Hacking the Free "La Fonera" Wireless Router
wertarbyte writes, "FON is still giving away their wireless routers for free in Germany and Austria until Wednesday — under the premise that the devices will be connected and used as FON access points. The router, called 'La Fonera,' is a variant of OpenWRT, but locked down to prevent modification, including a signed firmware image to prevent the upload of new software. It is, however, possible to get shell access by connecting to a serial port present on the circuit board. And now two students from Germany have discovered vulnerabilities in the CGI scripts used to configure the device, and successfully activated an SSH daemon on the device by exploiting them, giving owners a root shell on their router. They also provide a detailed description of the procedure and 'ready-to-use' perl scripts to open up your router."
What's so great about this? (Score:5, Insightful)
Maybe I'm crazy but I think the FON system is very clever and if people weren't abusing it, it might take off in interesting ways. Instead it's "doodzz free wireless routers here!!!" Shame really.
Reminds me of something... (Score:1)
You can't give geeks a free gift then cry when they use it for something other than you intended. That business model has been proven unworkable.
Re: (Score:2)
Re: (Score:2)
Morally, there is a difference. Cuecat was a lame method of delivering ads; fair game. This, I gather, is a service to share wifi access: unless I misunderstand, it's providing a real service. Hacking this is like hacking a P2P client so you can leech without uploading; or even more, like those assholes [slashdot.org] who "hacked" (in this case, meaning stealing) rental bicycles to get free rides.
Re: (Score:1)
Hacking is an important and necessary part of the geek approval process. Once the hackers give the rest of us geeks the thumbs up, we (the rest of us - non-network device hackers) know it's ok to pick one up and check out and at our own dis
Re: (Score:2)
Okay, point taken, investigatory hacking isn't evil. I've read one of the articles which was about mostly monitoring what it did. But obviously some will use this to make it a private server, breaking the implied contract (talking morally, not legally). But this will be beyond most users, so it's probably not going to make much impact on the scheme if it is on the up-and-up.
Re: (Score:1)
Not as much of a difference to CueCat as you might think. The firmware on the box is signed and locked, preventing you from customizing it. Their business model doesn't have any allowance for pricing that reflects the costs of providing a Fon service (which is an issue in those parts of the world that still have volume-based pricing or volume limits on services) and also doesn't guarantee that you'll see any money out of it anyway.
obDisclaimer: I wrote Charon [wiki.rcpt.to] with a mind to specifically dealing with thes
Re: (Score:2)
But is the system just locked down per se or is there anything legally binding in the agreement against hacking it? The serial port headers are a well-known attack vector, almost as much as several cgi-bin scripts, if they are just using the standard ones... Makes me wonder if the default config allows access to those scripts only from a LAN wired port (as opposed to the WAN side), or if it potentially allows anyone to get in.
if it is free, take two (Score:3, Funny)
Re: (Score:2)
Haven't you heard the joke on how the Jews got the _Ten_ Commandments?
Re: (Score:2)
Re: (Score:1)
I disagree. It is quite like an item they bought and are hacking to get more features out of-- the only difference is the price.
If a provider is detrimentally underpricing an item on just the hope-- and no more certainty than that-- that people will use their other related more expensive items or methods to make up the cost, then that company is the one t
Assorted thoughts on the Fonera (Score:4, Interesting)
First of all, it isn't called "La Fonera". "La" in Spanish is just the "The" article, making it the Fonera, a Fonera, or how you want to call it.
It is free too here in Spain, but obtaining it's a really strange scheme that looks a lot like a scam to get private info from people. For example, it was offered for free for the readers of a well known digg-like web and they recommended to use the same user and password to request it as the people had in the web page?! WTF!? And a month later they bought part of the page!!!!
Extremely strange.
And what to say of the Fonera using hidden DNS servers property of the FON makers or scripts allowing free access for them with root privileges to your private network?
Re: (Score:2)
I am aware that "La" is an article in Spanish, but the device is called "La Fonera" on the German FON website [fon.com] ("Hol dir deine gratis La Fonera" == "Get your free La Fonera").
Re: (Score:1)
Re: (Score:2)
Ugh, I wouldn't take a flier from Circuit City as an authority to abuse the language like that.
Re: (Score:2)
Fon is a good idea, but sketchy implementation (Score:4, Informative)
Also, the only way to access your wired network from the wireless is to allow ALL wireless users to have that access. Well, okay, you could do things like SSH out to a machine on the Internet, SSH back in, and set up port forwarding that way, but nobody would ever do that :). And your own wireless access is treated the same as everybody else's-- you have to log in every time. Annoying in combination with Firefox2's ability to resume sessions-- it loads the Fon login redirection page for every tab you had open.
