Fon Security Scenarios
Posted by Fredrik Björck in Security Reviews on January 1st, 2009
Update Jan 15 2007: Fon sent me a Fonera (Thank you) – it arrived last week. I can confirm that it still only takes minutes to get root access to the foneras via a TCP/IP network connection. Also, even after being tampered with, they can still be registered in the Fon network. Expect people roaming the city centers with “rogue fon_ap’s” – the little box, with batteries and no computer. Enough to let unsuspecting users surf onto the built-in web server’s fake copy of the Fon login site. I leave it to the reader to extrapolate from this. What do you think the consequences of this are?
Note: This post is originally from January 2007. It has been read by over 4000 readers.
Intro
The globe is about to be covered with “la foneras”, free or low-cost wireless hot-spots that private persons install to share their broad-band internet connections with others. In exchange they get access to all other access points in the Fon network. As this is written, there is something in the range of 200.000 members, of which close to 100.000 may have a wireless access point from Fon installed.
After having read about the business idea and studied the technology used to create this global network, I feel that, as a security professional, I should give my personal view of the potential security implications of having a global network of WiFi hot-spots designed in this way. This short note does not intend to describe technical vulnerabilities of “la fonera” wireless access points in detail – it is only a scenario-based analysis given some basic premises.
The aim of this note is to take the security implications to the extreme – given what we know, what are the worst-case scenarios?
Foneras are used for
- Surfing the web from another person’s wireless access point while not at home, for free.
- Selling internet access, for 3 euros per day, to persons who are not sharing their own access point. This may be a business user accessing data on their internal network.
- Connecting VoIP (voice over IP) telephone conversations, be it a normal SIP or a Skype call.
- Sending emails, doing banking, chatting, dating, etc.
Facts
- Each access point is actually a small computer with a tailor-made Linux operating system installed.
- The idea behind the design of software and hardware is to keep users out of the fonera, since they should not be able to change the configuration of the fonera.
- The company behind the initiative has unlimited access to each access point. This is needed in order for them to be able to load new software and fix bugs remotely in the fonera.
- Security is already breached; many different methods are published on the web on how to gain unlimited access rights on your own fonera. Even though there will be security patches sent out from Fon to remedy these problems, it is not likely that the current design will be able to protect the foneras against users who have them in their homes.
- Physical access to any computer usually means full logical access is possible. And this is exactly the case for the fonera.
Taking these facts as a point of departure, let us examine the potential security implications of this.
Scenario 1: Spying on users
Any person having a fonera access point can spy on users accessing the internet through their fonera.
This could be done by hacking into the fonera via the web interface (which is a 5-minute project), or via a serial cable from the computer (which requires opening the box and connecting a few cables), and then changing the configuration of the fonera. The new configuration could store traffic information of users, like who they e-mail, what they write, where they surf, the password of their banking site, dating site credentials, phone numbers called with VoIP phones, etc. This information could instantly be forwarded anywhere in the world.
Even if Fon, unlikely as it seems, would be able to end physical and logical access to foneras, this scenario is still possible. If I surfed through your broad-band connection, you could always use your own computer to eavesdrop on my communications using special software (available for free on the web).
Skype calls might be difficult to decrypt, but ordinary VoIP phone calls can be replayed easily. If I were surfing through your fonera, you could be listening to the sound of my conversation.
Scenario 2: Threats, violating intellectual property rights and computer intrusions in your name
Also, the Fon design already gives members a list of who has accessed their fonera at which time. This of course might come in handy if the legal authorities knock on your door and want to prosecute you for file-sharing or computer intrusion conducted by one of the guests. This is problematic. You let someone you do not know use an internet connection you have bought under a certain agreement with your ISP. How can you know that the person visiting your connection does not violate this agreement by doing stupid things in your name (because for your ISP, it is in your name, using the IP you have been given from them for that moment)?
With the Fon network available, do you think any hacker will ever use their own internet connection? Where can you, unidentified and anonymously, get unlimited access to the net to spam, hack, etc.? Through Fon. Yes, “all users are registered”, but with true information? In addition, a hacker could first eavesdrop on their own fonera for your fonera password and ID, and use this instead of their own. The list goes on.
Scenario 3: Others spying on you through your fonera?
Is it possible for others to spy on you through your fonera access point? Yes, of course. There are many ways this can be done:
- Fon has full access to the fonera, which is essentially a Linux computer on your network. They could potentially load a new configuration that dumps all the Internet traffic on your local network with free tools available on the web. But why would they?
- In fact, la fonera is the perfect spy hardware – small like a pack of cigarettes, wireless radio, network card. If you find one installed on your corporate network, you’d better check the software it’s running – it might very well be recording everything and relaying it to a competitor!
Given the current security vulnerabilities of the fonera, a hacker might not hack into their own box to spy on you. The hacker might just as well hack into your box to spy on you. How could the hacker find you? Fon Maps. With addresses and everything. So if you handle confidential information at all, or if you like your private life totally private, take care. But how can the hacker access my fonera? Radio, remember? It is a wireless access point. It is exactly as easy for me to change the configuration of my box as it is for me to change the configuration of your box. This might even be done by mistake given many access points with the same identity close to each other in cities. “Hacking” into your fonera can be done from outside your house with an ordinary laptop using only Internet Explorer. Then all traffic can be dumped and forwarded to the hacker who can potentially visually look at each email sent and received, listen in on the VoIP phone conversations, surf over your shoulder with you.
It is likely that this scenario will be made more difficult in the near future, since foneras can be patched for security problems from the Fon website. However, security vulnerabilities tend to be found regularly, so it is the traditional race between hackers and security pros.
Scenario 4: “La Wormera” – the Fon worm
This is before Fon started to give away 15000 access points in Sweden for free. It is not unlikely that soon, access points will be able to reach each other via radio – they are wireless access points. Already, some look like they could have radio contact with each other. So let’s consider this: Is it at all possible that a worm could spread through radio from one fonera to another? Yes. If a hacker hacks into his fonera, and adds the functionality that automates the web interface access hack (originally described by Kebe and Tomanek), or any other hack that enables full logical access through accessing the fonera via the wireless interface, the hacker could potentially automatically take command over all foneras within radio range. Then the neighbouring fonera could take over its next neighbour, and so on. After some time, all access points in the city centre could be controlled by one hacker. Let’s say the hacker would not do anything, except change a few lines telling the fonera where to download new software. Instead of getting new updates from Fon, all foneras would one day fetch any software of the hacker’s choice from a server controlled by the hacker. In this way, the hacker could, months after the attack, and within a few minutes, take command and direct thousands of devices!
What is the worst thing that could happen? A large scale denial of service attack against the Internet in Sweden or in other countries? Denial-of-service against any chosen target? Spamming en masse? Eavesdropping on any communication passing through the access points? Eavesdropping on any wireless traffic in the city centre? Creating a huge grid of massive computing power and the broadest broadband ever seen?
All of the above. All of these things are possible.
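The reach of the neighbour-to-neighbour spread in Scenario 4 can be estimated as reachability in a radio-range graph. The following is an added example, not part of the original post; the access point names, positions and radio ranges are constructed for illustration.

```python
# Added illustration (not from the original post): exposure of a set of
# access points to a compromise that hops between devices in radio range.
from collections import deque
from math import hypot

# Constructed sample data: access point positions in metres.
ACCESS_POINTS = {
    "ap-a": (0, 0),
    "ap-b": (60, 0),
    "ap-c": (120, 10),
    "ap-d": (120, 80),
    "ap-e": (400, 400),   # far from the first cluster
    "ap-f": (450, 420),
}

def neighbours(aps, radio_range_m):
    """Map each access point to the set of others within radio range."""
    adj = {name: set() for name in aps}
    names = list(aps)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (ax, ay), (bx, by) = aps[a], aps[b]
            if hypot(ax - bx, ay - by) <= radio_range_m:
                adj[a].add(b)
                adj[b].add(a)
    return adj

def exposure(aps, start, radio_range_m, patched=frozenset()):
    """Return {access point: hop count} for devices reachable from `start`.

    Patched devices are assumed to be neither compromised nor usable as relays.
    """
    if start in patched:
        return {}
    adj = neighbours(aps, radio_range_m)
    hops = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in sorted(adj[cur]):
            if nxt not in hops and nxt not in patched:
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    return hops
```

The claim that all access points in a city centre end up controlled holds only when the radio graph is connected. Patching a single relay contains the spread only if no other device bridges the gap.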
Conclusion
The Fon initiative is a good one. The idea is great, and hopefully Fon will learn that security is imperative in this kind of project. It is possible that Fon will have to go back to the drawing board and really think through security. The next generation of boxes/software would have to be tamper-proof physically, and hacking “proof” logically. Security should, in an ideal world, not be something that one thinks about afterwards. Security should be an integral part of the business and systems development process. Also, security is a process that constantly needs attention.
Update: One of the main security issues, the web interface access hack mentioned above, is now solved with a new update from Fon, but users can still hack into their foneras by other means, e.g. through serial cable. In addition, foneras that are delivered now are still not patched, but they will try to patch themselves if connected to the Internet. Of course, the hacker could always hack into the box through the web interface before connecting the Ethernet cable of the fonera to the internet… So while security has been improved, some serious problems still remain.
Feedback: Fon security professionals are welcome to comment on this note here. Please send me an e-mail and I will publish your comments on the same page as this note. Feed-back welcome from any reader.
