![]() |
Security on N900
My concern is that the N900 is designed to be always connected and it is a Linux system with all the standard security issues. It probably comes with a default root password with lots of open ports. Are users directed to change the root password? Or do users have to know that to do to protect their device?
Anyone reading this is not a typical user. The typical user takes the 'phone' out of the box, puts the SIM in, powers up, and uses it. Security hygiene is not on their radar. Since this device is different from the previous tablets from Nokia does anyone know what is provided to protect users from the nasties of the world? |
Re: Security on N900
Quote:
|
Re: Security on N900
Quote:
|
Re: Security on N900
There isn't any standard way in UI. But since all applications are installed as root, you'll Install an application and installation scripts enables sudo or something else.
|
Re: Security on N900
Quote:
|
Re: Security on N900
Quote:
What stops you installing a malicious application in Ubuntu? Or in Windows? |
Re: Security on N900
Quote:
Of course, preventing the user himself to do something with the device is against what Maemo is, so hopefully we're not going to see any of that ugly "nanny operating system" stuff. |
Re: Security on N900
Quote:
I did not intend for a flame here but there are always security issues with any operating system. Telling me to believe without proof just raises my concerns. Maemo is not Ubuntu so using that as a proof point is, by itself, not sufficient. Any pointers that will make your point about the security of Maemo? |
Re: Security on N900
Quote:
If you want to see what's listening, you can either log on and run "netstat -an | grep LISTEN", or you can run an nmap port scan against it from an external machine (which is probably more useful in a practical sense as it reveals what's actually reachable through the network after various firewalls and the like have been passed instead of what theoretically is running according to the kernel). |
Re: Security on N900
Quote:
You made your initial post sound like if someone was going to take the phone out of the packaging and get rooted remotely in seconds. To do that, the phone would need to e.g. have by default a ssh server running with a default root password. There is no such server in the phone. Without such server, they could even ship "rootme" as the default root password. Nothing would happen; you would need to get at the phone's keyboard to enter it*. Well, at least in the N810. Which you can buy and test everything we have said in this thread by yourself :) *Of course, nobody said e.g. 0 exploits in the browser. As you said, no operating system is safe. But between 100% and suicidal there is a big difference. It's not like your average Symbian phone is 100% safe. |
Re: Security on N900
so here is the output of nmap to my n800 on a local network.
debsilver:/home/epilido# nmap -v -sS 192.168.1.115 Starting Nmap 4.68 ( http://nmap.org ) at 2009-09-07 18:04 EDT Initiating ARP Ping Scan at 18:04 Scanning 192.168.1.115 [1 port] Completed ARP Ping Scan at 18:04, 0.13s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 18:04 Completed Parallel DNS resolution of 1 host. at 18:04, 0.01s elapsed Initiating SYN Stealth Scan at 18:04 Scanning Nokia-N8xxxxxxx (192.168.1.115) [1715 ports] Discovered open port 22/tcp on 192.168.1.115 Completed SYN Stealth Scan at 18:05, 3.94s elapsed (1715 total ports) Host Nokia-N8xxxxxxx (192.168.1.115) appears to be up ... good. Interesting ports on Nokia-N8xxxxxxx (192.168.1.115): Not shown: 1714 closed ports PORT STATE SERVICE 22/tcp open ssh MAC Address: 00:19:4Fxxxxxxxx (Nokia Danmark A/S) Read data files from: /usr/share/nmap Nmap done: 1 IP address (1 host up) scanned in 4.526 seconds Raw packets sent: 1727 (75.984KB) | Rcvd: 1719 (79.070KB) I installed ssh. This is by no means an indepth test but i do not find a bunch of open ports..... The n800 was up and surfing google at the time Epi |
Re: Security on N900
Quote:
|
Re: Security on N900
first and foremost, only "server" packages open ports and listen. "client" apps make outbound connections. if you install a server package, and start it, it will listen on the port that package is configured to listen on.
