Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

D1 t1 t. yunusov k. nesterov - bootkit via sms

4,360 views

Published on

Having developed a test set, we started to research how safe it is for clients to use 4G networks of the telecommunication companies. During the research we have tested SIM-cards, 4G USB modems, radio components, IP access network. First of all we looked for the vulnerabilities that could be exploited remotely, via IP or radio network.

And the result was not late in arriving. In some cases we managed to attack SIM-cards and install a malicious Java applet there, we were able to update remotely USB modem firmware, to change password on a selfcare portal via SMS and even to get access to the internal technological network of a carrier.

Further attack evolution helped to understand how it is possible to use a simple SMS as an exploit that is able not only to compromise a USB modem and all the communications that go through it, but also to install bootkit on a box, that this modem is connected to.

Published in: Technology
  • DOWNLOAD THE BOOK INTO AVAILABLE FORMAT (New Update) ......................................................................................................................... ......................................................................................................................... Download Full PDF EBOOK here { https://soo.gd/irt2 } ......................................................................................................................... Download Full EPUB Ebook here { https://soo.gd/irt2 } ......................................................................................................................... Download Full doc Ebook here { https://soo.gd/irt2 } ......................................................................................................................... Download PDF EBOOK here { https://soo.gd/irt2 } ......................................................................................................................... Download EPUB Ebook here { https://soo.gd/irt2 } ......................................................................................................................... Download doc Ebook here { https://soo.gd/irt2 } ......................................................................................................................... ......................................................................................................................... ................................................................................................................................... eBook is an electronic version of a traditional print book THE can be read by using a personal computer or by using an eBook reader. (An eBook reader can be a software application for use on a computer such as Microsoft's free Reader application, or a book-sized computer THE is used solely as a reading device such as Nuvomedia's Rocket eBook.) Users can purchase an eBook on diskette or CD, but the most popular method of getting an eBook is to purchase a downloadable file of the eBook (or other reading material) from a Web site (such as Barnes and Noble) to be read from the user's computer or reading device. Generally, an eBook can be downloaded in five minutes or less ......................................................................................................................... .............. Browse by Genre Available eBOOK .............................................................................................................................. Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, CookBOOK, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult, Crime, EBOOK, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, ......................................................................................................................... ......................................................................................................................... .....BEST SELLER FOR EBOOK RECOMMEND............................................................. ......................................................................................................................... Blowout: Corrupted Democracy, Rogue State Russia, and the Richest, Most Destructive Industry on Earth,-- The Ride of a Lifetime: Lessons Learned from 15 Years as CEO of the Walt Disney Company,-- Call Sign Chaos: Learning to Lead,-- StrengthsFinder 2.0,-- Stillness Is the Key,-- She Said: Breaking the Sexual Harassment Story THE Helped Ignite a Movement,-- Atomic Habits: An Easy & Proven Way to Build Good Habits & Break Bad Ones,-- Everything Is Figureoutable,-- What It Takes: Lessons in the Pursuit of Excellence,-- Rich Dad Poor Dad: What the Rich Teach Their Kids About Money THE the Poor and Middle Class Do Not!,-- The Total Money Makeover: Classic Edition: A Proven Plan for Financial Fitness,-- Shut Up and Listen!: Hard Business Truths THE Will Help You Succeed, ......................................................................................................................... .........................................................................................................................
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Visit Here to Download PDF Format === http://capitolcurrents.com/b0014tfsgw-mathematiques-premiere-sms.html
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Sex in your area is here: ❶❶❶ http://bit.ly/2F4cEJi ❶❶❶
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Dating for everyone is here: ❤❤❤ http://bit.ly/2F4cEJi ❤❤❤
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • DOWNLOAD THIS BOOKS INTO AVAILABLE FORMAT (2019 Update) ......................................................................................................................... ......................................................................................................................... Download Full PDF EBOOK here { https://soo.gd/irt2 } ......................................................................................................................... Download Full EPUB Ebook here { https://soo.gd/irt2 } ......................................................................................................................... Download Full doc Ebook here { https://soo.gd/irt2 } ......................................................................................................................... Download PDF EBOOK here { https://soo.gd/irt2 } ......................................................................................................................... Download EPUB Ebook here { https://soo.gd/irt2 } ......................................................................................................................... Download doc Ebook here { https://soo.gd/irt2 } ......................................................................................................................... ......................................................................................................................... ................................................................................................................................... eBook is an electronic version of a traditional print book THIS can be read by using a personal computer or by using an eBook reader. (An eBook reader can be a software application for use on a computer such as Microsoft's free Reader application, or a book-sized computer THIS is used solely as a reading device such as Nuvomedia's Rocket eBook.) Users can purchase an eBook on diskette or CD, but the most popular method of getting an eBook is to purchase a downloadable file of the eBook (or other reading material) from a Web site (such as Barnes and Noble) to be read from the user's computer or reading device. Generally, an eBook can be downloaded in five minutes or less ......................................................................................................................... .............. Browse by Genre Available eBooks .............................................................................................................................. Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, Cookbooks, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult, Crime, Ebooks, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, ......................................................................................................................... ......................................................................................................................... .....BEST SELLER FOR EBOOK RECOMMEND............................................................. ......................................................................................................................... Blowout: Corrupted Democracy, Rogue State Russia, and the Richest, Most Destructive Industry on Earth,-- The Ride of a Lifetime: Lessons Learned from 15 Years as CEO of the Walt Disney Company,-- Call Sign Chaos: Learning to Lead,-- StrengthsFinder 2.0,-- Stillness Is the Key,-- She Said: Breaking the Sexual Harassment Story THIS Helped Ignite a Movement,-- Atomic Habits: An Easy & Proven Way to Build Good Habits & Break Bad Ones,-- Everything Is Figureoutable,-- What It Takes: Lessons in the Pursuit of Excellence,-- Rich Dad Poor Dad: What the Rich Teach Their Kids About Money THIS the Poor and Middle Class Do Not!,-- The Total Money Makeover: Classic Edition: A Proven Plan for Financial Fitness,-- Shut Up and Listen!: Hard Business Truths THIS Will Help You Succeed, ......................................................................................................................... .........................................................................................................................
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

