Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить Большого Брата

Positive Hack Days
Positive Hack DaysPositive Hack Days
How to build Big Brother With blackjack and h--kers Yunusov Timur, Senior expert, Head of dept
How to build Big Brother With blackjack and h--kers With 3G modems and hackers Yunusov Timur, Senior expert, Head of dept
How to build Big Brother When/Who/Where/And why??? • 2014-2015
How to build Big Brother When/Who/Where/And why??? • 2014-2015 • «root via SMS» SCADA Strange Love https://youtu.be/T9AFFIVpCa8 • Russia and the whole world
How to build Big Brother When/Who/Where/And why??? • 2014-2015 • «root via SMS» SCADA Strange Love https://youtu.be/T9AFFIVpCa8 • Russia and the whole world • Cause nobody cares(((
How to build Big Brother Boring numbers
How to build Big Brother Boring numbers • >10 (8 diff) 3G/4G modems/routers • 75% vulns to RCE/fw modification • 60% RCE are 0days
How to build Big Brother Boring numbers • ~60 000 devices/1M/Telco • 5000 devices/1W/SecurityLab • 100% vulns to RCE/fw modification
How to build Big Brother How?
How to build Big Brother How? +
How to build Big Brother How? 1. Identification 2. Code injection 3. Data interception 4. SIM cloning / GSM Attacks 5. Host Infection 6. APT 7. Return to 1.
How to build Big Brother Identification
How to build Big Brother Identification • WHOIS?
How to build Big Brother Identification <img src="http://192.168.0.1/img/1.png" style="height:0;width:0;" onload="set('1')"> <img src="http://192.168.0.1/img/2.jpg" style="height:0;width:0;" onload="set('2')"> <img src="http://hostname/img/3.png" style="height:0;width:0;" onload="set('3')"> <img src="http://127.0.0.1:5000/request" style="height:0;width:0;" onload="set('4')">
How to build Big Brother Identification • GeoIP?
How to build Big Brother Code Injection • Public exploits + old FW • Blackbox • FW Access + FW RE + IDA • FW modification + Arbitrary upload
How to build Big Brother Code Injection • Public exploits + old FW
How to build Big Brother Code Injection • Blackbox • ?action=ping||shutdown –r 0|| • ?date=;ping blahblah.com;
How to build Big Brother Code Injection • Blackbox
How to build Big Brother Code Injection • FW Access + FW RE + IDA • Greetings: • Kirill Nesterov, • Dmitry Sklyarov
How to build Big Brother Code Injection • FW modification + Arbitrary upload
How to build Big Brother Code Injection • FW modification + Arbitrary upload • Integrity attacks
How to build Big Brother Code Injection • FW modification + Arbitrary upload • Integrity attacks • Remote upload (CSRF/XSS)
How to build Big Brother Code Injection • FW modification + Arbitrary upload • Integrity attacks • Remote upload (CSRF/XSS) • Local upload (diag mode)
How to build Big Brother Code Injection • FW modification + Arbitrary upload • Integrity attacks
How to build Big Brother FW Integrity Control • FW encrypted via RC4 • RSA Digital Signature +SHA1
How to build Big Brother FW Integrity Control
How to build Big Brother FW Integrity Control • FW encrypted via RC4
How to build Big Brother FW Integrity Control • FW encrypted via RC4 • Constant keystream FAIL • Part1 XOR Part2 FAIL • FW1 XOR FW2 FAIL • Lot of plaintext (CDROM) FAIL
How to build Big Brother FW Integrity Control • FW encrypted via RC4 FAIL
How to build Big Brother FW Integrity Control • RSA Digital Signature +SHA1 • AR: !<arch>: • FW • pkginfo: <7742526> • Sign=RSA(SHA1(FW[0..7742526]))
How to build Big Brother FW Integrity Control • RSA Digital Signature +SHA1
How to build Big Brother FW Integrity Control • RSA Digital Signature +SHA1 • ar --add data.tar.gz • ar -v • data.tar.gz • sign • pkginfo • data.tar.gz
How to build Big Brother FW Integrity Control • RSA Digital Signature +SHA1 FAIL • ar --add data.tar.gz • ar -v • data.tar.gz • sign • pkginfo • data.tar.gz
How to build Big Brother FW upload/CSRF http://blog.kotowicz.net/2011/04/ how-to-upload-arbitrary-file-contents.html
How to build Big Brother FW upload/ XSS • HUAWEI PSIRT 436642 (2015-05-29) http://www1.huawei.com/en/security/psirt/security- bulletins/security-notices/archive/hw-436642.htm
How to build Big Brother Data interception • Cell ID • WiFi • SMS • HTTP • SSL
How to build Big Brother Data interception • Cell ID • http://opencellid.org/ + XSS
How to build Big Brother Data interception • WiFi
How to build Big Brother Data interception • SMS
How to build Big Brother Data interception • HTTP • ARP-spoofing • DNS-spoofing
How to build Big Brother Data interception • SSL • Host RCE
How to build Big Brother SIM Cloning • Fake BTS + Binary SMS • GEO(!) • IMSI https://media.blackhat.com/us-13/us-13-Nohl-Rooting- SIM-cards-Slides.pdf
How to build Big Brother SIM Cloning • Use The Force
How to build Big Brother SIM Cloning • Diag mode
How to build Big Brother SIM Cloning • Send AT commands • AT+CMGF=0
How to build Big Brother GSM Attacks • Huawei: Remote(!) osmocomm for beggars • VxWorks on baseband hi6920 ― Loaded by Linux ― Packed on flash ― dmesg => load vxworks ok, entey 0x50d10000 ― Cshell • OS communication • Builtin debuger ― Nearly all names of objects/functions ― POSIX + documentation
How to build Big Brother Host Infection • BadUSB • Fake diagnostic tools/CDROM • HTML Injection + 0day • Even real diagnostic tools =))
How to build Big Brother Host Infection • BadUSB • Android gadget driver (supported_functions patching) • HID Gadget onboard! • Lots of boring stuff
How to build Big Brother Host Infection • Drive By Download • CDROM
How to build Big Brother Host Infection • HTML Injection + 0day
How to build Big Brother Host Infection • Kudos to @cyberpunkych • Lots of other stuff at yota.hlsec.ru • But nobody cares(((
How to build Big Brother APT
How to build Big Brother APT
How to build Big Brother APT • Subscribers attacks Subscribers • LISTEN 0.0.0.0:80 • Firewalls
How to build Big Brother Boring numbers
How to build Big Brother Fun numbers • Remote Code Execution via WEB: 5 dev • Arbitrary FW modification (rem/loc): 6 dev • CSRF: 5 dev • XSS: 4 dev
How to build Big Brother DEMO
How to build Big Brother Kudos • @cyberpunkych • D. Sklyarov • K. Nesterov • Al. Osipov • @SCADASL
Stay secure! Questions?
1 of 60

Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить Большого Брата

Download to read offline
Internet

Презентация эксперта Positive Technologies Тимура Юнусова

Positive Hack Days
Positive Hack DaysPositive Hack Days

Recommended

D1 t1 t. yunusov k. nesterov - bootkit via sms by
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsqqlan
4.8K views84 slides
How to hack a telecommunication company and stay alive. Sergey Gordeychik by
How to hack a telecommunication company and stay alive. Sergey GordeychikHow to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey GordeychikPositive Hack Days
7.5K views71 slides
Буткит через СМС: оценка безопасности сети 4G by
Буткит через СМС: оценка безопасности сети 4GБуткит через СМС: оценка безопасности сети 4G
Буткит через СМС: оценка безопасности сети 4GPositive Hack Days
1.1K views35 slides
Greater China Cyber Threat Landscape - ISC 2016 by
Greater China Cyber Threat Landscape - ISC 2016Greater China Cyber Threat Landscape - ISC 2016
Greater China Cyber Threat Landscape - ISC 2016Sergey Gordeychik
1.9K views41 slides
Adventures in Femtoland: 350 Yuan for Invaluable Fun by
Adventures in Femtoland: 350 Yuan for Invaluable FunAdventures in Femtoland: 350 Yuan for Invaluable Fun
Adventures in Femtoland: 350 Yuan for Invaluable Funarbitrarycode
9.7K views87 slides
How to hack a telecom and stay alive by
How to hack a telecom and stay aliveHow to hack a telecom and stay alive
How to hack a telecom and stay aliveqqlan
6.8K views71 slides

More Related Content

What's hot

Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015 by
Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015
Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015CODE BLUE
2.3K views57 slides
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam... by
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Zoltan Balazs
3.8K views65 slides
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones by
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phonesDefcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phonesPriyanka Aash
3.7K views58 slides
IoT security is a nightmare. But what is the real risk? by
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?Zoltan Balazs
7.9K views58 slides
Sergio González - WiFiSlax 4.0 [RootedCON 2010] by
Sergio González - WiFiSlax 4.0 [RootedCON 2010]Sergio González - WiFiSlax 4.0 [RootedCON 2010]
Sergio González - WiFiSlax 4.0 [RootedCON 2010]RootedCON
1.9K views29 slides
Defcon 22-weston-hecker-burner-phone-ddos by
Defcon 22-weston-hecker-burner-phone-ddosDefcon 22-weston-hecker-burner-phone-ddos
Defcon 22-weston-hecker-burner-phone-ddosPriyanka Aash
3.5K views40 slides

