Deprecated FON Boards !

Freddy, when I talk about SSL I know what I talk about. I have re-implemented parts of it more than once (not specified, not invented, just coded) I have used it on the client and the server side. I have given a speach covering it, several years ago at JavaOne. I know very well how it works.

If you receive a page from https://login.fon.com/... and send an html form response to https://login.fon.com/... you can be reasonably sure that nobody has intercepted it. This is an end-to-end server-authenticated and encrypted connection, no matter what software is running on the hotspot or network as long as you can trust your local machine (and your local machine only) you can trust that connection.

You may be able to trick the user by creating an identical looking page served up via http instead of https! I do check my urls for SSL and host name before typing in passwords but most users would probably not notice. That is exactly the reason why I started this thread.

I do not know how exactly FON realises the familly and friends but I expect, that they handle it on the login server and never send back FON logins or passwords to the hotspot. Unless they do send back the user+pass, you can set up whatever you want - you will never see the password of the user typed into a page from https://login.fon.com/.

Best regards,
Joachim

PS: definition of reasonably sure: (1) Some agencies may be able to break a 128-bit key. (2) A browser flaw could exist that downgrades your 128-bit random key and someone may know how to exploit it. (3) A browser flaw could exist that accepts faked SSL certificates and someone may know how to exploit it. Looking at the maturity of the browsers, (2) and (3) seem less likely in daily routine than a deadly car accident.

let me tell you a bit about chillispot (the auth software of fon)
how it works:
1. user tries to connect to a page, chilli sends back a redirect => user is redirected to fon login page (with some GET variables)
2. user logs in (sending user/pass and the GET variables to the fon server)
3. here's the basic code which the fon server executes now:


$_GET['chal'] is set by chillispot, it's a random 32 byte string, it's put together with the uamsecred "garrafon" (which you can compare with a en/de -cryption key) normally only the web server and chillispot should know it, it's used to generate the random md5 sting (the key).
you can forget about security at this point already, due to everybody knows the uamsecred and can get the key by sniffing the chal var from the wlan traffic. now they just need to sniff the following redirect (with the "encrypted" password...
That's the way how everybody who's able to sniff WLAN can get your password

and additionaly you can see where the fon page will redirect you to, your local chillispot server...

4. your AP's chillispot got the user name and the encoded password
5. chillispot decodes the password
6. chillispot will try to auth the user against the local users (aka friends & family users). Why do you think it takes up to an hour or a reboot of the router to get them working? Why F&F doesn't work with other firmwares? Yes, because they are stored locally and update via the heartbeat script (aka remote control script )
7. if local users didn't match the password is encoded again (with the shared key, "garrafon" too...) and sent to FON the radius servers
8. depending on the radius reply chillispot will redirect you to the auth successful/failed page


that's the way it works, a real nightmare for everybody who cares about security
and you see ssl just would prevent you form sending plain passwords. Hackers have to sniff two connections and not only one, additionally they have to run 5 more lines of code to decode your password!

Just have a look where fon auth page redirecty you to

The only way to increase security is to run your own radius server with an own uamsecret which will send auth requests to the fon servers with the public uamsecret via a secure line. but this is still far from secure...

Thank you.

Oh, but I *do* believe you. And now I find you even more believable.

We really deserve to recieve this news translated for us, because we're all craving signs of activity and progress from them. The English-speaking world is given the impression that fon is either dormant, or is disregarding them. More importantly, we early adopters desire a far greater degree of collaboration with fon. They should have the firmware and web portal developers in here exchanging ideas.

Haha. You realize we don't read those literally? I never noticed. In the USA, we sign *everything* "Sincerely," but it is meaningless.

Cheers!

Freddy, THIS is getting interesting.

I just looked at the page served up by FON and it contains this



The URL of the form is absolute. The destination is an SSL url. In https the SSL encryption is established before the url is transmitted, so I don't see how the CHAL can make it into the url. Could you explain please.

Best regards,
Joachim

The browser parses the https server name from the URL, establishes the SSL connection, then passes the whole URL in turn to the https server so it knows what page is being requested?

the redirect page which chillispot generates is not ssl protected
and the url which fon servers will redirect you to (the /logon one) isn't too

Freddy, I just snooped a complete connection and YES in fact there is a redirection to a local address containing inappropriate information.

Let me put it like this: I'm very surprised. Maybe I should be shocked...

I haven't verified all the details yet, but from the snoop I would say your description is basicly correct. For the time beeing I assume it is, and disconnected my outdoor antenna.

It is really ridiculous if they send the password back with this kind of kindergarden-cryptography. In fact it is ridiculous to even send the username back to the hotspot. It would seem that the concept of Chillispot doesn't really match what FON is trying to do (or should do) considering their distributed setup. They will have to do much better than that if they want me as a Fonero.

I'm really surprised.

