DSL Telefonie ist inzwischen eine probate Alternative zur herkömmlichen Festnetztelefonie geworden. Der Unterschied zwischen den beiden Technologien ist kaum bemerkbar – die Sprachqualität ist auch bei DSL Telefonie hervorragend. Und auch wer sein “altes” Telefon weiterhin verwenden möchte, kann dies problemlos tun. 
Die Grundlagen der IP-Telefonie finden Sie unter nachfolgenden Link.

Zudem hat DSL Telefonie über einen DSL Anschluss einen entscheidenden Vorteil gegenüber der alten Variante: In punkto Kosten kommen DSL Telefonie Kunden deutlich besser davon. Zum einen deshalb, weil die fixen Anschlusspreise geringer sind. Und zum anderen, weil eine DSL Telefon Flatrate hilft, die monatlichen Kosten für Telefongespräche auf ein Minimum zu reduzieren – zumindest, was die DSL Telefonie ins deutsche Festnetz angeht. Denn ähnlich wie eine DSL Flatrate die monatlichen Ausgaben für das Surfen im Internet pauschal abdeckt, hält man seine Telefonkosten Monat für Monat stabil.

Mittlerweile bekommt man DSL Telefonie bei vielen der zahlreichen DSL Anbieter. Grund: Immer mehr DSL Provider operieren nicht mehr über das Netz des Telekom, sondern haben eine eigene, rein auf DSL basierende Infrastruktur. Über diese laufen die DSL Angebote, zu denen immer auch DSL Telefonie beauftragt werden kann. Die Telefon Flat kann immer gleich mit hinzugebucht werden – sofern sie nicht schon als fixe Paketkomponente automatisch in einem gewünschten DSL Package mit dabei ist – und kostet selten mehr als 10 Euro im Monat. Bedeutet: Schon bei durchschnittlichem Telefonaufkommen lohnt sich die Inanspruchnahme einer DSL Telefon Flatrate.

Wird auf DSL Telefonie gesetzt, ist eine entsprechend ausgerüstete DSL Hardware vonnöten. Bei den meisten der DSL Telefonie Provider bekommt man sie zu einem günstigen Preis oder gar kostenlos in Verbindung mit einem DSL Paket gleich mitgeliefert. In der Regel ist dies ein WLAN Router, in dem ein DSL Modem bereits integriert ist.

Weirdness happens in the most strange places, and the Fon forums are an endless source of fun. Their moderator, known as moderfon, throws his wrath around like a dragon, censoring posts that are not convenient to Fon’s image. Those who complain or even link to external stories that deal with topics such as replacing the Fonera’s firmware, or problems and bugs such as the overheating routers, are ruthlessly censored, and the posters threatened with being banned.

I have moderated public forums for almost 10 years now, and there is a very delicate balance between keeping things on topic, abusive users, and the community. You simply cannot have a forum about a topic, and then arbitrarily decide when and how its members can or cannot talk about the topic. If the topic of Fon’s forums is Fon, then users should be allowed to say anything related to Fon, be it good, bad or even how to hack the routers. People should be allowed to complain about a company on the company’s own forum, else, it is basically a propaganda tool, or something one must have for public image. “Sure, we like our community, we have a blog and a forum!”. Keeping a company forum on topic does not mean keeping it on the topic the company would like to see, but making sure there is no spam, users don’t become abusive, flame wars are tamed, and people get a feeling that they are contributing to something. Censoring uncomfortable topics is not the way to go.

In this particular case, a UK ISP known as Fondoo.net, who define themselves as “the UK’s first FON Friendly ISP.”, has had its name censored from Fon’s forums. Any mention of the word ‘fondoo’ will be shown on posts as *xxxx*, as can be seen on this thread (scroll down a bit to the first post by euronerd). Seems like a very fast way to lose friends, and shows how to not build a community. As this thread will probably be censored (there was a thread about censorship that itself got censored!), I took a screenshot of the relevant bit:

Update: I found a link to this Wikipedia entry (I tend not to link to Wikipedia as a general rule, but I’ve reviewed this article and it seems just fine), which is a great introduction and explanation of what it means to moderate a forum (wink wink, moderfon). Thanks to Kyros for posting the link on AustinTX’s blog, it will come in handy more than once methinks!