What's hot(20)

Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015 by CODE BLUE
Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015
Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015
CODE BLUE2.3K views
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam... by Zoltan Balazs
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Zoltan Balazs3.8K views
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones by Priyanka Aash
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phonesDefcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Priyanka Aash3.7K views
IoT security is a nightmare. But what is the real risk? by Zoltan Balazs
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?
Zoltan Balazs7.9K views
Sergio González - WiFiSlax 4.0 [RootedCON 2010] by RootedCON
Sergio González - WiFiSlax 4.0 [RootedCON 2010]Sergio González - WiFiSlax 4.0 [RootedCON 2010]
Sergio González - WiFiSlax 4.0 [RootedCON 2010]
RootedCON1.9K views
Defcon 22-weston-hecker-burner-phone-ddos by Priyanka Aash
Defcon 22-weston-hecker-burner-phone-ddosDefcon 22-weston-hecker-burner-phone-ddos
Defcon 22-weston-hecker-burner-phone-ddos
Priyanka Aash3.5K views
Shameful secrets of proprietary network protocols by Slawomir Jasek
Shameful secrets of proprietary network protocolsShameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocols
Slawomir Jasek432 views
Fundamentals of network hacking by Pranshu Pareek
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hacking
Pranshu Pareek91 views
"Attacking industrial remote controllers for fun and profit" - Dr. Marco Bald... by PROIDEA
"Attacking industrial remote controllers for fun and profit" - Dr. Marco Bald..."Attacking industrial remote controllers for fun and profit" - Dr. Marco Bald...
"Attacking industrial remote controllers for fun and profit" - Dr. Marco Bald...
PROIDEA186 views
" Breaking Extreme Networks WingOS: How to own millions of devices running on... by PROIDEA
" Breaking Extreme Networks WingOS: How to own millions of devices running on..." Breaking Extreme Networks WingOS: How to own millions of devices running on...
" Breaking Extreme Networks WingOS: How to own millions of devices running on...
PROIDEA103 views
Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis by P1Security
Hacking Telco equipment: The HLR/HSS, by Laurent GhigonisHacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
P1Security 31K views
FortiGate 60C by dwaeyaert
FortiGate 60CFortiGate 60C
FortiGate 60C
dwaeyaert4.9K views
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand... by Sergey Gordeychik
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Sergey Gordeychik514 views
[ENG] IPv6 shipworm + My little Windows domain pwnie by Zoltan Balazs
[ENG] IPv6 shipworm + My little Windows domain pwnie[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnie
Zoltan Balazs1.6K views
SD-WAN Internet Census, Zeronighst 2018 by Sergey Gordeychik
SD-WAN Internet Census, Zeronighst 2018SD-WAN Internet Census, Zeronighst 2018
SD-WAN Internet Census, Zeronighst 2018
Sergey Gordeychik622 views
Attacking and Securing WPA Enterprise Networks by Northeast Ohio Information Security Forum
Attacking and Securing WPA Enterprise NetworksAttacking and Securing WPA Enterprise Networks
Attacking and Securing WPA Enterprise Networks
Northeast Ohio Information Security Forum20.3K views
Denis Baranov: Root via XSS by qqlan
Denis Baranov: Root via XSSDenis Baranov: Root via XSS
Denis Baranov: Root via XSS
qqlan3.7K views
CCNP Security-Secure by mohannadalhanahnah
CCNP Security-SecureCCNP Security-Secure
CCNP Security-Secure
mohannadalhanahnah1.4K views
Workshop on Wireless Security by amiable_indian
Workshop on Wireless SecurityWorkshop on Wireless Security
Workshop on Wireless Security
amiable_indian3.5K views
Anton Chuvakin on Honeypots by Anton Chuvakin
Anton Chuvakin on HoneypotsAnton Chuvakin on Honeypots
Anton Chuvakin on Honeypots
Anton Chuvakin1.8K views

