
Ask HN: Are US cellular networks this poorly secured? - mirimir
I've been thinking about xfitm3's recent comment[0] about work by Charlie Miller and Chris Valasek on remote exploitation of motor vehicles.[1]

They report:

> "It turns out that any Sprint device anywhere in the country can communicate with any other Sprint device anywhere in the country."

And no, they don't mean by placing calls. They used a femtocell (miniature cell tower) that had been exploited to allow console (command line) access. In particular, a Sprint Airave. Basically that gave them direct access to Sprint's WAN. So then, just as with Windows PCs in the early 00s:

> "To find vulnerable vehicles you just need to scan on port 6667 from a Sprint device on the IP addresses 21.0.0.0/8 and 25.0.0.0/8."

But this isn't limited to baseband radios of motor vehicles, right?

So using the same approach, adversaries could find open ports on Sprint smartphones and other devices with cellular connectivity. And perhaps exploit them, given that cellular baseband radios are reportedly not well secured. Also, the baseband is privileged over the GUI operating system. And given that baseband firmware is a closed-source blob, it's basically impossible to fully assess any of those risks.

Or am I being overly alarmist?

Has Sprint since reconfigured its cellular network to better isolate devices?

And are other US cellular networks as poorly secured?

0) https://news.ycombinator.com/item?id=22024501

1) http://illmatics.com/Remote%20Car%20Hacking.pdf
======
wmf
The Internet is not and never was a secure network. Devices connected to the
Internet need to secure themselves.

~~~
mirimir
Initially, it was by default trusted. And once it expanded beyond academic and
military, it became clear how foolish that assumption was.

Cellular WANs aren't the Internet. And it seems that at least some devices on
them are poorly secured.

So what I'm wondering is whether other cellular WANs are as iffy as Sprint's
was. And whether they've been better secured.

~~~
wmf
_Cellular WANs aren't the Internet._

Why do you say this?

~~~
mirimir
They're private subnets, right? From the paper:[0]

> Looking at the network configuration of the Uconnect system we can see that
> it has several interfaces used for communications. It has an interface for
> the internal Wi-Fi communications, uap0, and another PPP interface, ppp0,
> presumably used to communicate with the outside world, via Sprint’s 3G
> services.

    # ifconfig
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33192
            inet 127.0.0.1 netmask 0xff000000
    pflog0: flags=100<PROMISC> mtu 33192
    uap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            address: 30:14:4a:ee:a6:f8
            media: <unknown type> autoselect
            inet 192.168.5.1 netmask 0xffffff00 broadcast 192.168.5.255
    ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1472
            inet 21.28.103.144 -> 68.28.89.85 netmask 0xff000000


> The 192.168.5.1 address is the address of the Uconnect system to any hosts
> connected to the Wi-Fi access point. The IP address 68.28.89.85 is the one
> that anyone on the Internet would see if the Uconnect system connected to
> them. However, port 6667 is not open at that address. The 21.28.103.144
> address is the actual address of the interface of the Uconnect facing the
> Internet, but is only available internally to the Sprint network.

> After a little experimentation, it was observed that the PPP interface’s IP
> address would change each time the car was restarted, but the address space
> always fell within two class-A address blocks: 21.0.0.0/8 or 25.0.0.0/8,
> which are presumably the address space Sprint reserves for vehicle IP
> addresses.

So these are basically huge LANs that anyone with a suitably tweaked Sprint
baseband modem can access.

0) [http://illmatics.com/Remote%20Car%20Hacking.pdf](http://illmatics.com/Remote%20Car%20Hacking.pdf)
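A defender-side check, added here and not code from the paper or from any poster in this thread: it parses the BSD-style ifconfig output quoted above and labels each interface by who can reach it, showing that the ppp0 address in 21.0.0.0/8 is not RFC 1918 private space even though it is invisible from the public Internet, so anything listening on that interface needs a host firewall rather than an assumption of isolation. The sample output is constructed from the quote; the interface names and netmask format are assumed to match that quote.

```python
import ipaddress
import re

# Constructed sample: the ifconfig output quoted above, trimmed to the lines the parser uses.
SAMPLE_IFCONFIG = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33192
        inet 127.0.0.1 netmask 0xff000000
pflog0: flags=100<PROMISC> mtu 33192
uap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.5.1 netmask 0xffffff00 broadcast 192.168.5.255
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1472
        inet 21.28.103.144 -> 68.28.89.85 netmask 0xff000000
"""

IFACE_RE = re.compile(r"^(\w+): flags=\w+<([^>]*)>")
INET_RE = re.compile(r"^\s+inet (\S+)(?: -> (\S+))? netmask (0x[0-9a-fA-F]+)")


def parse_ifconfig(text):
    # Map interface name -> {flags, addr, peer, netmask}; interfaces without an inet line keep None.
    ifaces, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            ifaces[current] = {"flags": set(m.group(2).split(",")), "addr": None, "peer": None, "netmask": None}
            continue
        m = INET_RE.match(line)
        if m and current:
            ifaces[current].update(addr=m.group(1), peer=m.group(2), netmask=m.group(3))
    return ifaces


def classify(entry):
    """Label an interface by who can reach it; 'carrier-wan' is the one to firewall."""
    if entry["addr"] is None:
        return "no-ip"
    ip = ipaddress.ip_address(entry["addr"])
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:  # RFC 1918 and other IANA special-purpose ranges: on-link hosts only
        return "local-lan"
    # 21/8 and 25/8 are globally allocated blocks, not private space: a point-to-point
    # link numbered from them faces every host the carrier routes, not just the Internet.
    return "carrier-wan" if "POINTOPOINT" in entry["flags"] else "global"


def reachable_block(entry):
    """The on-link network implied by the netmask, i.e. how many hosts share the segment."""
    mask = ipaddress.ip_address(int(entry["netmask"], 16))
    return ipaddress.ip_network(f"{entry['addr']}/{mask}", strict=False)


def wan_facing(text):
    return sorted(n for n, e in parse_ifconfig(text).items() if classify(e) == "carrier-wan")
```

Running it on the quoted output reports only ppp0 as carrier-facing, with 21.0.0.0/8 as the segment it shares, which is exactly the population the paper says can reach port 6667.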

------
kelnos
> _Also, the baseband is privileged over the GUI operating system._

IIRC this is no longer true for current-gen chips and designs.

~~~
mirimir
I'd appreciate cites for that.

Isn't baseband firmware still closed-source?

Edit: OK, I see
[https://www.reddit.com/r/privacy/comments/e9ma76/upcoming_20...](https://www.reddit.com/r/privacy/comments/e9ma76/upcoming_2020_flagship_phones_will_have_baseband/)

However, the effectiveness of baseband isolation on separate chips vs through
software is contentious. It seems to me that using a separate modem/router
with a wired network link (not WiFi) is the safest option.

