My concern is that the N900 is designed to be always connected and it is a Linux system with all the standard security issues. It probably comes with a default root password with lots of open ports. Are users directed to change the root password? Or do users have to know that to do to protect their device?

Anyone reading this is not a typical user. The typical user takes the 'phone' out of the box, puts the SIM in, powers up, and uses it. Security hygiene is not on their radar.

Since this device is different from the previous tablets from Nokia does anyone know what is provided to protect users from the nasties of the world?

My concern is that the N900 is designed to be always connected and it is a Linux system with all the standard security issues. It probably comes with a default root password with lots of open ports. Are users directed to change the root password? Or do users have to know that to do to protect their device?


In previous Maemo version root account has been disabled by default (like in Ubuntu), so you can't log in as root without enabling it.

In previous Maemo version root account has been disabled by default (like in Ubuntu), so you can't log in as root without enabling it.

And what privileges does it take to enable root?

There isn't any standard way in UI. But since all applications are installed as root, you'll Install an application and installation scripts enables sudo or something else.

There isn't any standard way in UI. But since all applications are installed as root, you'll Install an application and installation scripts enables sudo or something else.

And what prevents a malicious installation? [I know you have to get into the device first, what prevents that?]

And what prevents a malicious installation? [I know you have to get into the device first, what prevents that?]

QA on the Extras repository (starting in Fremantle), and the trust that a user puts in the application author and the community.

What stops you installing a malicious application in Ubuntu? Or in Windows?

It probably comes with a default root password with lots of open ports.

Maemo is not a quick paint job. It does not come with any open ports by default (note that this is not really a hard job any longer; you'll have to recheck your assumptions about "Linux systems with all the standard security issues", since Ubuntu does not come with a default root password nor open ports by default).

Of course, preventing the user himself to do something with the device is against what Maemo is, so hopefully we're not going to see any of that ugly "nanny operating system" stuff.

Maemo is not a quick paint job. It does not come with any open ports by default (note that this is not really a hard job any longer; you'll have to recheck your assumptions about "Linux systems with all the standard security issues", since Ubuntu does not come with a default root password nor open ports by default).

Of course, preventing the user himself to do something with the device is against what Maemo is, so hopefully we're not going to see any of that ugly "nanny operating system" stuff.

What do you mean it has no open ports by default? Its used for communicating. Something has be be open.

I did not intend for a flame here but there are always security issues with any operating system. Telling me to believe without proof just raises my concerns. Maemo is not Ubuntu so using that as a proof point is, by itself, not sufficient. Any pointers that will make your point about the security of Maemo?

What do you mean it has no open ports by default? Its used for communicating. Something has be be open.

I did not intend for a flame here but there are always security issues with any operating system. Telling me to believe without proof just raises my concerns. Maemo is not Ubuntu so using that as a proof point is, by itself, not sufficient. Any pointers that will make your point about the security of Maemo?

an "open port" implies a listening daemon that accepts outside connections that are initiated from a remote node. The fact that a given default distro can "communicate" does not, by itself, imply that it has open ports as described above. For instance, I can initiate a ssh session to a remote server without having an SSH daemon process running on my own machine which is accepting connections. Consequently, any attempt to connect to an ssh server on my machine from a remote node would be fruitless as it doesn't exist. I hope that clears up the nomenclature issue.

If you want to see what's listening, you can either log on and run "netstat -an | grep LISTEN", or you can run an nmap port scan against it from an external machine (which is probably more useful in a practical sense as it reveals what's actually reachable through the network after various firewalls and the like have been passed instead of what theoretically is running according to the kernel).

What do you mean it has no open ports by default? Its used for communicating. Something has be be open.
I mean open ports as in "actively listening network services".

You made your initial post sound like if someone was going to take the phone out of the packaging and get rooted remotely in seconds. To do that, the phone would need to e.g. have by default a ssh server running with a default root password. There is no such server in the phone. Without such server, they could even ship "rootme" as the default root password. Nothing would happen; you would need to get at the phone's keyboard to enter it*.

Well, at least in the N810. Which you can buy and test everything we have said in this thread by yourself :)

*Of course, nobody said e.g. 0 exploits in the browser. As you said, no operating system is safe. But between 100% and suicidal there is a big difference. It's not like your average Symbian phone is 100% safe.

so here is the output of nmap to my n800 on a local network.

debsilver:/home/epilido# nmap -v -sS 192.168.1.115

Starting Nmap 4.68 ( http://nmap.org ) at 2009-09-07 18:04 EDT
Initiating ARP Ping Scan at 18:04
Scanning 192.168.1.115 [1 port]
Completed ARP Ping Scan at 18:04, 0.13s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:04
Completed Parallel DNS resolution of 1 host. at 18:04, 0.01s elapsed
Initiating SYN Stealth Scan at 18:04
Scanning Nokia-N8xxxxxxx (192.168.1.115) [1715 ports]
Discovered open port 22/tcp on 192.168.1.115
Completed SYN Stealth Scan at 18:05, 3.94s elapsed (1715 total ports)
Host Nokia-N8xxxxxxx (192.168.1.115) appears to be up ... good.
Interesting ports on Nokia-N8xxxxxxx (192.168.1.115):
Not shown: 1714 closed ports
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 00:19:4Fxxxxxxxx (Nokia Danmark A/S)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 4.526 seconds
Raw packets sent: 1727 (75.984KB) | Rcvd: 1719 (79.070KB)


I installed ssh. This is by no means an indepth test but i do not find a bunch of open ports.....