I, and others, have our doubts about wether this video is a fake stunt, or a true story. It is true that the Fonera overheats, much more than would be expected from a consumer-electronics product, but to the point of causing physical damage to the plastic case?

The heat problem

Heat in electronics mostly comes from dropping voltage by converting current into it, in our case, the voltage regulator in the Fonera drops 5V to 3.3V at 500mA, resulting in the dissipation of 850mW. That’s right, we are dumping 850mW right into the atmosphere in the form of heat. This brings the operating conditions very close to the maximum ratings for this regulator, which has a maximum rated thermal resistance of 90ºC/W, my calculations put the operating conditions at 88ºC/W. Additionally, the wireless section of the Fonera is also converting a lot of energy into heat.

The measurements

After I finished my tests, I got a comment from Pobletewireless, regarding his own measurements of the heat problem, which are shown in very cool thermographs (no pun intended!) – much nicer than my rather rudimentary method.

I measured the temperature of the Fonera using a thermocouple connected to a Fluke 123 Scopemeter via an 80TK thermocouple module. The thermocouple was placed in between the heatsink and RF shield, the case closed, and the Fonera powered, as can be seen in this picture:

After 10 minutes operating normally, the temperature had risen to an average of 72ºC, with a peak of 80ºC.

The second batch of measurements were performed drilling four small holes to allow the thermocouple into the casing, the locations are shown in the following picture:

Maximum temperature at one corner was 43ºC. Next, an attempt was made to melt the white lid of the Fonera, by exposing it to a high temperature airflow from a paint-stripping gun, and at the same time, applying slight pressure from below. The thermocouple was used to measure at which point the plastic became maleable, and deformation started. At around 100ºC, the plastic was soft enough that a solid object could change its shape – this is in line with ABS plastic thermal properties, which state a deflection temperature around 100ºC, depending on specific material composition.

As the deflection point test resulted as expected, the lid was then exposed to an airflow at 280ºC for two minutes. The result of this exposure is shown in the pictures below:

It’s obvious that some deformation has taken place, with discoloration and charring on the point where heat was directly applied. However, the front side of the lid had mostly retained its shape.

Conclusions

The Fonera does indeed run very hot, much hotter than it should, if anything, for the good of the internal parts. Electronic components are sensitive to heat, with maximum ratings given by each manufacturer in terms of storage and operating conditions. The higher the temperature, the lower the service life of any given component. Some are affected more than others, most notably, electrolytic capacitors have a high sensitivity to heat, as it can evaporate the electrolyte quicker, causing it to fail. The capacitors in the Fonera are made by Taicon, a taiwanese manufacturer, and are max-rated for 105ºC. From the datasheet [PDF], at this temperature, the capacitor will fail after some 2000 hours, around 83 days. Following Arrhenius’ Law, and since the area around the capacitors was found to be at around 52ºC, their expected life would be 7800 hours, or about 325 days – what a coincidence, almost a full year, after which your warranty has expired. Comparing the Fonera to a Meraki Mini, one realises that there is a serious design flaw, as apart from the Mini having a switched-mode regulator, the wireless section shares exactly the same design as the Fonera. The temperature measured outside the casing of the wireless section indicates that the junction temperature of the components inside has to be ridiculously high. So, one conclusion is that the Foneras will eventually fail due to overheating, and it will probably happen sooner than later.

