
AT&T Microcell FAIL (FailOverflow)

The FailOverflow site has an amusing look inside an AT&T microcell box which, naturally, runs Linux. "The backdoor uses simple UDP packets to transmit requests and receive responses. There are a number of operations supported, but the most useful one is called ‘BackdoorPacketCmdLine’. Yes. It’s actually called ‘Backdoor’. This command lets you execute any linux command. Execution is performed using the backticksh function." This port turns out to be globally accessible. (Thanks to Paul Wise).
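A defender's check for the exposure described above, a UDP service reachable on every interface: this added example (not from LWN or FailOverflow) parses a Linux `/proc/net/udp` table and lists unconnected sockets bound to the wildcard address. The sample table, port 40000 and the `allowed_ports` allow-list are constructed for illustration; it assumes a little-endian host and covers IPv4 only.

```python
import socket
import struct

# Constructed sample in /proc/net/udp format (not captured from a real device).
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   10: 00000000:9C40 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1201 2 0000000000000000 0
   11: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1202 2 0000000000000000 0
   12: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1203 2 0000000000000000 0
   13: 0101A8C0:C350 0201A8C0:0035 01 00000000:00000000 00:00000000 00000000     0        0 1204 2 0000000000000000 0
"""

UNCONNECTED = 0x07  # state the kernel reports for unconnected (listening) UDP sockets


def decode_endpoint(field):
    """Turn 'HEXADDR:HEXPORT' into (dotted_quad, port); little-endian host assumed."""
    addr_hex, port_hex = field.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def exposed_udp_listeners(table, allowed_ports=frozenset()):
    """Return sorted (addr, port) pairs for unconnected UDP sockets bound to 0.0.0.0."""
    findings = []
    for line in table.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 4:
            continue
        addr, port = decode_endpoint(cols[1])
        if int(cols[3], 16) != UNCONNECTED:
            continue  # connected socket, not a listener
        if addr != "0.0.0.0":
            continue  # bound to a single address (e.g. loopback)
        if port in allowed_ports:
            continue  # documented, expected service
        findings.append((addr, port))
    return sorted(findings)


if __name__ == "__main__":
    # On a live Linux host, read the real table instead of the sample:
    #   table = open("/proc/net/udp").read()
    for addr, port in exposed_udp_listeners(SAMPLE_PROC_NET_UDP, allowed_ports={68}):
        print(f"UDP {addr}:{port} accepts datagrams on every interface")
```

Anything the check reports that is not in the device's documented service list is a candidate for firewalling or for binding to a single interface.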

AT&T Microcell FAIL (FailOverflow)

Posted Apr 5, 2012 20:22 UTC (Thu) by chant (subscriber, #20286) [Link]

Can this be used to sneak in past a NATing router?
I think the answer is no. It appears to me that the only implication of this is that if you're on the same network as the microcell you can mess with it, so be careful of who you allow to connect to the same LAN as the microcell.

AT&T Microcell FAIL (FailOverflow)

Posted Apr 5, 2012 20:33 UTC (Thu) by chant (subscriber, #20286) [Link]

It appears in their documentation (http://www.truvista.net/wireless/microcell/PDF/usermanual...) that they encourage you to place this microcell between your internet connection and your NATing gateway, so this is potentially a big deal.

AT&T Microcell FAIL (FailOverflow)

Posted Apr 6, 2012 4:02 UTC (Fri) by tobiasu (subscriber, #72521) [Link]

Punching holes into NAT routers via UDP is a well known technique. So there's a good chance that this could be abused over the internet.

AT&T Microcell FAIL (FailOverflow)

Posted Apr 6, 2012 7:46 UTC (Fri) by Los__D (guest, #15263) [Link]

NAT hole punching is done from the inside, and is a legitimate way to facilitate communication when both hosts are behind NATs.

I cannot see how that relates to an attack from the outside.

AT&T Microcell FAIL (FailOverflow)

Posted Apr 8, 2012 8:42 UTC (Sun) by oldtomas (guest, #72579) [Link]

> I cannot see how that relates to an attack from the outside.

But then, that's what Javascript was made for (I know, I know. Sandboxing. Preventing scripts from opening random connections. All that. But a UPnP hole puncher in JS from the browser wouldn't be new).

AT&T Microcell FAIL (FailOverflow)

Posted Apr 8, 2012 8:53 UTC (Sun) by Los__D (guest, #15263) [Link]

I don't see how you will open the correct port to the correct device using JavaScript. And if you are able to use JavaScript to make magic connections anyway, then why not use it to subvert the box directly?

AT&T Microcell FAIL (FailOverflow)

Posted Apr 9, 2012 14:56 UTC (Mon) by oldtomas (guest, #72579) [Link]

Here you go.

Basically, it's always the same pattern. Edge devices trust the network inside (they shouldn't, but UPnP wouldn't be half as useful then). When you subvert something inside (browser, Flash, PDF viewer, printer, thermostat), you win.

Granted, browsers try hard, but how convenient is it that they are endowed with an interpreter? Yes, there's this pesky "Same Origin Policy", but it can be subverted, time and again. And -- last time I looked, many in my $corp just had disabled it and didn't even know they had! Some stupid, iframe-laden corporate Intranet app doesn't work, and *poof*.

Reality is ugly.

AT&T Microcell FAIL (FailOverflow)

Posted Apr 9, 2012 14:58 UTC (Mon) by Los__D (guest, #15263) [Link]

Oh, I agree. I just don't see what any of this has to do with NAT hole punching.

NAT hole

Posted Apr 22, 2012 9:31 UTC (Sun) by oldtomas (guest, #72579) [Link]

Sorry, I wasn't aware that there's a canonical use of the term "NAT hole punching" [1]. Now I know.

I was using it rather loosely, as in "enticing the user's browser to coax the firewall device to open a window".

[1] <http://en.wikipedia.org/wiki/NAT_hole_punching>

AT&T Microcell FAIL (FailOverflow)

Posted Apr 5, 2012 21:40 UTC (Thu) by arjan (subscriber, #36785) [Link]

the range of these things is very limited (like 30 feet)
wonder if there's a setting you can change to increase the range to cover a whole house....

AT&T Microcell FAIL (FailOverflow)

Posted Apr 5, 2012 23:03 UTC (Thu) by pabs (subscriber, #43278) [Link]

Given that it runs Busybox and Linux, I wonder if this thing has any GPL violations.

AT&T Microcell FAIL (FailOverflow)

Posted Apr 6, 2012 2:51 UTC (Fri) by arjan (subscriber, #36785) [Link]

it comes with a written offer... that much they got right

AT&T Microcell FAIL (FailOverflow)

Posted Apr 6, 2012 21:58 UTC (Fri) by laf0rge (subscriber, #6469) [Link]

I inquired about the source code a long time ago and got some response. It was only the code in the Realtek CPU, but not on the picochip, as far as I remember. As I'm not doing enforcement in the US (and the device is US-only), I didn't really follow up much.

Basically all 3G femtocells are running Linux, and they all are more or less easy to root. People have been doing this for years, mostly for being able to run their own experimental 3G network or for security research.

For anyone interested, I strongly recommend the excellent work by Ravishankar Borgaonkar, Nico Golde and Kevin Redon at TU-Berlin: http://www.tu-berlin.de/fileadmin/fg214/Papers/femto_ndss...

AT&T Microcell FAIL (FailOverflow)

Posted Apr 6, 2012 0:58 UTC (Fri) by lewis (guest, #45263) [Link]

Amazing, and it says right on ATT's website here:

http://www.att.com/shop/wireless/devices/3gmicrocell.jsp

"Device is secure – cannot be accessed by unauthorized users"

makes you wonder who they consider to be authorized...

AT&T Microcell FAIL (FailOverflow)

Posted Apr 25, 2012 17:04 UTC (Wed) by steffen780 (guest, #68142) [Link]

Makes you wonder what happened to the definition of the crime of fraud...

AT&T Microcell FAIL (FailOverflow)

Posted Apr 13, 2012 10:03 UTC (Fri) by rwmj (subscriber, #5474) [Link]

A nice, small hackable femtocell sounds like a feature, not a "fail". In the UK, Vodafone have been selling these for a while, and they are supposed to be rootable too.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.