UPC router reverse engineering - case study

1. UPC router reverse engineering Messing around the firmware & digging for WPA2 password generator Dušan Klinec, Miroslav Svítok deadcode.me

2. The beginning of the story

3. The beginning of the story 31.12.2015 https://haxx.in/upc_keys.c

4. The weakness • Default SSID & Passwd computation from public information Serial ID SAAP12345678 SSID PASSWD Derivation: MD5 + some home-brew mangling

5. The attack • Bruteforce, complexity = 1e8 iterations • For all serial ID combinations • Compute SSID, if matches, print passwd Serial ID SAAP12345678 SSID PASSWD

6. The attack • 20 password candidates on average • Under 2 seconds on Samsung Galaxy S7 Serial ID SAAP12345678 SSID PASSWD

7. Technicolor TC 7200 48.53 % of all UPC[0-9]{7} networks in Brno 02/2016 Vulnerable modem * 2868 UPC samples collected / 17516 total

8. UBEE EVW 3226 15.44 % of all UPC[0-9]{7} networks in Brno 02/2016 Not-yet-vulnerable modem * 2868 UPC samples collected / 17516 total

9. Attack outline • Get the firmware • Analyze binaries generating wifi config files • Reverse engineer password generating routine

10. Getting the firmware – UART

11. Getting the firmware - UART • Some soldering needed • USB-UART bridge (2 USD on eBay)

12. Getting the firmware - UART • Collect information – e.g., memory layout, kernel, compression, encryption, … • Modify boot arguments, dump flash • Default credentials / no-auth access to CLI

13. Getting the firmware – UART

14. Getting the firmware – EEPROM read

15. Getting the firmware – old school way

16. Getting the firmware – old school way • USB-SPI bridge (BusPirate / other) • Dump flash memory • Use binwalk to analyze the dump • Decompress (squashfs, lzma) the FS, kernel

17. Getting the firmware – old school way

18. Getting the firmware – without getting hands dirty

19. Getting the firmware #2 • Attacking the software / APIs • Command injection / code execution • Unsanitized input data in administration interface • Ping command, traceroute command https://firefart.at/post/upc_ubee_fail/

20. Getting the firmware #2 • Via system vulnerability using USB port • .auto file is executed if USB is named “EVW3226” https://firefart.at/post/upc_ubee_fail/

21. Getting the firmware #2 • Rewrite /etc/passwd with a new admin password • Start SSH server on the router • Enjoy the root access

22. Getting the firmware • DD all block devices to the USB flash drive • Tar the whole FS to the USB flash drive

23. Searching the firmware # cli IMAGE_NAME=vgwsdk-3.5.0.24-150324.img FSSTAMP=20150324141918 VERSION=EVW3226_1.0.20

24. Searching the firmware # ps –a 5681 admin 1924 S hostapd -B /tmp/secath0

25. Searching the firmware # cat /tmp/secath0 interface=ath0 bridge=rndbr1 dump_file=/tmp/hostapd.dump ctrl_interface=/var/run/hostapd ssid=UPC2659797 wpa=3 wpa_passphrase=IVGDQAMI wpa_key_mgmt=WPA-PSK

26. Searching the firmware # find . -type f -exec grep -il 'secath0' {} ; ./fss/gw/lib/libUtility.so ./fss/gw/usr/sbin/aimDaemon ./fss/gw/usr/www/cgi-bin/setup.cgi ./var/tmp/conf_filename ./var/tmp/www/cgi-bin/setup.cgi

27. Searching the firmware

31. That’s not all…

32. Profanities • Profanity found? Switch to non-insulting alphabet • BBCDFFGHJJKLMNPQRSTVVWXYZZ

33. Non-optimal • Contains a lot of duplicate entries, varying case • toupper() on runtime – database case mixed • Some entries cannot be generated at all, e.g. PROSTITUTE (10 characters, password has 8)

34. Non-optimal • Substring search test • More efficient to remove substrings from database • “COCK”, “COCKS”, “COCKY”, “ACOCK” • (Only the first one is needed, the rest is redundant)

35. Profanity search • All UBEE MACs generated • 224 = 16777216 passwords • 32105 (0.19%) hit the profanity detection • Cca in 1000 customers, almost 2 could complain

36. Profanity stats # of characters Occurrences 3 23090 4 6014 5 3001

37. Profanity stats

38. Statistic properties of the password function

39. Uniformity tests

40. Uniformity tests • H0: the distribution of characters from the alphabet is uniform over characters. • Halt: The distribution is not uniform.

