1. UPC router reverse
engineering
Messing around the firmware & digging for WPA2 password generator
Dušan Klinec, Miroslav Svítok
deadcode.me

2. The beginning of the story

3. The beginning of the story
31.12.2015
https://haxx.in/upc_keys.c

4. The weakness
• Default SSID & Passwd computation from public
information
Serial ID
SAAP12345678
SSID
PASSWD
Derivation: MD5 + some home-brew mangling

5. The attack
• Bruteforce, complexity = 1e8 iterations
• For all serial ID combinations
• Compute SSID, if matches, print passwd
Serial ID
SAAP12345678
SSID
PASSWD

6. The attack
• 20 password candidates on average
• Under 2 seconds on Samsung Galaxy S7
Serial ID
SAAP12345678
SSID
PASSWD

9. Technicolor TC 7200
48.53 % of all UPC[0-9]{7} networks in Brno 02/2016
Vulnerable modem
* 2868 UPC samples collected / 17516 total

10. UBEE EVW 3226
15.44 % of all UPC[0-9]{7} networks in Brno 02/2016
Not-yet-vulnerable modem
* 2868 UPC samples collected / 17516 total

11. Attack outline
• Get the firmware
• Analyze binaries generating wifi config files
• Reverse engineer password generating routine

12. Getting the
firmware – UART

13. Getting the firmware - UART
• Some soldering needed
• USB-UART bridge (2 USD on eBay)

14. Getting the firmware - UART
• Collect information – e.g., memory layout, kernel,
compression, encryption, …
• Modify boot arguments, dump flash
• Default credentials / no-auth access to CLI

15. Getting the
firmware – UART

16. Getting the firmware – EEPROM read

17. Getting the firmware – old school way

18. Getting the firmware – old school way
• USB-SPI bridge (BusPirate / other)
• Dump flash memory
• Use binwalk to analyze the dump
• Decompress (squashfs, lzma) the FS, kernel

19. Getting the firmware – old school way

20. Getting the firmware –
without getting hands
dirty

21. Getting the firmware #2
• Attacking the software / APIs
• Command injection / code execution
• Unsanitized input data in administration interface
• Ping command, traceroute command
https://firefart.at/post/upc_ubee_fail/

22. Getting the firmware #2
• Via system vulnerability using USB port
• .auto file is executed if USB is named “EVW3226”
https://firefart.at/post/upc_ubee_fail/

23. Getting the firmware #2
• Rewrite /etc/passwd with a new admin password
• Start SSH server on the router
• Enjoy the root access

24. Getting the firmware
• DD all block devices to the USB flash drive
• Tar the whole FS to the USB flash drive

25. Searching the firmware
# cli
IMAGE_NAME=vgwsdk-3.5.0.24-150324.img
FSSTAMP=20150324141918
VERSION=EVW3226_1.0.20

26. Searching the firmware
# ps –a
5681 admin 1924 S hostapd -B /tmp/secath0

27. Searching the firmware
# cat /tmp/secath0
interface=ath0
bridge=rndbr1
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ssid=UPC2659797
wpa=3
wpa_passphrase=IVGDQAMI
wpa_key_mgmt=WPA-PSK

28. Searching the firmware
# find . -type f -exec grep -il 'secath0' {} ;
./fss/gw/lib/libUtility.so
./fss/gw/usr/sbin/aimDaemon
./fss/gw/usr/www/cgi-bin/setup.cgi
./var/tmp/conf_filename
./var/tmp/www/cgi-bin/setup.cgi

29. Searching the firmware

30. Searching the firmware

31. Searching the firmware

32. Searching the firmware

35. That’s not all…

39. Profanities
• Profanity found? Switch to non-insulting alphabet
• BBCDFFGHJJKLMNPQRSTVVWXYZZ

40. Non-optimal
• Contains a lot of duplicate entries, varying case
• toupper() on runtime – database case mixed
• Some entries cannot be generated at all, e.g.
PROSTITUTE (10 characters, password has 8)

41. Non-optimal
• Substring search test
• More efficient to remove substrings from database
• “COCK”, “COCKS”, “COCKY”, “ACOCK”
• (Only the first one is needed, the rest is redundant)

42. Profanity search
• All UBEE MACs generated
• 224 = 16777216 passwords
• 32105 (0.19%) hit the profanity detection
• Cca in 1000 customers, almost 2 could
complain

43. Profanity stats
# of characters Occurrences
3 23090
4 6014
5 3001

44. Profanity stats

45. Statistic properties of the password function

50. Uniformity tests

52. Uniformity tests
• H0: the distribution of characters from the alphabet
is uniform over characters.
• Halt: The distribution is not uniform.

