Ask HN: Are US cellular networks this poorly secured?
They report:
> "It turns out that any Sprint device anywhere in the country can communicate with any other Sprint device anywhere in the country."
And no, they don't mean by placing calls. They used a femtocell (miniature cell tower) that had been exploited to allow console (command line) access. In particular, a Sprint Airave. Basically that gave them direct access to Sprint's WAN. So then, just as with Windows PCs in the early 00s:
> "To find vulnerable vehicles you just need to scan on port 6667 from a Sprint device on the IP addresses 21.0.0.0/8 and 25.0.0.0/8."
But this isn't limited to baseband radios of motor vehicles, right?
So using the same approach, adversaries could find open ports on Sprint smartphones and other devices with cellular connectivity. And perhaps exploit them, given that cellular baseband radios are reportedly not well secured. Also, the baseband is privileged over the GUI operating system. And given that baseband firmware is a closed-source blob, it's basically impossible to fully assess any of those risks.
Or am I being overly alarmist?
Has Sprint since reconfigured its cellular network to better isolate devices?
And are other US cellular networks as poorly secured?
0) https://news.ycombinator.com/item?id=22024501
1) http://illmatics.com/Remote%20Car%20Hacking.pdf
6 comments
[ 3.6 ms ] story [ 26.0 ms ] threadIIRC this is no longer true for current-gen chips and designs.
Isn't baseband firmware still closed-source?
Edit: OK, I see https://www.reddit.com/r/privacy/comments/e9ma76/upcoming_20...
However, the effectiveness of baseband isolation on separate chips vs through software is contentious. It seems to me that using a separate modem/router with a wired network link (not WiFi) is the safest option.
Cellular WANs aren't the Internet. And it seems that at least some devices on them are poorly secured.
So what I'm wondering is whether other cellular WANs are as iffy as Sprint's was. And whether they've been better secured.
Why do you say this?
> Looking at the network configuration of the Uconnect system we can see that it has several interfaces used for communications. It has an interface for the internal Wi-Fi communications, uap0, and another PPP interface, ppp0, presumably used to communicate with the outside world, via Sprint’s 3G services.
> The 192.168.5.1 address is the address of the Uconnect system to any hosts connected to the Wi-Fi access point. The IP address 68.28.89.85 is the one that anyone on the Internet would see if the Uconnect system connected to them. However, port 6667 is not open at that address. The 21.28.103.144 address is the actual address of the interface of the Uconnect facing the Internet, but is only available internally to the Sprint network.> After a little experimentation, it was observed that the PPP interface’s IP address would change each time the car was restarted, but the address space always fell within two class-A address blocks: 21.0.0.0/8 or 25.0.0.0/8, which are presumably the address space Sprint reserves for vehicle IP addresses.
So these are basically huge LANs that anyone with a suitably tweaked Sprint baseband modem can access.
0) http://illmatics.com/Remote%20Car%20Hacking.pdf