Best regards and thanks for the information Freddy,
Joachim

Just some details:
- I can't find the chalk/salt.
- The 302 page from 192.168.182.1.3990 redirects to an https page.

just use your own captive portal with your own uamsecret

ok, I've wrote a small wlan sniffing script which sniffs and decodes fon users/passes completely automated from any AP with *fon* in the SSID, works perfect...
I've an idea of how to make it secure from siffing and users which try to get the pass via a modified chillispot version without changing to much of the system (no new firmware needed).
I'll mail martin about this, let's see if I get a response. If I don't get one I probably will release the script...

Unfotunately that doesn't protect FON users logging into my hotspot from me - nor does it protect me when roaming on other hotspots...

FON should probably generate "one time keys with a very short validity" if they want to keep using Chillispot. But then I'm not sure how well their Radius servers will handle the insertion/deletion of keys in very short sequence.

Regards,
Joachim

Amazing!!!!
Nobody told you FON was Beta ? I thought you considered these kind of things quite normal for a company that is just starting up? Changed your mind or what?

I never consider security problems normal, you seem to be reading between lines that don't exist.

BTW: Your posting fits perfectly in the category troll-post.

Repeating your statements is a troll post. OK.

Haha, points for you, euronerd!

It has taken 2 weeks for things to begin to dawn on joachim... It took me almost 3 months.

Freddy: I have found the chal - I was looking in the wrong place.

Would you mind, posting your suggested solution here? I'm not a believer in security by obscurity - I got the impression you're neither, so I assume your suggested fix solves the problem in the process.

I have thought about this a bit and I think I have come up with an improvement that can be implemented with reasonable effort:

Current situation (based on Freddys description):

1) user requests page ie http://www.myspace.com
2) Chillispot redirects (302) to https://login.fon.com?challenge,mac,uam ... hotspotmac
3) User sends form to https://login.fon.com with username+password
4) login.fon.com redirects to http://uamip:uamport?username,challengedPW
5) router decodes the challengedPW and sends a verification request with username/password to the fon radius servers.
5) uamip:uamport redirects (302) to https://www.fon.com

Familly&Friends are checked on the router, this is one reason why they appear as unknown in the usage log.

From the above it's clear that the redirect 2) can be captured in cleartext and the request resulting from 4) can also be captured in cleartext.

The algorithm to create the challengedPW is known and based on the challenge transmitted in cleartext as well as a shared "secret" that is the same for all FON routers and can easily be extracted from the WIFI routers firmware.

Suggested immediate change (PHASE1):

EDIT: the solution suggested for PHASE1 makes no sense. I made the typical mistake of trying to find a quick fix without trying to break it. See below for the fix of the fix;-)

The shared secret should be individual for each router. To have the simplest possible implementation the shared secret could be a secure hash of the routers mac and a master secret (which is never transmitted to any router but known in the login script). Hence the (per router) individual shared secret would be ISS=SHA1(master_secret, MAC).

1) The FON configuration/heartbeat script retrieves the ISS (not the master secret) and stores it as "uamsecret" ie in place of "garrafon".

The login script at login.fon.com needs to be changed as followed:

$hex_mac= pack('H32', $_GET['router_mac']);
$iss= SHA1($master_secret.$hex_mac);
$hex_chal = pack('H32', $_GET['chal']);
$newchal = pack('H*', md5($hex_chal.$iss));

This can be implemented with minimal effort (I would say less than 1 hour). No additional database and no infrastructure change is required. It does not protect users against rogue hotspots, as the hotspot still obtains the username (email) and password in clear text. However it does provide protection against a snooping attack.

EDIT: As suggested this doesn't work. A snooping attacker can see the router_mac (ie WLAN MAC). It can then create a configuration/heartbeat request against the fon servers with the mac address of the hotpost beeing snooped to request the ISS.

remark1: Maybe an authentication process for the heartbeat script already exist in which case this edit is useless.

remark2: It does not help if the router chooses the ISS and transmits it to the servers without authentication.

Finding: The request used to exchange the ISS must be protected such that an attacker can not simulate it for a choosen router. Hence, the router needs to authenticate the request with credentials that an attacker can not obtain and which FON needs to store and check at each request. (It could still be the heartbeat/config request but it needs to be authenticated).

Some ideas: The ISS request could use the LAN (not WLAN) MAC of the router, the serial number of the router, the router password, etc. as credentials. Some of those are relatively week as they may be derived from the WLAN MAC and knowledge of production processes. Bootstrapping the new authenticating script version is relatively simple: the first request with the "router credentials" is used to store the credentials into the DB. Later requests check if the credentials match the DB entry and block access if not.


Suggested short-term change (PHASE2):

Lines in italic remain identical to current situation.

