wertarbyte writes "FON distributed a new firmware revision (0.7.1r3) to all La Fonera devices. According to the changelog, several bugs in the web interface have been fixed, as well as issues regarding the limitation of the shared bandwidth. This version however still allows arbitrary commands to be injected through a spoofing attack as utilized by the kolofonium hack, which enables SSH access to the otherwise locked down box.
The hack relies on a manipulated DNS entry leading the Fonera device to a special RADIUS server from which the router retrieves its hotspot configuration. Through this server, arbitrary commands can be inserted in the chillispot (the open source hotspot software employed by FON) configuration. Online demonstration systems are set up, so hacking La Fonera essentially boils down to changing the DNS server to a special IP address.
"La Fonera" is a subsidized WLAN router given away by FON, which creates two separate wireless 802.11g networks. One of these networks is used to offer internet access to other registered users of FON, while the owner of the router in exchange is allowed to use other FON hotspots for free. Although the device firmware is based on the open source software OpenWRT, modifications are prohibited by a cryptographic signature."
wertarbyte writes "Although FON tried hard to prevent further software hacking attempts on their (nearly) free wireless routers, the same two students that discovered the first flaw in the web interface in November 2006 discovered a new flaw that allows code injection through a spoofed RADIUS server. This hack is even more severe than the first one, since it does not require the owner's password to execute code. It however enables users to start an SSH daemon on all firmware versions, even the most recent 0.7.1-2, which closed all known web interface vulnerabilities. For those willing to gain SSH access to their own routers, a test system has been set up that enables the dropbear SSH daemon once a specific DNS server is specified on the router."
wertarbyte writes "FON is still giving away their wireless routers for free in Germany and Austria until Wednesday — under the premise that the devices will be connected and used as FON access points. The router, called "La Fonera", is a variant of OpenWRT, but locked down to prevent modification, including a signed firmware image to prevent the upload of new software. It is however possible to get shell access by connecting a serial port present on the circuit board, but now two students from Germany discovered vulnerabilities in the CGI scripts used to configure the device, and successfully activated an SSH daemon on the device by exploiting them, giving owners a root shell on their device. They also provide a detailed description of the procedure and "ready-to-use" Perl scripts to open up your router."