Viewers also liked

Современные DDoS-атаки: тенденции, опасность, подходы к защите by
Современные DDoS-атаки: тенденции, опасность, подходы к защитеСовременные DDoS-атаки: тенденции, опасность, подходы к защите
Современные DDoS-атаки: тенденции, опасность, подходы к защитеPositive Hack Days
1.2K views16 slides
InfiltrateCon 2016 - Why Nation-State Hack Telco Networks by
InfiltrateCon 2016 - Why Nation-State Hack Telco NetworksInfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco NetworksOmer Coskun
1.4K views107 slides
Attacking GRX - GPRS Roaming eXchange by
Attacking GRX - GPRS Roaming eXchangeAttacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeP1Security
8.4K views46 slides
How to Intercept a Conversation Held on the Other Side of the Planet by
How to Intercept a Conversation Held on the Other Side of the PlanetHow to Intercept a Conversation Held on the Other Side of the Planet
How to Intercept a Conversation Held on the Other Side of the PlanetPositive Hack Days
137.4K views140 slides
HITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks by
HITB Labs: Practical Attacks Against 3G/4G Telecommunication NetworksHITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
HITB Labs: Practical Attacks Against 3G/4G Telecommunication NetworksJim Geovedi
5.1K views63 slides
4G LTE Security - What hackers know? by
4G LTE Security - What hackers know?4G LTE Security - What hackers know?
4G LTE Security - What hackers know?Stephen Kho
6.1K views29 slides

Viewers also liked(6)

Современные DDoS-атаки: тенденции, опасность, подходы к защите by Positive Hack Days
Современные DDoS-атаки: тенденции, опасность, подходы к защитеСовременные DDoS-атаки: тенденции, опасность, подходы к защите
Современные DDoS-атаки: тенденции, опасность, подходы к защите
Positive Hack Days1.2K views
InfiltrateCon 2016 - Why Nation-State Hack Telco Networks by Omer Coskun
InfiltrateCon 2016 - Why Nation-State Hack Telco NetworksInfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco Networks
Omer Coskun1.4K views
Attacking GRX - GPRS Roaming eXchange by P1Security
Attacking GRX - GPRS Roaming eXchangeAttacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchange
P1Security 8.4K views
How to Intercept a Conversation Held on the Other Side of the Planet by Positive Hack Days
How to Intercept a Conversation Held on the Other Side of the PlanetHow to Intercept a Conversation Held on the Other Side of the Planet
How to Intercept a Conversation Held on the Other Side of the Planet
Positive Hack Days137.4K views
HITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks by Jim Geovedi
HITB Labs: Practical Attacks Against 3G/4G Telecommunication NetworksHITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
HITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
Jim Geovedi5.1K views
4G LTE Security - What hackers know? by Stephen Kho
4G LTE Security - What hackers know?4G LTE Security - What hackers know?
4G LTE Security - What hackers know?
Stephen Kho6.1K views

Similar to Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить Большого Брата

How to build Big Brother by
How to build Big BrotherHow to build Big Brother
How to build Big BrotherPayment Village
610 views57 slides
Don Bailey - A Million Little Tracking Devices by
Don Bailey - A Million Little Tracking DevicesDon Bailey - A Million Little Tracking Devices
Don Bailey - A Million Little Tracking DevicesSource Conference
655 views72 slides
Programming for the Internet of Things by
Programming for the Internet of ThingsProgramming for the Internet of Things
Programming for the Internet of ThingsKinoma
2.2K views45 slides
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal by
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON
4K views43 slides
Country domination - Causing chaos and wrecking havoc by
Country domination - Causing chaos and wrecking havocCountry domination - Causing chaos and wrecking havoc
Country domination - Causing chaos and wrecking havocTiago Henriques
1.5K views78 slides
Fun With SHA2 Certificates by
Fun With SHA2 CertificatesFun With SHA2 Certificates
Fun With SHA2 CertificatesGabriella Davis
3.1K views54 slides

Similar to Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить Большого Брата(20)