On the deformation / melting video – in my opinion, it’s not real. At least, it couldn’t have happened without the Fonera reaching temperatures around the whole casing that would have caused some components to blow up (for example, the capacitors). The Fonera could not have undergone such an extreme temperature, and still function as shown on the video. The temperature gradient between the heatsink and one corner of the case is almost 2:1, thus, to reach a deformation temperature of say 200ºC at the corner, the heatsink must have been running at 400ºC! A final bit of evidence – the sticker. If you look closely at the video, the sticker on the bottom of the Fonera looks almost unscathed. Here is a picture of what it looks like after applying a 250ºC airflow for 30 seconds, which causes the plastic to deform:

Obviously, a more prolongued exposure would have damaged it even more. In all honesty, I would love to get more details from the guy who made the video, as it stands right now, I’d call it a hoax.

With the current Fonera, you cannot access devices on the wired side of the network (such as a SAN drive or printer) from the wireless side, be it using the public or private SSID, you are effectively NATted from your own network. A LAN port would solve this the same way as it is done in higher quality devices such as the Linksys WRT54 series.

What really surprised me was to see that these routers have already been shown by Accton, the OEM that manufactures the Fonera on their website for a few weeks. Check out these links, datasheets in PDF available, for a white-label Fonera, a Fonera with LAN passthrough, and what looks to be the Fon Liberator, having a USB port and BitTorrent client built-in! Martin Varsavsky recently put the release date of the Liberator back a few months, originally scheduled for Christmas 2006, citing technical difficulties.

Now, either Accton wants to score a goal taking advantage of the publicity offered by Fon, or Fon didn’t pay an exclusivity fee for the design of these routers, or both. One million routers by 2010 is nothing by asian manufacturer standards, but they do allow buyers to secure exclusive designs. Copies could still be found, but not as prominently and by the same manufacturer making their own.

I wasn’t sure that Accton was the designer behind the Fonera, and gave Fon the benefit of the doubt of actually having developed something themselves in the electronics field, but now it seems clear that Accton is the designer of the hardware platfom, so there wasn’t that much development by Fon after all (the firmware was created by the hackers behind DD-WRT and OpenWRT).

The hack is not for the faint-hearted, and so you risk bricking your router if the flashing fails – there is still a way to de-brick using the serial port, but in any case, don’t try this at home unless you know what you are doing. We are on the cutting edge of the development, which eventually trickles down into easier-to-follow HOWTOs and step-by-step guides.

Spotted the problem yet? Radio antennas are affected by any element that is present around them, even non-metallic elements, such as the ground. In this particular case, kanijo, a Fonero, has attempted to provide more “range” to his FON hotspot, which is in itself commendable, however, the means may not result in the desired end – original FON forum thread here.

You can see that the vertical omni antenna, a carefully tuned radiating element, has been strapped to a metallic pole, which also runs a coaxial cable into a TV antenna right on top. The router is inside a sealed plastic box, with power and Ethernet going into it from below. There is no way that this antenna is radiating correctly, as the pole that supports it is probably grounded (if it has been installed according to regulations), and even if it is not, it is inducing an imbalance into the tuned element, causing a large amount of RF to be attenuated. The user reports good results with it, which are most likely due to good luck.

The second problem with this type of setup is that vertical antennas don’t emit downwards, and thus will provide very limited coverage to users below the antenna. There is some downwards bleed of course, but it will only reach lower users that are some distance away from the antenna.

Recommendations for these sort of setups: install the antenna right at the top of its own pole, and ground the pole. If you have no choice but to use an existing pole, get a T arm fitting and mount the antenna at least 1 meter (3 feet) away from the pole. A perfect example of such as setup, in this case with two supports as the antenna is rather large and care for wind load is needed, is this (credit to Roger Halstead):

Check out Roger’s page, it is a very good read if you are interested in radio installations.

The hack gives access to the console, with which you can do all sorts of nice and interesting things.

During my investigations that led to the statistics post, I also discovered a serious flaw in the maps management system, which would allow anyone to re-position any FON hotspot and change its address without first logging into the user area.

All that was required was the node’s ID and the hotspot owner’s user ID, both easily obtainable from the public queries that maps.fon.com launches against the database where hotspot data is held, and which I used to gather the statistics. For a determined attacker, it would have been very easy to place every single FON hotspot right in the middle of 1600 Pennsylvania Avenue, Washington DC.