D1 t1 t. yunusov k. nesterov - bootkit via sms

  1. 1. #root  via  SMS:  4G  access  level   security  assessment    Timur  Yunusov   Kirill  Nesterov   h;p://scadasl.org  
  2. 2. who  we  are   SCADAStrangeLove   Timur  @a66at  Yunusov   Sergey  @scadasl  Gordeychik   Alex  @arbitrarycode  Zaitsev   Alexey  @GiLsUngiven  Osipov   Kirill  @k_v_Nesterov  Nesterov   Gleb  @repdet  Gritsai       Dmitry  @_Dmit  Sklyarov   Dmitry  Kurbatov     Sergey  Puzankov     Pavel  Novikov   h"p://scadasl.org  
  3. 3. 3G/4G  network  
  4. 4. the  Evil  
  5. 5. 4G access level É  Branded mobile equipment É  3G/4G USB Modems É  Routers / Wireless Access Point É  Smartphones/Femtocell/Branded applications É  (U)SIM cards É  Radio/IP access network É  Radio access network É  IP access (GGSN, Routers, GRX)
  6. 6. why? É  we use it every day É  Internet É  social network É  to hack stuff É  IT use it everyday É  ATM É  IoT É  SCADA
  7. 7. radio  access  network   •  Well  researched  by  community   –  h;p://security.osmocom.org/trac/     •  Special  thanks  to   –   Sylvain  Munaut/Alexander  Chemeris/Karsten  Nohl/et  al.   h;p://security.osmocom.org/trac/  
  8. 8. the  NET  
  9. 9. the  NET  
  10. 10. thanks  John   h;p://www.shodanhq.com/  
  11. 11. by  devices    
  12. 12. GPRS  Tunnelling  Protocol   É GTP-­‐C  UDP/2123     É GTP-­‐U  UDP/2152   É GTP'  TCP/UDP/3386      
  13. 13. Meanwhile  in  the  real  world   h;p://blog.ptsecurity.com/2015/02/the-­‐research-­‐mobile-­‐internet-­‐traffic.html  
  14. 14. A;acks       É  GGSN  PWN   É  GRX   É  GPRS  a;acks   É  DoS   É  Informacon  leakage   É  Fraud   É  APN  guessing         h;p://blog.ptsecurity.com/2013/09/inside-­‐mobile-­‐internet-­‐security.html                      h;p://bit.ly/195ZYMR  
  15. 15. Example:  GTP  “Synflood”   h;p://blog.ptsecurity.com/2013/09/inside-­‐mobile-­‐internet-­‐security.html                      h;p://bit.ly/195ZYMR  
  16. 16. We’re inside, what’s next? É  All old IP stuff É  traces 1.1.1.1/10.1.1.1 É  IP source routing É  Management ports É  All new IP stuff É  IPv6 É  MPTCP É  Telco specific (GTP, SCTP M3UA, DIAMETER etc) h;p://ubm.io/11K3yLT              h;ps://www.thc.org/thc-­‐ipv6/  
  17. 17. Here There Be Tygers
  18. 18. 1990th É  Your balance is insufficient É  Connect to your favorite UDP VPN
  19. 19. Resume É  For telcos É  Please scan all your Internets! É  Your subscribers network is not your internal network É  For auditors É  Check all states É  online/blocked/roaming É  Check all subscribers É  APN’s, subscribers plans É  Don’t hack other subscribers h;p://www.slideshare.net/phdays/how-­‐to-­‐hack-­‐a-­‐telecommunicacon-­‐company-­‐and-­‐stay-­‐alive-­‐gordeychik/32  
  20. 20. The Device
  21. 21. Who is mister USB-modem? É  Rebranded hardware platform É  Linux/Android/BusyBox onboard É  Multifunctional É  Storage É  CWID USB SCSI CD-ROM USB Device É  MMC Storage USB Device (MicroSD Card Reader) É  Local management É  COM-Port (UI, AT commands) É  Network É  Remote NDIS based Internet Sharing Device É  WiFi
