Gaining Root Access On Linux-Based Femtocells
viralMeme writes "According to the Register, 'Security researchers have turned their attention to femtocells, and have discovered that gaining root on the tiny mobile base stations isn't as hard as one might hope.' One of the researchers said, 'After hours of sniffing traffic, changing IP address ranges, guessing passwords and investigating hardware pinouts, we had obtained root access on these Linux-based cellular-based devices, which piqued our curiosity [about] the security implications.' Whoever designed these devices should be sent back to computer school. An authentication device that can be bypassed is a contradiction in terms. Or, as some pen-pusher would put it in a report: an unanticipated security excursion."
Re:So fix it (Score:3, Interesting)
But, if an attacker can get control, then so can the owner, which means the owner can fix the security hole.
Not really... you're assuming the flaw exists in software. Regardless though, I'm interested to see a "fix" for a vulnerability get published which requires people to hack their phone and gives them a list of memory addresses and values that need to be changed. That would go over well.
I noticed that the Register article... (Score:4, Interesting)
(Yes, I read TFAs)
The Reg article kinda brushed off the risks of a cell-tower MITM attack, relegating it to a mere "loss of privacy" because the 3G cryptosystem is strong.
I assume it means that the cryptosystem is too strong for a realtime attack. It's a damn rare cryptosystem that can't be broken using enough stored ciphertext, so if the modified femtocell is storing and forwarding all traffic, traffic analysis + theoretical weaknesses in the algo + massive compute power == recovered clear material at some point in the future. Depending on the use case, there may be a lot of value in that.
Re:it still comes down to one thing (Score:2, Interesting)
Yes there is a cost; a company installs a plug-n-play device A. It works for a while (months, years). Then it stops working or they want something changed or it doesn't work with some new device B. So then they call me to figure out the integration. Now, I need to log in and find out as much as I can about the device in as short a time as possible. I'm over 100 km from the device, have never used one before. The person who originally installed device A has retired and is now snorkeling in the Solomon Islands. So, what is the root password? Either "123456" or I Google up a list of default passwords for the device. If I can't, that's a support call to the company that made the device (cost to maker) or the company that deployed it has to ditch the device and find something else (large cost to user).
So yes, complex passwords have a cost.
A couple of points ... (Score:5, Interesting)
The summary mentions "investigating hardware pinouts". This makes me think that the attack is, in part, on the hardware. If one has access to hardware, they've pwned the system. Period. So this is a non-issue.
Second; cell phones trusting the base station has always been a security issue. And "exploits" based upon this weakness are already in use by law enforcement as well as criminals. The whole inmates sneaking cell phones into prisons has been made a non-issue based upon this very approach. Prisons are beginning to cover their facilities with femtocells which give them the ability to monitor all illicit cell traffic on their property. Any truly secure system will assume that the network carrying its traffic is insecure.
Seriously? (Score:3, Interesting)
First of all, this is not an authentication device, it's a cell network extender, which obviously requires some kind of authentication for any measure of security. What "Authentication device" (I think they mean "authentication mechanism") has never had a vulnerability exposed? Are all devices with a privilege escalation vulnerability designed by people who "should be sent back to computer school?" ("computer school?" ...seriously?). How many privilege escalation vulnerabilities were found in the Linux kernel last year? I empathize with the fact that an escalation exploit this serious in a device that is designed to be used by the public is not a trivial matter, but the poster is being sensationalist here, and, honestly, comes across as undereducated in the subject matter. I wouldn't consider myself an expert, but this person doesn't seem to have a clear understanding of the issue. It's a security vulnerability in a device that runs Linux because the designers were lazy when picking a password.
The real issue here is the fact that security is sometimes not taken as seriously with hardware and firmware design in commodity devices as it is with software.
Re:it still comes down to one thing (Score:2, Interesting)
A good concept that I've seen in use on an embedded device.
The device ships with its user interface completely locked. There's no possibility to log in. Press a button on the device, and you can log on using default credentials - doing this will prompt you to change user and password. After doing this, the button can be used to perform a full reset of the device.
Basically, the device is secure out of the box - when logging in for the first time, you need to provide physical authentication, and afterwards you have your own user and password.
I haven't seen any downsides to this approach yet.
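The gated first-login scheme the comment above describes, modelled as a small state machine. This is an added example, not code from the commenter, the Register article or any femtocell vendor; the default credentials, the exact button semantics, the minimum password length and the PBKDF2 parameters are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from enum import Enum, auto

# Constructed default credentials for the example; a real product would print
# its own on the label. They are only honoured while the device is PROVISIONING.
DEFAULT_USER = "admin"
DEFAULT_PASSWORD = "admin"
MIN_PASSWORD_LEN = 8  # assumed policy


class State(Enum):
    LOCKED = auto()        # factory state: no login accepted at all
    PROVISIONING = auto()  # button pressed: defaults work, but only to set new credentials
    PROVISIONED = auto()   # owner credentials set: the button now means factory reset


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is an assumption for the example
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def _eq(a: str, b: str) -> bool:
    # constant-time comparison on bytes (compare_digest on str only allows ASCII)
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


class Session:
    """What a successful login hands back."""

    def __init__(self, device: "Device", provisioning: bool):
        self._device = device
        # While True, the only permitted action is setting new credentials.
        self.provisioning = provisioning

    def run_command(self, cmd: str) -> str:
        if self.provisioning:
            raise PermissionError("set your own credentials before using the device")
        return f"ran {cmd}"

    def set_credentials(self, user: str, password: str) -> None:
        self._device._store_credentials(user, password)
        self.provisioning = False


class Device:
    def __init__(self):
        self._factory_reset()

    def _factory_reset(self) -> None:
        self.state = State.LOCKED
        self._user = None
        self._salt = None
        self._hash = None

    def press_button(self) -> State:
        # Physical presence is the only way out of LOCKED and the only way to reset.
        if self.state is State.LOCKED:
            self.state = State.PROVISIONING
        elif self.state is State.PROVISIONED:
            self._factory_reset()
        # pressing again while PROVISIONING changes nothing
        return self.state

    def login(self, user: str, password: str):
        if self.state is State.LOCKED:
            return None
        if self.state is State.PROVISIONING:
            if _eq(user, DEFAULT_USER) and _eq(password, DEFAULT_PASSWORD):
                return Session(self, provisioning=True)
            return None
        # PROVISIONED: only the owner's credentials work; the defaults are dead
        if _eq(user, self._user) and hmac.compare_digest(
            _hash(password, self._salt), self._hash
        ):
            return Session(self, provisioning=False)
        return None

    def _store_credentials(self, user: str, password: str) -> None:
        if self.state is State.LOCKED:
            raise PermissionError("device is locked")
        if _eq(password, DEFAULT_PASSWORD) or len(password) < MIN_PASSWORD_LEN:
            raise ValueError("refusing the default or a too-short password")
        self._user = user
        self._salt = os.urandom(16)
        self._hash = _hash(password, self._salt)
        self.state = State.PROVISIONED
```

The point of the model is that a network-only attacker never sees a state in which the default credentials do anything useful: before the button is pressed nothing logs in, and after credentials are set the defaults are refused outright rather than merely discouraged.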