So I received the FON wireless access point in the mail today (surprisingly quickly) and wanted to test it out to see how it works. I wanted to know what administrative interface it had, how the public and private SSIDs work, and overall how secure the device is.

The results were rather good, so I wanted to give you some details here. The way the FON device works is that, once you plug it in, it broadcasts two SSIDs (by default these are FON_AP and MyPlace). FON_AP is the public SSID that lets others connect. This is what makes your FON device a pseudo-public access point; I say pseudo-public because of the Linus vs. Bill description listed above. MyPlace is the private SSID and uses WPA2 with a pre-shared key (PSK) out of the box. The PSK is the serial number printed on the bottom of the device. The PSK can be changed, as we will show later, but most people will not, which makes brute-force cracking that much easier: the serial number is readable by anyone who handles the box, and a serial-number format is a far smaller keyspace than an arbitrary passphrase.
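To make that concrete, here is an added example (mine, not code from the original post or from FON) of what a label-printed PSK and a default SSID cost an attacker. WPA2 derives the pairwise master key from the passphrase and the SSID with PBKDF2-HMAC-SHA1, so someone who captures the 4-way handshake can test guesses offline, and the guesses only need to cover the label format. The serial layout used below (a prefix plus a few decimal digits) is an assumption for illustration; FON's real serial format is not given here.

```python
"""WPA2-PSK derivation and the cost of guessing a label-printed key.
Added example; not code from the original post or from FON."""
import hashlib
import itertools


def wpa2_pmk(passphrase, ssid):
    """802.11i passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1, 4096 rounds,
    SSID as salt, 256-bit output. This PMK is all an attacker needs to
    verify a guess against a captured 4-way handshake."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def serial_candidates(prefix, digits):
    """Enumerate a hypothetical label format: PREFIX plus N decimal digits.
    ASSUMPTION: FON's real serial layout is not given in the post; this
    shape only shows how small a keyspace a serial number is."""
    for tail in itertools.product("0123456789", repeat=digits):
        yield prefix + "".join(tail)


def recover_psk(target_pmk, ssid, candidates):
    """Offline search: one PBKDF2 per guess, stop on the first match.
    A real cracker compares a MIC over the handshake instead of the PMK
    directly, but the work per guess is the same."""
    for guess in candidates:
        if wpa2_pmk(guess, ssid) == target_pmk:
            return guess
    return None


def precompute(ssid, candidates):
    """Table of PMK -> passphrase for one SSID. Worth building only when
    many networks share that SSID, which a default like MyPlace ensures;
    renaming the SSID changes the salt and makes the table useless."""
    return {wpa2_pmk(p, ssid): p for p in candidates}


if __name__ == "__main__":
    # Constructed victim: default SSID, PSK "SN042" in the assumed format.
    victim = wpa2_pmk("SN042", "MyPlace")
    print("recovered:", recover_psk(victim, "MyPlace", serial_candidates("SN", 3)))
    # Same PSK, renamed SSID: the precomputed table no longer matches.
    table = precompute("MyPlace", serial_candidates("SN", 3))
    print("table hit after rename:", wpa2_pmk("SN042", "Home") in table)
```

Two things follow from the derivation: changing only the PSK defeats the label trick, and changing the SSID as well defeats any table precomputed for "MyPlace".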

The first thing you do once you plug it in is connect to either the FON_AP or the MyPlace SSID and, as the manual states, browse to http://wifi.fon.com/. What I noticed is that before you register the device it lets you visit http://www.google.com (and probably other URLs as well). If you try to reach other sites it redirects you to wifi.fon.com until you actually register the device, which is rather easy: you simply log in using the same username and password you used to obtain your FON device and answer a few questions. The questions ask for the address you are located at, presumably so FON can put you on their map, but this is also a minor personal privacy risk. Of course nothing forces you to enter your real address, other than personal morals, because FON has no way to determine whether you are telling the truth.

Once the device is registered it is open for business. I wanted to see whether someone connecting to the public (FON_AP) side could access other devices on my home network, and vice versa. I first connected to the FON_AP side, which required me to log in because I registered as a Linus. I received the IP address 192.168.182.2 with a gateway of 192.168.182.1. The DNS servers were obtained from DHCP, and they were the internal IP addresses of my home network. (Remember that I plugged this device into my home network, which includes many more computers, rather than directly into the cable modem as the manual suggests.)

I tried to port scan 192.168.182.1, the device itself, and could not. Although the DNS servers handed to the FON client were internal devices, I could not ping or port scan them from the 192.168.182.x network either. So DNS queries go from my client to the access point (AP), which forwards them to the real server on my behalf. I tried pinging and port scanning other devices within my home network and received no replies. A traceroute to the Internet got an ICMP reply from the gateway (192.168.182.1), then a blank hop (Request timed out), then a reply from my ISP's router. So the FON device must carry firewall (access-list) rules that let public-side traffic out to the Internet only, and not into the internal network; the silent hop is probably my home router, which simply did not answer the probe.

I was impressed by the isolation here: short of attacking the AP through the DNS queries it forwards, or through a flaw in its own TCP/IP stack, there is no obvious way from the public side to reach my internal devices or the FON box itself.

I then connected to the MyPlace (private) side of the network to see what could be done. I was given the IP address 192.168.10.223 with a gateway of 192.168.10.1. From here I could ping devices on the public (FON_AP) side of the network, but not vice versa. A traceroute to the Internet gave the same results as from the public side, and I could ping other devices on the home network. It appears that the private side of the AP has no access-list rules at all.

I port scanned the gateway address (192.168.10.1) and found the following ports open: 21/tcp, 25/tcp, 53/tcp, 110/tcp, 4444/tcp, 5190/tcp, and 8080/tcp. This is interesting because when you put 192.168.10.1 into your web browser it shows the AP Management Console. Using netcat against port 80/tcp, which is also open, returns a page with a META HTTP-EQUIV redirect to "/cgi-bin/status.sh". Connecting to the other open ports gives a completed TCP connection that is then dropped without any service responding. (I am curious whether you need to connect from a specific IP address to reach these services, or whether there is some other trick.)
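The probes above (ping and port scans from each side, and the "open but dropped" ports on 192.168.10.1) can be reproduced with a small connect-scanner that records not just open or closed but what happens after the TCP handshake. The following is an added example, not code from the original post or from FON; the loopback services it starts are a constructed stand-in for the AP so that it runs without the device. Run it from a client on each SSID against the gateway and the internal DNS servers and compare the summaries: a host that is "filtered" for every port from the public side but "closed" or "open" from the private side is exactly the asymmetry described here.

```python
"""Connect-scan that classifies what happens after the TCP handshake.
Added example; the loopback fixtures stand in for the FON AP."""
import socket
import threading


def probe_port(host, port, send=None, timeout=2.0, read_wait=1.0):
    """Connect to host:port, optionally send a request, and classify.

    Returns (state, data) with state one of:
      'closed'        connection refused (RST): nothing listening
      'filtered'      no answer at all: dropped by a firewall on the path
      'open-dropped'  accepted, then closed or reset with no data
      'open-silent'   accepted, stays up, nothing sent within read_wait
      'open-banner'   accepted and the service sent something
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return ("closed", b"")
    except OSError:                 # includes the connect timeout
        s.close()
        return ("filtered", b"")
    try:
        if send:
            s.sendall(send)         # e.g. an HTTP request for a server that waits
        s.settimeout(read_wait)
        data = s.recv(4096)
    except socket.timeout:
        return ("open-silent", b"")
    except OSError:                 # reset after accept
        return ("open-dropped", b"")
    finally:
        s.close()
    if not data:                    # orderly FIN right after accept
        return ("open-dropped", b"")
    return ("open-banner", data)


def scan(host, ports, send_for=None):
    """Probe each port; send_for maps port -> bytes to send after connect."""
    send_for = send_for or {}
    return {p: probe_port(host, p, send=send_for.get(p)) for p in ports}


def summarize(results):
    """Group ports by state so two segments' views of a host compare easily."""
    groups = {}
    for port, (state, _) in results.items():
        groups.setdefault(state, []).append(port)
    return {state: sorted(ports) for state, ports in groups.items()}


def start_fake_service(behaviour, payload=b""):
    """Loopback stand-in for one AP port (constructed fixture, one connection).

    'banner': greet with payload, then close (like an SMTP/FTP server)
    'http':   wait for a request, then answer with payload
    'drop':   accept and close immediately (the dead ports on 192.168.10.1)
    Returns the ephemeral port number it listens on.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if behaviour == "http":
                conn.settimeout(2.0)
                try:
                    conn.recv(1024)
                except OSError:
                    pass
            if behaviour in ("banner", "http"):
                conn.sendall(payload)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_port():
    """A loopback port with nothing listening (bind, read it back, close)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Demo against loopback fixtures; point scan() at the gateway for real use.
    redirect = (b"HTTP/1.0 200 OK\r\n\r\n"
                b'<META HTTP-EQUIV="refresh" CONTENT="0;URL=/cgi-bin/status.sh">')
    send_for = {
        start_fake_service("banner", b"220 smtp ready\r\n"): None,
        start_fake_service("http", redirect): b"GET / HTTP/1.0\r\n\r\n",
        start_fake_service("drop"): None,
        free_port(): None,
    }
    results = scan("127.0.0.1", list(send_for), send_for)
    for port, (state, data) in results.items():
        print(port, state, data[:60])
    print(summarize(results))
```

The distinction between "filtered" and "closed" is the one that matters for segmentation testing: a closed port proves the packet reached the host, a filtered one proves something in between dropped it. Keep `read_wait` short for bulk scans and raise it for services that greet slowly.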

You have five management options before you: STATUS, Public WiFi, Private WiFi, Change Password, and Advanced. To administer the AP you need to log in (you are prompted for an "openwrt" password), but the manual does not give you one. Remember that the FON firmware is OpenWrt-based and runs on Linksys or Buffalo hardware (currently the Linksys WRT54G (pre-v5), WRT54GL, WRT54GS and WRT54GSv4, or the Buffalo WZR-RS-G54, WHR-HP-54 and WHR-G54S). If you remember, the default login and password for the Linksys AP is "admin/admin". It worked! Since the console is reachable, unfiltered, from every client on the private side, changing this default password should be the first thing you do.

Now you can change the public and private SSIDs of your AP and the WPA PSK for the MyPlace side of the network (unless you have already renamed it). The private network supports WEP, WPA, WPA2, or WPA/WPA2 Mixed (the default). The public SSID will always start with "FON_", but you can change the suffix (default "AP") to anything. Pick WPA2 rather than WEP or Mixed, and a passphrase that is not printed on the bottom of the box.

Update: Serge Mankovski noted the following:

FON suggests connecting the FON router to the local network of your Internet router. It makes any user connected to the FON WiFi access point a member of the local network. To my surprise, the Advanced Firmware from FON.net allowed users connected through the FON access mechanism to connect to my internal network! It opens up the Fonero's internal network to attacks from users connected to their access points.