  22. 22. Ooooold story É  Well researched É  «Unlock» É  «Firmware customization» É  «Dashboard customization» É  Some security researches É  http://threatpost.com/using-usb-modems-to-phish-and-send-malicious-sms-messages É  http://www.slideshare.net/RahulSasi2/fuzzing-usb-modems-rahusasi É  http://2014.phdays.com/program/business/37688/ É  http://www.evilsocket.net/2015/02/01/huawei-usb-modems-authentication-bypass/ É  http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-360246.htm
  23. 23. Where’re you from? É  Huawei É  Quanta É  ZTE É  GEMTEK
  24. 24. Developers ‘security’ path É Device «Hardening» É Disabling of local interfaces (COM) É Web-dashboards
  25. 25. How it works (RNDIS) New  Ethernet  adapter   DHCP  client   DHCP  server   DNS   Web  dashboard   Roucng/NAT   Broadband  conneccon  
  26. 26. Scan it
  27. 27. Sometimes you get lucky…
  28. 28. …other times you don’t
  29. 29. all I need is RCE Love ! É  telnet/snmp? É  Internal interface only É  Blocked by browsers É  http/UPNP? É  Attack via browser (never found CSRF tokens) É  broadband É  still researching
  30. 30. Basic impact É  Info disclosure É  Change settings É  DNS (intercept traffic) É  SMS Center (intercept SMS) É  Manipulate (Set/Get) É  SMS É  Contacts É  USSD É  WiFi networks
  31. 31. Advanced impact É  Self-service portal access É  XSS (SMS) to “pwn” browser É  CSRF to send “password reset” USSD É  XSS to transfer password to attacker É  “Brick” É  PIN/PUK “bruteforce” É  Wrong IP settings É  Spy device
  32. 32. DEMO
  33. 33. “hidden” firmware uploads
  34. 34. Cute, but… É  You need to have firmware É Sometimes you get lucky… É …other times you don’t É  Integrity control É At least should be… É CRC16 É Crypto Functions (ok, then we just delete checksum.sh)
  35. 35. dig deeper… É  Direct shell calls É  awk to calculate Content-Length É  Other trivial RCE
  36. 36. Getting the shell
  37. 37. 6month’s homework: NSA at home É  You can rent the modem for 1 week É  You can use RCE and CSRF for local remote infection of the system É  Return it É  You can spy with opensource products ( http://opencellid.org/ etc) via CellID and WiFi É  You can intercept HTTP/HTTPS via DNS spoofing É  Maybe more? É  Do not hack other subscribers!
  38. 38. I’m watching you…
  39. 39. Stat (1 week of detecting) Modem   Vulnerabili8es   Total   A   RCE  CSRF  XSS  WiFi  Access    1411   B   RCE  CSRF  XSS    1250   C   RCE  CSRF    1409   D    ”Unvulnerable”    946   É 1  step  to  5000+  infected  modems  
  40. 40. Cute, but… É  Get firmware? É Yes it nice. É  Find more bugs? É We have enough… É  Get SMS, send USSD? É Can be done via CSRF/XSS… É  PWN the subscriber?
  41. 41. RCE+CD-ROM Interface=Host infection É  Maybe we’ll wrote our own “diagnostic tool for YOUR modem xxx”
  42. 42. It still in USB!
  43. 43. It still in (bad) USB! h;ps://srlabs.de/blog/wp-­‐content/uploads/2014/07/SRLabs-­‐BadUSB-­‐BlackHat-­‐v1.pdf  
  44. 44. USB  gadgets  &  Linux   •  drivers/usb/gadget/*   •  Composite  framework   – allows  mulcfuncconal  gadgets   – implemented  in  composite.c  
  45. 45. Android  gadget  driver   •  Implemented  in  android.c   •  Composite  driver  wrapper  with  some  UI   •  /sys/class/android_usb/android0   – enabled   – funccons   – Class/Protocol/SubClass  etc.   – List  of  supported  funccons   •  Your  favorite  phone  can  become   audio_source  instead  of  mass  storage  
