Ask HN: Are US cellular networks this poorly secured?

1 points by mirimir ↗ HN
I've been thinking about xfitm3's recent comment[0] about work by Charlie Miller and Chris Valasek on remote exploitation of motor vehicles.[1]

They report:

> "It turns out that any Sprint device anywhere in the country can communicate with any other Sprint device anywhere in the country."

And no, they don't mean by placing calls. They used a femtocell (miniature cell tower) that had been exploited to allow console (command line) access. In particular, a Sprint Airave. Basically that gave them direct access to Sprint's WAN. So then, just as with Windows PCs in the early 00s:

> "To find vulnerable vehicles you just need to scan on port 6667 from a Sprint device on the IP addresses 21.0.0.0/8 and 25.0.0.0/8."

But this isn't limited to baseband radios of motor vehicles, right?

So using the same approach, adversaries could find open ports on Sprint smartphones and other devices with cellular connectivity. And perhaps exploit them, given that cellular baseband radios are reportedly not well secured. Also, the baseband is privileged over the GUI operating system. And given that baseband firmware is a closed-source blob, it's basically impossible to fully assess any of those risks.

Or am I being overly alarmist?

Has Sprint since reconfigured its cellular network to better isolate devices?

And are other US cellular networks as poorly secured?

0) https://news.ycombinator.com/item?id=22024501

1) http://illmatics.com/Remote%20Car%20Hacking.pdf

6 comments

[ 3.6 ms ] story [ 26.0 ms ] thread
> Also, the baseband is privileged over the GUI operating system.

IIRC this is no longer true for current-gen chips and designs.

I'd appreciate cites for that.

Isn't baseband firmware still closed-source?

Edit: OK, I see https://www.reddit.com/r/privacy/comments/e9ma76/upcoming_20...

However, the effectiveness of baseband isolation on separate chips vs through software is contentious. It seems to me that using a separate modem/router with a wired network link (not WiFi) is the safest option.

The Internet is not and never was a secure network. Devices connected to the Internet need to secure themselves.
Initially, it was by default trusted. And once it expanded beyond academic and military, it became clear how foolish that assumption was.

Cellular WANs aren't the Internet. And it seems that at least some devices on them are poorly secured.

So what I'm wondering is whether other cellular WANs are as iffy as Sprint's was. And whether they've been better secured.

Cellular WANs aren't the Internet.

Why do you say this?

They're private subnets, right? From the paper:[0]

> Looking at the network configuration of the Uconnect system we can see that it has several interfaces used for communications. It has an interface for the internal Wi-Fi communications, uap0, and another PPP interface, ppp0, presumably used to communicate with the outside world, via Sprint’s 3G services.

   # ifconfig
   lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33192
           inet 127.0.0.1 netmask 0xff000000
   pflog0: flags=100<PROMISC> mtu 33192
   uap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
           address: 30:14:4a:ee:a6:f8
           media: <unknown type> autoselect
           inet 192.168.5.1 netmask 0xffffff00 broadcast 192.168.5.255
   ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1472
           inet 21.28.103.144 -> 68.28.89.85 netmask 0xff000000
> The 192.168.5.1 address is the address of the Uconnect system to any hosts connected to the Wi-Fi access point. The IP address 68.28.89.85 is the one that anyone on the Internet would see if the Uconnect system connected to them. However, port 6667 is not open at that address. The 21.28.103.144 address is the actual address of the interface of the Uconnect facing the Internet, but is only available internally to the Sprint network.

> After a little experimentation, it was observed that the PPP interface’s IP address would change each time the car was restarted, but the address space always fell within two class-A address blocks: 21.0.0.0/8 or 25.0.0.0/8, which are presumably the address space Sprint reserves for vehicle IP addresses.

So these are basically huge LANs that anyone with a suitably tweaked Sprint baseband modem can access.

0) http://illmatics.com/Remote%20Car%20Hacking.pdf