Vodafone Femtocells Rooted, Secret Keys Exposed
AmiMoJo writes "Hackers have discovered the root password for Vodafone femtocells, devices that provide the user with a mobile phone signal piggybacked onto their home broadband. The root password was 'newsys.' Once root access is obtained, phones can be forced to connect to the cell and private keys captured, allowing the user to spoof the victim's phone and potentially make calls or send texts on their account, not to mention eavesdrop."
Re: (Score:2)
nope, not Streisand - afaik Vodafone isn't trying to suppress this information.
Re: (Score:1)
Vodafone guys are on summer vacation; they're not trying to do anything. It's a MASSIVE cock-up. You could, in theory and practice, buy one of those boxes, do a little work on it and go anywhere in the world to steal anyone's (whose phone was willing to roam) IMSI numbers and call with them as if they were roaming in the UK. If they change the authentications they have to replace every friggin' femtocell they've sold. And they must do that. And they're fucked as far as knowing who has done this or not.
Re: (Score:2)
if they change the authentications they have to replace every friggin femto cell they've sold.
Yes, or they could remotely patch the firmware. Which they've done.
You get full marks for logic and grammar.
Re: (Score:2)
This will help, but from the security POV only for the devices which have not been rooted; after that, incoming firmware could be intercepted and applied either not at all or only partially.
I suppose they could have signed the firmware for the boot loader to check, but given the root password 'newsys', this doesn't seem to go with their style..
Re: (Score:2)
newsys.
Ferchrissake! Plaintext, all lowercase. Not even a long, machine-generated key!
It looks like the credentials for the dev lab were never updated.
Re: (Score:2)
TFA didn't have any proof of this; is there another link that shows that they did indeed patch the firmware? Can it be remotely updated in a forced push? That would be unusual. Often they're user-driven push routines.
Re: (Score:2)
Yes, or they could remotely patch the firmware. Which they've done.
No, no, no...all you need to do is add a HOSTS file, and everything will be 100% secure until the end of the universe!!
hehehe.
Re: (Score:2)
I've seen enough APK posts to find that funny. :P
Re: (Score:2)
Wow! Watch the spittle fly!!!
Re: (Score:3)
According to this press release [vodafone.co.uk] they reacted. Last year. With an update.
Even THC's wiki page claims that the project was ended mid-2010 because of "too much fun with other things". This hack is very interesting, but more for historical reasons and not because everyone is now vulnerable.
Re: (Score:2)
nope, not Streisand - afaik Vodafone isn't trying to suppress this information.
That's what they want you to think. They're going for a reverse double anti-streisand. It's a smokescreen. A double-bluff. It's an XK-Red-27 technique.
Femtocells: the next big thing! (Score:2)
Re: (Score:2)
Wait, we're still explaining to people on Slashdot what the function of one is?
The function of a femtocell is to expand the cellular range of a provider, while providing revenue to the provider instead of being an expense. Additionally, the bandwidth consumed is not on their network (cellular network), but on the customers bandwidth.
In the US at least this is abhorrent because the people, through government, granted them so many easements and rights of way, financial incentives, tax breaks, etc.
Despite how much has been given to them they continue to raise prices, encourage "mystery
Re: (Score:2)
Ohhhh, and to add insult to injury in this case the dipshits who configured the femtocells set up a 6-character password.
Seriously?
So now every femtocell they charged a consumer for, so that the consumer could get better reception and download speeds over their own bandwidth, is not only exposing them to danger, but the femtocell itself can be used to wreak havoc on the cellular customers in general.
I hate to admit this, but part of me wants to laugh hysterically. The only option is to no longer accept connect
old news (Score:5, Insightful)
Re: (Score:3, Funny)
So I guess the old root password was 'sys'
Re: (Score:3)
http://thcorg.blogspot.com/2011/07/vodafone-hacked-root-password-published.html [blogspot.com]
"What we have seen is that Vodafone fixed the way THC gained administrator access to the femto.
This of course does not fix the core of the problem: The femto transfers key material from the core network right down to the femto."
Re: (Score:2)
This of course does not fix the core of the problem: The femto transfers key material from the core network right down to the femto."
I'd say the core of the problem is that authentication credentials ever leave the phone in the first place. Didn't they ever hear of RSA/etc?
I just don't get it - why doesn't ANYBODY use asymmetric crypto for authentication. And when they do something remotely clever, why don't they ever use a proven off-the-shelf cryptosystem to do it? DRM may be mathematically impossible to achieve, but authentication is something that is completely achievable with the right key infrastructure. And they obviously have
Re: (Score:3)
Because authentication is done on the SIM card. When GSM was created I doubt they were capable of public key cryptography.
Re: (Score:2)
Sure, but there was no reason that this couldn't have been upgraded ages ago. Support both protocols in parallel for a few years until tower software is updated.
Instead, we're going to hit a wall at some point when GSM is completely cracked, and suffer with a ton of issues as a result.
I would say the problem is the market, but even the NPV of a hit that big is large today. The real problem is that nobody holds managers accountable for the real consequences of failing to take action over the long term. Su
S.I. prefixes (Score:2)
Don't you think that the marketing guys are overdoing it with all these S.I. prefixes?
You couldn't even see a femtocell (10 to the minus 15) in an electron microscope
Re: (Score:2)
The base unit is parsec, you insensitive clod!
Re: (Score:2)
This is the distance light travels in 1/9,192,631,770 second. Light travels at 299 792 458 m/s, so this is 299,792,458 / 9,192,631,770 = 0.0326122557174941 m (=1.28394708 inch).
That would be a distance that's based on the constants in physics.
However, if we can't convince the USA to switch to the metric system, how can we ever hope to force
Re: (Score:2)
However we should invent new SI prefixes, as the current (yotta = 10^24) isn't going to cut it (Planck length is around 1.616252x10^-35 m). To represent something in human scale we'd need a simple word for 10^11 yotta Planck lengths. Maybe terra-yotta Planck lengths? with 10^36 it should be close enough to fit.
Re: (Score:2)
However, if we can't convince the USA to switch to the metric system, how can we ever hope to force the complete world to switch?
The USA does use the metric system. Their military, scientists and medical practitioners do. (Hint: "Click = Kilometer")
It's only the general populace that is forced into using antiquated and difficult-to-convert-between standards by the USA's school system, and thus parents as well (being that they were taught to use those units too).
FTWA [wikipedia.org]
Re: (Score:2)
I wouldn't term it as forced.
For the most part, the average US citizen can't really see any major benefit to their day-to-day lives in switching over vs. the bit of upheaval and increased monetary cost it would incur forcing us to change to metric for everything in our everyday lives.
I mean,
Vodafone = Bad (Score:4)
I can't say I am surprised.
Vodafone are a terrible company. They are one of the most expensive in the UK. They gouge me. I am changing as soon as I can. They claim to offer unlimited texts, but if you send a text that is bigger than 160 characters, they charge you. They also don't pay taxes in the UK: they owe 4.8 billion in taxes, but our government decided 'to let it go [guardian.co.uk]'.
Now in the UK we're facing cuts to public services, education, electricity rises. I'm not bitter. Vodafone is a bad business. You should change from them and warn people of the same. Didn't they have something to do with Egypt censorship too?
Their website is also littered with Java exceptions.
Vodafone = Incompetent
Re: (Score:1)
Lem is great! A good starting point are The Star Diaries [wikimedia.org], a collection of short stories - they give a good overview of the range of Lem's style(s).
Re: (Score:2)
How does that work?
My phone automatically chops messages up into 160 char parts, one SMS message per part. It's not a modern phone either.
Just curious.
I use Tesco, btw. I can't fault them.
Re: (Score:2)
Yeah Android had (maybe still has) a bug where texts longer than 3*160 are sent as an MMS.
Re: (Score:2)
My Nokia 1661 does not support MMS.
Vodafone treat multipart text messages as separate texts on the server side to rip people off. Especially when you consider that it does not charge if you break up a text manually by yourself.
Re: (Score:2)
That seems weird; the common way to do it is to have an ID embedded in the message so that the receiving device can tell which messages are actually parts of the same longer message.
The biggest problem with this scheme is when a device receives only part of the message, all phones seem to handle this differently. Some show what they got after a while, others simply chuck it, others still will hang on to the data just in case a matching ID shows up later (which can lead to hilarity since the IDs are far from
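The mechanism the two posts above describe is the concatenation element in the SMS User Data Header: an 8-bit reference number, a part count and a sequence number in front of each fragment, which the receiver uses to stitch the parts back together. The following Go program is an added example written for this page, not code from any phone or from Vodafone; it parses that header (IEI 0x00 from GSM 03.40), buffers parts per sender and reference, and only releases a message when every part is present. The sender number, texts and the "all user data carries a UDH, payload already decoded" assumption are constructed for the example; no 7-bit unpacking is done.

```go
package main

import (
	"errors"
	"fmt"
)

// Fragment is one delivered short message whose user data starts with a
// User Data Header. Only the 8-bit concatenation element (IEI 0x00:
// reference, total parts, sequence number) is interpreted.
type Fragment struct {
	Ref   int
	Total int
	Seq   int // 1-based
	Body  []byte
}

// ParseUDH walks the UDH and returns the concatenation fields plus the
// payload that follows the header. Assumption: the payload is treated as
// already decoded bytes (no 7-bit unpacking here).
func ParseUDH(ud []byte) (Fragment, error) {
	if len(ud) == 0 {
		return Fragment{}, errors.New("empty user data")
	}
	udhl := int(ud[0])
	if 1+udhl > len(ud) {
		return Fragment{}, errors.New("UDH length exceeds user data")
	}
	hdr, body := ud[1:1+udhl], ud[1+udhl:]
	for len(hdr) >= 2 {
		iei, iedl := hdr[0], int(hdr[1])
		if 2+iedl > len(hdr) {
			return Fragment{}, errors.New("truncated information element")
		}
		data := hdr[2 : 2+iedl]
		hdr = hdr[2+iedl:]
		if iei != 0x00 || iedl != 3 {
			continue // some other element (port numbers, 16-bit reference, ...)
		}
		f := Fragment{Ref: int(data[0]), Total: int(data[1]), Seq: int(data[2]), Body: body}
		if f.Total == 0 || f.Seq == 0 || f.Seq > f.Total {
			return Fragment{}, errors.New("invalid concatenation fields")
		}
		return f, nil
	}
	return Fragment{}, errors.New("no concatenation element in UDH")
}

// Reassembler holds partial messages keyed by sender, reference and part
// count, and releases a message only when every sequence number is present.
type Reassembler struct {
	pending map[string]map[int][]byte
}

func NewReassembler() *Reassembler {
	return &Reassembler{pending: make(map[string]map[int][]byte)}
}

// Pending reports how many incomplete messages are held, so a caller can
// expire them: the reference is only 8 bits, and a stale partial message
// would otherwise swallow parts of a later one that reuses the same number.
func (r *Reassembler) Pending() int { return len(r.pending) }

// Add consumes one fragment. It returns (text, true) once the message is
// complete and ("", false) while parts are still missing.
func (r *Reassembler) Add(sender string, ud []byte) (string, bool, error) {
	f, err := ParseUDH(ud)
	if err != nil {
		return "", false, err
	}
	key := fmt.Sprintf("%s/%d/%d", sender, f.Ref, f.Total)
	parts, ok := r.pending[key]
	if !ok {
		parts = make(map[int][]byte)
		r.pending[key] = parts
	}
	parts[f.Seq] = f.Body // a retransmitted part simply overwrites itself
	if len(parts) < f.Total {
		return "", false, nil
	}
	var out []byte
	for s := 1; s <= f.Total; s++ {
		out = append(out, parts[s]...)
	}
	delete(r.pending, key)
	return string(out), true, nil
}

// MakePart builds a constructed fragment for the demo: UDHL=5, IEI 0x00, IEDL=3.
func MakePart(ref, total, seq byte, text string) []byte {
	return append([]byte{5, 0x00, 3, ref, total, seq}, text...)
}

func main() {
	r := NewReassembler()
	sender := "+447700900123" // constructed sender number
	for _, p := range [][]byte{
		MakePart(0x2a, 2, 2, "world"), // arrives first, out of order
		MakePart(0x2a, 2, 1, "hello "),
	} {
		text, done, err := r.Add(sender, p)
		fmt.Printf("done=%v err=%v text=%q\n", done, err, text)
	}
}
```

The billing question in the thread is orthogonal to this: the network sees each part as its own SMS regardless of how the handset reassembles them, which is why a poster is charged per part unless the handset never sets the header at all.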
Re: (Score:2)
My phone chops it up into small messages, but the 'unlimited' only applies to the first message. I get charged for additional texts if my message spans more than one. It's a money grab, because if I break the text manually into two separate texts, I do not get charged.
This happens on my old W595 (supports MMS) and my current Nokia 1661 (no MMS, no 3G).
The root password is "newsys"? (Score:2)
Slap anyone that sets a root password (Score:1)
In embedded devices like these, there is no reason to use a root password. The devices should be locked down completely with a process to update them with signed firmware.
If they need some form of remote access, they should at the very least use SSH PKI.
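The two posts above (root password vs. signed firmware, and the earlier point that a rooted box could apply a pushed firmware only partially) come down to one check in the boot loader: verify the whole image against a pinned public key before writing any of it. The Go program below is an added example written for this page, not Vodafone's or THC's code, and the image layout ("FEMT" magic, version, length, payload, Ed25519 signature) is constructed for the example rather than any real femtocell format. It also refuses downgrades, which matters here because the old build is the one with the shared root password.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout for this example (not a real femtocell format):
//   "FEMT" | uint32 version | uint32 payload length | payload | 64-byte Ed25519 signature
// The signature covers every byte before it, so a truncated or patched
// download fails the check and nothing is written to flash.
var magic = []byte("FEMT")

const hdrLen = 12

// NewKeyPair stands in for the vendor's offline signing key; only the
// public half is burned into the boot loader.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildImage is the vendor-side step: header + payload, then sign.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	img := make([]byte, hdrLen, hdrLen+len(payload)+ed25519.SignatureSize)
	copy(img, magic)
	binary.BigEndian.PutUint32(img[4:], version)
	binary.BigEndian.PutUint32(img[8:], uint32(len(payload)))
	img = append(img, payload...)
	return append(img, ed25519.Sign(priv, img)...)
}

// VerifyImage is the device-side step. It returns the payload only if the
// header is sane, the signature verifies under the pinned key and the
// version is strictly newer than what is running (no rollback to the
// build that still had the shared root password).
func VerifyImage(pub ed25519.PublicKey, img []byte, running uint32) (uint32, []byte, error) {
	if len(img) < hdrLen+ed25519.SignatureSize || !bytes.Equal(img[:4], magic) {
		return 0, nil, errors.New("bad header")
	}
	version := binary.BigEndian.Uint32(img[4:])
	plen := int(binary.BigEndian.Uint32(img[8:]))
	if plen != len(img)-hdrLen-ed25519.SignatureSize {
		return 0, nil, errors.New("length field does not match image size")
	}
	signed, sig := img[:hdrLen+plen], img[hdrLen+plen:]
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, errors.New("signature check failed")
	}
	if version <= running {
		return 0, nil, errors.New("rollback refused")
	}
	return version, signed[hdrLen:], nil
}

func main() {
	pub, priv := NewKeyPair()
	img := BuildImage(priv, 2, []byte("constructed firmware payload"))
	if v, _, err := VerifyImage(pub, img, 1); err == nil {
		fmt.Println("accepted version", v)
	}
	img[len(img)-ed25519.SignatureSize-1] ^= 0x01 // flip one payload bit
	_, _, err := VerifyImage(pub, img, 1)
	fmt.Println("tampered image:", err)
}
```

The check is only as good as the place the public key lives: if root on the box can overwrite the boot loader or the pinned key, an already-rooted unit can still ignore the update, which is exactly the limitation the earlier reply points out. The key belongs in ROM or in storage the running system cannot write.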
Not a big thing... (Score:2)
End-to-end (Score:4, Funny)
Re: (Score:1)
Are you crazy? Vodafone is notorious for enabling easy and unquestioned access to law enforcement. Any form of encryption would make it harder for them to hand over your data.
Re: (Score:2)
It would not be legally trivial, for a number of reasons.
Re: (Score:2)
Cell networks have the same need for time-critical end-to-end delivery as fixed line networks, and thus have a very similar architecture. They don't look anything like IP networks.
Cell sites place calls on behalf of the mobile, and talk with other cell sites to handover calls in progress as the mobile passes through. They have to be trusted to do that.
GSM encryption works on the basis that the company who issued the SIM card also knows the secret keys inside the SIM card. That way, both ends can synchronise
Re: (Score:3)
As you say, the cells need to be trusted with the routing and hand-off. Obviously the cell can always block/drop/throttle calls, but that doesn't mean you should trust them with everything.
To place a call on behalf of a mobile should require a time-limited signed token from the mobile's SIM. Once the call is established it makes no difference if you are routing an unencrypted voice codec or some encrypted data.
Public-key encryption could simply be used for the initial A5/1 initialization key, the voice data its
Re: (Score:2)
Mod parent up - either symmetric or public-key encryption requires authentication with some trusted server (is the phone's account activated, etc), and if the central server can hold a copy of a symmetric key it can hold a copy of a public key.
There is also no need to escrow private keys - the network already needs access to the clear voice conversation and dialing info just to complete the call, and that is all the FBI needs. There is no need to be able to clone phones. Plus, if you wanted to clone a pho
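The "time-limited signed token from the mobile's SIM" idea in the post two replies up, and the point just above that the core only needs to hold public keys and never a copy of the subscriber's secret, can be shown end to end. The Go program below is an added example for this page, not any operator's or standards body's protocol: the SIM side signs (IMSI, callee, issue time, lifetime, nonce) with an Ed25519 key that never leaves it, and the core side checks the signature against the enrolled public key, the validity window and a replay list. The IMSI, numbers and timestamps are constructed; the clock-skew allowance is an assumption of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// CallToken is what the SIM signs for one outgoing call setup. The cell
// forwards it; it never holds a key that would let it mint another.
type CallToken struct {
	IMSI   string
	Callee string
	Issued int64 // unix seconds on the SIM's clock
	TTL    int64 // seconds the token stays valid
	Nonce  string
	Sig    []byte
}

func (c CallToken) toBeSigned() string {
	return strings.Join([]string{c.IMSI, c.Callee, fmt.Sprint(c.Issued), fmt.Sprint(c.TTL), c.Nonce}, "|")
}

// SIM holds the subscriber's private key; only the public half is enrolled
// at the operator, so there is nothing for a femto to capture and replay.
type SIM struct {
	IMSI string
	priv ed25519.PrivateKey
}

func NewSIM(imsi string) (*SIM, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &SIM{IMSI: imsi, priv: priv}, pub
}

func (s *SIM) IssueToken(callee string, now, ttl int64) CallToken {
	nonce := make([]byte, 8)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	t := CallToken{IMSI: s.IMSI, Callee: callee, Issued: now, TTL: ttl, Nonce: fmt.Sprintf("%x", nonce)}
	t.Sig = ed25519.Sign(s.priv, []byte(t.toBeSigned()))
	return t
}

// Core is the operator side: public keys per IMSI and the nonces already
// spent, so a captured token cannot be replayed even inside its window.
type Core struct {
	keys map[string]ed25519.PublicKey
	seen map[string]bool
}

func NewCore() *Core {
	return &Core{keys: map[string]ed25519.PublicKey{}, seen: map[string]bool{}}
}

func (c *Core) Enroll(imsi string, pub ed25519.PublicKey) { c.keys[imsi] = pub }

const clockSkew = 30 // assumed tolerance, in seconds, for the SIM's clock

// Authorize returns nil only if the token is signed by the enrolled key for
// its IMSI, is inside its validity window and has not been seen before.
func (c *Core) Authorize(t CallToken, now int64) error {
	for _, f := range []string{t.IMSI, t.Callee, t.Nonce} {
		if strings.Contains(f, "|") {
			return errors.New("field contains separator")
		}
	}
	pub, ok := c.keys[t.IMSI]
	if !ok {
		return errors.New("unknown subscriber")
	}
	if !ed25519.Verify(pub, []byte(t.toBeSigned()), t.Sig) {
		return errors.New("bad signature")
	}
	if now < t.Issued-clockSkew || now > t.Issued+t.TTL {
		return errors.New("token outside validity window")
	}
	key := t.IMSI + "|" + t.Nonce
	if c.seen[key] {
		return errors.New("replayed token")
	}
	c.seen[key] = true
	return nil
}

func main() {
	sim, pub := NewSIM("234150000000001") // constructed IMSI
	core := NewCore()
	core.Enroll(sim.IMSI, pub)
	tok := sim.IssueToken("+447700900456", 1_700_000_000, 60)
	fmt.Println("first use:", core.Authorize(tok, 1_700_000_010))
	fmt.Println("replay:", core.Authorize(tok, 1_700_000_020))
	tok.Callee = "+447700900999" // a hostile cell tries to redirect the call
	fmt.Println("altered callee:", core.Authorize(tok, 1_700_000_010))
}
```

What this does not solve is the point in the next reply up the thread: the cell still carries the voice path and must be trusted for hand-off, so a rogue femto can still drop or eavesdrop on an unencrypted call. What it removes is the ability to originate calls as the subscriber from captured key material.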
Nice password (Score:2)
A 6 digit, all alpha, all lowercase password, made from real words.
While it's entirely possible the password would have been hacked if it were 16 alphanumeric-punctuation characters, it's hard to be sympathetic to Vodafone when they're this sloppy.
Oblig (Score:2)
Thanks for the shitty blog link, slashdot! (Score:2)
Their blog archive goes all the way back to July 2011!
Asset # + Default password (Score:2)
I worked for a company that made a security device with a default password for updates. The password was changed, post build, using the asset (serial) number of the device, a label added to the bottom of the device after install, with the default password added to the end of the string. This ensured that every device had a semi-unique password that required physical access to the device for anyone to figure out the first part of the manufacturer password. Not being a dumb ass company, that was not suffic
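The scheme the poster describes (label serial plus a fixed manufacturer suffix) gives each unit a different string, but anyone who reads one label and learns the suffix can compute the password of every unit from its label alone. The Go snippet below is an added example for this page, not the poster's employer's code: it puts that concatenation scheme beside a keyed derivation, where the label still identifies the unit but the password cannot be computed from it without the manufacturer key. The key, serials and suffix are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base32"
	"fmt"
	"strings"
)

// LabelScheme is the password as described in the post: the asset number
// printed on the label followed by a fixed manufacturer suffix. One leaked
// suffix turns every label into a password.
func LabelScheme(serial, suffix string) string {
	return serial + suffix
}

// DerivedScheme binds the password to the serial through HMAC-SHA256 under
// a manufacturer key (assumed here to live in the factory's HSM, never on the
// device). Reading the label tells you which unit you hold, not its password.
func DerivedScheme(mfrKey []byte, serial string) string {
	mac := hmac.New(sha256.New, mfrKey)
	mac.Write([]byte("device-password-v1|" + serial)) // versioned context string
	enc := base32.StdEncoding.WithPadding(base32.NoPadding)
	return strings.ToLower(enc.EncodeToString(mac.Sum(nil)))[:20]
}

func main() {
	key := []byte("constructed-manufacturer-key") // constructed, not a real key
	for _, serial := range []string{"VF-000123", "VF-000124"} {
		fmt.Printf("%s  label scheme: %-18s derived: %s\n",
			serial, LabelScheme(serial, "newsys"), DerivedScheme(key, serial))
	}
}
```

The derived form shifts the single point of failure from "every device" to "the manufacturer key", which is still one secret; it reduces the blast radius of one leaked password, not the case for having no interactive root login at all, as the post a few replies up argues.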
Written Design Plan for Femtocell? (Score:2)
How could a major project at a major public company start without addressing security?
six-character passwords considered harmful (Score:2)
why does anyone ship anything with a six-character password? why does any website allow them? eight is barely sufficient given recent gpu-based attacks, and i seriously doubt people who have trouble remembering eight characters have any less trouble with six.