UPC router reverse engineering - case study
Messing around the firmware & digging for WPA2 password generator
Dušan Klinec, Miroslav Svítok
deadcode.me
The beginning of the story
• 31.12.2015
• https://haxx.in/upc_keys.c
The weakness
• Default SSID & Passwd computation from public information
• [Diagram: Serial ID SAAP12345678 → SSID, PASSWD]
• Derivation: MD5 + some home-brew mangling
The attack
• Bruteforce, complexity = 1e8 iterations
• For all serial ID combinations
• Compute SSID, if matches, print passwd
• 20 password candidates on average
• Under 2 seconds on Samsung Galaxy S7
• [Diagram: Serial ID SAAP12345678 → SSID, PASSWD]
Technicolor TC 7200 – vulnerable modem
• 48.53 % of all UPC[0-9]{7} networks in Brno 02/2016
UBEE EVW 3226 – not-yet-vulnerable modem
• 15.44 % of all UPC[0-9]{7} networks in Brno 02/2016
* 2868 UPC samples collected / 17516 total
Attack outline
• Get the firmware
• Analyze binaries generating wifi config files
• Reverse engineer password generating routine
Getting the firmware – UART
• Some soldering needed
• USB-UART bridge (2 USD on eBay)
• Collect information – e.g., memory layout, kernel, compression, encryption, …
• Modify boot arguments, dump flash
• Default credentials / no-auth access to CLI
Getting the firmware – EEPROM read
Getting the firmware – old school way
• USB-SPI bridge (BusPirate / other)
• Dump flash memory
• Use binwalk to analyze the dump
• Decompress (squashfs, lzma) the FS, kernel
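What binwalk does on a raw flash dump is, in its first step, a signature scan: walk the dump, find the magic bytes of embedded images, and for formats with a parseable header report enough to carve the image out. The following is an added example, not code from the slides or from the binwalk project, that performs that step in Python on a constructed dump containing an ELF header, a gzip header and a SquashFS 4 superblock. The names SIGNATURES, scan, describe_squashfs, carve and SAMPLE_DUMP are chosen for this example; the magic values and the SquashFS 4 superblock layout are the real ones from the format specifications, and the LZMA entry is the same heuristic binwalk uses (a 0x5d properties byte followed by dictionary-size bytes).

```python
import struct

# Magic values from the respective format specifications. The LZMA entry is a
# heuristic (properties byte 0x5d followed by the low bytes of a dictionary
# size), which is also how binwalk spots raw LZMA streams in firmware dumps.
SIGNATURES = [
    (b"hsqs", "SquashFS (little-endian)"),
    (b"sqsh", "SquashFS (big-endian)"),
    (b"\x1f\x8b\x08", "gzip compressed data"),
    (b"\x5d\x00\x00", "LZMA compressed data (heuristic)"),
    (b"\x7fELF", "ELF executable"),
    (b"\x27\x05\x19\x56", "U-Boot uImage header"),
]

# SquashFS 4 compression ids (from the kernel's squashfs_fs.h).
SQUASHFS_COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}

# First 48 bytes of the SquashFS 4 superblock: magic, inode count, mkfs time,
# block size, fragment count, compression id, block log, flags, id count,
# major, minor, root inode, bytes used.
SQUASHFS_SB = struct.Struct("<4sIIIIHHHHHHQQ")


def describe_squashfs(dump, offset):
    """Parse the little-endian SquashFS superblock at offset; None if truncated."""
    if offset + SQUASHFS_SB.size > len(dump):
        return None
    (_magic, inodes, _mtime, block_size, _frags, comp, _blog, _flags,
     _ids, major, minor, _root, bytes_used) = SQUASHFS_SB.unpack_from(dump, offset)
    return {
        "version": f"{major}.{minor}",
        "compression": SQUASHFS_COMPRESSORS.get(comp, f"unknown({comp})"),
        "block_size": block_size,
        "inodes": inodes,
        "bytes_used": bytes_used,  # image length: the range to carve out
    }


def scan(dump):
    """Return [(offset, name, detail)] for every signature hit, sorted by offset.
    False positives are left in on purpose: deciding which hits are real (for
    instance by checking the parsed header) is the analyst's job, as with binwalk."""
    hits = []
    for magic, name in SIGNATURES:
        off = dump.find(magic)
        while off != -1:
            detail = describe_squashfs(dump, off) if magic == b"hsqs" else None
            hits.append((off, name, detail))
            off = dump.find(magic, off + 1)
    return sorted(hits, key=lambda h: h[0])


def carve(dump, offset, length):
    """Slice out an embedded image once its length is known (here: SquashFS bytes_used)."""
    return dump[offset:offset + length]


# Constructed sample dump: zeros with an ELF header at 64, a gzip header at 128
# and a SquashFS 4.0 superblock (lzma, 128 KiB blocks, 4096 bytes used) at 256.
SAMPLE_DUMP = (
    bytes(64)
    + b"\x7fELF\x01\x01\x01" + bytes(9)          # 16-byte ELF identification
    + bytes(48)
    + b"\x1f\x8b\x08\x00" + bytes(12)            # gzip magic + method + flags
    + bytes(112)
    + SQUASHFS_SB.pack(b"hsqs", 100, 0, 131072, 3, 2, 17, 0, 1, 4, 0, 0, 4096)
    + bytes(4096 - SQUASHFS_SB.size)             # rest of the (empty) image
)

if __name__ == "__main__":
    for off, name, detail in scan(SAMPLE_DUMP):
        print(f"0x{off:08x}  {name}  {detail or ''}")
```

On a real dump the SquashFS hit is the one to carve (bytes_used gives the length) and hand to unsquashfs; the compression id tells you in advance whether plain unsquashfs will do or an LZMA-capable build is needed, which is the "decompress (squashfs, lzma)" step on the slide.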
Getting the firmware – without getting hands dirty
Getting the firmware #2
• Attacking the software / APIs
• Command injection / code execution
• Unsanitized input data in administration interface
• Ping command, traceroute command
• Via system vulnerability using USB port
• .auto file is executed if USB is named “EVW3226”
• https://firefart.at/post/upc_ubee_fail/
• Rewrite /etc/passwd with a new admin password
• Start SSH server on the router
• Enjoy the root access
• DD all block devices to the USB flash drive
• Tar the whole FS to the USB flash drive
Searching the firmware
# cli
IMAGE_NAME=vgwsdk-3.5.0.24-150324.img
FSSTAMP=20150324141918
VERSION=EVW3226_1.0.20

# ps -a
5681 admin 1924 S hostapd -B /tmp/secath0

# cat /tmp/secath0
interface=ath0
bridge=rndbr1
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ssid=UPC2659797
wpa=3
wpa_passphrase=IVGDQAMI
wpa_key_mgmt=WPA-PSK

# find . -type f -exec grep -il 'secath0' {} \;
./fss/gw/lib/libUtility.so
./fss/gw/usr/sbin/aimDaemon
./fss/gw/usr/www/cgi-bin/setup.cgi
./var/tmp/conf_filename
./var/tmp/www/cgi-bin/setup.cgi
That’s not all…
Profanities
• Profanity found? Switch to non-insulting alphabet
• BBCDFFGHJJKLMNPQRSTVVWXYZZ
Non-optimal
• Contains a lot of duplicate entries, varying case
• toupper() on runtime – database case mixed
• Some entries cannot be generated at all, e.g. PROSTITUTE (10 characters, password has 8)
• Substring search test
• More efficient to remove substrings from database
• “COCK”, “COCKS”, “COCKY”, “ACOCK”
• (Only the first one is needed, the rest is redundant)
Profanity search
• All UBEE MACs generated
• 2^24 = 16 777 216 passwords
• 32105 (0.19 %) hit the profanity detection
• Roughly 2 in every 1000 customers could complain
Profanity stats
# of characters   Occurrences
3                 23090
4                 6014
5                 3001
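The slides describe the filter's shape (substring test, fallback alphabet on a hit) and its word list's defects (mixed case fixed by toupper() at run time, duplicates, entries longer than the 8-character password, entries that merely contain a shorter entry). The following is an added example, not the UBEE code, which is only described above: it does the clean-up the slides recommend, applies the substring test and the fallback alphabet, and builds the length histogram from the "Profanity stats" slide, all on a constructed word list that has each of the defects named. normalise_wordlist, find_profanity, render_password and profanity_stats are names chosen here; that the fallback alphabet is indexed with the same 0..25 values as A-Z is an assumption drawn from its 26-symbol length, not something the slides state.

```python
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# Fallback alphabet from the slides: vowel-free and still 26 symbols long, so the
# same 0..25 indices can be re-mapped without recomputing the hash (assumption).
FALLBACK_ALPHABET = "BBCDFFGHJJKLMNPQRSTVVWXYZZ"
PWD_LEN = 8


def normalise_wordlist(words, max_len=PWD_LEN):
    """Build a minimal, upper-case profanity list.
    Drops case duplicates, entries longer than the password (they can never match)
    and entries that contain a shorter entry (the shorter one already catches them)."""
    upper = {w.strip().upper() for w in words if w.strip()}
    fits = {w for w in upper if len(w) <= max_len}
    minimal = [w for w in fits if not any(other != w and other in w for other in fits)]
    return sorted(minimal)


def find_profanity(password, wordlist):
    """Substring test as on the slides; returns the matched word or None."""
    pw = password.upper()
    for word in wordlist:
        if word in pw:
            return word
    return None


def render_password(indices, wordlist):
    """Hypothetical generator tail: map 8 indices in 0..25 onto A-Z, and if the
    result trips the filter, map the same indices onto the fallback alphabet."""
    if len(indices) != PWD_LEN or any(not 0 <= i < 26 for i in indices):
        raise ValueError("need exactly 8 indices in 0..25")
    candidate = "".join(ALPHABET[i] for i in indices)
    hit = find_profanity(candidate, wordlist)
    if hit is None:
        return candidate, None
    return "".join(FALLBACK_ALPHABET[i] for i in indices), hit


def profanity_stats(passwords, wordlist):
    """Histogram of matched-word lengths, the shape of the 'Profanity stats' slide."""
    hist = Counter()
    for pw in passwords:
        hit = find_profanity(pw, wordlist)
        if hit is not None:
            hist[len(hit)] += 1
    return dict(hist)


# Constructed word list with the defects the slides describe: mixed case,
# duplicates, substring-redundant entries and one that is too long to ever match.
RAW_WORDLIST = ["cock", "Cock", "COCKS", "cocky", "ACOCK", "PROSTITUTE", "damn", "Damn"]

if __name__ == "__main__":
    wl = normalise_wordlist(RAW_WORDLIST)
    print(wl)
    print(render_password([2, 14, 2, 10, 0, 1, 2, 3], wl))
    print(profanity_stats(["COCKABCD", "XDAMNXXX", "QWERTYUI"], wl))
```

The eight constructed entries collapse to two after normalisation, which is the point of the "only the first one is needed" bullet: every substring test the firmware runs against the redundant entries is wasted work, and an entry longer than the password can never fire at all.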
Statistic properties of the password function
Uniformity tests
• H0: the distribution of characters from the alphabet is uniform over characters.
• H_alt: the distribution is not uniform.
Uniformity tests – letter-frequency heatmaps (rows: password position 1–8 and total; columns: letters A–Z)
• [Figure: Uniform distribution on characters]
• [Figure: Output alphabet projection distribution]
• [Figure: Do not strip the entropy]
• [Figure: Do only one hashing – no homebrew mangling]
Password gen conclusion
• Uses only MAC as an input
• Only one password guess
• Very effective – 2 MD5 hashes
• Compared to Blasty (router serial ID space brute-forcing)
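The uniformity tests and the conclusion above turn on one question: does each output letter appear with the same frequency at each position, or does the "projection" from hash bytes onto the alphabet skew it? The following is an added example, not code from the slides and not the UBEE routine, that runs the chi-square test behind the heatmaps on two constructed generators over 2^17 24-bit device ids: a projection that reduces hash bytes modulo 26 (which strips entropy unevenly, since 256 is not a multiple of 26) and one that rejection-samples before reducing, which is what "do not strip the entropy" asks for. byte_stream, generate_modulo, generate_rejection and uniformity_report are hypothetical names, and the MD5-in-counter-mode stream is only a stand-in for whatever hash a real generator computes from a device identifier.

```python
import hashlib
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
PWD_LEN = 8
# Critical value of the chi-square distribution with 25 degrees of freedom
# (26 letters - 1) at the 1 % level, from a standard table.
CHI2_CRIT_DF25_P01 = 44.31


def byte_stream(seed):
    """Unbounded pseudo-random bytes: MD5 of seed || counter. This stands in for
    the hash a generator computes from a device identifier; it is not the UBEE routine."""
    counter = 0
    while True:
        yield from hashlib.md5(seed + counter.to_bytes(4, "big")).digest()
        counter += 1


def generate_modulo(seed):
    """Biased projection: byte % 26. 256 is not a multiple of 26, so W-Z each
    get 9/256 of the mass while A-V get 10/256."""
    stream = byte_stream(seed)
    return "".join(ALPHABET[next(stream) % 26] for _ in range(PWD_LEN))


def generate_rejection(seed):
    """Unbiased projection: discard bytes >= 234 (= 9 * 26), then reduce."""
    stream = byte_stream(seed)
    letters = []
    while len(letters) < PWD_LEN:
        b = next(stream)
        if b < 234:
            letters.append(ALPHABET[b % 26])
    return "".join(letters)


def chi_square(counter, n):
    """Chi-square statistic of observed letter counts against a uniform expectation."""
    expected = n / len(ALPHABET)
    return sum((counter[c] - expected) ** 2 / expected for c in ALPHABET)


def uniformity_report(generate, n_devices=2**17):
    """Generate passwords for n_devices constructed 24-bit device ids, count
    letters per position and in total (the rows of the slide tables), and
    return the chi-square statistic for each row plus the H0 decision on the total."""
    per_pos = [Counter() for _ in range(PWD_LEN)]
    for dev in range(n_devices):
        pw = generate(dev.to_bytes(3, "big"))
        for pos, ch in enumerate(pw):
            per_pos[pos][ch] += 1
    total = Counter()
    for c in per_pos:
        total.update(c)
    total_chi2 = chi_square(total, n_devices * PWD_LEN)
    return {
        "per_position": [chi_square(c, n_devices) for c in per_pos],
        "total": total_chi2,
        "reject_h0": total_chi2 > CHI2_CRIT_DF25_P01,
    }


if __name__ == "__main__":
    for name, gen in (("byte % 26", generate_modulo), ("rejection", generate_rejection)):
        r = uniformity_report(gen)
        print(f"{name:10s} total chi2={r['total']:.1f} reject H0={r['reject_h0']} "
              f"per-position max={max(r['per_position']):.1f}")
```

The modulo bias is small per letter (about 10 % less mass on W-Z), yet with a population the size of a MAC-address space the chi-square statistic lands far above the critical value on every row, which is exactly why the slides could see it; the rejection-sampled generator stays at the expected 25 or so. Running the same report against the output of a candidate generator is a cheap pre-release check for a vendor.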
More vulnerabilities
UBEE vulnerabilities
• UPC Wi-Free can be sniffed
  • After gaining root access, Wi-Free can be sniffed / tampered with
• Authentication bypass (backdoor)
  • http://192.168.0.1/cgi-bin/setup.cgi?factoryBypass=1
• Insecure session management
  • no cookies, IP address authenticated
• Local file inclusion
  • http://192.168.0.1/cgi-bin/setup.cgi?gonext=../www/main2
• Buffer overflow in configuration file request
  • http://192.168.0.1/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
• Backup file disclosure – not deleted, publicly available
  • http://192.168.0.1/Configuration_file.cfg
• Backup file is not encrypted
  • Web asks for password for backup encryption
  • Backup is not actually encrypted, password is stored in plaintext
• Backup restore buffer overflow
  • Password longer than 65536 characters
• Arbitrary code execution
  • Backup file = tar, can contain symbolic links
  • After extraction can overwrite CGI scripts
War driving #1 – Brno, 02/2016
Category                       Count    Share     Relative to
Total networks                 17 516
UPC networks                    2 868   16.37 %   all networks
UPC vulnerable                  1 835   63.98 %   UPC
UPC UBEE vulnerable               443   15.45 %   UPC
UPC Technicolor vulnerable      1 392   48.54 %   UPC
UBEE changed                       98   18.11 %   UBEE
Technicolor changed               304   17.92 %   Tech.

War driving #2 – Bratislava, 10/2016
Category                       Count    Share     Relative to
Total networks                 22 172
UPC networks                    3 092   13.95 %   all networks
UPC vulnerable                  1 327   42.92 %   UPC
UPC UBEE vulnerable               822   26.58 %   UPC
UPC Technicolor vulnerable        505   16.33 %   UPC
UBEE changed                      205   19.96 %   UBEE
Technicolor changed                96    3.10 %   Tech.
Compal CH7465LG                   930   30.08 %   UPC
New target
• Security Swiss cheese
• 35 vulnerabilities found by independent security team
• Default WPA2 seems to be properly implemented - allegedly
Recap
• Firmware dumped
• WPA2 pwd gen reverse engineered
• Function statistical analysis
• Wardriving
• Android app for automated testing
Timeline
• 27. Jan 2016: Start of the analysis.
• 04. Feb 2016: Official disclosure to Liberty Global.
• 04. May 2016: Check with Liberty Global on state of the fix.
• 28. Jun 2016: Sending this article for review to Liberty Global.
• 04. Jul 2016: Publication of the research.
Thank you for your attention!
Questions
References / resources
• https://deadcode.me/blog/2016/07/01/UPC-UBEE-EVW3226-WPA2-Reversing.html
• https://www.freeture.ch/?p=766
• http://jcjc-dev.com/2016/06/08/reversing-huawei-4-dumping-flash/
• https://haxx.in/upc-wifi/
• https://firefart.at/post/upc_ubee_fail/
• http://www.wifileaks.cz/
• http://www.search-lab.hu/advisories/122-ubee-evw3226-modem-router-multiple-vulnerabilities
• http://www.search-lab.hu/advisories/secadv-20150720
• http://www.search-lab.hu/media/Compal_CH7465LG_Evaluation_Report_1.1.pdf
• https://github.com/devttys0/binwalk
1 of 74

Recommended

Apache Hive Hook by
Apache Hive HookApache Hive Hook
Apache Hive HookMinwoo Kim
17K views47 slides
スローダウン、ハングを一発解決 スレッドダンプはトラブルシューティングの味方 #wlstudy by
スローダウン、ハングを一発解決 スレッドダンプはトラブルシューティングの味方 #wlstudyスローダウン、ハングを一発解決 スレッドダンプはトラブルシューティングの味方 #wlstudy
スローダウン、ハングを一発解決 スレッドダンプはトラブルシューティングの味方 #wlstudyYusuke Yamamoto
6.4K views53 slides
Troubleshooting Cassandra (J.B. Langston, DataStax) | C* Summit 2016 by
Troubleshooting Cassandra (J.B. Langston, DataStax) | C* Summit 2016Troubleshooting Cassandra (J.B. Langston, DataStax) | C* Summit 2016
Troubleshooting Cassandra (J.B. Langston, DataStax) | C* Summit 2016DataStax
4.6K views107 slides
オンプレ&HTTP Proxyな環境でRancherOS入れてみた話 by
オンプレ&HTTP Proxyな環境でRancherOS入れてみた話オンプレ&HTTP Proxyな環境でRancherOS入れてみた話
オンプレ&HTTP Proxyな環境でRancherOS入れてみた話YASUKAZU NAGATOMI
2.7K views20 slides
Apache Hadoopの未来 3系になって何が変わるのか? by
Apache Hadoopの未来 3系になって何が変わるのか?Apache Hadoopの未来 3系になって何が変わるのか?
Apache Hadoopの未来 3系になって何が変わるのか?NTT DATA OSS Professional Services
6.7K views48 slides
Apache Hadoopの新機能Ozoneの現状 by
Apache Hadoopの新機能Ozoneの現状Apache Hadoopの新機能Ozoneの現状
Apache Hadoopの新機能Ozoneの現状NTT DATA OSS Professional Services
6.2K views35 slides

More Related Content

What's hot

Return Oriented Programming by
Return Oriented ProgrammingReturn Oriented Programming
Return Oriented Programmingsounakano
216 views14 slides
Scalar DB: Universal Transaction Manager by
Scalar DB: Universal Transaction ManagerScalar DB: Universal Transaction Manager
Scalar DB: Universal Transaction ManagerScalar, Inc.
2.6K views30 slides
Yahoo! JAPANのサービス開発を10倍早くした社内PaaS構築の今とこれから by
Yahoo! JAPANのサービス開発を10倍早くした社内PaaS構築の今とこれからYahoo! JAPANのサービス開発を10倍早くした社内PaaS構築の今とこれから
Yahoo! JAPANのサービス開発を10倍早くした社内PaaS構築の今とこれからYahoo!デベロッパーネットワーク
11.5K views104 slides
輪読資料: Staring into the abyss an evaluation of concurrency control with one t... by
輪読資料: Staring into the abyss  an evaluation of concurrency control with one t...輪読資料: Staring into the abyss  an evaluation of concurrency control with one t...
輪読資料: Staring into the abyss an evaluation of concurrency control with one t...Sho Nakazono
105 views40 slides
Hiveハンズオン by
HiveハンズオンHiveハンズオン
HiveハンズオンSatoshi Noto
8.7K views52 slides
業務システムにおけるMongoDB活用法 by
業務システムにおけるMongoDB活用法業務システムにおけるMongoDB活用法
業務システムにおけるMongoDB活用法Yoshitaka Mori
5.6K views33 slides

What's hot(20)

Return Oriented Programming by sounakano
Return Oriented ProgrammingReturn Oriented Programming
Return Oriented Programming
sounakano216 views
Scalar DB: Universal Transaction Manager by Scalar, Inc.
Scalar DB: Universal Transaction ManagerScalar DB: Universal Transaction Manager
Scalar DB: Universal Transaction Manager
Scalar, Inc.2.6K views
輪読資料: Staring into the abyss an evaluation of concurrency control with one t... by Sho Nakazono
輪読資料: Staring into the abyss  an evaluation of concurrency control with one t...輪読資料: Staring into the abyss  an evaluation of concurrency control with one t...
輪読資料: Staring into the abyss an evaluation of concurrency control with one t...
Sho Nakazono105 views
Hiveハンズオン by Satoshi Noto
HiveハンズオンHiveハンズオン
Hiveハンズオン
Satoshi Noto8.7K views
業務システムにおけるMongoDB活用法 by Yoshitaka Mori
業務システムにおけるMongoDB活用法業務システムにおけるMongoDB活用法
業務システムにおけるMongoDB活用法
Yoshitaka Mori5.6K views
大規模データ処理の定番OSS Hadoop / Spark 最新動向 - 2021秋 -(db tech showcase 2021 / ONLINE 発... by NTT DATA Technology & Innovation
大規模データ処理の定番OSS Hadoop / Spark 最新動向 - 2021秋 -(db tech showcase 2021 / ONLINE 発...大規模データ処理の定番OSS Hadoop / Spark 最新動向 - 2021秋 -(db tech showcase 2021 / ONLINE 発...
大規模データ処理の定番OSS Hadoop / Spark 最新動向 - 2021秋 -(db tech showcase 2021 / ONLINE 発...
HDFSのスケーラビリティの限界を突破するためのさまざまな取り組み | Hadoop / Spark Conference Japan 2019 #hc... by Yahoo!デベロッパーネットワーク
HDFSのスケーラビリティの限界を突破するためのさまざまな取り組み | Hadoop / Spark Conference Japan 2019  #hc...HDFSのスケーラビリティの限界を突破するためのさまざまな取り組み | Hadoop / Spark Conference Japan 2019  #hc...
HDFSのスケーラビリティの限界を突破するためのさまざまな取り組み | Hadoop / Spark Conference Japan 2019 #hc...
Deep Dive into GPU Support in Apache Spark 3.x by Databricks
Deep Dive into GPU Support in Apache Spark 3.xDeep Dive into GPU Support in Apache Spark 3.x
Deep Dive into GPU Support in Apache Spark 3.x
Databricks2.3K views
Hadoop -NameNode HAの仕組み- by Yuki Gonda
Hadoop -NameNode HAの仕組み-Hadoop -NameNode HAの仕組み-
Hadoop -NameNode HAの仕組み-
Yuki Gonda4.1K views
Large partition in Cassandra by Shogo Hoshii
Large partition in CassandraLarge partition in Cassandra
Large partition in Cassandra
Shogo Hoshii4.3K views
ScyllaDBユーザー勉強会 #1 by Changhwan Lee
ScyllaDBユーザー勉強会 #1ScyllaDBユーザー勉強会 #1
ScyllaDBユーザー勉強会 #1
Changhwan Lee1.4K views
Binary exploitation - AIS3 by Angel Boy
Binary exploitation - AIS3Binary exploitation - AIS3
Binary exploitation - AIS3
Angel Boy7.3K views
ただいまHadoop勉強中 by Satoshi Noto
ただいまHadoop勉強中ただいまHadoop勉強中
ただいまHadoop勉強中
Satoshi Noto5.7K views
類義語検索と類義語ハイライト by Shinichiro Abe
類義語検索と類義語ハイライト類義語検索と類義語ハイライト
類義語検索と類義語ハイライト
Shinichiro Abe8K views

Viewers also liked

WarDriving - Stockholm October 2013 by
WarDriving - Stockholm October 2013WarDriving - Stockholm October 2013
WarDriving - Stockholm October 2013Gabor Sebastiani
926 views9 slides
Water Lifting Devices for your Garden by
Water Lifting Devices for your GardenWater Lifting Devices for your Garden
Water Lifting Devices for your GardenSchool Vegetable Gardening - Victory Gardens
1.6K views10 slides
Wardriving 101 by
Wardriving 101Wardriving 101
Wardriving 101n|u - The Open Security Community
3K views22 slides
WardivingHackedBussinesWifi by
WardivingHackedBussinesWifiWardivingHackedBussinesWifi
WardivingHackedBussinesWifiAdul Andreas
557 views18 slides
Wardriving & Kismet Introduction by
Wardriving & Kismet IntroductionWardriving & Kismet Introduction
Wardriving & Kismet IntroductionLance Howell
4.7K views30 slides
Kismet by
KismetKismet
KismetNilesh Pawar
7.9K views29 slides

Viewers also liked(17)

WardivingHackedBussinesWifi by Adul Andreas
WardivingHackedBussinesWifiWardivingHackedBussinesWifi
WardivingHackedBussinesWifi
Adul Andreas557 views
Wardriving & Kismet Introduction by Lance Howell
Wardriving & Kismet IntroductionWardriving & Kismet Introduction
Wardriving & Kismet Introduction
Lance Howell4.7K views
Wardriving by Sajan Sahu
WardrivingWardriving
Wardriving
Sajan Sahu1.9K views
Introduction to Reverse Engineering by Dobromir Enchev
Introduction to Reverse EngineeringIntroduction to Reverse Engineering
Introduction to Reverse Engineering
Dobromir Enchev4.6K views
HUMAN POWER OPERATED DEVICES by Mayur Mohurle
HUMAN POWER OPERATED DEVICESHUMAN POWER OPERATED DEVICES
HUMAN POWER OPERATED DEVICES
Mayur Mohurle15.5K views
A Group Minor Project by Angel Bajaj
A Group Minor ProjectA Group Minor Project
A Group Minor Project
Angel Bajaj4.2K views
Reverse engineering by Yuffie Valen
Reverse  engineeringReverse  engineering
Reverse engineering
Yuffie Valen7.7K views
Reverse engineering by ananya0122
Reverse engineeringReverse engineering
Reverse engineering
ananya012236.1K views
Reverse Engineering by dswanson
Reverse EngineeringReverse Engineering
Reverse Engineering
dswanson13.2K views
Reverse engineering & its application by mapqrs
Reverse engineering & its applicationReverse engineering & its application
Reverse engineering & its application
mapqrs37.1K views

Similar to UPC router reverse engineering - case study

Scada deep inside: protocols and security mechanisms by
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsAleksandr Timorin
3.3K views84 slides
We will charge you. How to [b]reach vendor’s network using EV charging station. by
We will charge you. How to [b]reach vendor’s network using EV charging station.We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.DefCamp
443 views50 slides
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security... by
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...PROIDEA
609 views75 slides
SCADA deep inside: protocols and security mechanisms by
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsAleksandr Timorin
13.1K views75 slides
Cracking WEP Secured Wireless Networks by
Cracking WEP Secured Wireless NetworksCracking WEP Secured Wireless Networks
Cracking WEP Secured Wireless NetworksHammam Samara
6K views13 slides
Fundamentals of network hacking by
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hackingPranshu Pareek
91 views38 slides

Similar to UPC router reverse engineering - case study(20)

Scada deep inside: protocols and security mechanisms by Aleksandr Timorin
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanisms
Aleksandr Timorin3.3K views
We will charge you. How to [b]reach vendor’s network using EV charging station. by DefCamp
We will charge you. How to [b]reach vendor’s network using EV charging station.We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.
DefCamp443 views
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security... by PROIDEA
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
PROIDEA609 views
SCADA deep inside: protocols and security mechanisms by Aleksandr Timorin
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanisms
Aleksandr Timorin13.1K views
Cracking WEP Secured Wireless Networks by Hammam Samara
Cracking WEP Secured Wireless NetworksCracking WEP Secured Wireless Networks
Cracking WEP Secured Wireless Networks
Hammam Samara6K views
Fundamentals of network hacking by Pranshu Pareek
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hacking
Pranshu Pareek91 views
eu-19-LimitedResults-Fatal-Fury-On-ESP32-Time-To-Release-Hardware-Exploits.pdf by ssuser6e61b3
eu-19-LimitedResults-Fatal-Fury-On-ESP32-Time-To-Release-Hardware-Exploits.pdfeu-19-LimitedResults-Fatal-Fury-On-ESP32-Time-To-Release-Hardware-Exploits.pdf
eu-19-LimitedResults-Fatal-Fury-On-ESP32-Time-To-Release-Hardware-Exploits.pdf
ssuser6e61b315 views
WiFi practical hacking "Show me the passwords!" by DefCamp
WiFi practical hacking "Show me the passwords!"WiFi practical hacking "Show me the passwords!"
WiFi practical hacking "Show me the passwords!"
DefCamp1.6K views
Cellular technology with Embedded Linux - COSCUP 2016 by SZ Lin
Cellular technology with Embedded Linux - COSCUP 2016Cellular technology with Embedded Linux - COSCUP 2016
Cellular technology with Embedded Linux - COSCUP 2016
SZ Lin5.9K views
Advanced Diagnostics 2 by Aero Plane
Advanced Diagnostics 2Advanced Diagnostics 2
Advanced Diagnostics 2
Aero Plane1.9K views
Hack.LU 2018 ARM IoT Firmware Emulation Workshop by Saumil Shah
Hack.LU 2018 ARM IoT Firmware Emulation WorkshopHack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation Workshop
Saumil Shah5.4K views
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand... by Sergey Gordeychik
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Sergey Gordeychik514 views
HITCON 2015: Your Lightbulb Is Not Hacking You: Observation from a Honeypot B... by Philippe Lin
HITCON 2015: Your Lightbulb Is Not Hacking You: Observation from a Honeypot B...HITCON 2015: Your Lightbulb Is Not Hacking You: Observation from a Honeypot B...
HITCON 2015: Your Lightbulb Is Not Hacking You: Observation from a Honeypot B...
Philippe Lin635 views
Ripe71 FastNetMon open source DoS / DDoS mitigation by Pavel Odintsov
Ripe71 FastNetMon open source DoS / DDoS mitigationRipe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigation
Pavel Odintsov8.8K views
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar... by idsecconf
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
idsecconf614 views
SCADA Strangelove: взлом во имя by Ekaterina Melnik
SCADA Strangelove: взлом во имяSCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имя
Ekaterina Melnik718 views
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols by PROIDEA
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsCONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
PROIDEA826 views

Recently uploaded

Centralized Logging Feature in CloudStack using ELK and Grafana - Kiran Chava... by
Centralized Logging Feature in CloudStack using ELK and Grafana - Kiran Chava...Centralized Logging Feature in CloudStack using ELK and Grafana - Kiran Chava...
Centralized Logging Feature in CloudStack using ELK and Grafana - Kiran Chava...ShapeBlue
28 views17 slides
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院 by
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院IttrainingIttraining
69 views8 slides
Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ... by
Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ...Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ...
Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ...ShapeBlue
61 views15 slides
NTGapps NTG LowCode Platform by
NTGapps NTG LowCode Platform NTGapps NTG LowCode Platform
NTGapps NTG LowCode Platform Mustafa Kuğu
28 views30 slides
Igniting Next Level Productivity with AI-Infused Data Integration Workflows by
Igniting Next Level Productivity with AI-Infused Data Integration Workflows Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows Safe Software
317 views86 slides
The Research Portal of Catalonia: Growing more (information) & more (services) by
The Research Portal of Catalonia: Growing more (information) & more (services)The Research Portal of Catalonia: Growing more (information) & more (services)
The Research Portal of Catalonia: Growing more (information) & more (services)CSUC - Consorci de Serveis Universitaris de Catalunya
115 views25 slides

Recently uploaded(20)

Centralized Logging Feature in CloudStack using ELK and Grafana - Kiran Chava... by ShapeBlue
Centralized Logging Feature in CloudStack using ELK and Grafana - Kiran Chava...Centralized Logging Feature in CloudStack using ELK and Grafana - Kiran Chava...
Centralized Logging Feature in CloudStack using ELK and Grafana - Kiran Chava...
ShapeBlue28 views
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院 by IttrainingIttraining
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院
Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ... by ShapeBlue
Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ...Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ...
Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ...
ShapeBlue61 views
NTGapps NTG LowCode Platform by Mustafa Kuğu
NTGapps NTG LowCode Platform NTGapps NTG LowCode Platform
NTGapps NTG LowCode Platform
Mustafa Kuğu28 views
Igniting Next Level Productivity with AI-Infused Data Integration Workflows by Safe Software
Igniting Next Level Productivity with AI-Infused Data Integration Workflows Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Safe Software317 views
CloudStack Object Storage - An Introduction - Vladimir Petrov - ShapeBlue by ShapeBlue
CloudStack Object Storage - An Introduction - Vladimir Petrov - ShapeBlueCloudStack Object Storage - An Introduction - Vladimir Petrov - ShapeBlue
CloudStack Object Storage - An Introduction - Vladimir Petrov - ShapeBlue
ShapeBlue26 views
KVM Security Groups Under the Hood - Wido den Hollander - Your.Online by ShapeBlue
KVM Security Groups Under the Hood - Wido den Hollander - Your.OnlineKVM Security Groups Under the Hood - Wido den Hollander - Your.Online
KVM Security Groups Under the Hood - Wido den Hollander - Your.Online
ShapeBlue75 views
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ... by ShapeBlue
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...
ShapeBlue46 views
Business Analyst Series 2023 - Week 4 Session 7 by DianaGray10
Business Analyst Series 2023 -  Week 4 Session 7Business Analyst Series 2023 -  Week 4 Session 7
Business Analyst Series 2023 - Week 4 Session 7
DianaGray1042 views
Don’t Make A Human Do A Robot’s Job! : 6 Reasons Why AI Will Save Us & Not De... by Moses Kemibaro
Don’t Make A Human Do A Robot’s Job! : 6 Reasons Why AI Will Save Us & Not De...Don’t Make A Human Do A Robot’s Job! : 6 Reasons Why AI Will Save Us & Not De...
Don’t Make A Human Do A Robot’s Job! : 6 Reasons Why AI Will Save Us & Not De...
Moses Kemibaro27 views
Migrating VMware Infra to KVM Using CloudStack - Nicolas Vazquez - ShapeBlue by ShapeBlue
Migrating VMware Infra to KVM Using CloudStack - Nicolas Vazquez - ShapeBlueMigrating VMware Infra to KVM Using CloudStack - Nicolas Vazquez - ShapeBlue
Migrating VMware Infra to KVM Using CloudStack - Nicolas Vazquez - ShapeBlue
ShapeBlue71 views
Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha... by ShapeBlue
Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha...Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha...
Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha...
ShapeBlue54 views
Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ... by ShapeBlue
Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ...Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ...
Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ...
ShapeBlue55 views
Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda... by ShapeBlue
Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda...Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda...
Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda...
ShapeBlue44 views
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ... by Jasper Oosterveld
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas... by Bernd Ruecker
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...
Bernd Ruecker48 views
PharoJS - Zürich Smalltalk Group Meetup November 2023 by Noury Bouraqadi
PharoJS - Zürich Smalltalk Group Meetup November 2023PharoJS - Zürich Smalltalk Group Meetup November 2023
PharoJS - Zürich Smalltalk Group Meetup November 2023
Noury Bouraqadi139 views
Five Things You SHOULD Know About Postman by Postman
Five Things You SHOULD Know About PostmanFive Things You SHOULD Know About Postman
Five Things You SHOULD Know About Postman
Postman38 views

UPC router reverse engineering - case study

  • 1. UPC router reverse engineering Messing around the firmware & digging for WPA2 password generator Dušan Klinec, Miroslav Svítok deadcode.me
  • 2. The beginning of the story
  • 3. The beginning of the story 31.12.2015 https://haxx.in/upc_keys.c
  • 4. The weakness • Default SSID & Passwd computation from public information Serial ID SAAP12345678 SSID PASSWD Derivation: MD5 + some home-brew mangling
  • 5. The attack • Bruteforce, complexity = 1e8 iterations • For all serial ID combinations • Compute SSID, if matches, print passwd Serial ID SAAP12345678 SSID PASSWD
  • 6. The attack • 20 password candidates on average • Under 2 seconds on Samsung Galaxy S7 Serial ID SAAP12345678 SSID PASSWD
  • 9. Technicolor TC 7200 48.53 % of all UPC[0-9]{7} networks in Brno 02/2016 Vulnerable modem * 2868 UPC samples collected / 17516 total
  • 10. UBEE EVW 3226 15.44 % of all UPC[0-9]{7} networks in Brno 02/2016 Not-yet-vulnerable modem * 2868 UPC samples collected / 17516 total
  • 11. Attack outline • Get the firmware • Analyze binaries generating wifi config files • Reverse engineer password generating routine
  • 13. Getting the firmware - UART • Some soldering needed • USB-UART bridge (2 USD on eBay)
  • 14. Getting the firmware - UART • Collect information – e.g., memory layout, kernel, compression, encryption, … • Modify boot arguments, dump flash • Default credentials / no-auth access to CLI
  • 16. Getting the firmware – EEPROM read
  • 17. Getting the firmware – old school way
  • 18. Getting the firmware – old school way • USB-SPI bridge (BusPirate / other) • Dump flash memory • Use binwalk to analyze the dump • Decompress (squashfs, lzma) the FS, kernel
  • 19. Getting the firmware – old school way
  • 20. Getting the firmware – without getting hands dirty
  • 21. Getting the firmware #2 • Attacking the software / APIs • Command injection / code execution • Unsanitized input data in administration interface • Ping command, traceroute command https://firefart.at/post/upc_ubee_fail/
  • 22. Getting the firmware #2 • Via system vulnerability using USB port • .auto file is executed if USB is named “EVW3226” https://firefart.at/post/upc_ubee_fail/
  • 23. Getting the firmware #2 • Rewrite /etc/passwd with a new admin password • Start SSH server on the router • Enjoy the root access
  • 24. Getting the firmware • DD all block devices to the USB flash drive • Tar the whole FS to the USB flash drive
• 25. Searching the firmware
  # cli
  IMAGE_NAME=vgwsdk-3.5.0.24-150324.img
  FSSTAMP=20150324141918
  VERSION=EVW3226_1.0.20
• 26. Searching the firmware
  # ps -a
  5681 admin 1924 S hostapd -B /tmp/secath0
• 27. Searching the firmware
  # cat /tmp/secath0
  interface=ath0
  bridge=rndbr1
  dump_file=/tmp/hostapd.dump
  ctrl_interface=/var/run/hostapd
  ssid=UPC2659797
  wpa=3
  wpa_passphrase=IVGDQAMI
  wpa_key_mgmt=WPA-PSK
• 28. Searching the firmware
  # find . -type f -exec grep -il 'secath0' {} \;
  ./fss/gw/lib/libUtility.so
  ./fss/gw/usr/sbin/aimDaemon
  ./fss/gw/usr/www/cgi-bin/setup.cgi
  ./var/tmp/conf_filename
  ./var/tmp/www/cgi-bin/setup.cgi
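The generated hostapd file is the artifact a defender can audit directly, on the router or in a firmware image. As an added example (not code from the talk), the Python below parses a hostapd-style key=value file, flags mixed WPA/WPA2 mode (`wpa=3`, where bit 1 enables WPA1), estimates the passphrase's guessing entropy from the character classes it uses, and reports when the passphrase and SSID still have the shape of the vendor default. The sample configuration is constructed, modelled on the slide's /tmp/secath0 with placeholder values; the 60-bit threshold is an assumption.

```python
import math

# Constructed sample, shaped like the /tmp/secath0 on the slide (values are placeholders).
SAMPLE_HOSTAPD_CONF = """\
interface=ath0
bridge=rndbr1
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ssid=UPC0000000
wpa=3
wpa_passphrase=ABCDEFGH
wpa_key_mgmt=WPA-PSK
"""


def parse_hostapd(text: str) -> dict:
    """hostapd.conf is flat key=value; a later key overrides an earlier one."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def passphrase_entropy_bits(passphrase: str) -> float:
    """Upper bound on guessing entropy from the character classes present
    (26 lower, 26 upper, 10 digits, 33 printable symbols)."""
    space = 0
    if any(c.islower() for c in passphrase):
        space += 26
    if any(c.isupper() for c in passphrase):
        space += 26
    if any(c.isdigit() for c in passphrase):
        space += 10
    if any(not c.isalnum() for c in passphrase):
        space += 33
    return len(passphrase) * math.log2(space) if space else 0.0


def audit_hostapd(conf: dict, min_bits: float = 60.0) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    wpa = int(conf.get("wpa", "0") or 0)
    if wpa & 1:  # bit 1 = WPA1 (TKIP era), bit 2 = WPA2/RSN
        findings.append("wpa=%d also accepts WPA1 clients; WPA2-only is wpa=2" % wpa)
    pw = conf.get("wpa_passphrase")
    if pw is not None:
        bits = passphrase_entropy_bits(pw)
        if bits < min_bits:
            findings.append("wpa_passphrase: about %.1f bits of entropy (threshold %.0f)"
                            % (bits, min_bits))
        if len(pw) == 8 and pw.isalpha() and pw.isupper():
            findings.append("wpa_passphrase: eight uppercase letters, the shape of the vendor default")
    ssid = conf.get("ssid", "")
    if len(ssid) == 10 and ssid.startswith("UPC") and ssid[3:].isdigit():
        findings.append("ssid: matches the default UPC[0-9]{7} pattern, i.e. never renamed")
    return findings


if __name__ == "__main__":
    for finding in audit_hostapd(parse_hostapd(SAMPLE_HOSTAPD_CONF)):
        print("-", finding)
```

Eight uppercase letters give 26^8 possibilities, about 37.6 bits, which is the ceiling for any generator with this output alphabet regardless of how the letters are derived; the later slides show the actual generator falls well below even that.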
• 39. Profanities
  • Profanity found? Switch to non-insulting alphabet
  • BBCDFFGHJJKLMNPQRSTVVWXYZZ
• 40. Non-optimal
  • Contains a lot of duplicate entries, varying case
  • toupper() at runtime – database case mixed
  • Some entries cannot be generated at all, e.g. PROSTITUTE (10 characters, password has 8)
• 41. Non-optimal
  • Substring search test
  • More efficient to remove the redundant entries (those containing a shorter entry as a substring) from the database
  • “COCK”, “COCKS”, “COCKY”, “ACOCK”
  • (Only the first one is needed, the rest is redundant)
• 42. Profanity search
  • All UBEE MACs generated
  • 2^24 = 16 777 216 passwords
  • 32105 (0.19 %) hit the profanity detection
  • I.e., roughly 2 in 1000 customers could complain
• 43. Profanity stats
    # of characters   Occurrences
    3                 23090
    4                 6014
    5                 3001
  • 45. Statistic properties of the password function
• 52. Uniformity tests
  • H0: the distribution of characters from the alphabet is uniform over characters.
  • H_alt: the distribution is not uniform.
• 53. Uniformity tests – chart: uniform distribution on characters (columns A–Z; rows: positions 1–8 and total)
• 54. Uniformity tests – chart: output alphabet projection distribution (columns A–Z; rows: positions 1–8 and total)
• 55. Uniformity tests – chart: do not strip the entropy (columns A–Z; rows: positions 1–8 and total)
• 56. Uniformity tests – chart: do only one hashing, no homebrew mangling (columns A–Z; rows: positions 1–8 and total)
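The uniformity test behind the charts above is a chi-square goodness-of-fit test on the letter counts, per password position and pooled over all positions. As an added example (not the talk's own analysis code, and not the UBEE generator), the Python below runs that test on two constructed generators: a "bad" one that hashes once and then maps each byte to a letter with `byte % 26`, which silently strips entropy because 256 is not a multiple of 26, and a "good" one that uses the same single hash with rejection sampling so every letter is equally likely. The inputs are constructed 6-byte MAC-like counters, the sample size is an assumption, and the critical value 44.31 is the chi-square quantile for 25 degrees of freedom at alpha = 0.01.

```python
import hashlib
import string

ALPHABET = string.ascii_uppercase
PASSWORD_LEN = 8
# Chi-square critical value for 25 degrees of freedom (26 letters - 1) at alpha = 0.01.
CHI2_CRIT_25DF_P01 = 44.31


def biased_password(seed: bytes) -> str:
    """Constructed 'bad' generator: one MD5, then byte % 26. Residues 0..21 get ten
    byte values each, residues 22..25 only nine, so W, X, Y, Z are under-produced."""
    digest = hashlib.md5(seed).digest()
    return "".join(ALPHABET[b % 26] for b in digest[:PASSWORD_LEN])


def unbiased_password(seed: bytes) -> str:
    """Constructed 'good' generator: same single hash, but bytes >= 234 (= 9 * 26) are
    rejected, so each letter corresponds to exactly nine byte values. If the digest
    runs out of acceptable bytes, hash again with a counter appended."""
    letters = []
    counter = 0
    while len(letters) < PASSWORD_LEN:
        digest = hashlib.md5(seed + bytes([counter])).digest()
        for b in digest:
            if b < 234:
                letters.append(ALPHABET[b % 26])
                if len(letters) == PASSWORD_LEN:
                    break
        counter += 1
    return "".join(letters)


def chi_square_uniform(counts) -> float:
    """Chi-square statistic of observed counts against a uniform expectation."""
    n = sum(counts)
    expected = n / len(counts)
    return sum((c - expected) ** 2 / expected for c in counts)


def uniformity_report(generator, n_samples: int = 50000) -> dict:
    """Letter counts per position and pooled ('total'), as on the slides' charts,
    reduced to the chi-square statistic for each row."""
    per_position = [[0] * 26 for _ in range(PASSWORD_LEN)]
    for i in range(n_samples):
        seed = i.to_bytes(6, "big")  # constructed MAC-like input
        for pos, ch in enumerate(generator(seed)):
            per_position[pos][ord(ch) - ord("A")] += 1
    total_counts = [sum(col) for col in zip(*per_position)]
    total = chi_square_uniform(total_counts)
    return {
        "per_position": [chi_square_uniform(row) for row in per_position],
        "total": total,
        "rejects_h0": total > CHI2_CRIT_25DF_P01,
    }


if __name__ == "__main__":
    for name, gen in (("byte % 26", biased_password), ("rejection sampling", unbiased_password)):
        report = uniformity_report(gen)
        print("%-18s total chi2 = %7.1f  rejects H0 = %s" % (name, report["total"], report["rejects_h0"]))
        print("   per position:", ["%.1f" % x for x in report["per_position"]])
```

The bias per letter is tiny (10/256 versus 9/256), so a single position with a few thousand samples often passes; pooling positions, as the slides' "total" row does, is what makes the defect visible. The slide's advice "do only one hashing" is the same point from the other side: every extra mangling step is another place where the output alphabet can be squeezed like this.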
• 57. Password gen conclusion
  • Uses only MAC as an input
  • Only one password guess
  • Very effective – 2 MD5 hashes
  • Compared to Blasty (router serial ID space brute-forcing)
• 60. UBEE vulnerabilities
  • UPC Wi-Free can be sniffed
  • After gaining root access, Wi-Free can be sniffed / tampered with
  • Authentication bypass (backdoor)
  • http://192.168.0.1/cgi-bin/setup.cgi?factoryBypass=1
• 61. UBEE vulnerabilities
  • Insecure session management
  • No cookies, IP address authenticated
  • Local file inclusion http://192.168.0.1/cgi-bin/setup.cgi?gonext=../www/main2
  • Buffer overflow in configuration file request http://192.168.0.1/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
  • Backup file disclosure – not deleted, publicly available http://192.168.0.1/Configuration_file.cfg
• 62. UBEE vulnerabilities
  • Backup file is not encrypted
  • Web asks for password for backup encryption
  • Backup is not actually encrypted, password is stored in plaintext
  • Backup restore buffer overflow
  • Password longer than 65536 characters
  • Arbitrary code execution
  • Backup file = tar, can contain symbolic links
  • After extraction can overwrite CGI scripts
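The last two restore flaws on the slide (an unbounded password and a tar archive extracted with links and paths taken on trust) are both input-validation failures that a restore handler can catch before it touches the filesystem. As an added example (not code from the talk or from the UBEE firmware), the Python below shows what such a pre-extraction check looks like: it bounds the restore password length and walks the archive's member list, refusing symbolic and hard links, absolute or `..` paths, special files, and oversized archives. The limits are assumptions, and the two archives it runs on are constructed in memory as test fixtures.

```python
import io
import tarfile
from pathlib import PurePosixPath

MAX_RESTORE_PASSWORD = 64          # assumed sane limit; the slide's overflow needed > 65536 chars
MAX_MEMBERS = 256                  # assumed; a config backup holds a handful of files
MAX_TOTAL_BYTES = 4 * 1024 * 1024  # assumed


def check_restore_password(password: str) -> list:
    """Bound the length before the value reaches any fixed-size buffer."""
    if len(password) > MAX_RESTORE_PASSWORD:
        return ["restore password is %d chars, limit is %d" % (len(password), MAX_RESTORE_PASSWORD)]
    return []


def audit_backup_tar(data: bytes) -> list:
    """Reasons to reject a backup archive; extract only when the list is empty.
    Inspects headers only, so nothing is written anywhere."""
    findings = []
    total = 0
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        members = tar.getmembers()
        if len(members) > MAX_MEMBERS:
            findings.append("archive has %d members, limit is %d" % (len(members), MAX_MEMBERS))
        for m in members:
            path = PurePosixPath(m.name)
            if path.is_absolute() or ".." in path.parts:
                findings.append("%s: path traversal outside the restore directory" % m.name)
            if m.issym() or m.islnk():
                findings.append("%s: link to %s (a later write through it lands outside the backup)"
                                % (m.name, m.linkname))
            elif not (m.isfile() or m.isdir()):
                findings.append("%s: special file of type %r" % (m.name, m.type))
            total += m.size
    if total > MAX_TOTAL_BYTES:
        findings.append("archive unpacks to %d bytes, limit is %d" % (total, MAX_TOTAL_BYTES))
    return findings


def _add_file(tar, name: str, payload: bytes):
    info = tarfile.TarInfo(name)
    info.size = len(payload)
    tar.addfile(info, io.BytesIO(payload))


def build_clean_backup() -> bytes:
    """Constructed fixture: one ordinary config file under a relative directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add_file(tar, "backup/wifi.conf", b"ssid=UPC0000000\n")
    return buf.getvalue()


def build_malicious_backup() -> bytes:
    """Constructed fixture reproducing the slide's two archive flaws: a symlink that
    points at the CGI directory and a member whose path climbs out of the restore dir."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add_file(tar, "backup/wifi.conf", b"ssid=UPC0000000\n")
        link = tarfile.TarInfo("backup/cgi-bin")
        link.type = tarfile.SYMTYPE
        link.linkname = "/usr/www/cgi-bin"   # placeholder target, not a real firmware path
        tar.addfile(link)
        _add_file(tar, "../etc/placeholder.conf", b"placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    print("clean:", audit_backup_tar(build_clean_backup()))
    print("malicious:", audit_backup_tar(build_malicious_backup()))
    print("password:", check_restore_password("x" * 70000))
```

The order matters: the member walk happens on headers alone, and extraction only follows a clean audit, so a link member never gets the chance to redirect a later write. The same check applies to any device that accepts a user-supplied archive for "restore" or "upload".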
  • 63. War driving #1 – Brno 02/2016
• 66. Brno 02/2016 – results
    Category                  Count    Share      Label
    Total networks            17 516
    UPC networks               2 868   16.37 %    UPC
    UPC vulnerable             1 835   63.98 %    UPC
    UBEE vulnerable              443   15.45 %    UPC
    Technicolor vulnerable     1 392   48.54 %    UPC
    UBEE changed                  98   18.11 %    UBEE
    Technicolor changed          304   17.92 %    Tech.
  • 67. War driving #2 – Bratislava 10/2016
• 69. Bratislava 10/2016 – results
    Category                  Count    Share      Label
    Total networks            22 172
    UPC networks               3 092   13.95 %    UPC
    UPC vulnerable             1 327   42.92 %    UPC
    UBEE vulnerable              822   26.58 %    UPC
    Technicolor vulnerable       505   16.33 %    UPC
    UBEE changed                 205   19.96 %    UBEE
    Technicolor changed           96    3.10 %    Tech.
    Compal CH7465LG              930   30.08 %    UPC
• 70. New target
  • Security Swiss cheese
  • 35 vulnerabilities found by independent security team
  • Default WPA2 seems to be properly implemented - allegedly
• 71. Recap
  • Firmware dumped
  • WPA2 pwd gen reverse engineered
  • Function statistical analysis
  • Wardriving
  • Android app for automated testing
• 72. Timeline
  • 27. Jan 2016: Start of the analysis.
  • 04. Feb 2016: Official disclosure to Liberty Global.
  • 04. May 2016: Check with Liberty Global on state of the fix.
  • 28. Jun 2016: Sending this article for review to Liberty Global.
  • 04. Jul 2016: Publication of the research.
  • 73. Thank you for your attention! Questions
• 74. References / resources
  • https://deadcode.me/blog/2016/07/01/UPC-UBEE-EVW3226-WPA2-Reversing.html
  • https://www.freeture.ch/?p=766
  • http://jcjc-dev.com/2016/06/08/reversing-huawei-4-dumping-flash/
  • https://haxx.in/upc-wifi/
  • https://firefart.at/post/upc_ubee_fail/
  • http://www.wifileaks.cz/
  • http://www.search-lab.hu/advisories/122-ubee-evw3226-modem-router-multiple-vulnerabilities
  • http://www.search-lab.hu/advisories/secadv-20150720
  • http://www.search-lab.hu/media/Compal_CH7465LG_Evaluation_Report_1.1.pdf
  • https://github.com/devttys0/binwalk