The n800 was up and surfing google at the time
Epi

My concern is that the N900 is designed to be always connected and it is a Linux system with all the standard security issues. It probably comes with a default root password with lots of open ports. Are users directed to change the root password? Or do users have to know that to do to protect their device?


Why on earth would an internet tablet (or a pure desktop machine for that matter) have any open ports or any services listening on such ports?!?!

first and foremost, only "server" packages open ports and listen. "client" apps make outbound connections. if you install a server package, and start it, it will listen on the port that package is configured to listen on.

simply because a port is open and an agent is listening does not mean the device is insecure. your alarmist stance is not necessary. not every service is vulnerable to the myriad of issues that other OSes face.

moreover, i believe the iptables firewall is installed, and unless iptables is configured to allow a connection to the server that is listening on any given port, the connection will be rejected/denied based on the iptables policy.

remember, security is based on making the effort/risk cost more than the reward.

IMO, it is easier to "hack" the Palm Pre or the old iPhone (both had/have browser or email exploits) than the internet tablets. Yeah, if you go and stop iptables and change the root password to rootme or something, it might get hacked, but out of the box it is pretty locked down from the outside. If you have physical access to the machine, at least with the n810, its very simple to get root access.

Again, why iptables (iptables is much more than a firewall, but i'll treat it like one for the sake of this thread)?

There are no open ports!

This would be like trying to put a rock inside a safe (poor analogy :D).

And, if I remember correctly, iptables is installed but not configured by default.

debsilver:/home/epilido# nmap -v -sS 192.168.1.115


This only scans a subset of TCP ports, for a more complete scan you should add "-p1-65535", and repeat for UDP ("-sU"). Alternatively you can use netstat on the device, if you trust that it hasn't already been compromised and a rootkit installed ;-)

On mine it currently says:
Nokia-N810-43-7:~# netstat -tln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:39500 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
Nokia-N810-43-7:~# netstat -uln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 127.0.0.1:53 0.0.0.0:*
udp 0 0 0.0.0.0:39400 0.0.0.0:*
udp 0 0 0.0.0.0:7275 0.0.0.0:*
udp 0 0 0.0.0.0:1900 0.0.0.0:*



53/UDP & 53/TCP are dnsmasq and nothing to worry about since it only listens on loopback.
22/TCP is openssh which of course isn't present in the default install.
1900/UDP is the UPnP Simple Service Discovery Protocol (SSDP).
7275/UDP is opened by /usr/sbin/supllistenerd.
39500/TCP is an XMPP account.
39400/UDP is a SIP account.


From the above list, the scariest one is 7275, since supllistenerd runs as root and it's a closed source component so can't be audited independently. Note that it's not in the default Diablo installation either though (comes from agps-ui).

There's two questions here:

One is what might be called the "default security level"; for the average consumer, there'll be no root access, no open ports etc. (as far as I know).

The other thing is security on a broader, conceptual level given that this device is also a phone. I can have root access. I can have all sorts of services running and open all ports. I can install software from sources the community here doesn't even know about.
While all of this is my responsibility (and therefore my problem) as far as my own device is concerned, it may cause troubles once some malware interacts with the cellular part.

So: Is there any special security built around the cellular part of the device? Or would it be accessible like anything else and could I, say, run a cron job that calls all of my contacts at 3:40am?

No UAC?!?
C'mon... Nothing like "The phone wants your permission to get HangLoose's call. To continue type the administrator password."

Tsk, maaan... half the fun is OVER.

No UAC?!?
C'mon... Nothing like "The phone wants your permission to get HangLoose's call. To continue type the administrator password."

Tsk, maaan... half the fun is OVER.

Heh, "Windows has detected a left mouse click, click OK to continue." :D

Heh, "Windows has detected a left mouse click, click OK to continue." :D

It would be funny if it would not be so sad :P

@ Ima

now run (as root)


iptables -nL


and see what iptables is allowing

Why on earth would an internet tablet (or a pure desktop machine for that matter) have any open ports or any services listening on such ports?!?!

the product is called an 'internet tablet'. so by that name, one assumes one will use this device to connect to other devices and browse the 'internet'. if you are using ssh, nfs, cifs, samba, bluetooth, e.t..c -- you will have ports open. if you don't use them -- turn them off. (check the linux, ubuntu, debian, and other UNIX sites of how you disable services and tweak inetd -- it's pretty straight forward)

if you start disabling services, installing firewall s/f and hardening -- you have to configure them properly (they have no intelligence of their own and they are usually completely unaware of changes done to the network after they are configured - so you have to remember to maintain them) and you should not expect that you device will work flawlessly 100% of the time. you will probably run into connectivity issues and will have to micro-manage it a bit.