  46. 46. What  about  HID  device?   •  Patch  kernel,  compile,  flash  new  kernel  =>   BORING!!!  
  47. 47. What  about  HID  device?   •  Android  gadget  driver  works  with   supported_funccons   •  We  can  patch  it  in  runcme!   – Add  new  hid  funccon  in  supported_funccons   array   – Restart  device   – …   – PROFIT  
  48. 48. Sad  Linux   •  By  default  kernel  doesn’t  have  g_hid  support   •  Hard  to  build  universal  HID  driver  for  different   versions   – vermagic   – Funccon  prototypes/structures  changes  over  cme   – Different  CPU   •  Vendors  have  a  hobby  –  rewrite  kernel  at   unexpected  places   •  Fingerprint  device  before  hack  it!  
  49. 49. DEMO
  50. 50. Some Huawei ― Hisilicon hi6920 ― ARM ― Linux box ― Stack overflow ― Remote firmware upload
  51. 51. Unexpected VxWorks ― dmesg ― [000003144ms] his_modem_load_vxworks:164: >>loading:vxworks.....
  52. 52. Baseband reversing ― Network stack protocol •  ASN1 hell •  Lots 3GPP ― RTOS ― Debug can be hard
  53. 53. VxWorks on baseband ― Loaded by Linux ― Packed on flash ― dmesg => load vxworks ok, entey 0x50d10000 ― CShell •  OS communication •  Builtin debuger ― Nearly all names of objects/functions ― POSIX + documentation
  54. 54. Resume É  For telcos É  Do not try to reinvent the wheel webserver É  All your 3/4G modems/routers are 5/>< belong to us É  For everybody É  Please don’t plug computers into your USB É  Even if it’s your harmless network printer 4G modem
  55. 55. The Chip
  56. 56. What is SIM: for hacker ― Microcontroller •  Own OS •  Own file system •  Application platform and API ― Used in different phones (even after upgrade) ― OS in independent, but can kill all security •  Baseband access •  OS sandbox bypass
  57. 57. What has Karsten taught us? É  There are applications on SIM card É  Operator can access you SIM card by means of binary SMS É  Identifier for accessing such applications is TAR (Toolkit Application Reference)
  58. 58. What has Karsten taught us? É  Not all TARs are equally secure É  If you are lucky enough you could find something to bruteforce É  If you are even more lucky you can crack some keys É  Or some TARs would accept commands without any crypto at all h;ps://srlabs.de/roocng-­‐sim-­‐cards/  
  59. 59. Getting the keys É  Either using rainbow tables or by plain old DES cracking É  We've chosen the way of brute force É  Existing solutions were too slow for us É  So why not to build something new?
  60. 60. Getting the keys É  So why not to build something new? É  Bitcoin mining business made another twist É  Which resulted in a number of affordable FPGAs on the market É  So…
  61. 61. The rig É  Here’s what we’ve done – proto #1
  62. 62. The rig É  Here’s what we’ve done – proto #2
  63. 63. The rig É  Here’s what we’ve done –“final” edition
  64. 64. The rig É  Some specs: Hardware   Speed (Mcrypt/sec)   Time for DES (days)   Time for 3DES (part of key is known, days)   Intel CPU (Core i7-2600K)   475   1755,8   (~5 years)   5267,4   Radeon GPU (R290X)   3`000   278   834   Single chip (xs6slx150-2)   7`680   108,6   325,8   ZTEX 1.15y   30`720   27,2   81,6   Our rig (8*ZTEX 1.15y)   245`760   3,4   10,2   +  descrypt  bruteforcer  -­‐  h;ps://twi;er.com/GiLsUngiven/status/492243408120213505  
