Slashdot Mirror

← Back to Stories (view on slashdot.org)

Gaining Root Access On Linux-Based Femtocells

Posted by Soulskill on from the feel-free-to-listen-in dept.

viralMeme writes "According to the Register, 'Security researchers have turned their attention to femtocells, and have discovered that gaining root on the tiny mobile base stations isn't as hard as one might hope.' One of the researchers said, 'After hours of sniffing traffic, changing IP address ranges, guessing passwords and investigating hardware pinouts, we had obtained root access on these Linux-based cellular-based devices, which piqued our curiosity [about] the security implications.' Whoever designed these devices should be sent back to computer school. An authentication device that can be bypassed is a contradiction in terms. Or, as some pen-pusher would put it in a report: an unantipicated security excursion.

17 of 102 comments (clear)

  1. Jedi Mind Trick, actually by Monkeedude1212 · · Score: 4, Funny

    An authentication device that can be bypassed is a contradiction in terms.

    You don't need to see his identification.

    1. Re:Jedi Mind Trick, actually by davester666 · · Score: 5, Insightful

      The very concept of Femtocell's is bass-ackwards. You pay a carrier for wireless access, then pay again for a device to actually provide you with the wireless access, along with monthly fee's for the device and also pay for internet access so the device can connect to the carrier over the internet.

      It's like "we couldn't be bothered to actually provide you with coverage at your home/office, so would you mind building out our network for us, and pay us extra for the privilege of doing so".

      --
      Sleep your way to a whiter smile...date a dentist!
    2. Re:Jedi Mind Trick, actually by jeffmeden · · Score: 4, Informative

      You pay for the hardware, and the 'minutes' at the normal rate, but no carrier I have seen charges you per month for owning the cell. It isn't nearly as sinister as you describe, since their network still has to haul the call where it's going, even if you do in fact bring it to them via the Internet.

      You are right that it's 'their job' to provide you with coverage, but no carrier asserts that they will go to any length necessary to cover 100% of the earth with 100% usable signal. Verizon's ad campaign featuring an army of tower workers following customers around was hyperbolic. Sorry if you got confused.

    3. Re:Jedi Mind Trick, actually by ScentCone · · Score: 5, Informative

      so would you mind building out our network for us, and pay us extra for the privilege of doing so

      Nonsense. I bought a unit to extend Verizon's coverage into the areas of my house that the local tower just can't handle. Like, down in the basement - a level of service that no carrier is going to say they'll promise. Verizon doesn't charge me anything for using it, other than the cost of the hardware - a one-time purchase that I gladly, gladly made. And I can sell the unit any time I want, and any other Verizon customer can use it - and there's no account-related paperwork involved. The devices just work. They look for a DHCP server on your LAN, and off you go. You do need to fire them up near a window until they get their GPS bearings, though. But they don't have to stay there.

      You know what else is nice? The household mobile phones now only have to talk to a transciever that's a stone's throw away, instead of a quarter of a mile or more away. That means much better battery life when they're not tethered to a charger.

      --
      Don't disappoint your bird dog. Go to the range.
    4. Re:Jedi Mind Trick, actually by Foolicious · · Score: 3, Insightful

      Sorry if you got confused.

      Yeah. I was thinking that by me living in an area that is shown as having coverage on their coverage maps meant that I would...wait for it, wait for it...actually have coverage. How silly of me.

      --
      Please don't use "umm" or "err" or "erm".
    5. Re:Jedi Mind Trick, actually by 140Mandak262Jamuna · · Score: 5, Funny

      Verizon's ad campaign featuring an army of tower workers following customers around was hyperbolic. Sorry if you got confused.

      The joke's on you pal. All those cell towers use Yagi dipole antennae. They are neither parabolic not hyperbolic.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    6. Re:Jedi Mind Trick, actually by dgatwood · · Score: 3, Insightful

      You also pay for the power needed to operate the cell, which presumably their other customers benefit from. If they put a full cell site on your property, they'd typically pay you between $10-25,000 per year to lease the right to do so (even if it is just putting it on top of an existing structure). Why should they get to place a femtocell at your house for free merely because it runs at a lower power? At a minimum, they should give you a discount on your monthly charge and free service on that cell. Anything less is outright taking advantage of you.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  2. it still comes down to one thing by prgrmr · · Score: 3, Insightful

    changing IP address ranges, guessing passwords

    Better passwords would have made all the difference in the world. 16 character, mixed case and symbol types would have been enough of a roadblock to prevent them from gaining access. Too many companies are still shipping products that have no intended user access to the command shell with passwords like "Admin", "12345", and the ever-popular "password". It's not like it costs more to have a longer, more complex password.