How to build Big Brother by Payment Village
How to build Big BrotherHow to build Big Brother
How to build Big Brother
Payment Village610 views
Don Bailey - A Million Little Tracking Devices by Source Conference
Don Bailey - A Million Little Tracking DevicesDon Bailey - A Million Little Tracking Devices
Don Bailey - A Million Little Tracking Devices
Source Conference655 views
Programming for the Internet of Things by Kinoma
Programming for the Internet of ThingsProgramming for the Internet of Things
Programming for the Internet of Things
Kinoma2.2K views
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal by 44CON
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON4K views
Country domination - Causing chaos and wrecking havoc by Tiago Henriques
Country domination - Causing chaos and wrecking havocCountry domination - Causing chaos and wrecking havoc
Country domination - Causing chaos and wrecking havoc
Tiago Henriques1.5K views
Fun With SHA2 Certificates by Gabriella Davis
Fun With SHA2 CertificatesFun With SHA2 Certificates
Fun With SHA2 Certificates
Gabriella Davis3.1K views
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like... by Felipe Prado
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
Felipe Prado106 views
Uncommon MiTM in uncommon conditions by HeadLightSecurity
Uncommon MiTM in uncommon conditionsUncommon MiTM in uncommon conditions
Uncommon MiTM in uncommon conditions
HeadLightSecurity5.6K views
Security events in 2014 by Chong-Kuan Chen
Security events in 2014Security events in 2014
Security events in 2014
Chong-Kuan Chen1.3K views
Silverlight vs HTML5 - Lessons learned from the real world... by Peter Gfader
Silverlight vs HTML5 - Lessons learned from the real world...Silverlight vs HTML5 - Lessons learned from the real world...
Silverlight vs HTML5 - Lessons learned from the real world...
Peter Gfader1.8K views
Wi-Fi Denver OWASP Presentation Feb. 15, 2017 by keyalea
Wi-Fi Denver OWASP Presentation Feb. 15, 2017Wi-Fi Denver OWASP Presentation Feb. 15, 2017
Wi-Fi Denver OWASP Presentation Feb. 15, 2017
keyalea248 views
Defcon Moscow #0x0A - Oleg Kupreev "Uncommon MiTM in uncommon conditions" by Defcon Moscow
Defcon Moscow #0x0A - Oleg Kupreev "Uncommon MiTM in uncommon conditions"Defcon Moscow #0x0A - Oleg Kupreev "Uncommon MiTM in uncommon conditions"
Defcon Moscow #0x0A - Oleg Kupreev "Uncommon MiTM in uncommon conditions"
Defcon Moscow3.7K views
Wi-Fi Hotspot Attacks by Greg Foss
Wi-Fi Hotspot AttacksWi-Fi Hotspot Attacks
Wi-Fi Hotspot Attacks
Greg Foss10.3K views
A million little tracking devices - Don Bailey by idsecconf
A million little tracking devices - Don BaileyA million little tracking devices - Don Bailey
A million little tracking devices - Don Bailey
idsecconf621 views
Phonegap for Engineers by Brian LeRoux
Phonegap for EngineersPhonegap for Engineers
Phonegap for Engineers
Brian LeRoux2K views
HTML5 is the Future of Mobile, PhoneGap Takes You There Today by davyjones
HTML5 is the Future of Mobile, PhoneGap Takes You There TodayHTML5 is the Future of Mobile, PhoneGap Takes You There Today
HTML5 is the Future of Mobile, PhoneGap Takes You There Today
davyjones74.8K views
SIMCON 3 by Dan Jenkins
SIMCON 3SIMCON 3
SIMCON 3
Dan Jenkins283 views
雲端影音與物聯網平台的軟體工程挑戰:以 Skywatch 為例-陳維超 by 台灣資料科學年會
雲端影音與物聯網平台的軟體工程挑戰:以 Skywatch 為例-陳維超雲端影音與物聯網平台的軟體工程挑戰:以 Skywatch 為例-陳維超
雲端影音與物聯網平台的軟體工程挑戰:以 Skywatch 為例-陳維超
台灣資料科學年會7.9K views
Get Connected Minehead 05.04 by Get up to Speed
Get Connected Minehead 05.04Get Connected Minehead 05.04
Get Connected Minehead 05.04
Get up to Speed88 views
HKNOG 1.0 - DDoS attacks in an IPv6 World by Tom Paseka
HKNOG 1.0 - DDoS attacks in an IPv6 WorldHKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 World
Tom Paseka5.7K views

More from Positive Hack Days

Инструмент ChangelogBuilder для автоматической подготовки Release Notes by
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesPositive Hack Days
2.6K views26 slides
Как мы собираем проекты в выделенном окружении в Windows Docker by
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerPositive Hack Days
1.1K views26 slides
Типовая сборка и деплой продуктов в Positive Technologies by
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesPositive Hack Days
902 views29 slides
Аналитика в проектах: TFS + Qlik by
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikPositive Hack Days
883 views16 slides
Использование анализатора кода SonarQube by
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQubePositive Hack Days
1K views15 slides
Развитие сообщества Open DevOps Community by
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityPositive Hack Days
901 views18 slides

More from Positive Hack Days(20)

