people to hack their phone and gives them a list of memory addresses and values that need to be changed. That would go over well.

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  4. it still comes down to one thing by prgrmr · Score: 3, Insightful

    changing IP address ranges, guessing passwords

    Better passwords would have made all the difference in the world. 16 character, mixed case and symbol types would have been enough of a roadblock to prevent them from gaining access. Too many companies are still shipping products that have no intended user access to the command shell with passwords like "Admin", "12345", and the ever-popular "password". It's not like it costs more to have a longer, more complex password.

    1. Re:it still comes down to one thing by Nos. · Score: 3, Insightful

      The problem is not what the default password is. It could be blank and still not significantly affect the security of the device. It's the admins that don't change the default password that are to blame. Let's face it, even if they ship the next device with a 16 char mixed case, special character, number containing, sufficiently random password, it will still be the default password. A simple Google search of "Device model default password" will get you the default password pretty much as soon as it's released.

      As an alternative, they could force a password change on first login.

    2. Re:it still comes down to one thing by Leolo · Score: 2, Interesting

      Yes there is a cost; a company installs a plug-n-play device A. It works for a while (months, years). Then it stops working or they want something changed or it doesn't work with some new device B. So then they call me to figure out the integration. Now, I need to log in and find out as much as I can about the device in as short a time as possible. I'm over 100 km from the device, have never used one before. The person who originally installed device A has retired and is now snorkeling in the Solomon Islands. So, what is the root password? Either "123456" or I Google up a list of default passwords for the device. If I can't, that's a support call to the company that made the device (cost to maker) or the company that deployed it has to ditch the device and find something else (large cost to user).

      So yes, complex passwords have a cost.

    3. Re:it still comes down to one thing by blair1q · Score: 3, Insightful

      On the other hand, a 20-digit randomized Product Key for registering your purchase is no big deal.

      Print the password on the box and make it mandatory to enter it before use. Users will get the clue and online h4xx0rs won't have a backdoor into 99% of links.

    4. Re:it still comes down to one thing by CastrTroy · Score: 2, Interesting

      Maybe they could give a custom password to each device, and then have their assembly line print out the default password on the bottom of the device. They already print a serial number. Why not print a password? Each device would have a different default password. You may want to keep a highly guarded list of passwords/serial numbers for customer support issues, but if it's printed on the bottom of the device, I would say even that is unnecessary.

      --
      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    5. Re:it still comes down to one thing by jeffmeden · Score: 2, Insightful

      Oh, for the love of documentation!

      I think what you meant to say is there is an inherent cost to being forgetful (forgetting the password before writing it down in a safe place) or lazy (not writing it down in a safe/perpetual place). Yes, if the alternative is leaving a password susceptible to casual attack, feel free to write the password down and lock it in your desk drawer with the IP of the device on it, and leave that post-it around for the next guy.

      Not that there aren't a ton of secure, effective tools to manage passwords out there.

    6. Re:it still comes down to one thing by mcrbids · Score: 4, Insightful

      Too many companies are still shipping products that have no intended user access to the command shell with passwords like "Admin", "12345", and the ever-popular "password". It's not like it costs more to have a longer, more complex password.

      You think longer, complex setup doesn't cost the company money? I gather that you haven't considered support costs?

      The best solution I've seen so far is to have a strong password printed on a sticker on the outside of the box. That's a pretty good compromise because if the attacker has physical access to the box, he/she could hit the "Reset" button on the device anyway. Thus, putting the password on the bottom of the device on a sticker really isn't any less secure than other solutions, and this can be done fairly cheaply.

      But it still costs - each router has to be given its own unique password, and a process has to be set up to match up the passwords given with the stickers, and there are still more support costs from the clueless dolts who have to be told to look on the bottom of the device for the default password.

      If you assume any intelligence on the part of the end user, your support costs will quickly challenge that assumption!

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    7. Re:it still comes down to one thing by jeffmeden · Score: 2, Informative

      Simple, some devices require no log-in to make use of them (such as the femtocell, or almost every other firewall-router) since the default settings are sufficient for 99% of users. In this case, you don't want to burden the user with setting (and then forgetting) the password to the device just to make use of it. Set it to something strong and unique, and give it to the user in a form that is secure (a sticker on the box which can be clipped and saved, or a sticker on the unit). The final effect is that if the user doesn't change it and loses track of it, they can call support and instead of a lengthy password reset and reconfiguration process, the support line can simply look up the serial number and derive the password.

    8. Re:it still comes down to one thing by lukas84 · Score: 2, Interesting

      A good concept that I've seen in use on an embedded device.

      The device ships with its user interface completely locked. There's no possibility to log in. Press a button on the device, and you can log on using default credentials - doing this will prompt you to change user and password. After doing this, the button can be used to perform a full reset of the device.

      Basically, the device is secure out of the box - when logging in for the first time, you need to provide physical authentication, and afterwards you have your own user and password.

      I haven't seen any downsides to this approach yet.
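The sub-thread above circles around three proposals: a unique random password printed on each unit, forcing a change on first login, and gating that first login behind a physical button. The following is an added example written for this page, not code from any of the posters or from a femtocell vendor. It models all three together; the serial number, user names and passwords are constructed sample values, and the state machine, `factory_provision` and `support_verify` are assumptions about how such a device could be built. One deliberate deviation from jeffmeden's suggestion: the support desk verifies the sticker password against a stored salted hash rather than deriving it from the serial number, since a password that can be computed from a serial is a fleet-wide secret waiting to leak.

```python
"""Per-device factory credentials with a button-gated first login.

Added example; not from the thread or from any vendor. It models a unique
random sticker password generated at manufacture and a UI that stays locked
until a physical button press, after which the first login must replace the
sticker credentials. All serials, users and passwords are constructed.
"""
import hashlib
import hmac
import os
import secrets
import string

STICKER_ALPHABET = string.ascii_letters + string.digits
PBKDF2_ITERATIONS = 100_000
MIN_OWNER_PASSWORD_LEN = 12


def hash_password(password, salt):
    """Salted PBKDF2-SHA256; only this digest is ever stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def factory_provision(serial, length=16):
    """Return (sticker_password, record). The record goes into the unit and to
    support; it holds a salted hash, so nobody can derive the password from
    the serial number alone."""
    password = "".join(secrets.choice(STICKER_ALPHABET) for _ in range(length))
    salt = os.urandom(16)
    return password, {"serial": serial, "salt": salt, "hash": hash_password(password, salt)}


def support_verify(records, serial, claimed_password):
    """Support-desk check: confirm the caller can actually read this unit's sticker."""
    rec = records.get(serial)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], hash_password(claimed_password, rec["salt"]))


class Device:
    LOCKED, SETUP, PROVISIONED = "locked", "setup", "provisioned"

    def __init__(self, record):
        self.serial = record["serial"]
        self._factory = ("admin", record["salt"], record["hash"])
        self._user, self._salt, self._hash = self._factory
        self.state = self.LOCKED          # no login path at all out of the box

    def press_button(self):
        """Physical presence: unlock a one-time setup login, or, once owner
        credentials exist, perform a full factory reset."""
        if self.state == self.PROVISIONED:
            self._user, self._salt, self._hash = self._factory
            self.state = self.LOCKED
        else:
            self.state = self.SETUP
        return self.state

    def _check(self, user, password):
        return user == self._user and hmac.compare_digest(
            self._hash, hash_password(password, self._salt))

    def login(self, user, password):
        """Refuse every login while LOCKED; reaching the device over the network is not enough."""
        return self.state != self.LOCKED and self._check(user, password)

    def set_credentials(self, sticker_password, new_user, new_password):
        """Mandatory step after a SETUP login: retire the sticker credentials."""
        if self.state != self.SETUP or not self._check("admin", sticker_password):
            return False
        if new_password == sticker_password or len(new_password) < MIN_OWNER_PASSWORD_LEN:
            return False
        self._salt = os.urandom(16)
        self._user, self._hash = new_user, hash_password(new_password, self._salt)
        self.state = self.PROVISIONED
        return True


def demo():
    """Walk one unit through its life; returns the observed outcomes in order."""
    sticker, record = factory_provision("FC-0001-SAMPLE")   # constructed serial
    records = {record["serial"]: record}
    dev = Device(record)
    return [
        dev.login("admin", sticker),                     # False: UI locked
        dev.press_button(),                              # "setup"
        dev.login("admin", sticker),                     # True: sticker works once unlocked
        dev.set_credentials(sticker, "owner", "correct horse battery"),  # True
        dev.login("admin", sticker),                     # False: sticker retired
        dev.login("owner", "correct horse battery"),     # True
        support_verify(records, dev.serial, sticker),    # True: desk confirms the sticker
        dev.press_button(),                              # "locked": factory reset
        dev.login("owner", "correct horse battery"),     # False: owner creds wiped
    ]


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the sequence the thread argues for: nothing works until the button is pressed, the sticker password is accepted exactly once and then retired, and a later button press wipes the owner's credentials instead of reopening the factory login silently.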

  5. Re:So fix it by Sir_Lewk · Score: 2, Insightful

    He also seems to be assuming that the attacker and the owner are two separate people.

    --
    "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
  6. I noticed that the Register article... by idontgno · Score: 3, Interesting

    (Yes, I read TFAs)

    The Reg article kinda brushed off the risks of a cell-tower MITM attack, relegating it to a mere "loss of privacy" because the 3G cryptosystem is strong.

    I assume it means that the cryptosystem is too strong for a realtime attack. It's a damn rare cryptosystem that can't be broken using enough stored ciphertext, so if the modified femtocell is storing and forwarding all traffic, traffic analysis + theoretical weaknesses in the algo + massive compute power == recovered clear material at some point in the future. Depending on the use case, there may be a lot of value in that.

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
    1. Re:I noticed that the Register article... by owlstead · Score: 2, Informative

      "I assume it means that the cryptosystem is too strong for a realtime attack. It's a damn rare cryptosystem that can't be broken using enough stored ciphertext, so if the modified femtocell is storing and forwarding all traffic, traffic analysis + theoretical weaknesses in the algo + massive compute power == recovered clear material at some point in the future."

      It's not such a rare cryptosystem that can't be broken given enough stored ciphertext. And it is definitely not hard to construct nowadays (especially with good counters, session key renewal through key agreement algorithms). The question is if the aging, proprietary GSM crypto that is in use actually falls within that definition. From what I've heard, that's quite a definite "NO".

  7. Encrypt everything by Anonymous Coward · Score: 2, Insightful

    Don't use the regular 3G voice calls, use only encrypted VoIP. Preferably with a microSD card filled with one-time pad.

    Of course it's not actually a bad thing that these are hacked, people just need to realise that their communications are not secure. Just like when I use my Nokia's SIP client now I know full well that it would be easy for the person whose WiFi I'm using to intercept my calls but I take the chance anyway.

    Femtocells rely on 'security against the user' much like DRM does, in fact a large part of the 3G/GSM network relies on people not being able to fuck around with their own equipment too much, so I am actually surprised it took this long since that client-side security model is doomed anyway.

    1. Re:Encrypt everything by Sir_Lewk · Score: 2, Insightful

      use only encrypted VoIP. Preferably with a microSD card filled with one-time pad

      Say what? Either you don't know what a one-time pad is and are just pulling crypto terms out your ass, or you have really weird telephone habits. OTPs never make sense, unless you are a spy deep in enemy territory and you need to transmit a handful of words with perfect security to a single receiver. The logistical issues with a system like the one you are proposing are absurd.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
  8. Re:So fix it by eleuthero · Score: 2, Interesting

    I believe we usually call "fixes" requiring people to "hack" their phones "firmware upgrades" - The fact that many of us hack our phones with other firmware / software doesn't change what the company is going to call it. It would seem to me to be fairly easy to set up even cheap phones for such a firmware upgrade. Any old phone would need to be replaced at end of contract or it simply would stop functioning. While this won't immediately solve the privacy issues, it would provide for a workable solution. For those with smartphones, firmware upgrades can be pushed or dl'ed via itunes/whatever.

  9. Be not afraid by blair1q · Score: 2, Funny

    I for one welcome our easily-rooted overlords.

  10. Re:Wow, by idontgno · Score: 2, Informative

    "Security Excursion" gets 50 Google hits, most of which seem to be talking about boondoggles and outings. ("Excursion" about "security".)

    One google hit supports GFP's use of the phrase, though:

    Security Vulnerability Threat Assessment Audit: The scope of Gulf Coast Project Services audit process goes beyond Public Safety. It encompasses Business Interruption and Corporate Survivability. The objective of this audit is to leverage existing work processes and standard guidelines in order to determine gaps in a particular Security Vulnerability threat analysis. GCPS's Security Vulnerability Threat Assessment audit is organized into three sections. The three sections are; Security Excursion Protection, Security Excursion Remediation and Security Excursion Mitigation.

    (emphasis mine)

    Sounds like someone's bureaucratese euphemism for "Security screwup". Other than being bafflegab and needlessly obscure, it's consistent with the usage.

    That qualifies as damning with faint praise, but there you go.

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
  11. It was the business school by kiehlster · Score: 2, Insightful

    Their computer schooling isn't the problem, it's that they've probably also gone to business school. Rule #1, always cut corners to finish the product on time.

  12. A couple of points ... by PPH · Score: 4, Interesting

    The summary mentions "investigating hardware pinouts". This makes me think that the attack is, in part, on the hardware. If one has access to hardware, they've pwned the system. Period. So this is a non-issue.

    Second; cell phones trusting the base station has always been a security issue. And "exploits" based upon this weakness are already in use by law enforcement as well as criminals. The whole issue of inmates sneaking cell phones into prisons has been made a non-issue based upon this very approach. Prisons are beginning to cover their facilities with femtocells which give them the ability to monitor all illicit cell traffic on their property. Any truly secure system will assume that the network carrying its traffic is insecure.

    --
    Have gnu, will travel.
    1. Re:A couple of points ... by pr0nbot · Score: 3, Insightful

      I'd presume (without having RTFA of course) that what is meant is that they bought a femtocell, looked at its hardware pinouts, and this helped them devise an attack that would work on any instance of that model of femtocell (without physical access).

  13. Re:So fix it by FrangoAssado · Score: 3, Informative

    If you're encrypting stuff with X's public key, then only whoever has X's private key can decrypt it. So, in essence, you're certain you're talking to X and not someone pretending to be X.

    So, by displaying the hash of the public key of the device you're talking to, you're effectively showing the true identity of who you're talking to.

    I think the OP's idea is that you can use this information to be sure you're connecting to your own femtocell (on which you have fixed the vulnerability) and not your neighbor's (possibly hacked) femtocell.

  14. Seriously? by IceCreamGuy · Score: 2, Interesting

    Whoever designed these devices should be sent back to computer school. An authentication device that can be bypassed is a contradiction in terms.

    First of all, this is not an authentication device, it's a cell network extender, which obviously requires some kind of authentication for any measure of security. What "Authentication device" (I think they mean "authentication mechanism") has never had a vulnerability exposed? Are all devices with a privilege escalation vulnerability designed by people who "should be sent back to computer school?" ("computer school?" ...seriously?). How many privilege escalation vulnerabilities were found in the Linux kernel last year? I empathize with the fact that an escalation exploit this serious in a device that is designed to be used by the public is not a trivial matter, but the poster is being sensationalist here, and, honestly, comes across as undereducated in the subject matter. I wouldn't consider myself an expert, but this person doesn't seem to have a clear understanding of the issue. It's a security vulnerability in a device that runs Linux because the designers were lazy when picking a password.

    The real issue here is the fact that security is sometimes not taken as seriously with hardware and firmware design in commodity devices as it is with software.

    1. Re:Seriously? by owlstead · Score: 2, Insightful

      "The real issue here is the fact that security is sometimes not taken as seriously with hardware and firmware design in commodity devices as it is with software."

      I love that last statement. It's not only not taken seriously, it is rarely programmed by someone educated on the subject. And the users of these systems are also to "blame". Even I, when browsing for a new ADSL modem, don't look at the state of the security in a device. I'll look if a router has WPA2 but that's about the extent of it. This is not strange, since it is simply not the prime use of the device. For these kinds of femtocells, no manager will select on security, but rather at cost, signal strength and manageability.

      About 3 years ago I looked at the security of an Enterprise Service Bus and literally on the last page it was stated that the software used AES 168 bit encryption (including screen shot, no less). It's not just commodity devices, it is all products that are not primarily designed with security in mind.

  15. Re:So fix it by FrangoAssado · Score: 2, Informative

    If the public key is public, I can stick it in another femtocell.

    You surely can stick it into another femtocell, but that will do you no good. This new femtocell can't use this key to communicate, because it doesn't have the corresponding private key.

    To give another example: I can get the public key from any bank site and stick it into my own web server. This doesn't mean I can trick people into thinking my web server is the bank's -- I won't be able to decrypt anything they send me!
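FrangoAssado's two comments (13 and 15) make the same argument: a hash of the public key pins the identity of whoever holds the matching private key, and copying the public key into another femtocell buys the copier nothing. The block below is an added example written for this page, not code from the thread or from any femtocell; it uses textbook RSA with small fixed primes only so the mechanism is visible in a few lines (real devices would use padded RSA or elliptic-curve keys of proper size). The `Femtocell` class, `verify_device` and the prime values are constructed for the illustration.

```python
"""Why the hash of a public key identifies the holder of the private key.

Added example, not code from the thread or from any femtocell product. It
uses textbook RSA with small, fixed primes purely to make the point above
concrete; real devices use padded RSA or elliptic-curve keys of proper size.
"""
import hashlib
import secrets

# Constructed toy parameters: well-known primes near 1e9, far too small for real use.
TOY_PRIMES = {"genuine": (1_000_000_007, 998_244_353),
              "other": (1_000_000_009, 1_000_000_021)}
E = 65537


def keygen(p, q, e=E):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse; Python 3.8+
    return {"n": n, "e": e}, {"n": n, "d": d}


def fingerprint(pub):
    """The value a phone's UI could display: a hash over the public key alone."""
    return hashlib.sha256(f"{pub['n']}:{pub['e']}".encode()).hexdigest()[:16]


def encrypt(pub, m):
    return pow(m, pub["e"], pub["n"])


def decrypt(priv, c):
    return pow(c, priv["d"], priv["n"])


class Femtocell:
    """Any device can advertise a public key; only the genuine one holds the private half."""

    def __init__(self, pub, priv=None):
        self.pub, self._priv = pub, priv

    def respond(self, challenge):
        if self._priv is None:
            return None    # a clone that copied only the public key cannot decrypt
        return decrypt(self._priv, challenge)


def verify_device(device, expected_fp):
    """Phone-side check: the advertised key must match the pinned fingerprint,
    and the device must decrypt a fresh random challenge encrypted to that key."""
    if fingerprint(device.pub) != expected_fp:
        return False
    nonce = 2 + secrets.randbelow(device.pub["n"] - 2)
    return device.respond(encrypt(device.pub, nonce)) == nonce


def demo():
    pub, priv = keygen(*TOY_PRIMES["genuine"])
    pinned = fingerprint(pub)                  # what the owner recorded earlier
    genuine = Femtocell(pub, priv)
    clone = Femtocell(pub)                     # a neighbour "stuck the public key in" their unit
    other_pub, other_priv = keygen(*TOY_PRIMES["other"])
    stranger = Femtocell(other_pub, other_priv)
    return {
        "genuine": verify_device(genuine, pinned),    # True
        "clone": verify_device(clone, pinned),        # False: right fingerprint, no private key
        "stranger": verify_device(stranger, pinned),  # False: fingerprint mismatch
    }


if __name__ == "__main__":
    print(demo())
```

The fingerprint comparison alone only proves that the advertised key is the expected one; the challenge step is what ties the conversation to whoever can use the private key, which is exactly the property FrangoAssado's bank-site example relies on.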

  16. Oh my... so that's what's going on. by Petersko · Score: 4, Funny

    I had no idea linux proponents were all Jedi. That explains everything.

    "You don't NEED the extra features in Photoshop."

    "You don't NEED integrated audio processing software."

    "You don't NEED anything OpenOffice doesn't have."

    "You don't NEED..."

    Now those Jedi need to start using their powers for good.

    "You NEED to write documentation for non-technical users..."

  17. Been there, done that. by marcansoft · Score: 3, Informative

    I've been working on hacking the Vodafone femtocells for fun. They have an internal serial port and the bootloader has no security, not to mention the Linux image uses short default passwords that are easy to crack given the shadow file. So far we don't know of a way to get root given only network control, but it might be possible depending on how their IPSEC tunnel is set up. Our goal would be to use these for our own network, via OpenBSC.

    It's worth noting that it's early and we're not entirely sure about the security implications and just how much you can do with these things (e.g. I don't know yet if voice traffic is decrypted inside the femtocell or if it is passed on encrypted to the servers). Chances are there will be some interesting exploits and chances are they will be presented at this year's Chaos Community Congress if they're interesting enough. Unless we get bored and work on something else, which happens sometimes.