Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
How to build Big Brother
With blackjack and h--kers
Yunusov Timur,
Senior expert, Head of dept
How to build Big Brother
With blackjack and h--kers
With 3G modems and hackers
Yunusov Timur,
Senior expert, Head of dept
How to build Big Brother
When/Who/Where/And why???
• 2014-2015
How to build Big Brother
When/Who/Where/And why???
• 2014-2015
• «root via SMS» SCADA Strange Love
https://youtu.be/T9AFFI...
How to build Big Brother
When/Who/Where/And why???
• 2014-2015
• «root via SMS» SCADA Strange Love
https://youtu.be/T9AFFI...
How to build Big Brother
Boring numbers
How to build Big Brother
Boring numbers
• >10 (8 diff) 3G/4G modems/routers
• 75% vulns to RCE/fw modification
• 60% RCE a...
How to build Big Brother
Boring numbers
• ~60 000 devices/1M/Telco
• 5000 devices/1W/SecurityLab
• 100% vulns to RCE/fw mo...
How to build Big Brother
How?
How to build Big Brother
How?
+
How to build Big Brother
How?
1. Identification
2. Code injection
3. Data interception
4. SIM cloning / GSM Attacks
5. Hos...
How to build Big Brother
Identification
How to build Big Brother
Identification
• WHOIS?
How to build Big Brother
Identification
<img src="http://192.168.0.1/img/1.png"
style="height:0;width:0;" onload="set('1')...
How to build Big Brother
Identification
• GeoIP?
How to build Big Brother
Code Injection
• Public exploits + old FW
• Blackbox
• FW Access + FW RE + IDA
• FW modification ...
How to build Big Brother
Code Injection
• Public exploits + old FW
How to build Big Brother
Code Injection
• Blackbox
• ?action=ping||shutdown –r 0||
• ?date=;ping blahblah.com;
How to build Big Brother
Code Injection
• Blackbox
How to build Big Brother
Code Injection
• FW Access + FW RE + IDA
• Greetings:
• Kirill Nesterov,
• Dmitry Sklyarov
How to build Big Brother
Code Injection
• FW modification + Arbitrary upload
How to build Big Brother
Code Injection
• FW modification + Arbitrary upload
• Integrity attacks
How to build Big Brother
Code Injection
• FW modification + Arbitrary upload
• Integrity attacks
• Remote upload (CSRF/XSS)
How to build Big Brother
Code Injection
• FW modification + Arbitrary upload
• Integrity attacks
• Remote upload (CSRF/XSS...
How to build Big Brother
Code Injection
• FW modification + Arbitrary upload
• Integrity attacks
How to build Big Brother
FW Integrity Control
• FW encrypted via RC4
• RSA Digital Signature +SHA1
How to build Big Brother
FW Integrity Control
How to build Big Brother
FW Integrity Control
• FW encrypted via RC4
How to build Big Brother
FW Integrity Control
• FW encrypted via RC4
• Constant keystream FAIL
• Part1 XOR Part2 FAIL
• FW...
How to build Big Brother
FW Integrity Control
• FW encrypted via RC4 FAIL
How to build Big Brother
FW Integrity Control
• RSA Digital Signature +SHA1
• AR: !<arch>:
• FW
• pkginfo: <7742526>
• Sig...
How to build Big Brother
FW Integrity Control
• RSA Digital Signature +SHA1
How to build Big Brother
FW Integrity Control
• RSA Digital Signature +SHA1
• ar --add data.tar.gz
• ar -v
• data.tar.gz
•...
How to build Big Brother
FW Integrity Control
• RSA Digital Signature +SHA1 FAIL
• ar --add data.tar.gz
• ar -v
• data.tar...
How to build Big Brother
FW upload/CSRF
http://blog.kotowicz.net/2011/04/
how-to-upload-arbitrary-file-contents.html
How to build Big Brother
FW upload/ XSS
• HUAWEI PSIRT 436642 (2015-05-29)
http://www1.huawei.com/en/security/psirt/securi...
How to build Big Brother
Data interception
• Cell ID
• WiFi
• SMS
• HTTP
• SSL
How to build Big Brother
Data interception
• Cell ID
• http://opencellid.org/ + XSS
How to build Big Brother
Data interception
• WiFi
How to build Big Brother
Data interception
• SMS
How to build Big Brother
Data interception
• HTTP
• ARP-spoofing
• DNS-spoofing
How to build Big Brother
Data interception
• SSL
• Host RCE
How to build Big Brother
SIM Cloning
• Fake BTS + Binary SMS
• GEO(!)
• IMSI
https://media.blackhat.com/us-13/us-13-Nohl-R...
How to build Big Brother
SIM Cloning
• Use The Force
How to build Big Brother
SIM Cloning
• Diag mode
How to build Big Brother
SIM Cloning
• Send AT commands
• AT+CMGF=0
How to build Big Brother
GSM Attacks
• Huawei: Remote(!) osmocomm for beggars
• VxWorks on baseband hi6920
― Loaded by Lin...
How to build Big Brother
Host Infection
• BadUSB
• Fake diagnostic tools/CDROM
• HTML Injection + 0day
• Even real diagnos...
How to build Big Brother
Host Infection
• BadUSB
• Android gadget driver
(supported_functions patching)
• HID Gadget onboa...
How to build Big Brother
Host Infection
• Drive By Download
• CDROM
How to build Big Brother
Host Infection
• HTML Injection + 0day
How to build Big Brother
Host Infection
• Kudos to @cyberpunkych
• Lots of other stuff at yota.hlsec.ru
• But nobody cares...
How to build Big Brother
APT
How to build Big Brother
APT
How to build Big Brother
APT
• Subscribers attacks Subscribers
• LISTEN 0.0.0.0:80
• Firewalls
How to build Big Brother
Boring numbers
How to build Big Brother
Fun numbers
• Remote Code Execution via WEB: 5 dev
• Arbitrary FW modification (rem/loc): 6 dev
•...
How to build Big Brother
DEMO
How to build Big Brother
Kudos
• @cyberpunkych
• D. Sklyarov
• K. Nesterov
• Al. Osipov
• @SCADASL
Stay secure!
Questions?
Upcoming SlideShare
Loading in …5
×

Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить Большого Брата

65,676 views

Published on

Презентация эксперта Positive Technologies Тимура Юнусова

Published in: Internet

Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить Большого Брата

  1. 1. How to build Big Brother With blackjack and h--kers Yunusov Timur, Senior expert, Head of dept
  2. 2. How to build Big Brother With blackjack and h--kers With 3G modems and hackers Yunusov Timur, Senior expert, Head of dept
  3. 3. How to build Big Brother When/Who/Where/And why??? • 2014-2015
  4. 4. How to build Big Brother When/Who/Where/And why??? • 2014-2015 • «root via SMS» SCADA Strange Love https://youtu.be/T9AFFIVpCa8 • Russia and the whole world
  5. 5. How to build Big Brother When/Who/Where/And why??? • 2014-2015 • «root via SMS» SCADA Strange Love https://youtu.be/T9AFFIVpCa8 • Russia and the whole world • Cause nobody cares(((
  6. 6. How to build Big Brother Boring numbers
  7. 7. How to build Big Brother Boring numbers • >10 (8 diff) 3G/4G modems/routers • 75% vulns to RCE/fw modification • 60% RCE are 0days
  8. 8. How to build Big Brother Boring numbers • ~60 000 devices/1M/Telco • 5000 devices/1W/SecurityLab • 100% vulns to RCE/fw modification
  9. 9. How to build Big Brother How?
  10. 10. How to build Big Brother How? +
  11. 11. How to build Big Brother How? 1. Identification 2. Code injection 3. Data interception 4. SIM cloning / GSM Attacks 5. Host Infection 6. APT 7. Return to 1.
  12. 12. How to build Big Brother Identification
  13. 13. How to build Big Brother Identification • WHOIS?
  14. 14. How to build Big Brother Identification <img src="http://192.168.0.1/img/1.png" style="height:0;width:0;" onload="set('1')"> <img src="http://192.168.0.1/img/2.jpg" style="height:0;width:0;" onload="set('2')"> <img src="http://hostname/img/3.png" style="height:0;width:0;" onload="set('3')"> <img src="http://127.0.0.1:5000/request" style="height:0;width:0;" onload="set('4')">
  15. 15. How to build Big Brother Identification • GeoIP?
  16. 16. How to build Big Brother Code Injection • Public exploits + old FW • Blackbox • FW Access + FW RE + IDA • FW modification + Arbitrary upload
  17. 17. How to build Big Brother Code Injection • Public exploits + old FW
  18. 18. How to build Big Brother Code Injection • Blackbox • ?action=ping||shutdown –r 0|| • ?date=;ping blahblah.com;
  19. 19. How to build Big Brother Code Injection • Blackbox
  20. 20. How to build Big Brother Code Injection • FW Access + FW RE + IDA • Greetings: • Kirill Nesterov, • Dmitry Sklyarov
  21. 21. How to build Big Brother Code Injection • FW modification + Arbitrary upload
  22. 22. How to build Big Brother Code Injection • FW modification + Arbitrary upload • Integrity attacks
  23. 23. How to build Big Brother Code Injection • FW modification + Arbitrary upload • Integrity attacks • Remote upload (CSRF/XSS)
  24. 24. How to build Big Brother Code Injection • FW modification + Arbitrary upload • Integrity attacks • Remote upload (CSRF/XSS) • Local upload (diag mode)
  25. 25. How to build Big Brother Code Injection • FW modification + Arbitrary upload • Integrity attacks
  26. 26. How to build Big Brother FW Integrity Control • FW encrypted via RC4 • RSA Digital Signature +SHA1
  27. 27. How to build Big Brother FW Integrity Control
  28. 28. How to build Big Brother FW Integrity Control • FW encrypted via RC4