but once again, ask yourself, what is your goal? to make sure you don't show up on scans or to have a device that does what you expect it to.

in a previous life, i used to be a network IT guy. the general rule of thumb is -- if you start to lie to the network (proxy, NAT, port blocking, filtering, e.t.c.) the network will start to kick you in the ***.

regarding security on an internet tablet. common sense dictates that you probably dont want to do your online baking and leave important information such as banking, credit card, mortgate on it. it's small and easily stealable. it usues wifi which is easily snoopable and easily trickable.

the product is called an 'internet tablet'. so by that name, one assumes one will use this device to connect to other devices and browse the 'internet'. if you are using ssh, nfs, cifs, samba, bluetooth, e.t..c -- you will have ports open. if you don't use them -- turn them off. (check the linux, ubuntu, debian, and other UNIX sites of how you disable services and tweak inetd -- it's pretty straight forward)

This depends if you are using it as a client or a server....
using ssh doesn't mean you have port 22 open, using sshd does.

if you start disabling services, installing firewall s/f and hardening -- you have to configure them properly (they have no intelligence of their own and they are usually completely unaware of changes done to the network after they are configured - so you have to remember to maintain them) and you should not expect that you device will work flawlessly 100% of the time. you will probably run into connectivity issues and will have to micro-manage it a bit.

but once again, ask yourself, what is your goal? to make sure you don't show up on scans or to have a device that does what you expect it to.

in a previous life, i used to be a network IT guy. the general rule of thumb is -- if you start to lie to the network (proxy, NAT, port blocking, filtering, e.t.c.) the network will start to kick you in the ***.

ummm

regarding security on an internet tablet. common sense dictates that you probably dont want to do your online baking and leave important information such as banking, credit card, mortgate on it. it's small and easily stealable. it usues wifi which is easily snoopable and easily trickable.

mmm? why would you leave details such as that on any computer?

Any website processing those kinds of details needs at least 128 bit encryption, and you shouldn't store credit card information anywhere, except in your head and on your credit card.

And if your overly paranoid like me, use vpn and ssl on public connections ;-)

and see what iptables is allowing

Everything, iptables may be installed by default but it's not being used.

is iptables installed by default? mine doesn't have it.

It's not installed and the kernel doesn't have the required hooks enabled either.

Alternatively you can use netstat on the device, if you trust that it hasn't already been compromised and a rootkit installed ;-)

On mine it currently says:
...
From the above list, the scariest one is 7275, since supllistenerd runs as root and it's a closed source component so can't be audited independently. Note that it's not in the default Diablo installation either though (comes from agps-ui).How do you find out which process is listening on a port? The fuser command seems broken (c.f. http://talk.maemo.org/showthread.php?t=43912) and the netstat command does not support the -p option in Maemo X Terminal.

How do you find out which process is listening on a port?

Try lsof -i

Try lsof -ithanks for the hint. but I am not sure if the output of lsof -i is complete. this is what I get:
~/MyDocs/Scripts $ lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
browser 1405 user 14u IPv4 7251 UDP *:60211
~/MyDocs/Scripts $ netstat -tulne
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:28782 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
netstat: no kernel support for AF INET6 (tcp)
udp 0 0 0.0.0.0:2948 0.0.0.0:*
udp 0 0 0.0.0.0:60211 0.0.0.0:*
udp 0 0 127.0.0.1:53 0.0.0.0:*
udp 0 0 127.0.0.1:3001 0.0.0.0:*
udp 0 0 127.0.0.1:3002 0.0.0.0:*
netstat: no kernel support for AF INET6 (udp)
what about the udp port 2948?

thanks for the hint. but I am not sure if the output of lsof -i is complete. this is what I get:
~/MyDocs/Scripts $ lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
browser 1405 user 14u IPv4 7251 UDP *:60211
~/MyDocs/Scripts $ netstat -tulne
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:28782 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
netstat: no kernel support for AF INET6 (tcp)
udp 0 0 0.0.0.0:2948 0.0.0.0:*
udp 0 0 0.0.0.0:60211 0.0.0.0:*
udp 0 0 127.0.0.1:53 0.0.0.0:*
udp 0 0 127.0.0.1:3001 0.0.0.0:*
udp 0 0 127.0.0.1:3002 0.0.0.0:*
netstat: no kernel support for AF INET6 (udp)
what about the udp port 2948?

You could always nmap your phone. It's actually not a bad idea to do this from another machine to all the machines in your house (including phones, TVs, consoles, appliances, etc). BTW, I tried installing the Debian Bastille hardening (http://www.bastille-unix.org) package (which sets up the firewall), and got about as far as it asking for libcurses-perl, and got lazy and stopped. It might break a lot of things, but it might also be nice to have a more secure phone. Sure, it might break the UPnP (http://en.wikipedia.org/wiki/Universal_Plug_and_Play) stuff that works pretty nicely out of the box in the Media Player, but that's something I don't think I'd miss too much.