1) user requests page ie http://www.myspace.com
2) Chillispot redirects (302) to https://login.fon.com?challenge,mac,uam ... hotspotmac
3) User sends form to https://login.fon.com with username+password
4.1) login.fon.com creates a session key with short validity and stores the tuple (useralias,sessionkey) in a radius repository. useralias is NOT the username but the alias also displayed in the connection logs.
4.2) login.fon.com redirects to http://uamip:uamport?useralias,challengedSessionKey
5) router decodes the challengedSessionKey and sends a verification request with useralias/sessionkey to the fon radius servers.
5.1) FON Radius server checks useralias/sessionkey.
5) uamip:uamport redirects (302) to https://www.fon.com

- Family&Friends are checked by login.fon.com.
- The sessionkey(s) must contain a good random, the hotspotmac, and time(out)stamp with validity of <1s.

Solved:
- Username (email) and password are not visible to an outside attacker or a rogue hotspot. The fon.com session can not be taken over by an attacker.
Remaining problems:
- Valid session keys can still be captured. The WIFI session can be taken over by an attacker. (see comments below)
Advantages:
- The suggested solution can be implemented without changing the firmware.
- A hotpot owner could capture the useraliases to implement a verification of the FON logging.


Comments on session keys in the suggested improvement:

Capturing attacker: The sessionkey can still be captured, however its short validity together with the "one session only" feature that already exists make it barely usable for the attacker. The mechanism can be strengthened by changing the firmware: The firmware should check if the hotspotmac provided in the sessionkey matches the current hotspot.

Rogue hotspot: An attacker could set up a rogue hotspot to capture "choosen mac" session keys. This rogue hotspot can use the mac of another existing hotspot to obtain valid session keys for the other hotspot. However the obtained session keys would have to be used in realtime. This allows unauthorized access to FON hotspots, however the user credentials remain confidential.

Final conclusion:

The suggested improvement does not fully resolve the problems with Chillispot. It does however protect usernames (email) and passwords. It is questionable if a user friendly solution can be found that completely outrules the potential to gain temporary unauthorized access to a hotspot. A rogue client positioned near an authentic hotspot together with a rogue hotspot simulating the authentic hotspot can always be used to tunnel a users connection attempt from the rogue hotspot to the authentic hotspot. The session created on this authentic hotspot can then be taken over after successfull login. This would also apply with WEP encryption enabled. In it's core it's a more involved variant of MAC spoofing.

A potential solution would be to block all traffic except traffic targeted at a fon.com vpn server. However this would require downloading and installing client software.
Another potential solution could be based on a localproxy implemented as a signed applet. The DHCP response from the hotspot may contain a proxy (ie localhost:1080) + non-proxied domain (fon.com). The localproxy could be implemented by a signed java applet served from https://login.fon.com. However I think that the majority of installed systems will not recognize proxies provided via dhcp.

my solution is based on unique uamsecrets, a simple 32 byte random string which is generated by FON servers on every boot of the router should solve the sniffing problem. And of course one time random user passwords which are invalid immediately after the login or if there's no login within 11 seconds (chillispots radius timeout is set to 10 secs).

I though about different solutions for the session hijacking problem, couldn't find one so far that would really work
but basically there's no use for the hotspot owner if he has a one time 10sec timeout login

I'm not so sure, you could still set up a rogue hotspot close to an existing one to get a "free ticket" as soon as someone logs in.


I wonder how Windows/Linux/MacOS reacts if the WLAN driver sees packets with it's own MAC that were not generated by the driver. If this leads to a connection interruption it could be used against hijacked sessions.

Here's the idea:

Assumption: If somebody fakes my MAC address on the same hotspot (session hijack), my WLAN driver will interrupt the connection.

The login procedure creates a Logged-In/FON-logout browser window that reads "dont close me, Click here to log out of FON" which refreshes from an https://sessionmaster.fon.com/ url every 10/30 seconds. This would be used as an end-to-end heartbeat or session keep-alive.

The sessionmaster script on the server can be very simple, it only creates an auto-reload OK page with the above message and an encrypted 20/60s timeout stamped session-cookie, or a (longer) FAILED page if the session cookie provided is incorrect or has timed out.

The hotspot would monitor the (SSL encrypted) connection. This can be done on the SSL message level by only looking at message lengths. The hotspot only cares about server results which come from a defined server and hence have specific characteristics. If the message length of a result message exceeds the OK-result length the WIFI session is terminated.

Sounds quite doable to me... may be a bit itchy to use with PDAs etc.

Best regards,
Joachim

Our developers are looking into the concerns raised here. Thanks for the information.

This is an excellent contribution. I highly respect a person who puts this much effort into a project. I'm looking forward to seeing what discussions blossom from this.

"Your Developer(s)"?

What about us? Back to sitting obediently until something else is served to us?

That's a serious question. This is a perfect opportunity to begin collaboration. The developer should join us here.