Forgot your password?
typodupeerror
Security Cellphones Privacy Linux

Gaining Root Access On Linux-Based Femtocells 102

Posted by Soulskill
from the feel-free-to-listen-in dept.
viralMeme writes "According to the Register, 'Security researchers have turned their attention to femtocells, and have discovered that gaining root on the tiny mobile base stations isn't as hard as one might hope.' One of the researchers said, 'After hours of sniffing traffic, changing IP address ranges, guessing passwords and investigating hardware pinouts, we had obtained root access on these Linux-based cellular-based devices, which piqued our curiosity [about] the security implications.' Whoever designed these devices should be sent back to computer school. An authentication device that can be bypassed is a contradiction in terms. Or, as some pen-pusher would put it in a report: an unantipicated security excursion.
This discussion has been archived. No new comments can be posted.

Gaining Root Access On Linux-Based Femtocells

Comments Filter:
  • Re:So fix it (Score:3, Interesting)

    by amicusNYCL (1538833) on Tuesday February 02, 2010 @01:47PM (#30998294)

    But, if an attacker can get control, then so can the owner, which means the owner can fix the security hole.

    Not really.. you're assuming the flaw exists in software. Regardless though, I'm interested to see a "fix" for a vulnerability get published which requires people to hack their phone and gives them a list of memory addresses and values that need to be changed. That would go over well.

  • by idontgno (624372) on Tuesday February 02, 2010 @02:02PM (#30998576) Journal

    (Yes, I read TFAs)

    The Reg article kinda brushed off the risks of a cell-tower MITM attack, relegating it to a mere "loss of privacy" because the 3G cryptosystem is strong.

    I assume it means that the cryptosystem is too strong for a realtime attack. It's a damn rare cryptosystem that can't be broken using enough stored ciphertext, so if the modified femtocell is storing and forwarding all traffic, traffic analysis + theoretical weaknesses in the algo + massive compute power == recovered clear material at some point in the future. Depending on the use case, there may be a lot of value in that.

  • Re:So fix it (Score:3, Interesting)

    by eleuthero (812560) on Tuesday February 02, 2010 @02:08PM (#30998638)
    I believe we usually call "fixes" requiring people to "hack" their phones "firmware upgrades" - The fact that many of us hack our phones with other firmware / software doesn't change what the company is going to call it. It would seem to me to be fairly easy to set up even cheap phones for such a firmware upgrade. Any old phone would need to be replaced at end of contract or it simply would stop functioning. While this won't immediately solve the privacy issues, it would provide for a workable solution. For those with smartphones, firmware upgrades can be pushed or dl'ed via itunes/whatever.
  • by Leolo (568145) on Tuesday February 02, 2010 @02:10PM (#30998670) Homepage

    Yes there is a cost; a company installs a plug-n-play device A. It works for a while (months, years). Then it stops working or they want something changed or it doesn't work with some new device B. So then they call me to figure out the integration. Now, I need to log in and find out as much as I can about the device in as short a time as possible. I'm over 100 km from the device, have never used one before. The person who originaly installed device A has retired and is now snorkeling in the Solomon islands. So, what is root password? Either "123456" or I Google up a list of default passwords for the device. If I can't, that's a support call to the company that made the device (cost to maker) or the company that deployed it has to ditch the device and find something else (large cost to user).

    So yes, complex passwords have a cost.

  • by CastrTroy (595695) on Tuesday February 02, 2010 @02:21PM (#30998830) Homepage
    Maybe they could give a custom password to each device, and then have their assembly line print out the default password on the bottom of the device. They already print a serial number. Why not print a password? Each device would have a different default password. You may want to keep a highly guarded list of passwords/serial numbers for customer support issues, but if it's printed on the bottom of the device, I would say even that is unnecessary.
  • by PPH (736903) on Tuesday February 02, 2010 @02:33PM (#30999028)

    The summary mentions "investigating hardware pinouts". This makes me think that the attack is, in part, on the hardware. If one has access to hardware, they've pwned the system. Period. So this is a non-issue.

    Second; cell phones trusting the base station has always been a security issue. And "exploits" based upon this weakness are already in use by law enforcement as well as criminals. The whole inmates sneaking cell phones into prisons has been made a non-issue based upon this very approach. Prisons are beginning to cover their facilities with femtocells which give them the ability to monitor all illicit cell traffic on their property. Any truly secure system will assume that the network carrying its traffic is insecure.

  • Seriously? (Score:3, Interesting)

    by IceCreamGuy (904648) on Tuesday February 02, 2010 @02:42PM (#30999174) Homepage

    Whoever designed these devices should be sent back to computer school. An authentication device that can be bypassed is a contradiction in terms.

    First of all, this is not an authentication device, it's a cell network extender, which obviously requires some kind of authentication for any measure of security. What "Authentication device" (I think they mean "authentication mechanism") has never had a vulnerability exposed? Are all devices with a privilege escalation vulnerability designed by people who "should be sent back to computer school?" ("computer school?" ...seriously?). How many privilege escalation vulnerabilities were found in the Linux kernel last year? I empathize with the fact that an escalation exploit this serious in a device that is designed to be used by the public is not a trivial matter, but the poster is being sensationalist here, and, honestly, comes across as undereducated in the subject matter. I wouldn't consider myself an expert, but this person doesn't seem to have a clear understanding of the issue. It's a security vulnerability in a device that runs Linux because the designers were lazy when picking a password.

    The real issue here is the fact that security is sometimes not taken as seriously with hardware and firmware design in commodity devices as it is with software.

  • by lukas84 (912874) on Tuesday February 02, 2010 @03:39PM (#30999974) Homepage

    A good concept that i've seen in use on an embedded device.

    The device ships with it's user interface completely locked. There's no possibility to login. Press a button on the device, and you can logon using default credentials - doing this will prompt you to change user and password. After doing this, the button can be used to perform a full reset of the device.

    Basically, the device is secure out of the box - when logging in for the first time, you need to provide physical authentication, and afterwards you have your own user and password.

    I haven't seen any downsides to this approach yet.

"It's curtains for you, Mighty Mouse! This gun is so futuristic that even *I* don't know how it works!" -- from Ralph Bakshi's Mighty Mouse

Working...