Why we didn't do it
It was not our goal to turn our La Fonera into a plain free wireless router - Michael and I support the idea of sharing wireless internet access. It also wasn't our intention to harm users or FON in any way: we strongly disagree with people just grabbing free La Fonera devices and not using them the way FON intended them to be used.
Why we did it
Taking - and keeping - control of our network
Our primary goal was to take control of a device that was processing all of our data being transferred over our network: Although FON had released the source code to the firmware, the open source community was unable to verify whether the programs present on the device really originated from the source code FON supplied, since there was no way of producing a working firmware image from the sources: To load a new firmware to the router, the file would have to be signed by FON. Therefore, you cannot simply compile a new image from the investigated code yourself and upload it to the router.
While investigating the sources, we found out that FON has complete root access to the device all the time, and can supply arbitrary program code to it: Therefore, a security breach on download.fon.com (where all La Foneras fetch their instructions from) would lead to a security breach on every active La Fonera device at once. Therefore, to keep the local network secure, one has to not only trust the device supplied by FON, but the security of the FON servers as well, especially download.fon.com.
Raising awareness of the danger of a single point of authority
As I pointed out, having all La Fonera devices listen to a single authority is probably a bad idea: As you can see, it was possible to inject shell code into your router just with your Fonero username and password, without even having to connect to your router. It could be done from anywhere around the globe, and as soon as your router fetches its new configuration, the code will be executed. Combined with the ability to sniff Fonero usernames and passwords, this could have led to a La Fonera worm: It would start on a single node, sniffing the authentication data of FON users logging on:
- Alice logs into a FON router infected by the worm
- The worm intercepts her FON username and password
- Using this authentication data, the worm is able to manipulate the settings of Alice's router - without even having to know where it is
- After an hour or so, Alice's router contacts download.fon.com to check for configuration updates
- Now Alice's router is infected by the worm itself and starts sniffing for new passwords
- Bob logs onto Alice's La Fonera network
- ...
Pretending that the La Fonera will stay a blackbox forever is an illusion; an illusion we ended with our demonstration, at least we hope so. Otherwise, cracking the device for possible malicious reasons would just have been a question of time.
And of course:
Because it was possible.
Hacking the La Fonera: Why we did it