  29. 29. How to build Big Brother FW Integrity Control • FW encrypted via RC4 • Constant keystream FAIL • Part1 XOR Part2 FAIL • FW1 XOR FW2 FAIL • Lot of plaintext (CDROM) FAIL
  30. 30. How to build Big Brother FW Integrity Control • FW encrypted via RC4 FAIL
  31. 31. How to build Big Brother FW Integrity Control • RSA Digital Signature +SHA1 • AR: !<arch>: • FW • pkginfo: <7742526> • Sign=RSA(SHA1(FW[0..7742526]))
  32. 32. How to build Big Brother FW Integrity Control • RSA Digital Signature +SHA1
  33. 33. How to build Big Brother FW Integrity Control • RSA Digital Signature +SHA1 • ar --add data.tar.gz • ar -v • data.tar.gz • sign • pkginfo • data.tar.gz
  34. 34. How to build Big Brother FW Integrity Control • RSA Digital Signature +SHA1 FAIL • ar --add data.tar.gz • ar -v • data.tar.gz • sign • pkginfo • data.tar.gz
  35. 35. How to build Big Brother FW upload/CSRF http://blog.kotowicz.net/2011/04/ how-to-upload-arbitrary-file-contents.html
  36. 36. How to build Big Brother FW upload/ XSS • HUAWEI PSIRT 436642 (2015-05-29) http://www1.huawei.com/en/security/psirt/security- bulletins/security-notices/archive/hw-436642.htm
  37. 37. How to build Big Brother Data interception • Cell ID • WiFi • SMS • HTTP • SSL
  38. 38. How to build Big Brother Data interception • Cell ID • http://opencellid.org/ + XSS
  39. 39. How to build Big Brother Data interception • WiFi
  40. 40. How to build Big Brother Data interception • SMS
  41. 41. How to build Big Brother Data interception • HTTP • ARP-spoofing • DNS-spoofing
  42. 42. How to build Big Brother Data interception • SSL • Host RCE
  43. 43. How to build Big Brother SIM Cloning • Fake BTS + Binary SMS • GEO(!) • IMSI https://media.blackhat.com/us-13/us-13-Nohl-Rooting- SIM-cards-Slides.pdf
  44. 44. How to build Big Brother SIM Cloning • Use The Force
  45. 45. How to build Big Brother SIM Cloning • Diag mode
  46. 46. How to build Big Brother SIM Cloning • Send AT commands • AT+CMGF=0
  47. 47. How to build Big Brother GSM Attacks • Huawei: Remote(!) osmocomm for beggars • VxWorks on baseband hi6920 ― Loaded by Linux ― Packed on flash ― dmesg => load vxworks ok, entey 0x50d10000 ― Cshell • OS communication • Builtin debuger ― Nearly all names of objects/functions ― POSIX + documentation
  48. 48. How to build Big Brother Host Infection • BadUSB • Fake diagnostic tools/CDROM • HTML Injection + 0day • Even real diagnostic tools =))
  49. 49. How to build Big Brother Host Infection • BadUSB • Android gadget driver (supported_functions patching) • HID Gadget onboard! • Lots of boring stuff
  50. 50. How to build Big Brother Host Infection • Drive By Download • CDROM
  51. 51. How to build Big Brother Host Infection • HTML Injection + 0day
  52. 52. How to build Big Brother Host Infection • Kudos to @cyberpunkych • Lots of other stuff at yota.hlsec.ru • But nobody cares(((
  53. 53. How to build Big Brother APT
  54. 54. How to build Big Brother APT
  55. 55. How to build Big Brother APT • Subscribers attacks Subscribers • LISTEN 0.0.0.0:80 • Firewalls
  56. 56. How to build Big Brother Boring numbers
  57. 57. How to build Big Brother Fun numbers • Remote Code Execution via WEB: 5 dev • Arbitrary FW modification (rem/loc): 6 dev • CSRF: 5 dev • XSS: 4 dev
  58. 58. How to build Big Brother DEMO
  59. 59. How to build Big Brother Kudos • @cyberpunkych • D. Sklyarov • K. Nesterov • Al. Osipov • @SCADASL
  60. 60. Stay secure! Questions?

×