5

OpenSSH password vulnerability on cellular connection? [answered]

asked 2015-07-22 23:06:13 +0300

Camil B

In this Ars Technica article, a vulnerability of OpenSSH is described, which would enable a brute-force attack against a password login. I would like to know how vulnerable my Jolla phone was through this bug. Here is the context:

Long ago, I enabled the option "Remote connection - Allow signing in via SSH" on the phone, and left it on (I did some development on it). I already use a key pair to connect from my laptop, and I never connected the phone on a WLAN except mine, so I think I should be okay. But would it be theoretically possible to exploit this OpenSSH vulnerability through the data connection, which was very often enabled? Does the firewall in Sailfish even allow access to SSH through anything else except USB and WLAN? I'm thinking of random bots around the world, which might attempt to detect exposed SSH connections on the Internet (having SSH exposed isn't good practice at all).


The question has been closed for the following reason "the question is answered, an answer was accepted" by drummer12
close date 2015-07-24 18:16:02.738874

3 Answers

13

answered 2015-07-23 10:39:57 +0300

Philippe De Swert

There is indeed a problem with OpenSSH, but due to bad press reporting (it seems most journalists don't even check what they write or even remotely understand what they are talking about) it is not made clear that it is not as bad as it seems. Namely, the KbdInteractiveAuthentication option has to be turned on, which is not that often the case, and is not the case on Jolla. So the device is not vulnerable to the attack.


Comments

10

And I will patch the vulnerability next week when I get off my vacation. :)

tigeli ( 2015-07-23 22:52:48 +0300 )edit
1

@tigeli patched?

simo ( 2015-08-08 12:41:44 +0300 )edit
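
Whether the condition named in the answer above holds on a given device can be read from the effective sshd settings. The following is an added example, not part of the thread or of Jolla's software: a POSIX shell function (`audit_sshd_config`, a name chosen here) that reads `sshd -T`-style output and reports whether keyboard-interactive or password login is enabled and whether sshd listens on all addresses. Both sample configurations are constructed for illustration and are not taken from a real phone.

```shell
#!/bin/sh
# Added example. On a real device, as root: sshd -T | audit_sshd_config
# Prints one summary line; exit status 1 if a guessable login method is on.
audit_sshd_config() {
    awk '
        # sshd -T prints one "keyword value" pair per line, in lowercase.
        { key = tolower($1); val = tolower($2) }
        # Older releases print both keywords; either one set to yes
        # turns on keyboard-interactive login.
        key == "kbdinteractiveauthentication" || key == "challengeresponseauthentication" {
            if (val == "yes") kbd = "yes"; else if (kbd == "") kbd = "no"
        }
        key == "passwordauthentication" { pw = val }
        # A wildcard listen address means every interface, cellular included.
        key == "listenaddress" {
            if (wild == "") wild = "no"
            if ($2 ~ /^(0\.0\.0\.0|\[::\])(:|$)/) wild = "yes"
        }
        END {
            if (kbd == "")  kbd = "unknown"
            if (pw == "")   pw = "unknown"
            if (wild == "") wild = "unknown"
            printf "keyboard-interactive=%s password=%s wildcard-listen=%s\n", kbd, pw, wild
            bad = (kbd == "yes" || pw == "yes")
            exit bad
        }
    '
}

# Constructed sample: key-only login, listening on all addresses.
sample_keys_only() { cat <<'EOF'
port 22
listenaddress 0.0.0.0:22
listenaddress [::]:22
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
challengeresponseauthentication no
EOF
}

# Constructed sample: both guessable methods on, bound to one address.
sample_password_exposed() { cat <<'EOF'
listenaddress 192.168.2.15:22
passwordauthentication yes
challengeresponseauthentication yes
EOF
}

sample_keys_only | audit_sshd_config
sample_password_exposed | audit_sshd_config || echo "-> password guessing is possible"
```
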
3

answered 2015-07-24 14:16:14 +0300

If you still want the extra security, there is SSH Access confirmation which is available through the Warehouse app. For every incoming ssh connection it will give a popup on the phone screen asking whether to allow it. And you can whitelist your WLAN/USB IP addresses for convenience.

1

answered 2015-07-22 23:33:53 +0300

Mario

Well, usually your cellular provider would block incoming connections from the Internet. However, this actually depends on your provider (though I've never seen a provider that doesn't block incoming connections).


Comments

Isn't that because you'll be on NAT on most providers? If so, I'd guess that using IPv6 you're wide open.

Fuzzillogic ( 2015-07-22 23:53:48 +0300 )edit

Some cellular providers use a 1:1 NAT that maps exactly one internal address to one external address, so the NAT will not restrict the access automatically. In any case (IPv4 and IPv6) a firewall can be used by the provider.

Mario ( 2015-07-23 11:10:09 +0300 )edit
3

I was surprised and shocked to find out that mobile connections aren't on NAT with some providers. And I was able to ssh from a friend's Jolla via mobile network into my Jolla. Also, one day, when my Jolla became hot in the pocket all of a sudden, I checked the phone to find that someone was driving brute-force attacks on the ssh port. Since then I have ssh access disabled on my phone.

The two operators where I had this shocking experience were Sonera (Finland) and T-Mobile (Germany).

pycage ( 2015-07-24 18:36:26 +0300 )edit
2

NAT is not and has never been a security feature. Close the SSH port or use a firewall instead. NAT destroys end-to-end communication, which is essential in an IP network. I'm so happy we get rid of it in IPv6.

johanh ( 2015-07-24 21:11:49 +0300 )edit
1

@pycage Thanks for that information, very valuable! That should IMO be an answer!

I'm going to disable SSH now first, and then check if I can allow SSH access only from certain interfaces, which, if I remember correctly, is possible. Thankfully, both of my Jolla phones' carriers' mobile broadband options have been configured to have NAT enabled.

@johanh In my experience, NAT is not a bad feature; it can be very useful actually. It immediately turns into a nuisance if it is forced, and thrice more so if it can't be configured. I don't know its history, but it sure acts as one more layer of security. Of course, NAT can only be as secure as the least secure thing inside it.

Direc ( 2015-07-25 12:34:15 +0300 )edit


Stats

Asked: 2015-07-22 23:06:13 +0300

Seen: 554 times

Last updated: Jul 24 '15