53. Uniformity tests
Uniform distribution on characters
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
1 pos
2 pos
3 pos
4 pos
5 pos
6 pos
7 pos
8 pos
total

54. Uniformity tests
Output alphabet projection distribution
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
1 pos
2 pos
3 pos
4 pos
5 pos
6 pos
7 pos
8 pos
total

55. Uniformity tests
Do not strip the entropy
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
1 pos
2 pos
3 pos
4 pos
5 pos
6 pos
7 pos
8 pos
total

56. Uniformity tests
Do only one hashing – no homebrew mangling
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
1 pos
2 pos
3 pos
4 pos
5 pos
6 pos
7 pos
8 pos
total

57. Password gen conclusion
• Uses only MAC as an input
• Only one password guess
• Very effective – 2 MD5 hashes
• Compared to Blasty (router serial ID space
brute-forcing)

59. More vulnerabilities

60. UBEE vulnerabilities
• UPC Wi-Free can be sniffed
• After gaining root access, Wi-Free can be sniffed / tampered with
• Authentication bypass (backdoor)
• http://192.168.0.1/cgi-bin/setup.cgi?factoryBypass=1

61. UBEE vulnerabilities
• Insecure session management
• no-cookies, IP address authenticated
• Local file inclusion
http://192.168.0.1/cgi-bin/setup.cgi?gonext=../www/main2
• Buffer overflow in configuration file request
http://192.168.0.1/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
• Backup file disclosure – not deleted, publicly available
http://192.168.0.1/Configuration_file.cfg

62. UBEE vulnerabilities
• Backup file is not encrypted
• Web asks for password for backup encryption
• Backup is not actually encrypted, password is stored in plaintext
• Backup restore buffer overflow
• Password longer than 65536 characters
• Arbitrary code execution
• Backup file = tar, can contain symbolic links
• After extraction can overwrite CGI scripts

63. War driving #1 – Brno
02/2016

66. Total networks 17 516
UPC networks 2 868 16.37 %
UPC vulnerable 1 835 63.98 % UPC
UPC UBEE vulnerable 443 15.45 % UPC
UPC Technicolor vulnerable 1 392 48.54 % UPC
UBEE changed 98 18.11 % UBEE
Technicolor changed 304 17.92 % Tech.

67. War driving #2 – Bratislava
10/2016

69. Total networks 22 172
UPC networks 3 092 13.95 %
UPC vulnerable 1 327 42.92 % UPC
UPC UBEE vulnerable 822 26.58 % UPC
UPC Technicolor vulnerable 505 16.33 % UPC
UBEE changed 205 19.96 % UBEE
Technicolor changed 96 03.10 % Tech.
Compal CH7465LG 930 30.08 % UPC

70. New target
• Security Swiss cheese
• 35 vulnerabilities found by
independent security team
• Default WPA2 seems to be
properly implemented -
allegedly

71. Recap
• Firmware dumped
• WPA2 pwd gen reverse engineered
• Function statistical analysis
• Wardriving
• Android app for automated testing

72. Timeline
• 27. Jan 2016: Start of the analysis.
• 04. Feb 2016: Official disclosure to Liberty Global.
• 04. May 2016: Check with Liberty Global on state of
the fix.
• 28. Jun 2016: Sending this article for review to
Liberty Global.
• 04. Jul 2016: Publication of the research.

73. Thank you for your attention!
Questions

74. References / resources
• https://deadcode.me/blog/2016/07/01/UPC-UBEE-EVW3226-WPA2-
Reversing.html
• https://www.freeture.ch/?p=766
• http://jcjc-dev.com/2016/06/08/reversing-huawei-4-dumping-flash/
• https://haxx.in/upc-wifi/
• https://firefart.at/post/upc_ubee_fail/
• http://www.wifileaks.cz/
• http://www.search-lab.hu/advisories/122-ubee-evw3226-modem-router-
multiple-vulnerabilities
• http://www.search-lab.hu/advisories/secadv-20150720
• http://www.search-
lab.hu/media/Compal_CH7465LG_Evaluation_Report_1.1.pdf
• https://github.com/devttys0/binwalk