41. Uniformity tests Uniform distribution on characters A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 1 pos 2 pos 3 pos 4 pos 5 pos 6 pos 7 pos 8 pos total

42. Uniformity tests Output alphabet projection distribution A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 1 pos 2 pos 3 pos 4 pos 5 pos 6 pos 7 pos 8 pos total

43. Uniformity tests Do not strip the entropy A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 1 pos 2 pos 3 pos 4 pos 5 pos 6 pos 7 pos 8 pos total

44. Uniformity tests Do only one hashing – no homebrew mangling A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 1 pos 2 pos 3 pos 4 pos 5 pos 6 pos 7 pos 8 pos total

45. Password gen conclusion • Uses only MAC as an input • Only one password guess • Very effective – 2 MD5 hashes • Compared to Blasty (router serial ID space brute-forcing)

46. More vulnerabilities

47. UBEE vulnerabilities • UPC Wi-Free can be sniffed • After gaining root access, Wi-Free can be sniffed / tampered with • Authentication bypass (backdoor) • http://192.168.0.1/cgi-bin/setup.cgi?factoryBypass=1

48. UBEE vulnerabilities • Insecure session management • no-cookies, IP address authenticated • Local file inclusion http://192.168.0.1/cgi-bin/setup.cgi?gonext=../www/main2 • Buffer overflow in configuration file request http://192.168.0.1/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa • Backup file disclosure – not deleted, publicly available http://192.168.0.1/Configuration_file.cfg

49. UBEE vulnerabilities • Backup file is not encrypted • Web asks for password for backup encryption • Backup is not actually encrypted, password is stored in plaintext • Backup restore buffer overflow • Password longer than 65536 characters • Arbitrary code execution • Backup file = tar, can contain symbolic links • After extraction can overwrite CGI scripts

50. War driving #1 – Brno 02/2016

51. Total networks 17 516 UPC networks 2 868 16.37 % UPC vulnerable 1 835 63.98 % UPC UPC UBEE vulnerable 443 15.45 % UPC UPC Technicolor vulnerable 1 392 48.54 % UPC UBEE changed 98 18.11 % UBEE Technicolor changed 304 17.92 % Tech.

52. War driving #2 – Bratislava 10/2016

53. Total networks 22 172 UPC networks 3 092 13.95 % UPC vulnerable 1 327 42.92 % UPC UPC UBEE vulnerable 822 26.58 % UPC UPC Technicolor vulnerable 505 16.33 % UPC UBEE changed 205 19.96 % UBEE Technicolor changed 96 03.10 % Tech. Compal CH7465LG 930 30.08 % UPC

54. New target • Security Swiss cheese • 35 vulnerabilities found by independent security team • Default WPA2 seems to be properly implemented - allegedly

55. Recap • Firmware dumped • WPA2 pwd gen reverse engineered • Function statistical analysis • Wardriving • Android app for automated testing

56. Timeline • 27. Jan 2016: Start of the analysis. • 04. Feb 2016: Official disclosure to Liberty Global. • 04. May 2016: Check with Liberty Global on state of the fix. • 28. Jun 2016: Sending this article for review to Liberty Global. • 04. Jul 2016: Publication of the research.

57. Thank you for your attention! Questions

58. References / resources • https://deadcode.me/blog/2016/07/01/UPC-UBEE-EVW3226-WPA2- Reversing.html • https://www.freeture.ch/?p=766 • http://jcjc-dev.com/2016/06/08/reversing-huawei-4-dumping-flash/ • https://haxx.in/upc-wifi/ • https://firefart.at/post/upc_ubee_fail/ • http://www.wifileaks.cz/ • http://www.search-lab.hu/advisories/122-ubee-evw3226-modem-router- multiple-vulnerabilities • http://www.search-lab.hu/advisories/secadv-20150720 • http://www.search- lab.hu/media/Compal_CH7465LG_Evaluation_Report_1.1.pdf • https://github.com/devttys0/binwalk