    1. Re:it still comes down to one thing by Nos. · · Score: 3, Insightful

      The problem is not what the default password is. It could be blank and still not significantly affect the security of the device. Its the admins that don't change the default password that are to blame. Lets face it, even if they ship the next device with a 16 char mixed case, special character, number containing, sufficiently random password, it will still be the default password. A simple google search of "Device model default password" will get you the default password pretty much as soon as its released.

      As an alternative, they could force a password change on first login.

    2. Re:it still comes down to one thing by blair1q · · Score: 3, Insightful

      On the other hand, a 20-digit randomized Product Key for registering your purchase is no big deal.

      Print the password on the box and make it mandatory to enter it before use. Users will get the clue and online h4xx0rs won't have a backdoor into 99% of links.

    3. Re:it still comes down to one thing by mcrbids · · Score: 4, Insightful

      Too many companies are still shipping products that have no intended user access to the command shell with passwords like "Admin", "12345", and the ever-popular "password". It's not like it costs more to have a longer, more complex password.

      You think longer, complex setup doesn't cost the company money? I gather that you haven't considered support costs?

      The best solution I've seen so far is to have a strong password printed on a sticker on the outside of the box. That's a pretty good compromise because if the attacker has physical access to the box, he/she could hit the "Reset" button on the device anyway. Thus, putting the password on the bottom of the device on a sticker really isn't any less secure than other solutions, and this can be done fairly cheaply.

      But it still costs - each router has to be given its own unique password, and a process has to be set up to match up the passwords given with the stickers, and there are still more support costs from the clueless dolts who have to be told to look on the bottom of the device for the default password.

      If you assume any intelligence on the part of the end user, your support costs will quickly challenge that assumption!

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
  3. I noticed that the Register article... by idontgno · · Score: 3, Interesting

    (Yes, I read TFAs)

    The Reg article kinda brushed off the risks of a cell-tower MITM attack, relegating it to a mere "loss of privacy" because the 3G cryptosystem is strong.

    I assume it means that the cryptosystem is too strong for a realtime attack. It's a damn rare cryptosystem that can't be broken using enough stored ciphertext, so if the modified femtocell is storing and forwarding all traffic, traffic analysis + theoretical weaknesses in the algo + massive compute power == recovered clear material at some point in the future. Depending on the use case, there may be a lot of value in that.

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
  4. A couple of points ... by PPH · · Score: 4, Interesting

    The summary mentions "investigating hardware pinouts". This makes me think that the attack is, in part, on the hardware. If one has access to hardware, they've pwned the system. Period. So this is a non-issue.

    Second; cell phones trusting the base station has always been a security issue. And "exploits" based upon this weakness are already in use by law enforcement as well as criminals. The whole inmates sneaking cell phones into prisons has been made a non-issue based upon this very approach. Prisons are beginning to cover their facilities with femtocells which give them the ability to monitor all illicit cell traffic on their property. Any truly secure system will assume that the network carrying its traffic is insecure.

    --
    Have gnu, will travel.
    1. Re:A couple of points ... by pr0nbot · · Score: 3, Insightful

      I'd presume (without having RTFA of course) that what is meant is that they bought a femtocell, looked at its hardware pinouts, and this helped them devise an attack that would work on any instance of that model of femtocell (without physical access).

  5. Re:So fix it by FrangoAssado · · Score: 3, Informative

    If you're encrypting stuff with X's public key, then only whoever has X's private key can decrypt it. So, in essence, you're certain you're talking to X and not someone pretending to be X.

    So, by displaying the hash of the public key of the device you're talking to, you're effectively showing the true identity of who you're talking to.

    I think the OP's idea is that you can use this information to be sure you're connecting to your own femtocell (on which you have fixed the vulnerability) and not you neighbor's (possibly hacked) femtocell.

  6. Oh my... so that's what's going on. by Petersko · · Score: 4, Funny

    I had no idea linux proponents were all Jedi. That explains everything.

    "You don't NEED the extra features in Photoshop."

    "You don't NEED integrated audio processing software."

    "You don't NEED anything OpenOffice doesn't have."

    "You don't NEED..."

    Now those Jedi need to start using their powers for good.

    "You NEED to write documentation for non-technical users..."

  7. Been there, done that. by marcansoft · · Score: 3, Informative

    I've been working on hacking the Vodafone femtocells for fun. They have an internal serial port and the bootloader has no security, not to mention the Linux image uses short default passwords that are easy to crack given the shadow file. So far we don't know of a way to get root given only network control, but it might be possible depending on how their IPSEC tunnel is set up. Our goal would be to use these for our own network, via OpenBSC.

    It's worth noting that it's early and we're not entirely sure about the security implications and just how much you can do with these things (e.g. I don't know yet if voice traffic is decrypted inside the femtocell or if it is passed on encrypted to the servers). Chances are there will be some interesting exploits and chances are they will be presented at this year's Chaos Community Congress if they're interesting enough. Unless we get bored and work on something else, which happens sometimes.