simply because a port is open and an agent is listening does not mean the device is insecure. your alarmist stance is not necessary. not every service is vulnerable to the myriad of issues that other OSes face. moreover, i believe the iptables firewall is installed, and unless iptables is configured to allow a connection to the server that is listening on any given port, the connection will be rejected/denied based on the iptables policy. remember, security is based on making the effort/risk cost more than the reward. |
Re: Security on N900
IMO, it is easier to "hack" the Palm Pre or the old iPhone (both had/have browser or email exploits) than the internet tablets. Yeah, if you go and stop iptables and change the root password to rootme or something, it might get hacked, but out of the box it is pretty locked down from the outside. If you have physical access to the machine, at least with the n810, its very simple to get root access.
|
Re: Security on N900
Again, why iptables (iptables is much more than a firewall, but i'll treat it like one for the sake of this thread)?
There are no open ports! This would be like trying to put a rock inside a safe (poor analogy :D). And, if I remember correctly, iptables is installed but not configured by default. |
Re: Security on N900
Quote:
On mine it currently says: Code:
Nokia-N810-43-7:~# netstat -tln
From the above list, the scariest one is 7275, since supllistenerd runs as root and it's a closed source component so can't be audited independently. Note that it's not in the default Diablo installation either though (comes from agps-ui). |
Re: Security on N900
There's two questions here:
One is what might be called the "default security level"; for the average consumer, there'll be no root access, no open ports etc. (as far as I know). The other thing is security on a broader, conceptual level given that this device is also a phone. I can have root access. I can have all sorts of services running and open all ports. I can install software from sources the community here doesn't even know about. While all of this is my responsibility (and therefore my problem) as far as my own device is concerned, it may cause troubles once some malware interacts with the cellular part. So: Is there any special security built around the cellular part of the device? Or would it be accessible like anything else and could I, say, run a cron job that calls all of my contacts at 3:40am? |
Re: Security on N900
No UAC?!?
C'mon... Nothing like "The phone wants your permission to get HangLoose's call. To continue type the administrator password." Tsk, maaan... half the fun is OVER. |
Re: Security on N900
Quote:
|
Re: Security on N900
Quote:
|
Re: Security on N900
@ Ima
now run (as root) Code:
iptables -nL |
Re: Security on N900
Quote:
if you start disabling services, installing firewall s/f and hardening -- you have to configure them properly (they have no intelligence of their own and they are usually completely unaware of changes done to the network after they are configured - so you have to remember to maintain them) and you should not expect that you device will work flawlessly 100% of the time. you will probably run into connectivity issues and will have to micro-manage it a bit. but once again, ask yourself, what is your goal? to make sure you don't show up on scans or to have a device that does what you expect it to. in a previous life, i used to be a network IT guy. the general rule of thumb is -- if you start to lie to the network (proxy, NAT, port blocking, filtering, e.t.c.) the network will start to kick you in the ***. regarding security on an internet tablet. common sense dictates that you probably dont want to do your online baking and leave important information such as banking, credit card, mortgate on it. it's small and easily stealable. it usues wifi which is easily snoopable and easily trickable. |
Re: Security on N900
Quote:
using ssh doesn't mean you have port 22 open, using sshd does. Quote:
Quote:
Any website processing those kinds of details needs at least 128 bit encryption, and you shouldn't store credit card information anywhere, except in your head and on your credit card. And if your overly paranoid like me, use vpn and ssl on public connections ;-) |
Re: Security on N900
Quote:
|
Re: Security on N900
is iptables installed by default? mine doesn't have it.
|
Re: Security on N900
It's not installed and the kernel doesn't have the required hooks enabled either.
|
Re: Security on N900
Quote:
|
Re: Security on N900
Quote:
|
Re: Security on N900
Quote:
Code:
~/MyDocs/Scripts $ lsof -i |
Re: Security on N900
Quote:
|
All times are GMT. The time now is 02:14. |
vBulletin® Version 3.8.8