They've been promising a firmware fix which would allow two SSIDs with different configurations for a long time, but last I checked it still isn't out.
The upshot of this is that I thought I would be getting a nifty solution which would let me share my access while covering my own needs. Instead I really have to run two routers, one for me, and one for everybody else. And despite the fact that I live in a pretty densely populated area, in about six months the number of people who have signed on to the Fon router, besides me, is zero. Oh, correction: the buddy who told me about Fon came by and tried to sign in with his account, which he is supposed to be able to do as a "Linus" user. That didn't work either.
In summary... it's more work and their system is not transparent or secure (oh yeah, there's no encryption on the wifi connections). It's a nifty idea, but I can't really recommend it.
Re: (Score:2)
It's an interesting idea, but their site needs work. I tried to use the map to find access points and I couldn't make heads or tails out of it. It's a mashup with Google Maps and seemingly works, but there's weird inconsistencies and it's hard to use in general.
Re: (Score:1)
Re: (Score:2)
(and yes, I have one - although I don't live in a place where I'd expect to get anybody to take advantage of it other than me)
Re: (Score:2)
dude.. (Score:1)
geeks will be geeks (Score:2)
I guess you have a valid point here. Then again, there may be some of us who feel a value calculation like yours is less impressive than the joy of finding a way.
usage metering? (Score:2)
So I'm wondering how people are going to use this thing.
Re: (Score:1)
German courts now ruled that if you're running an unsecured WLAN and somebody unknown does bad things via it (i.e. leech kiddie pron or infringe some copyrights by running p2p apps) you're fully responsible for that. I guess Austrian courts won't rule differently.
And somehow I doubt you'll be able to get any info on who used your AP from fon.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
You can get a DSL capped at 2Gbyte per month, if you want, but why if you can get it totally unlimited for 2 or 3 more per month?
inode flat rate. (Re:usage metering?) (Score:1)
mod him up, pls (Score:2)
Re: (Score:2)
secondly, I do believe the GPL trumps the "contractual" agreement as Fon would be found to be not in compliance by
Re: (Score:2)
The SSH key on the FON server. It prevents this kind of spoofing.
I got one of the older ones (Score:3, Interesting)
Based on a cursory examination, I determined the system was insecure. Suppose I enable the router, and somebody comes near and tries to connect. To connect, they try to connect to my wireless network, and the AP authenticates them against the FON RADIUS server.
Now, the problem is that I'm in control of the router, so I can easily fetch their username and password. SSL wouldn't help because at best you have User <-> AP <-> RADIUS, as my understanding is that the AP isn't acting as a router here. The user isn't talking to the RADIUS server directly, the AP does on his/her behalf. So there's no way of stopping me from sniffing people's passwords.
After I get passwords I can easily find some other FON AP, use somebody else's credentials, and have reasonable chances that the person getting in trouble for downloading/uploading something illegal won't be me.
I voiced my concerns on the forum, but the replies weren't satisfying, so now I reflashed it with new firmware and there's no FON-related stuff left on it.
Re: (Score:1)
Been there, done that (Score:1)
Not regional (Score:4, Informative)
Re: (Score:2)
Re: (Score:2)
Free = $14.10 in America
Re: (Score:2)
OT perhaps, (Score:1)
The reality behind FON's hype [tech.am]
and much more at:
tech.am [tech.am]
(I am in no way connected with this site, apart from the fact that I occasionally enjoy reading it)
Well at least we can now fix annoying bugs (Score:3, Informative)
things such as opening up the POP SSL ports (993 and 995).
FONERA only allows access to ports 80 and 445 to the internet even on the *private SSID*, making it useless for me as the sole router.
Also, even if the router gives the public and private clients different IP addresses to theoretically prevent the public from browsing on my private LAN, well they are on the same subnet and I can type my private LAN IPs from the public network and get access!
This thing then NATs my NAT, making it even more difficult for me to sandbox it properly.
Hopefully, open-wrt will make it more useful as a mini mail server or something like a mini Asterisk server.
Re: (Score:1)
Wow, no wonder people consider it to be insecure...
Sign me up (Score:2)
I'm not interested in hacking the device or anything, but I am interested in using it and promoting the service. The more of these there are in the wild, the more opportunities there are for me, as a registered use
The bug (Score:2, Informative)
Fon's service is... questionable. (Score:2)
It's a bug on their website (Score:1)
Should take FON a minute to fix it and then they can see which users are trying to hack into the router. Remember, they know the MAC-address of the router they sold you.
This will be useless tomorrow.