
[CB16] Who put the backdoor in my modem? by Ewerson Guimaraes


For quite some time we have been seeing espionage cases affecting countries, governments and large companies.
A large number of backdoors have been found in network devices, mobile phones and related equipment, the best-known being the cases reported by the media, involving TP-Link, D-Link, Linksys, Samsung and other internationally renowned companies.
This talk discusses a backdoor found in the rtn modem/router, a device with a big question mark hanging over it: there is no vendor identification and no information about who its manufacturer is, at least 7 companies are linked to its production, sales and distribution, and some of them never really existed.

This led us to the question in the research title: "Who put the backdoor in my modem?"

--- Ewerson Guimaraes

Degree in Computer Science from Fumec University, Security Analyst and Researcher at Epam Systems. Certified by Offensive Security (OSCP) and eLearnSecurity (WPT) as a pentester, Ewerson has published articles in the Brazilian information security and computing magazines H4ck3r and GEEK, and has posted exploits and advisories on SecurityFocus for vulnerabilities found in the products of big companies such as IBM, McAfee, Skype, Technicolor, Tufin, TrendMicro and others. He has contributed modules to the Metasploit Framework project. He is the founder of BHack Conference and of Area31, the first hackerspace in Minas Gerais, and is an active Kali Linux community contributor.


  1. CONFIDENTIAL Who put the backdoor in my router? Ewerson Guimarães (Crash) / 2016
  2. Research Information: This talk was born in the Área31 hackerspace. All information contained here is public. No one was hacked (cof cof).
  3. About Ewerson (Crash):
  4. Background...
  5. Background...
  6. Background...
  7. Background...
  8. Let's start...
  9. We won't talk about the backdoor itself, so…
  10. Here is the backdoor...
  11. Usernames are equal, but one is a backdoor account.
  12. Transforming a single user into a backdoor...
  13. Let's analyze the hardware.
  14. The Strange Device: Strange ID TAG!
  15. The strange Device: The device is approved by ANATEL (Brazilian National Telecommunication Agency).
  16. The strange Device: The device is approved by ANATEL (Brazilian National Telecommunication Agency).
  17. More strange stuff... BayTech:
  18. BayTech:
  19. More strange stuff... If you look for S&T Technology Shen Zhen .Co LTD:
  20. More strange stuff... In the device manager you can see Observa Telecom, but.... The vendor's website exists, but it is a single branded blank page, without any links to other areas such as manuals, support and firmware.
  21. More strange stuff... Of course, he didn't reply to (11) emails...
  22. More strange stuff... This device is distributed by GVT (Global Village Telecom). According to GVT technical support and its site, this modem/router is not supported by them. Don't believe it? Take a look at: http://www.gvt.com.br/PortalGVT/Atendimento/Area-Aberta/Documentos/Lista-de-Modens
  23. More strange stuff... Opening its firmware in a hex viewer... Wow, wait, it's made by TP-Link??????
  24. More strange stuff... The backdoor password: MAC address last two octets + "airocon" string.
  25. More strange stuff... What is Airocon?
  26. More strange stuff... What is Airocon?
  27. More strange stuff... The last available site (Mar. 2005).
  28. More strange stuff... Do you remember the tag ID and the Anatel seal? Bingo! 41C3
  29. ...and to finish this strange part... Hardware vendor: Realtek.
  30. Inside of backdoor... Login with the normal admin user (admin:gtv12345). The commands "sh" and "login show" are disabled.
  31. Inside of backdoor... When logged in with a backdoor account:
  32. Inside of backdoor... The "login show" command shows the backdoor account (which is hidden on the web interface).
  33. Inside of backdoor... Taking a closer look at the device's memory, it was possible to find some interesting information: a redirection link to a Chinese company; even after a reset it was possible to retrieve the device's previous user name; the device saves neighbouring network names.
  34. Inside of backdoor... Sensitive data about GVT credential services:
  35. Inside of backdoor... Furthermore, the admin page for the backdoor user is completely different from the common admin page.
  36. Inside of backdoor... The factory default password is not admin:admin, admin:12345 or admin: . You can do the factory reset! The password is still admin:gvt12345.
  37. Outside of backdoor... Shodan is your friend, or not... Devices exposed on the internet: almost 5600.
  38. Small shell script: root@anubis:~# ./gvtfucker.sh GVT RTN04 F*cker Testing:177.206.29.204 Backdoor password: airocon2533 Testing:179.179.72.251 Testing:189.113.134.199 Backdoor password: airocon0E6B Testing:186.213.233.192 Testing:186.215.19.197 Testing:189.113.136.93 Backdoor password: airoconCE4A Testing:189.113.138.111 Testing:189.113.137.203 Testing:189.26.50.164 Testing:189.58.16.44 Testing:191.248.83.225 Testing:177.132.241.119 Backdoor password: airocon02CC Testing:177.156.255.85 Testing:177.156.36.116 Backdoor password: airoconFA1E Testing:177.157.166.210 Testing:187.59.45.9 Testing:189.113.131.161 Testing:189.113.131.197 Testing:189.113.134.226 Testing:189.113.137.32 Testing:189.113.138.111 Backdoor password: airoconDA32
  39. Outside of backdoor...
  40. Outside of backdoor...
  41. Inside again
  42. Updates.... Around 1 year later, the Observa site was updated.
  43. Updates.... Around 1 year later, the Observa site was updated.
  44. Updates.... I tried another contact...
  45. How to fix: Change the backdoor flag, upload the file and never reset to factory defaults. OR / AND, of course, disable remote access. Hack the firmware.
  46. Considerations: AUDIT YOUR DEVICES! BURN YOUR DEVICES! FUZZ and F*CK YOUR DEVICES!
  47. And the golden question: Who put the backdoor in my router?
  48. Questions? Please say your full name before asking*. * I have a Death Note.
  49. THANKS
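The slides describe three symptoms an owner could check for on a device like this: the CLI account listing ("login show") contains an account that shares the admin's username but is hidden from the web interface, the CLI knows more accounts than the web UI displays, and the hidden account survives a factory reset. The audit script below is an added example, not code from the talk or from any vendor: it parses a constructed account listing whose column layout and "hidden" flag are assumptions for this example (the real RTN output format is not on the page), cross-checks it against the web UI's user list, and reports accounts that persist across a reset. Adapt ROW_RE to whatever your own device prints.

```python
"""Audit a router's CLI account listing for hidden or duplicated accounts.

Added example (not from the CB16 talk). The listing format below is
constructed for this example; the real device's output will differ.
"""
import re
from collections import Counter

# Constructed sample: a CLI "login show"-style listing and the web UI's
# user list for the same device. The column layout and the "hidden"
# column are assumptions made for this example.
CLI_LOGIN_SHOW = """\
idx  user   priv   hidden
1    admin  admin  no
2    admin  admin  yes
3    user   user   no
"""

# Constructed listing of the same device after a factory reset:
# entry 2 is still there, which is the behaviour the talk describes.
CLI_LOGIN_SHOW_AFTER_RESET = """\
idx  user   priv   hidden
1    admin  admin  no
2    admin  admin  yes
"""

# Constructed: what the web UI's user management page displays.
WEBUI_USERS = ["admin", "user"]

# One account row: index, username, privilege level, hidden yes/no.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(yes|no)\s*$")


def parse_login_show(text):
    """Parse the listing into dicts; the header line does not match ROW_RE."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            idx, user, priv, hidden = m.groups()
            rows.append({"idx": int(idx), "user": user, "priv": priv,
                         "hidden": hidden == "yes"})
    return rows


def audit_accounts(cli_rows, webui_users):
    """Return human-readable findings pointing at a possible hidden account."""
    findings = []
    # Same username twice on the CLI: the pattern from slide 11.
    for user, n in Counter(r["user"] for r in cli_rows).items():
        if n > 1:
            findings.append(f"username '{user}' appears {n} times on the CLI")
    # Any entry the CLI itself marks as hidden from the web interface.
    for r in cli_rows:
        if r["hidden"]:
            findings.append(f"CLI entry {r['idx']} ('{r['user']}') is flagged hidden")
    # The CLI knows more logins than the web UI shows.
    if len(cli_rows) > len(webui_users):
        findings.append(f"CLI lists {len(cli_rows)} accounts but the web UI shows "
                        f"{len(webui_users)}")
    return findings


def persistent_hidden_accounts(before_rows, after_rows):
    """Return (idx, user) of hidden entries present both before and after a reset."""
    before = {(r["idx"], r["user"]) for r in before_rows if r["hidden"]}
    after = {(r["idx"], r["user"]) for r in after_rows if r["hidden"]}
    return sorted(before & after)


if __name__ == "__main__":
    rows = parse_login_show(CLI_LOGIN_SHOW)
    for finding in audit_accounts(rows, WEBUI_USERS):
        print("FINDING:", finding)
    after = parse_login_show(CLI_LOGIN_SHOW_AFTER_RESET)
    for idx, user in persistent_hidden_accounts(rows, after):
        print(f"FINDING: hidden entry {idx} ('{user}') survived the factory reset")
```

The three findings on the constructed sample (duplicate "admin", entry 2 flagged hidden, three CLI accounts versus two in the web UI) are each independently suspicious; together with a hidden entry that survives a reset, they match the behaviour the talk attributes to the backdoor account, and slide 45's remedy (clearing the flag in the uploaded configuration and disabling remote access) is what you would verify afterwards by running the same audit again.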
