DEFCON 14 – A hacker’s paradise

I have just returned from a vacation, interrupted by a couple of trips – one of them to DEFCON, the world’s largest hacker conference. This year, it ran at the Riviera hotel and casino in Las Vegas at the beginning of August.

There was plenty to see and do, from talks as interesting as war-rocketing to an insight into the US-VISIT program and its plans to implement RFID tags in the green visa waivers, or the 2D barcode receipts given out at airports.

I participated in the wardriving events, organised by Thorn, and which consisted of the Running Man and Fox Hunt competitions. Our team was led by Renderman, and we had some backup that put up some noise (fake APs, floods, etc.) to make the contest more interesting.

The Running Man started well, but unfortunately the other team tripped casino security by walking past their booth with a magmount omni antenna on each shoulder, a laptop, several WiFi cards dangling from their belts, a YellowJacket, and other gear – apparently, the IT guys freaked out, and they wanted the contest shut down. After the intervention of Ross and Priest, we were allowed to carry on, but limiting the search area to the venue, and not the whole casino. After the contest resumed, we found the Running Man in around 15 minutes, and won!

The second contest, Fox Hunt, consisted of a hidden WRT54G that was only on for 15 seconds every minute. One was supposed to locate the fox, connect to it, and change the SSID after brute-forcing the admin account. 15 seconds to do all that is not a lot! So, our plan was to locate the fox… and make a run with it to a safe place, so we could kill the 15-second timer circuit, reduce the amount of RF leaking out and have a go at changing the SSID. The first part of the plan went well, but then the other team got slightly miffed and called Thorn, who in turn called us to go back to the contest table with the WRT so the other team could also have a go at it.

Interestingly, Thorn had taped the admin password to the bottom of the router, but neither team noticed it! In fact, the other team ended up brute-forcing the AP and changing the SSID. We contested that since when we removed and reapplied power to the AP, the SSID went back to its default, we had in fact won, but Thorn wasn’t having any of it. The contest was a tie, which was decided by the question “Who owns the OID 00:00:00?”, the answer to which is Xerox. We got it wrong, and so we lost. Next year we will be better prepared for sure.

Here are a few pictures from the event:


Thorn and Renderman giving their presentation on the Church of Wifi, with CoWPatty, the WPA rainbow table generator, and the WRT54G mods, which included my WaRThog.


The war-rocketing guys, and their awesome rocket. I wonder how they got that thing past airport security.


The WaRThog on the left, with two more of CoWF’s modified WRT54Gs.


If you used DEFCON’s wireless network to check your email, access your corporate network, etc., but didn’t use any form of security (VPN, SSH…), you are bound to be in the Wall of Sheep. It displays captured user names, passwords, domains and access methods – I actually had the two colleagues travelling with me show up here, even though I told them to not even open their laptops while at the con.

See you next year!

My last day as a Fonero – bye FON, hello future

Today is my last day as a Fonero, which is what people registered on FON’s network are called (IMHO a rather ugly name). Why this decision? There are a number of reasons, and I have chosen to simply make a list.

  • The most important reason is that I have taken a position at a company that makes it unethical for me to continue participating in FON. I will no longer post on their forums; however, I will continue to post my thoughts about FON on my blog, and replying to Martin Varsavsky in his blog when I see it appropriate.
  • FON has been a downhill experience from day one. I ordered my “social” router, and got charged by PayPal, but no confirmation from the company, no tracking number, nothing. I emailed their support address, no reply. It eventually arrived, admittedly faster than the month or two some people were reporting on the forums. After a few futile attempts at configuring the router to work with my DSL line, and a couple of completely ignored emails to FON support, I simply gave up. The router is now waiting for a PCB to turn it into a WaRThog.
  • Every time I see a new crazy idea in Martin’s blog I feel more depressed about the FON project – does he really think WiFi is the way for homeless people to make a living, reselling VoIP services over Bluetooth? (don’t ask!). Where would he send them the money? Then there are the times when he takes a product and claims it was designed by FON, sometimes in secret collaboration with his backers Skype or Google. The latest is the Skype-compatible WiFi phone made by an Accton subsidiary – this is a design that Accton started way before FON even saw it, and way before Martin could have his logos photoshopped onto the mockups. As a matter of fact, out of the box this phone will not work at FON hotspots, as it lacks the browser required to perform user login – so they will have to work some magic.
  • The English and Spanish forums are another source of disappointment, with daily posts from people complaining about the extremely poor support that FON is providing them. Some have even taken to posting comments on Martin’s blog to air their issues, something blogtiquette considers a no-no. I posted a few days ago about this particular issue.
  • They have followed an ill-conceived path to gaining publicity through bloggers, resulting in a serious backlash from the Spanish blogosphere (see here and here). Martin seems to think that surrounding himself with top bloggers in exchange for dubious stock options or a seat on the board will get him a free ticket to stardom.
  • I believe that FON serves two purposes – one is to give a personal vehicle of shininess to Martin’s ego. See this post by Glenn Fleishman on FON’s crazy deal announcements, later called off as a lie by Speakeasy – typical example of how he manipulates a phone conversation into front-line news. Om Malik also reported on this particular issue. Martin is someone who cannot be seen as co-founding anything, but as a leader and innovator.
    Secondly, FON serves as an experiment for Skype and Google, who somehow convinced Index and Sequoia to go along. I don’t believe the two VC firms are into experiments, but FON would certainly provide good feedback to S & G about socializing WiFi, hardware distribution, and the adoption of the Bill model as a viable way to extend a WiFi network. Other stuff such as amount of logins at each location/router, number of registered users, daily passes sold, etc. would make nice colored graphs in the resulting corporate presentation.
    But the problem is that FON is a huge fiasco in terms of hardware distribution, firmware development, public relations, and customer support. I thus question the validity of any figures that come out of this rather expensive experiment.
  • Their firmware development process seems to be a closely guarded secret – but not for the same reasons Apple safeguards its own developments. FON started working with Brainslayer, the creator of DD-WRT, a free Linux distribution for Linksys (and other) routers. Apparently, Brainslayer was not very well treated by FON, and he parted to work in the Sputnik project, amongst other developments.
  • Just as Mark Evans did, I have voiced my concerns about FON’s business model and strategy – now that they finally launched the Bills, it looks more ill-fated than ever.

I find it really amazing how FON, with the $21.7 million they got in funding, cannot manage to hire a competent team of support personnel, outsource their obviously ailing router distribution system, and get some muscle behind the community effort. Martin Varsavsky is known in Spain for starting companies, pumping them up, and selling at the best possible gain – then leaving them behind with serious problems. Just look at what people think of Jazztel, or what troubles the Ya.com portal went through.

For me, the FON adventure is over, and a new, better adventure is starting. We will start disclosing things around the end of August, so if you want to stay updated, you are welcome to subscribe to the RSS feed.

How can FON expect to win?

Today I decided to attempt a second round at configuring the router FON sent me a few days ago, since my first out-of-the-box experience hadn’t been that good. With my emails to tech support unanswered (which seems to be an endemic problem, as can be seen on FON’s forums), I had finally given up.

After plugging in the WRT54GS router as described in the brief manual supplied with it (a third of one side of an A4 sheet of paper), I connect to the FON_HotSpot SSID detected by the MacBook. Fire up Firefox, and I’m promptly greeted with a welcome page that states the router could not configure itself, and thus has no connection to the Internet. It shows a few scenarios that one can check for problems, also suggesting one should consult the third-of-a-page handbook again, and, failing all this, try manual configuration of the router.

After about an hour of changing IP addresses of the WAN and LAN interfaces (and where is the WiFi interface? or is it linked to the LAN or WAN?), I have finally given up again. I’m not a networking überguru, but I know a bit about routing and setting up IP interfaces, and this thing just managed to get on my nerves. You cannot find a clear manual with diagrams of network connectivity, setups and scenarios, a description of the theory of operation of the hotspot, and as it has been shown, sending emails to FON support is usually futile. The forums are more helpful, but not because there is a healthy bunch of FON staff there, but because a number of talented and skilled individuals have taken upon themselves the task of helping others through the ordeal.

I’m sure that a lot, if not most, users that plug in the FON router can simply connect to it, register and start surfing, but in cases like mine, where I simply have a DSL router to which I plug in the FON router and it’s supposed to work – but doesn’t – a blank void is all there is left to stare at.

Maybe a last attempt will be to flash the new release of the firmware, once they have fixed the problems in v0.6.6.

Bottom line is that FON cannot expect to create a WiFi planet with people roaming for free on the 1 million routers they are going to distribute (once they get their logistics right) based on complex hardware that requires either skilled operators, or very good tech support and clear setup and troubleshooting guides. A couple of days ago, someone posted on the forum that FON was a beta company. How can a company class itself as beta? It can have a service in beta, but the company must be running, if not totally smoothly, at least with agility and responsiveness, fixing its problems quickly and providing first-class customer service.

No A2DP in OSX – maybe if Apple made a Bluetooth stereo headset…

Last night I was watching a DVD on my MacBook Pro, and remembered that I still kept a Motorola Bluetooth stereo headset from the time I was working at SouthWing and we designed such devices.

Bluetooth stereo headsets use a profile called Advanced Audio Distribution Profile (A2DP), which allows them to receive medium-quality audio at 16kHz from compatible devices. Most USB Bluetooth dongles sold recently have the profile in their drivers, and there are some mobile phones from Nokia, Samsung and Motorola that also feature this profile. The advantage is that you can listen to music wirelessly, and also control the player from the headset, as they feature the usual forward, back, play and pause controls.

Once I found the headset, I switched on Bluetooth on the Mac, and started the pairing process. The headset was recognised just fine, and pairing completed, but I noticed that it had been connected as a Handsfree device, with A2DP nowhere to be found. Since there doesn’t seem to be a method of connecting the headset permanently, so the audio is always routed from the Mac to it, the attempt was frustrated – I couldn’t even listen to the DVD in low-quality audio.

Why has Apple left out this profile – is it a blunder, or a calculated approach? As of this date, Apple doesn’t manufacture or resell any Bluetooth wireless headsets (only one can be found at their store, and it comes with a dongle for the iPod, so it doesn’t count). So, why would they have an interest in adding the A2DP profile, so that we could use any other headset? If they are in the process of designing their own, they might want to keep the profile away from Macs until they launch it.

Then again, if we give Apple a vote of confidence that they are not that insidious, it could be a blunder. And a big one. Windows has been able to work with A2DP headsets since late 2005, so they have had plenty of time to add the profile to their Bluetooth stack.

A few myths and facts about Bluetooth, versions and profiles for the curious:

1. Profiles are mostly independent of the Bluetooth version. It is perfectly possible to have A2DP in a V1.2 Bluetooth device, just the same as a V2.0 + EDR device can have just two profiles and miss many of the usual ones – the mix is up to the manufacturer and driver supplier.

2. EDR stands for Enhanced Data Rate – this does not increase the range, it just increases data throughput from around 700kbps to around 2.1Mbps, by using a different modulation scheme. The Bluetooth protocol and profiles stay just the same – the advantage is that since data takes about a third of the time to send compared to non-EDR devices, there is a considerable power consumption reduction.

3. “Device Y doesn’t support profile Z”. Again, this is up to the manufacturer, and it’s hard to add new profiles, especially in embedded devices. Some chipsets use masked ROM, which means that the Bluetooth stack, profiles and other settings are burned in at the time the silicon is printed – so, no software updating on these. Masked ROM is considerably cheaper, although it has an initial setup cost of $100.000, so it’s only good for high-volume production runs. The chips can drop $1 to $2 compared to the flash EEPROM counterparts.

As an example of a very poorly implemented Bluetooth solution we can find the Logitech MX5000 keyboard and mouse combo – it sucks. A lot. I am preparing a review that will try to investigate why it does the stupid things it does, such as repeating the first letter you type a dozen times when it wakes up, or why the mouse starts wandering around the screen as if it was possessed by a poltergeist.

The WARTHOG – a WiFi router on steroids

Since I first started tinkering with the Linksys WRT54G router a little over a year ago, replacing the stock firmware with OpenWRT, I have been thinking about making something special with it.

The router itself is a great piece of hardware, having a WiFi adapter, and two wired LAN interfaces. OpenWRT allows hackers to do almost anything with the device – there are plenty of mods, such as the dual serial ports, SD card to add storage space, and more.

I tried to look for a GSM/GPRS mod, which would add a module to the router, allowing it to communicate with the outside world using data and SMS – but there was no such thing, at least integrated into the router’s casing. So, the challenge was born, to design a PCB that would hold an SD card reader, a GSM/GPRS engine, and a GPS receiver. What could you do with this device? Here is a short list:

  • An autonomous wireless IDS with logging and SMS alerts. This could warn you when an intruder is trying to break into your network via WiFi. It would be completely autonomous, only needing a power source to run.
  • Self-contained wardriving box, which can save logs to the SD card, and be controlled via SMS messages. It could also periodically send you a status report to your mobile phone.
  • Mobile hotspot – by bridging the GPRS data connection to the WiFi signal in AP mode. Not very fast, but wait until 3G modules come out…
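To make the first item on that list concrete, here is an added example (my illustration, not code from the original post nor from the WARTHOG or OpenWRT firmware) of the kind of logic such a box would run: scan router log lines, count failed authentication attempts per client MAC inside a sliding time window, and produce an SMS-sized alert once a client crosses a threshold. The log line format, the event names and the MAC addresses are all constructed for the example and are not real hostapd or OpenWRT output.

```python
"""Minimal threshold-based wireless IDS (added example, not from the post).

Log format assumed here (constructed, NOT real hostapd/OpenWRT output):
    <ISO-8601 timestamp> <EVENT> <client MAC>
where EVENT is one of AUTH_FAIL, DEAUTH or ASSOC_OK.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) (AUTH_FAIL|DEAUTH|ASSOC_OK) ([0-9a-f:]{17})$")


def parse_line(line):
    """Return (timestamp, event, mac) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Return one alert (mac, count, first_ts, last_ts) per client MAC that
    accumulates `threshold` AUTH_FAIL events within any `window`-long span.
    Each MAC is reported at most once so a noisy client does not flood the SMS channel."""
    recent = defaultdict(deque)   # mac -> timestamps of recent AUTH_FAILs
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:          # skip malformed / unrelated lines
            continue
        ts, event, mac = parsed
        if event != "AUTH_FAIL":
            continue
        q = recent[mac]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold and mac not in alerted:
            alerted.add(mac)
            alerts.append((mac, len(q), q[0], ts))
    return alerts


def sms_body(alert, max_len=160):
    """Format an alert as a single GSM SMS (160 chars), truncating if needed."""
    mac, count, first, last = alert
    text = f"WIDS: {count} failed auths from {mac} between {first:%H:%M:%S} and {last:%H:%M:%S}"
    return text[:max_len]


# Constructed sample log: client ...:01 hammers the AP, ...:02 mistypes once then
# associates fine, ...:03 fails five times but spread 90 s apart (outside the window).
SAMPLE_LOG = [
    "2006-08-05T10:00:00 AUTH_FAIL aa:bb:cc:dd:ee:01",
    "2006-08-05T10:00:02 AUTH_FAIL aa:bb:cc:dd:ee:02",
    "2006-08-05T10:00:04 ASSOC_OK aa:bb:cc:dd:ee:02",
    "2006-08-05T10:00:05 AUTH_FAIL aa:bb:cc:dd:ee:01",
    "2006-08-05T10:00:10 AUTH_FAIL aa:bb:cc:dd:ee:01",
    "this line is garbage and must be ignored",
    "2006-08-05T10:00:15 AUTH_FAIL aa:bb:cc:dd:ee:01",
    "2006-08-05T10:00:20 AUTH_FAIL aa:bb:cc:dd:ee:01",
    "2006-08-05T10:01:00 AUTH_FAIL aa:bb:cc:dd:ee:03",
    "2006-08-05T10:02:30 AUTH_FAIL aa:bb:cc:dd:ee:03",
    "2006-08-05T10:04:00 AUTH_FAIL aa:bb:cc:dd:ee:03",
    "2006-08-05T10:05:30 AUTH_FAIL aa:bb:cc:dd:ee:03",
    "2006-08-05T10:07:00 AUTH_FAIL aa:bb:cc:dd:ee:03",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(sms_body(alert))   # on the WARTHOG this would go out over GPRS/SMS
```

Running it on the constructed log reports only client `aa:bb:cc:dd:ee:01`; the slow client `:03` never has more than one failure inside the 60-second window, which is the point of the sliding window. Keying on the client MAC is the obvious caveat: a MAC is trivial to change, so in practice you would also log the event and watch for bursts of failures across many MACs, not just per MAC.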

Here is a first picture of the PCB mounted onto the WRT54G. It doesn’t show the mess of cables that covers it, but gives an idea of what it will look like.

My Fon router has arrived!

I ordered a Fon router when they dropped the price to 19$ from the usual 25$, to try the service and see how it performs. My feelings right now are mixed, as had I waited one day, I could have purchased it for 4$.

This ‘rubbery price’ approach was explained a few days ago in Martin Varsavsky’s blog, as a demand elasticity test. Basically, you drop the price, and see if hordes of people jump on the offer. Yesterday, after having been back at 25$ for a few days, they changed the price to 1$, but only for a few hours.

Fon: maybe a not-so-social router

I have recently been following Fon, a movement that aims at creating a worldwide WiFi network, with Bills, Linuses and Aliens sharing their broadband with others, some for free, others for profit – split with Fon. The basis of Fon is that you connect a Linksys WRT54Gx WiFi router running special firmware to your broadband internet connection. This firmware turns the router into a captive portal, which then allows you to control access to the internet.

During the last couple of weeks, there has been some noise at Fon about having finally achieved production of their own WiFi router – they call it La Fonera. The move may seem obvious, as right now they are buying the Linksys routers at full reseller price, in turn reselling them heavily subsidized at $25 apiece, or $1, as I’ve just read a minute ago. What I still don’t get is the title of the recent post in Martin Varsavsky’s blog, ‘Fon, the Social Router’.

A few days ago, Fon announced the purchase of 1.000.000 (literally!) of these new routers from the Taiwanese manufacturer Accton. This company already manufactures WiFi routers, amongst other devices, and so it’s perfectly plausible that they can manufacture a customized router for Fon.

The main reason for manufacturing anything in China or Taiwan is that labour costs are extremely low. The electronics aren’t cheaper over there, and as a matter of fact, most of the core components are sold by western companies, such as Broadcom, Intel and Atmel. Labour conditions in Chinese plants vary, from outright slavery to pretty good, but even then, one thing is a fact: they work all year round, including all weekends, only having ten days off for the Chinese New Year.

Reading Accton’s site, it appears that they treat their workers very well, and I applaud that. But this also means that they cannot produce as cheaply as the sweatshop-style manufacturers. A WiFi router with the horsepower required to run Fon’s platform is not cheap – let’s estimate roughly $22 per unit, for a purchase of 1 million units. If this estimate is correct, Fon would have blown on these routers a tad more than the entire funding they got from Skype, Sequoia, Index and Google.

If they were to give away the routers, to recoup this investment Fon would have to sell approximately 11 million 24-hour access packages, at $2 each. That is assuming Fon takes 100% of the money – with the Bill model, they would only get 50% of the income, as it is shared with the person providing the broadband and maintaining the hotspot. If they were to sell the routers at cost, they’d still have a huge logistics nightmare on their hands. Failure rates in mass-produced electronics range between 1% and 3%, meaning they could have up to 30.000 returns, costing them $1.32 million in hardware, plus logistics and other costs. It is one thing to be a promoter of social WiFi – another to turn into a hardware manufacturer, be it by ODM contracts or by making the devices yourself.

So, I leave some open questions: has Fon chosen a company that respects human rights, treats its workers with dignity, but won’t give them a good deal as they could have gotten somewhere else, thus affecting their ROI expectations? Does investing in 1 million routers make economic sense with their current business model?