So I received the FON wireless access point in the mail today (surprisingly quick) and wanted to test it out to see how it would work. I wanted to know what administrative interface it had, how the public and private SSIDs worked and overall what the security of the device is.
The results were rather good so I wanted to give you some details here. The way the FON device works is that, once you plug it in, it broadcasts two SSIDs (by default these are FON_AP and MyPlace). FON_AP is the public SSID that others can connect to. This is what makes your FON device a pseudo-public access point. I say pseudo-public because of the Linus vs. Bill description listed above. MyPlace is the private SSID that uses WPA2 with a pre-shared key (PSK) out of the box. The PSK is the serial number on the bottom of the device. The PSK can be changed, as we will show later, but most people will not change it, making brute force cracking that much easier.
The first thing you do once you plug it in is to connect to either the FON_AP or MyPlace SSID and, as the manual states, browse to http://wifi.fon.com/. What I noticed is that before registering your device it allows you to visit http://www.google.com (and probably other URLs as well). If you try to hit other sites it will redirect you to wifi.fon.com until you actually register the device, which is rather easy. You simply log in using the same username and password you used to obtain your FON device and answer a few questions. The questions ask for the address you are located at, presumably so FON can put you on their map, but this is also a minor personal privacy risk. Of course there’s nothing that forces you to enter the real address, other than personal morals, because there is no way for FON to determine if you are telling the truth or not.
Once the device is registered it is open for business. I wanted to see if someone connecting to the public (FON_AP) side could access other devices on my home network and vice versa. I first connected to the FON_AP side, which required me to log in because I registered as a Linus. I received an IP address of 192.168.182.2 with a gateway address of 192.168.182.1. DNS servers were obtained from DHCP, so they did show the internal IP addresses of my home network. (Remember I plugged this device into the home network, which includes many more computers and is not limited to the cable modem as the manual suggests.)
I tried to port scan 192.168.182.1 (the device itself) and could not. Although the DNS servers for the FON device were internal devices, I could not ping or port scan them from the 192.168.182.x network. This meant that all DNS queries were sent from my client to the access point (AP) and then routed to the proper server. I tried pinging and port scanning other devices within my home network but received no replies. I tried to traceroute to the Internet and received an ICMP reply from the gateway (192.168.182.1), then a blank hop (Request timed out), and then a reply from my ISP’s router. This meant that the FON device must have a static route set within it to only allow public traffic out to the Internet and not internally.
I was impressed with the security here, which makes it almost impossible (outside of malformed DNS requests or exploitation of TCP) to compromise my internal devices or the FON box itself.
I then connected to the MyPlace (private) side of the network to see what could be done. I was given an IP address of 192.168.10.223 and a gateway address of 192.168.10.1. In this situation I could ping devices on the public (FON_AP) side of the network, but not vice versa. When I tracerouted to the Internet I had the same results as when connected to the public side of the AP, and I could ping other devices on the home network. It appears that once on the private side of the AP there are no access list rules.
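The isolation tests above (gateway reachable, everything private or on the home LAN silent from the public side) can be turned into a repeatable check. The following is an added example and not code from the original post; the 192.168.182.1 and 192.168.10.1 addresses come from the post, while the 192.168.1.10 home LAN host and the function names are assumptions.

```python
import socket

# Expected results when probing from the public FON_AP side, modelled on the
# post's observations: only the FON gateway should answer, private-side and
# home LAN addresses must not answer at all. 192.168.1.10 is an assumed home
# LAN host (constructed value, not from the post).
PUBLIC_SIDE_EXPECTATIONS = [
    ("FON gateway (allowed)",         "192.168.182.1", 53, True),
    ("private-side gateway",          "192.168.10.1",  80, False),
    ("home LAN host (assumed range)", "192.168.1.10",  22, False),
]

def tcp_probe(host, port, timeout=2.0):
    """Return 'open', 'closed' (RST received) or 'filtered' (no answer)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:          # timeout, no route, host unreachable
        return "filtered"
    finally:
        s.close()

def evaluate(expectations, results):
    """Compare probe results (keyed by (host, port)) against the policy.

    A target that must be isolated is only acceptable when 'filtered': a
    'closed' result means the host sent a RST, so the segment can still reach
    it at the IP layer even though that particular port is shut.
    """
    violations = []
    for label, host, port, allowed in expectations:
        state = results[(host, port)]
        if allowed and state == "filtered":
            violations.append(f"{label} {host}:{port} silent but should answer")
        elif not allowed and state != "filtered":
            violations.append(f"{label} {host}:{port} answered ({state}) but should be isolated")
    return violations

def run(expectations=PUBLIC_SIDE_EXPECTATIONS):
    """Probe every target from the current segment and report policy violations."""
    results = {(h, p): tcp_probe(h, p) for _, h, p, _ in expectations}
    return evaluate(expectations, results)

if __name__ == "__main__":
    for line in run() or ["isolation policy holds"]:
        print(line)
```

Run it once while associated to FON_AP and once on MyPlace with a private-side expectation list to confirm the asymmetry the post describes.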
I port scanned the gateway address (192.168.10.1) and found the following services open: 25/tcp, 21/tcp, 53/tcp, 110/tcp, 4444/tcp, 5190/tcp, 8080/tcp. This is interesting because when you put 192.168.10.1 into your web browser it shows the AP Management Console. Using netcat against port 80/tcp, which is shown as open, returns a META HTTP-EQUIV redirect to “/cgi-bin/status.sh”. Connecting to the other open services on the AP results in an open port but a dropped connection with no service banner. (I’m curious if you need to connect from a specific IP address to access these services or if there is some other trick.)
You have five management options before you: STATUS, Public WiFi, Private WiFi, Change Password, and Advanced. In order to administer the AP you need to log in (you are prompted for an “openwrt” password), but the manual does not provide you a password for doing this. Remember that the FON device is running the Linksys or Buffalo firmware (currently Linksys WRT54G (pre-v5), WRT54GL, WRT54GS and WRT54GSv4, or Buffalo WZR-RS-G54, WHR-HP-54, and WHR-G54S). If you remember, the default login and password for the Linksys AP is “admin/admin”. It worked!
Now you can change the public and private SSIDs of your AP and the WPA PSK for the MyPlace side of the network (unless you have already renamed it). The private network supports WEP, WPA, WPA2, or WPA/WPA2 Mixed (the default). The public AP SSID will always start with “FON_”, but you can change the suffix (the default is “AP”) to anything.
Update: Serge Mankovski noted the following:
FON suggests connecting the FON router to the local network of your Internet router. It makes any user connected to the FON WiFi access point a member of the local network. To my surprise, the Advanced Firmware from FON.net allowed users connected through the FON access mechanism to connect to my internal network! It opens up the Fonero’s internal network to attacks from users connected to their access points.
April 13, 2007 at 2:37 am
Are you discussing the new La Fonera AP here or the older WRT54G?
April 13, 2007 at 7:01 am
The La Fonera AP!
July 13, 2007 at 5:11 pm
I connected up my La Fonera router today and tested it myself. It’s surprisingly secure, although since it’s built on OpenWRT, that’s not really that surprising, I suppose.
One thing I noticed is that you can actually configure a lot of the settings via the fon website, after you login to it. This even includes the router’s password. Clearly, FON has some sort of backdoor access to the thing once it connects back to them. This access even goes so far as for them being able to update the firmware remotely, so that’s a potential risk to consider.
Serge’s note about the users being able to access your network is true, but only partially. If you connect the Fonera directly to the cable modem, then you’re fine and secure. If, however, you connect it to the LAN side of another router, then anybody on the FON network will be on the LAN side of that router. The Fonera’s “quick install” documentation is slightly confusing, but they do specify that it should be connected directly to the cable modem or ADSL router, not to another router doing DHCP.
FON still offers firmware downloads for Linksys and Buffalo APs, so if you don’t want to pay the $20 to get the La Fonera, you can transform an old Linksys WRT54G or GS into a FON capable router as well.
They’ve also changed their definition of “Bill” now. Bills now get free access anywhere, including at other Bills. The only people who pay are Aliens. This change means that there’s no longer any advantage to being a Linus, other than philosophical ones. So that’s something to keep in mind.
July 13, 2007 at 5:44 pm
Otto, interesting. I was pretty sure that even when connected to the FON access point I was unable to access, ping (ICMP), or netcat to any other IP address on my LAN. I could only access the gateway and IP addresses on the Internet. Did your testing yield different experiences?
January 26, 2010 at 4:11 pm
Damn, this is going on my Twitter. Great info.