  65. 65. Now what? É  So you either got the keys or didn’t need them, what’s next? É  Send random commands to any TARs that accept them É  Send commands to known TARs
  66. 66. Now what? É  Send random commands to TARs that accept them É  Many variables to guess: CLA INS P1 P2 P3 PROC DATA SW1 SW2 É  Good manuals or intelligent fuzzing needed É  Or you'll end up with nothing: not knowing what you send and receive
  67. 67. Now what? É  Send commands to known TARs É  Card manager (00 00 00) É  File system (B0 00 00 - B0 FF FF) É  …
  68. 68. Now what? File system (B0 00 00 - B0 FF FF) É  Stores interesting stuff: TMSI, Kc É  May be protected by CHV1 == PIN code
  69. 69. Attack? É  No fun in sending APDUs through card reader É  Let's do it over the air! É  Wrap file system access APDUs in binary SMS É  Can be done with osmocom, some gsm modems or SMSC gateway
  70. 70. Attack? É  Binary SMS can be filtered É  Several vectors exist: É  Intra-network É  Inter-network É  SMS gates É  Fake BTS/FemtoCell
  71. 71. Attack? É  Wait! What about access conditions? É  We still need a PIN to read interesting stuff É  Often PIN is set to 0000 by operator and is never changed É  Otherwise needs bruteforcing
  72. 72. Attack? É  PIN bruteforce É  Only 3 attempts until PIN is blocked É  Needs a wide range of victims to get appropriate success rate É  Provides some obvious possibilities…
  73. 73. Attack? É  Byproduct attack – subscriber DoS É  Try 3 wrong PINs É  PIN is locked, PUK requested É  Try 10 wrong PUKs É  PUK is locked É  Subscriber is locked out of GSM network - needs to replace SIM card
  74. 74. Attack? É  To sniff we still got to figure out the ARFCN É  There are different ways… É  Catching paging responses on CCCH feels like the most obvious way É  Still have to be coded – go do it! É  Everything could be built on osmocom-bb…
  75. 75. Attack? É  Assuming we were lucky enough É  We do have the OTA key either don’t need one É  We’ve got the PIN either don’t need one É  All we need is to read two elementary files É  MF/DF/EF/Kc and MF/DF/EF/loci É  Go look at SIMTracer!
  76. 76. Attack? É  Assuming we were lucky enough É  We now got TMSI and Kc and don't need to rely on Kraken anymore É  Collect some GSM traffic with your SDR of choice or osmocom-bb phone É  Decrypt it using obtained Kc É  Or just clone the victim for a while using obtained TMSI & Kc É  Looks like A5/3 friendly! É  Profit!
  77. 77. DEMO
  78. 78. So? É  Traffic decryption only takes 2 binary messages É  DoS takes 13 binary messages and can be done via SMS gate É  There are valuable SMS-packages. Catch the deal. É  There are also USSDs…
  79. 79. “What a girl to do?” É  Change PIN, maybe… É  Run SIMTester! É  Use PSTN FTW:( É  Pigeon mail anyone?
  80. 80. “What a girl to do?” É  Change PIN, maybe… É  Run SIMTester! É  Use PSTN FTW:( É  Pigeon mail anyone?
  81. 81. Resume É  For telcos É  Check all your SIMs É  Train your/contractor of SIM/App/Sec É  For everybody É  Pray
  82. 82. Thanks!

×