Инструмент ChangelogBuilder для автоматической подготовки Release Notes by Positive Hack Days
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Positive Hack Days2.6K views
Как мы собираем проекты в выделенном окружении в Windows Docker by Positive Hack Days
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows Docker
Positive Hack Days1.1K views
Типовая сборка и деплой продуктов в Positive Technologies by Positive Hack Days
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive Technologies
Positive Hack Days902 views
Аналитика в проектах: TFS + Qlik by Positive Hack Days
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + Qlik
Positive Hack Days883 views
Использование анализатора кода SonarQube by Positive Hack Days
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQube
Positive Hack Days1K views
Развитие сообщества Open DevOps Community by Positive Hack Days
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps Community
Positive Hack Days901 views
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци... by Positive Hack Days
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Positive Hack Days758 views
Автоматизация построения правил для Approof by Positive Hack Days
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для Approof
Positive Hack Days1.5K views
Мастер-класс «Трущобы Application Security» by Positive Hack Days
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»
Positive Hack Days893 views
Формальные методы защиты приложений by Positive Hack Days
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложений
Positive Hack Days887 views
Эвристические методы защиты приложений by Positive Hack Days
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложений
Positive Hack Days911 views
Теоретические основы Application Security by Positive Hack Days
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application Security
Positive Hack Days738 views
От экспериментального программирования к промышленному: путь длиной в 10 лет by Positive Hack Days
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 лет
Positive Hack Days637 views
Уязвимое Android-приложение: N проверенных способов наступить на грабли by Positive Hack Days
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Positive Hack Days813 views
Требования по безопасности в архитектуре ПО by Positive Hack Days
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПО
Positive Hack Days784 views
Формальная верификация кода на языке Си by Positive Hack Days
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке Си
Positive Hack Days1.1K views
Механизмы предотвращения атак в ASP.NET Core by Positive Hack Days
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
Positive Hack Days813 views
SOC для КИИ: израильский опыт by Positive Hack Days
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опыт
Positive Hack Days775 views
Honeywell Industrial Cyber Security Lab & Services Center by Positive Hack Days
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services Center
Positive Hack Days647 views
Credential stuffing и брутфорс-атаки by Positive Hack Days
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атаки
Positive Hack Days596 views

Recently uploaded

Marketing and Community Building in Web3 by
Marketing and Community Building in Web3Marketing and Community Building in Web3
Marketing and Community Building in Web3Federico Ast
12 views64 slides
Building trust in our information ecosystem: who do we trust in an emergency by
Building trust in our information ecosystem: who do we trust in an emergencyBuilding trust in our information ecosystem: who do we trust in an emergency
Building trust in our information ecosystem: who do we trust in an emergencyTina Purnat
92 views18 slides
How to think like a threat actor for Kubernetes.pptx by
How to think like a threat actor for Kubernetes.pptxHow to think like a threat actor for Kubernetes.pptx
How to think like a threat actor for Kubernetes.pptxLibbySchulze1
5 views33 slides
DU Series - Day 4.pptx by
DU Series - Day 4.pptxDU Series - Day 4.pptx
DU Series - Day 4.pptxUiPathCommunity
100 views28 slides
information by
informationinformation
informationkhelgishekhar
8 views4 slides
𝐒𝐨𝐥𝐚𝐫𝐖𝐢𝐧𝐝𝐬 𝐂𝐚𝐬𝐞 𝐒𝐭𝐮𝐝𝐲 by
𝐒𝐨𝐥𝐚𝐫𝐖𝐢𝐧𝐝𝐬 𝐂𝐚𝐬𝐞 𝐒𝐭𝐮𝐝𝐲𝐒𝐨𝐥𝐚𝐫𝐖𝐢𝐧𝐝𝐬 𝐂𝐚𝐬𝐞 𝐒𝐭𝐮𝐝𝐲
𝐒𝐨𝐥𝐚𝐫𝐖𝐢𝐧𝐝𝐬 𝐂𝐚𝐬𝐞 𝐒𝐭𝐮𝐝𝐲Infosec train
9 views6 slides

Recently uploaded(12)

