
Gaining Root Access On Linux-Based Femtocells

Posted by Soulskill
from the feel-free-to-listen-in dept.
viralMeme writes "According to the Register, 'Security researchers have turned their attention to femtocells, and have discovered that gaining root on the tiny mobile base stations isn't as hard as one might hope.' One of the researchers said, 'After hours of sniffing traffic, changing IP address ranges, guessing passwords and investigating hardware pinouts, we had obtained root access on these Linux-based cellular-based devices, which piqued our curiosity [about] the security implications.' Whoever designed these devices should be sent back to computer school. An authentication device that can be bypassed is a contradiction in terms. Or, as some pen-pusher would put it in a report: an unanticipated security excursion."
  • Re:Wow, (Score:3, Informative)

    by idontgno (624372) on Tuesday February 02, 2010 @02:25PM (#30998896) Journal

    "Security Excursion" gets 50 Google hits, most of which seem to be talking about boondoggles and outings. ("Excursion" about "security".)

    One google hit [gcps-ocs.com] supports GFP's use of the phrase, though:

    Security Vulnerability Threat Assessment Audit: The scope of Gulf Coast Project Services audit process goes beyond Public Safety. It encompasses Business Interruption and Corporate Survivability. The objective of this audit is to leverage existing work processes and standard guidelines in order to determine gaps in a particular Security Vulnerability threat analysis. GCPS's Security Vulnerability Threat Assessment audit is organized into three sections. The three sections are; Security Excursion Protection, Security Excursion Remediation and Security Excursion Mitigation.

    (emphasis mine)

    Sounds like someone's bureaucratese euphemism for "Security screwup". Other than being bafflegab and needlessly obscure, it's consistent with the usage.

    That qualifies as damning with faint praise, but there you go.

  • Re:So fix it (Score:4, Informative)

    by FrangoAssado (561740) on Tuesday February 02, 2010 @02:39PM (#30999128)

    If you're encrypting stuff with X's public key, then only whoever has X's private key can decrypt it. So, in essence, you're certain you're talking to X and not someone pretending to be X.

    So, by displaying the hash of the public key of the device you're talking to, you're effectively showing the true identity of who you're talking to.

    I think the OP's idea is that you can use this information to be sure you're connecting to your own femtocell (on which you have fixed the vulnerability) and not your neighbor's (possibly hacked) femtocell.

  • by jeffmeden (135043) on Tuesday February 02, 2010 @02:50PM (#30999310) Homepage Journal

    You pay for the hardware, and the 'minutes' at the normal rate, but no carrier I have seen charges you per month for owning the cell. It isn't nearly as sinister as you describe, since their network still has to haul the call where it's going, even if you do in fact bring it to them via the Internet.

    You are right that it's 'their job' to provide you with coverage, but no carrier asserts that they will go to any length necessary to cover 100% of the earth with 100% usable signal. Verizon's ad campaign featuring an army of tower workers following customers around was hyperbolic. Sorry if you got confused.

  • by ScentCone (795499) on Tuesday February 02, 2010 @03:04PM (#30999504)
    "so would you mind building out our network for us, and pay us extra for the privilege of doing so"

    Nonsense. I bought a unit to extend Verizon's coverage into the areas of my house that the local tower just can't handle. Like, down in the basement - a level of service that no carrier is going to say they'll promise. Verizon doesn't charge me anything for using it, other than the cost of the hardware - a one-time purchase that I gladly, gladly made. And I can sell the unit any time I want, and any other Verizon customer can use it - and there's no account-related paperwork involved. The devices just work. They look for a DHCP server on your LAN, and off you go. You do need to fire them up near a window until they get their GPS bearings, though. But they don't have to stay there.

    You know what else is nice? The household mobile phones now only have to talk to a transceiver that's a stone's throw away, instead of a quarter of a mile or more away. That means much better battery life when they're not tethered to a charger.

  • Re:So fix it (Score:3, Informative)

    by FrangoAssado (561740) on Tuesday February 02, 2010 @03:08PM (#30999562)

    "If the public key is public, I can stick it in another femtocell."

    You surely can stick it into another femtocell, but that will do you no good. This new femtocell can't use this key to communicate, because it doesn't have the corresponding private key.

    To give another example: I can get the public key from any bank site and stick it into my own web server. This doesn't mean I can trick people into thinking my web server is the bank's -- I won't be able to decrypt anything they send me!
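The two points FrangoAssado makes above (a displayed public-key hash identifies the device, and copying a public key into another femtocell gains nothing without the private key) can be shown end to end. The following is an added example, not code from the thread or from any femtocell vendor; it uses demo-sized textbook RSA with no padding purely to make the argument concrete, and the `Femtocell`, `phone_verifies` and `demo` names, the 512-bit key size and the SHA-256 "fingerprint" of `n:e` are all this example's own assumptions (a real stack would use certificates and a padded scheme or IPsec/TLS).

```python
import hashlib
import random
import secrets

# --- Demo-sized textbook RSA (assumption: no padding; real systems use OAEP or
# --- certificates over TLS/IPsec) --------------------------------------------

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test (probabilistic)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    """Random prime with exactly `bits` bits (top and bottom bits forced to 1)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def generate_keypair(bits=512):
    """Return ((n, e), (n, d)). A 512-bit modulus is demo-sized, not secure."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), (p * q, pow(e, -1, phi))

def encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)

def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)

def fingerprint(pub):
    """The 'hash of the public key' the comment proposes showing to the user."""
    n, e = pub
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()

# --- Devices (hypothetical model, not a real femtocell interface) -----------

class Femtocell:
    def __init__(self, pub, priv=None):
        self.pub = pub    # advertised to any phone that connects
        self.priv = priv  # None for a unit that merely copied someone's public key

    def respond(self, challenge_ct):
        if self.priv is None:
            return challenge_ct  # can only guess; echoing the ciphertext is as good as anything
        return decrypt(self.priv, challenge_ct)

def phone_verifies(expected_fp, device):
    """Phone side: pin the fingerprint, then demand proof of private-key possession."""
    if fingerprint(device.pub) != expected_fp:
        return False                      # neighbour's (or anyone else's) own key: not mine
    n, _ = device.pub
    nonce = secrets.randbelow(n - 2) + 2  # fresh secret for this connection
    return device.respond(encrypt(device.pub, nonce)) == nonce

def demo():
    pub, priv = generate_keypair()
    pinned = fingerprint(pub)            # user recorded this from their own, patched unit
    mine = Femtocell(pub, priv)
    copycat = Femtocell(pub)             # "I can stick the public key in another femtocell"
    other_pub, other_priv = generate_keypair()
    neighbour = Femtocell(other_pub, other_priv)
    return {
        "genuine": phone_verifies(pinned, mine),
        "copied_public_key": phone_verifies(pinned, copycat),
        "different_key": phone_verifies(pinned, neighbour),
    }

if __name__ == "__main__":
    print(demo())
```

The fingerprint check alone rules out a device with its own key pair; the challenge-response is what defeats the copied-public-key case, since the copycat has the same fingerprint but cannot recover the nonce. Both steps are needed, and the user still has to have recorded the fingerprint of their own unit beforehand.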

  • by jeffmeden (135043) on Tuesday February 02, 2010 @03:17PM (#30999692) Homepage Journal

    Simple, some devices require no log-in to make use of them (such as the femtocell, or almost every other firewall-router) since the default settings are sufficient for 99% of users. In this case, you don't want to burden the user with setting (and then forgetting) the password to the device just to make use of it. Set it to something strong and unique, and give it to the user in a form that is secure (a sticker on the box which can be clipped and saved, or a sticker on the unit). The final effect is that if the user doesn't change it and loses track of it, they can call support and instead of a lengthy password reset and reconfiguration process, the support line can simply look up the serial number and derive the password.
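The provisioning scheme jeffmeden describes (a strong per-device password on a sticker, which support can later re-derive from the serial number) only works if the password cannot be derived from the serial by anyone else, since the serial is printed on the box. One way to get that property is a keyed derivation under a manufacturer secret. The code below is an added example, not anything from the thread or from a real femtocell vendor; the master key, serial format, `provision`/`device_login`/`support_recover` names and PBKDF2 parameters are this example's own constructed assumptions.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed demo master key. In production this lives in an HSM at the factory
# and at the support desk: if it leaks, every device's password becomes derivable.
MASTER_KEY = hashlib.sha256(b"constructed demo master key, not a real one").digest()

PBKDF2_ROUNDS = 100_000  # assumed tuning value for the on-device hash

def derive_password(master_key, serial, length=16):
    """Per-device default password = HMAC-SHA256(master_key, serial), base32.
    The keyed MAC is what stops the serial alone from yielding the password;
    16 base32 characters carry 80 bits of entropy."""
    mac = hmac.new(master_key, serial.encode("ascii"), hashlib.sha256).digest()
    return base64.b32encode(mac).decode("ascii").lower()[:length]

def provision(master_key, serial):
    """Factory step: derive the password, print it on the sticker, and store
    only a salted PBKDF2 hash on the device, never the cleartext."""
    password = derive_password(master_key, serial)
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    sticker = f"S/N {serial}  admin password: {password}"
    device_record = {"serial": serial, "salt": salt, "hash": digest}
    return sticker, device_record

def device_login(record, attempt):
    """On-device check of a login attempt; constant-time comparison."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])

def support_recover(master_key, serial):
    """Support desk: the customer reads out the serial and support re-derives
    the password, with no reset or reconfiguration of the device."""
    return derive_password(master_key, serial)

if __name__ == "__main__":
    sticker, record = provision(MASTER_KEY, "FC-0001-DEMO")  # constructed serial
    print(sticker)
    print(device_login(record, support_recover(MASTER_KEY, "FC-0001-DEMO")))
```

Storing only a salted, iterated hash on the unit also addresses the weakness mentioned elsewhere in the thread, where short default passwords are easy to crack once someone has the shadow file: a long random-looking default plus a slow hash leaves little to recover.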

  • by marcansoft (727665) <hector @ m a r c a n s o f t.com> on Tuesday February 02, 2010 @03:21PM (#30999744) Homepage

    I've been working on hacking the Vodafone femtocells for fun. They have an internal serial port and the bootloader has no security, not to mention the Linux image uses short default passwords that are easy to crack given the shadow file. So far we don't know of a way to get root given only network control, but it might be possible depending on how their IPSEC tunnel is set up. Our goal would be to use these for our own network, via OpenBSC.

    It's worth noting that it's early and we're not entirely sure about the security implications and just how much you can do with these things (e.g. I don't know yet if voice traffic is decrypted inside the femtocell or if it is passed on encrypted to the servers). Chances are there will be some interesting exploits and chances are they will be presented at this year's Chaos Community Congress if they're interesting enough. Unless we get bored and work on something else, which happens sometimes.

  • by owlstead (636356) on Tuesday February 02, 2010 @03:51PM (#31000138)

    "I assume it means that the cryptosystem is too strong for a realtime attack. It's a damn rare cryptosystem that can't be broken using enough stored ciphertext, so if the modified femtocell is storing and forwarding all traffic, traffic analysis + theoretical weaknesses in the algo + massive compute power == recovered clear material at some point in the future."

    It's not such a rare cryptosystem that can't be broken given enough stored ciphertext. And it is definitely not hard to construct nowadays (especially with good counters, session key renewal through key agreement algorithms). The question is if the aging, proprietary GSM crypto that is in use actually falls within that definition. From what I've heard, that's quite a definite "NO".
