Who put the backdoor in my modem? For quite some time we have been seeing espionage cases reaching countries, governments and large companies. A large number of backdoors were found on network devices, mobile phones and other related devices, having as main cases the ones that were reported by the media, such as: TP-Link, Dlink, Linksys, Samsung and other companies which are internationally renowned. This article will discuss a backdoor found on the modem / router rtn, equipment that has a big question mark on top of it, because there isn’t a vendor identification and no information about who’s its manufacturer and there are at least 7 companies linked to its production, sales and distribution in the market. Moreover, some of them never really existed. Which lead us to question on the research title: “Who put the backdoor in my modem?”

1. Ewerson Guimaraes (Crash)
Who put the backdoor in
my router?

3. Research Information
This talk was born in Área31 hackerspace.
All information contained here are public.
No one was hacked(cof cof)
3

4. About Ewerson(Crash)
4

5. Before to start...
5

6. Before to start...
6

7. Before to start...
7

8. Let’s start this...
8

9. We won't talk about the backdoor
itself, so..
9

10. Here is the backdoor...
10

11. Usernames are
equal but one is
a backdoor
account
11

12. Transforming a single user in a backdoor...
12

13. Let's analyze the hardware
13
Weird TAG!

14. The Strange Device
14
Weird TAG!

15. The strange Device
15
The device is approved by ANATEL (Brazilian National Telecomunication Agency)

16. The strange Device
16

17. The strange Device
17

18. More strange stuff...
BayTech:
18

19. BayTech:
19

20. More strange stuff..
If you look for S&T Technology Shen Zhen .Co LTD:
20
If you look for S&T Technology Shen Zhen .Co LTD

21. More strange stuff..
21
In the device manger you can see Observa Telecom but....
The vendor's website exists but it's a single branded blank page,
without any other links to other areas such as manuals, support and firmware

22. More strange stuff..
Of course, he didn't replied
(11)emails...
22

23. More strange stuff..
This device is distributed by GVT (Global Village Telecom).
According to GVT technical support and site, this modem/router is not supported by
them.
Dont belive? Take a look at:
http://www.gvt.com.br/PortalGVT/Atendimento/Area-Aberta/Documentos/Lista-de-Modens
23

24. More strange stuff..
Opening its firmware in hex viewer... Wow wait, it’s made by TPLINK??????
24

25. More strange stuff..
The backdoor password: MAC Address last two octets + airocon string
25

26. More strange stuff..
What is Airocon?
26

27. More strange stuff..
What is Airocon?
27

28. More strange stuff..
The last avaliable site (Mar. 2005)
28

29. More strange stuff..
Do you remember the tag ID and Anatel seal?
29
Bingo! 41C3

30. ...and to finish this strange part..
Hadware vendor: Realtek
30

31. Inside of backdoor...
31
Login with normal admin user ( admin:gtv12345)
The commands “sh” and "login show" are disabled.

32. Inside of backdoor...
32
When logged in with a backdoor
account:

33. Inside of backdoor...
33
The “login show” command shows the backdoor account (which is hidden on the
web interface)

34. Inside of backdoor...
34
Taking a closer look at the device’s memory it was possible to find some interesting
information:
Redirection link to Chinese company:
Even after reset it was possible to retrieve the device’s previous user name:
The device saves neighbour network names:

35. Inside of backdoor...
Sensitive data about GVT credential services:

36. Inside of backdoor...
Furthermore, the admin page for the backdoor user is completely different from the common
admin page.

37. Inside of backdoor...
The factory default password not is admin:admin or admin:12345 or
admin:
You can make the factory reset!
The password is: admin:gvt12345

38. Outside of backdoor...
Shodan is your
friend,
or not...
Divice exposed in
internet: Almost
5600

39. Outside of backdoor...

40. Outside of backdoor...

41. Outside of backdoor...

42. Updates....
After around 1 year later, the Observa site was updated.

43. Updates....
After around 1 year later, the Observa site was updated.

44. Updates....
I tryed another contact...

45. Considerations
AUDIT YOUR DECIVES!
BURN YOUR DEVICES!
FUZZ and F*CK YOUR DEVICES!

46. And the golden question:
Who put the backdoor in my
router?

47. Questions?
crash@dclabs.com.br
@crashbrz

48. THANKS TO
ALL!!!
48