Back to my La Fonera page
Did this site help you?
Average rating (La Fonera):
2.70/3 (1500 votes)

Hacking the La Fonera: Why we did it

Hacking the La Fonera has created a lot of speculations and different opinions about Michael's and my intentions behind that issue. I created this page to clarify out thoughts on FON, the La Fonera and the publication of the script we created.

Why we didn't do it

It was not our goal to turn our La Fonera into a plain free wireless router - Michael and I support the idea of sharing wireless internet access. It also wasn't our intention to harm users or FON in any way: we strongly disagree with people just grabbing free La Fonera devices and not using them the way FON intended them to do.

Why we did it

Taking - and keeping - control of our network

Our primary goal was to take control of a device that was processing all of our data being transferred over our network: Although FON had released the source code to the firmware, the open source community was unable to verify whether the programs present on the device really originated from the source code FON supplied, since there was no way of producing a working firmware image from the sources: To load a new firmware to the router, the file would have to be signed by FON. Therefore, you cannot simply compile a new image from the investigated code yourself and upload it to the router.

While investigating the sources, we found out that FON has complete root access to the device all the time, and can supply arbitrary program code to it: Therefore, a security breach on download.fon.com (where all La Foneras fetch their instructions from) would lead to a security breach on every active La Fonera device at once. Therefore, to keep the local network secure, one has to not only trust the device supplied by FON, but the security of the FON servers as well, especially download.fon.com.

Raising awareness of the danger of a single point of authority

As I pointed out, having all La Fonera devices listen to a single authority is probably a bad idea: As you can see, it was possible to inject shell code into your router just with your Fonero username and password, without even having to connect to your router. It could be done from anywhere around the globe, and as soon as your router fetches his new configuration, the code will be executed. Combined with the ability to sniff Fonero usernames and passwords, this could have led to a La Fonera worm: It would start on a single node, sniffing the authentication data of FON users logging on:

Pretending that the La Fonera will stay a blackbox forever is an illusion; An illusion we ended with our demonstration, at least we hope so. Otherwise, cracking the device for possible malicious reasons would just have been a question of time.

And of course:

Because it was possible.


Stefan Tomanek
Michael Kebe