I could have very easily posted about this, but I refrained from doing so for a reason – while I do not work full-time in the IT security industry, I have done quite a bit of consultancy work in the past, related to IT security, particularly in the wireless field. This means that I am fully aware of the industry-approved vulnerability disclosure procedure, which can be explained simply as:

• Document the vulnerability, and inform the company about the fact that you have found it.
• Wait for an initial response, establish contact points, and work a schedule for fixing the issue.
• Work with the company to help them solve the issue.
• Once the issue has been fixed, make a public disclosure on both sides about the vulnerability, giving credit to the person or company that discovered it.

You can find more references to this policy at Microsoft’s Security Response Center, here and here. A PDF from oisafety.org also describes this process in detail. A perfect example on how not to do things is the recent disclosure of a code injection vulnerability, which allowed manipulation of FON’s routers without even having to open them – even though their points are valid, they should have given FON the chance to fix the problem before going public.

In this case, I contacted FON’s support email first September 27th, and received a response on the 29th. This was really generic, only wanting to know about the details, and not acknowledging the normal procedure as I have explained above. On October 2nd, I emailed them again, asking to confirm that they understood the procedure, and on the 3rd they replied that they agreed on following the procedure.

I started compiling the information I had into a working document, but after becoming so frustrated at the attacks received as a result on my post about the statistics, the decision was to simply let the issue go, forget about FON, and concentrate on my own project. A couple of days ago, browsing around for stuff to clean up on the laptop, I came across the half-written report, and decided to finish it and send it to FON support, with CC to Martin, just to close the case. I received a reply today that they have in fact fixed the vulnerability, with a short ‘thanks’ (actually, quoting his email in full: “thanks Mike, i understand its been fixed”) from Martin.

The public acknowledgement of the discovery posted by FON is found in this forum post. Only in the English forums, by a user created apparently for this particular purpose, as this is his first post ever, where it is not likely to draw much attention. This would be fine by me, had not there been the precedent of Martin’s fierce replies to my statistics post, followed by countless attacks by FON’s followers, including an unfortunate incident better left forgotten. What I really cannot understand is that, when I criticize FON, I get such a huge public lashing, whereas when I help them out, I get a three-line remark in a forum where it will go mostly unnoticed. The end result may well be that other vulnerabilities, and it is likely they exist, go unreported.

Whatever the case, this should show those who accused me of unfair, biased attacks on FON that I really just call the shots as I see them, when I smell bullshit, I will point to it, when I see a hole, I will help them fix it – again, IMHO, blogging is not about being or not biased, it is about being ethical and maintaining a set of standards. In my view, it should also prompt Martin to write an apology, but I am not holding my breath. Not that I care much either, what is most important is my work; this is my blog, where I spend part of my spare time, which is not actually that much.

A full review is coming, but first impressions:

• The plastic casing looks and feels very nice, the molds must have been expensive, as the different parts mate very well.
• Inside lives a single PCB, with components on both sides. The top holds the bulkier components, such as power regulator, RAM and WiFi section, inside an aluminium RF shield.
• The PCB looks professional and well laid out on first inspection.
• Components used (I haven’t opened the aluminium chassis yet) are older SOIC and TSSOP, thus cheaper to handle and solder. Balled components require from special handling, such as baking in hydrogen for 24 hours to dry them before soldering, etc.

Here are some pics (click each photo for bigger views on Flickr) I have taken with a Nokia N93 (really nice phone btw, mini-review coming):

The underside of the case, with screws off.

Perspective view of the top PCB.

Bottom side of the PCB.

Sticker on the flash IC showing the firmware version.

On a first look, the maps look really nice – they use Google Maps, by default in the mixed view, where you see a satellite image and an overlay of roads and placemarks. I will not bore you with the details, as it is better that you check them out yourself and make up your mind.