Marketing and Community Building in Web3 by Federico Ast
Marketing and Community Building in Web3Marketing and Community Building in Web3
Marketing and Community Building in Web3
Federico Ast12 views
Building trust in our information ecosystem: who do we trust in an emergency by Tina Purnat
Building trust in our information ecosystem: who do we trust in an emergencyBuilding trust in our information ecosystem: who do we trust in an emergency
Building trust in our information ecosystem: who do we trust in an emergency
Tina Purnat92 views
How to think like a threat actor for Kubernetes.pptx by LibbySchulze1
How to think like a threat actor for Kubernetes.pptxHow to think like a threat actor for Kubernetes.pptx
How to think like a threat actor for Kubernetes.pptx
LibbySchulze15 views
DU Series - Day 4.pptx by UiPathCommunity
DU Series - Day 4.pptxDU Series - Day 4.pptx
DU Series - Day 4.pptx
UiPathCommunity100 views
information by khelgishekhar
informationinformation
information
khelgishekhar8 views
𝐒𝐨𝐥𝐚𝐫𝐖𝐢𝐧𝐝𝐬 𝐂𝐚𝐬𝐞 𝐒𝐭𝐮𝐝𝐲 by Infosec train
𝐒𝐨𝐥𝐚𝐫𝐖𝐢𝐧𝐝𝐬 𝐂𝐚𝐬𝐞 𝐒𝐭𝐮𝐝𝐲𝐒𝐨𝐥𝐚𝐫𝐖𝐢𝐧𝐝𝐬 𝐂𝐚𝐬𝐞 𝐒𝐭𝐮𝐝𝐲
𝐒𝐨𝐥𝐚𝐫𝐖𝐢𝐧𝐝𝐬 𝐂𝐚𝐬𝐞 𝐒𝐭𝐮𝐝𝐲
Infosec train9 views
WEB 2.O TOOLS: Empowering education.pptx by narmadhamanohar21
WEB 2.O TOOLS: Empowering education.pptxWEB 2.O TOOLS: Empowering education.pptx
WEB 2.O TOOLS: Empowering education.pptx
narmadhamanohar2116 views
PORTFOLIO 1 (Bret Michael Pepito).pdf by brejess0410
PORTFOLIO 1 (Bret Michael Pepito).pdfPORTFOLIO 1 (Bret Michael Pepito).pdf
PORTFOLIO 1 (Bret Michael Pepito).pdf
brejess04107 views
IETF 118: Starlink Protocol Performance by APNIC
IETF 118: Starlink Protocol PerformanceIETF 118: Starlink Protocol Performance
IETF 118: Starlink Protocol Performance
APNIC186 views
Is Entireweb better than Google by sebastianthomasbejan
Is Entireweb better than GoogleIs Entireweb better than Google
Is Entireweb better than Google
sebastianthomasbejan12 views
We see everywhere that many people are talking about technology.docx by ssuserc5935b
We see everywhere that many people are talking about technology.docxWe see everywhere that many people are talking about technology.docx
We see everywhere that many people are talking about technology.docx
ssuserc5935b6 views
UiPath Document Understanding_Day 3.pptx by UiPathCommunity
UiPath Document Understanding_Day 3.pptxUiPath Document Understanding_Day 3.pptx
UiPath Document Understanding_Day 3.pptx
UiPathCommunity101 views

Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить Большого Брата

  • 1. How to build Big Brother With blackjack and h--kers Yunusov Timur, Senior expert, Head of dept
  • 2. How to build Big Brother With blackjack and h--kers With 3G modems and hackers Yunusov Timur, Senior expert, Head of dept
  • 3. How to build Big Brother When/Who/Where/And why??? • 2014-2015
  • 4. How to build Big Brother When/Who/Where/And why??? • 2014-2015 • «root via SMS» SCADA Strange Love https://youtu.be/T9AFFIVpCa8 • Russia and the whole world
  • 5. How to build Big Brother When/Who/Where/And why??? • 2014-2015 • «root via SMS» SCADA Strange Love https://youtu.be/T9AFFIVpCa8 • Russia and the whole world • Cause nobody cares(((
  • 6. How to build Big Brother Boring numbers
  • 7. How to build Big Brother Boring numbers • >10 (8 diff) 3G/4G modems/routers • 75% vulns to RCE/fw modification • 60% RCE are 0days
  • 8. How to build Big Brother Boring numbers • ~60 000 devices/1M/Telco • 5000 devices/1W/SecurityLab • 100% vulns to RCE/fw modification
  • 9. How to build Big Brother How?
  • 10. How to build Big Brother How? +
  • 11. How to build Big Brother How? 1. Identification 2. Code injection 3. Data interception 4. SIM cloning / GSM Attacks 5. Host Infection 6. APT 7. Return to 1.
  • 12. How to build Big Brother Identification
  • 13. How to build Big Brother Identification • WHOIS?
  • 14. How to build Big Brother Identification <img src="http://192.168.0.1/img/1.png" style="height:0;width:0;" onload="set('1')"> <img src="http://192.168.0.1/img/2.jpg" style="height:0;width:0;" onload="set('2')"> <img src="http://hostname/img/3.png" style="height:0;width:0;" onload="set('3')"> <img src="http://127.0.0.1:5000/request" style="height:0;width:0;" onload="set('4')">
  • 15. How to build Big Brother Identification • GeoIP?
  • 16. How to build Big Brother Code Injection • Public exploits + old FW • Blackbox • FW Access + FW RE + IDA • FW modification + Arbitrary upload
  • 17. How to build Big Brother Code Injection • Public exploits + old FW
  • 18. How to build Big Brother Code Injection • Blackbox • ?action=ping||shutdown –r 0|| • ?date=;ping blahblah.com;
  • 19. How to build Big Brother Code Injection • Blackbox
  • 20. How to build Big Brother Code Injection • FW Access + FW RE + IDA • Greetings: • Kirill Nesterov, • Dmitry Sklyarov
  • 21. How to build Big Brother Code Injection • FW modification + Arbitrary upload
  • 22. How to build Big Brother Code Injection • FW modification + Arbitrary upload • Integrity attacks
  • 23. How to build Big Brother Code Injection • FW modification + Arbitrary upload • Integrity attacks • Remote upload (CSRF/XSS)
  • 24. How to build Big Brother Code Injection • FW modification + Arbitrary upload • Integrity attacks • Remote upload (CSRF/XSS) • Local upload (diag mode)
  • 25. How to build Big Brother Code Injection • FW modification + Arbitrary upload • Integrity attacks
  • 26. How to build Big Brother FW Integrity Control • FW encrypted via RC4 • RSA Digital Signature +SHA1
  • 27. How to build Big Brother FW Integrity Control
  • 28. How to build Big Brother FW Integrity Control • FW encrypted via RC4
  • 29. How to build Big Brother FW Integrity Control • FW encrypted via RC4 • Constant keystream FAIL • Part1 XOR Part2 FAIL • FW1 XOR FW2 FAIL • Lot of plaintext (CDROM) FAIL
  • 30. How to build Big Brother FW Integrity Control • FW encrypted via RC4 FAIL
  • 31. How to build Big Brother FW Integrity Control • RSA Digital Signature +SHA1 • AR: !<arch>: • FW • pkginfo: <7742526> • Sign=RSA(SHA1(FW[0..7742526]))
  • 32. How to build Big Brother FW Integrity Control • RSA Digital Signature +SHA1
  • 33. How to build Big Brother FW Integrity Control • RSA Digital Signature +SHA1 • ar --add data.tar.gz • ar -v • data.tar.gz • sign • pkginfo • data.tar.gz
  • 34. How to build Big Brother FW Integrity Control • RSA Digital Signature +SHA1 FAIL • ar --add data.tar.gz • ar -v • data.tar.gz • sign • pkginfo • data.tar.gz
  • 35. How to build Big Brother FW upload/CSRF http://blog.kotowicz.net/2011/04/ how-to-upload-arbitrary-file-contents.html
  • 36. How to build Big Brother FW upload/ XSS • HUAWEI PSIRT 436642 (2015-05-29) http://www1.huawei.com/en/security/psirt/security- bulletins/security-notices/archive/hw-436642.htm
  • 37. How to build Big Brother Data interception • Cell ID • WiFi • SMS • HTTP • SSL
  • 38. How to build Big Brother Data interception • Cell ID • http://opencellid.org/ + XSS
  • 39. How to build Big Brother Data interception • WiFi
  • 40. How to build Big Brother Data interception • SMS
  • 41. How to build Big Brother Data interception • HTTP • ARP-spoofing • DNS-spoofing
  • 42. How to build Big Brother Data interception • SSL • Host RCE
  • 43. How to build Big Brother SIM Cloning • Fake BTS + Binary SMS • GEO(!) • IMSI https://media.blackhat.com/us-13/us-13-Nohl-Rooting- SIM-cards-Slides.pdf
  • 44. How to build Big Brother SIM Cloning • Use The Force
  • 45. How to build Big Brother SIM Cloning • Diag mode
  • 46. How to build Big Brother SIM Cloning • Send AT commands • AT+CMGF=0
  • 47. How to build Big Brother GSM Attacks • Huawei: Remote(!) osmocomm for beggars • VxWorks on baseband hi6920 ― Loaded by Linux ― Packed on flash ― dmesg => load vxworks ok, entey 0x50d10000 ― Cshell • OS communication • Builtin debuger ― Nearly all names of objects/functions ― POSIX + documentation
  • 48. How to build Big Brother Host Infection • BadUSB • Fake diagnostic tools/CDROM • HTML Injection + 0day • Even real diagnostic tools =))
  • 49. How to build Big Brother Host Infection • BadUSB • Android gadget driver (supported_functions patching) • HID Gadget onboard! • Lots of boring stuff
  • 50. How to build Big Brother Host Infection • Drive By Download • CDROM
  • 51. How to build Big Brother Host Infection • HTML Injection + 0day
  • 52. How to build Big Brother Host Infection • Kudos to @cyberpunkych • Lots of other stuff at yota.hlsec.ru • But nobody cares(((
  • 53. How to build Big Brother APT
  • 54. How to build Big Brother APT
  • 55. How to build Big Brother APT • Subscribers attacks Subscribers • LISTEN 0.0.0.0:80 • Firewalls
  • 56. How to build Big Brother Boring numbers
  • 57. How to build Big Brother Fun numbers • Remote Code Execution via WEB: 5 dev • Arbitrary FW modification (rem/loc): 6 dev • CSRF: 5 dev • XSS: 4 dev
  • 58. How to build Big Brother DEMO
  • 59. How to build Big Brother Kudos • @cyberpunkych • D. Sklyarov • K. Nesterov • Al. Osipov • @SCADASL