This post is not intended as a review of the service itself, but rather, a revelation of the real figures behind FON’s network – peeking under the layer of PR and flamboyance. Martin Varsavsky is always boasting about FON being the largest WiFi community of the world – in my view, this is not accurate.
During months, FON has been claiming to be a “movement”, with a marked communist image behind (the marching workers, the spray-painted logos, etc.). This movement was supposed to kill mobile operators, who currently oppress people with their sky-high tariffs. We could go into a long debate just on this topic, but lets move on. During all this time, FON has suffered untold problems with staffing, PR mini-scandals, shipping broken routers or taking weeks and months to even send them out, not replying to repeated requests to support@fon.com, and blatantly ignoring the public forums, where the community behind the movement was expressing its increasing anger and frustration.

The blinding truth – less than 3.700 routers online worldwide

Digging a bit deeper into the workings behind the maps, I have found that there is a method to run a query to retrieve all the hotspots in FON’s database, not just two hundred, or those in a particular region. If you want to see an example, click here. This is a query that will return all hotspots on the planet that have been FONing home during the last hour. It can take a little while to load, so be patient. Until a couple of days ago, results were returned in XML format, which has been dropped in favor of the new plain, comma-delimited format.

I predict that FON will not like the above link, and thus will try to either change the format of the php call, or add artificial records to confuse the application I have written to process the data. First, I wrote a simple application using RealBasic (having been a long-time Visual Basic acolyte, it is a welcome change, allowing me to code under Mac and Windows transparently) – source code here. A screenshot of a full run is shown below.

Just from the details shown after the run, a few enlightening facts surface:

• The highest user ID found is 92.192, but the total amount of processed records is only 55.384. I have to investigate a bit further, but it appears that in some cases, a record is stored twice, once holding the user type (Linus, Alien or Bill), and again holding the router mode (online or unknown). This is the reason why some people see both the orange dot and the green halo on their locations at maps.fon.com, and also the reason why at this time I cannot confirm that the real number of Foneros is 43.896.
• There are only 3.674 routers online on the entire planet. So much for the largest WiFi community in the world. The other 7.814 are registered routers, from which nothing has been heard during the last hour. These figures have been checked a few times during the last few days, and they stay more or less constant.
• Out of the entire user base, only 1.317 have become Bills. So much for milking one’s WiFi.
• The highest router ID found in the results was 19.889, so if we add offline and online routers (best case scenario), then around 8.401 routers have never been registered, representing 42.2% of sold routers. Extrapolating this to the 1 million routers Martin wants to sell would results in a loss of $10.55 million!.

Looking at the per-country statistics (per-city could be made, given some extra time and coding), some curious details also stand out:

• There are two registered routers in Afghanistan – but neither is online. Not surprising, considering the amount of explosives that have been dropped on the place.
• China and Taiwan have 9 routers registered, but none online. Martin was blogging about his expansion into Asia, which looks rather bleak right now. 165 Foneros are registered however.
• Germany and Spain have around the same number of registered routers, although Germany almost doubles Spain in the number of online routers.
• The United States ranks third in number of registered and online routers, however, it holds the highest number of Bills (408). The next is Germany, with 237.

Finally, we can derive a few figures from these numbers. These are highly interpreted, and must be taken as theoretical extremes.

• If FON sold one $3 one-day pass every day of the year on each of the online routers, it would make a gross income of $4 million. This is before tax and the Bill’s share where applicable. You at the back, stop giggling!
• Making a wild assumption that each router’s signal reaches 100 people, FON would only cover 0.11% of Germany’s population of 82 million.
• Boingo gives you access to 45.000 hotspots. FON has about 8% of that figure, and with location quality debatable – it is a fact most FON hotspots will not be optimized for even street-level coverage.

I believe it is time for FON to stop boasting about having the largest WiFi community in the world, and start concentrating on its real problems. And if they still don’t know what these are, they have a nice summary at the online forums. Besides, for spending 500.000 Euros per month, this is a pretty poor show, in my humble opinion.