The document describes how to build surveillance capabilities ("Big Brother") using vulnerabilities in internet-connected devices. It details steps like identifying devices using techniques like WHOIS lookups and fingerprinting, injecting code by exploiting firmware vulnerabilities or uploading modified firmware, intercepting data in transit, cloning SIM cards, infecting device operating systems, and creating advanced persistent threats between compromised devices. It provides examples of exploited vulnerabilities and references other researchers in the area. The goal is mass surveillance of users, with acknowledgment that many are unaware of the privacy and security risks.

1. How to build Big Brother
With blackjack and h--kers
Yunusov Timur,
Senior expert, Head of dept

2. How to build Big Brother
With blackjack and h--kers
With 3G modems and hackers
Yunusov Timur,
Senior expert, Head of dept

3. How to build Big Brother
When/Who/Where/And why???
• 2014-2015

4. How to build Big Brother
When/Who/Where/And why???
• 2014-2015
• «root via SMS» SCADA Strange Love
https://youtu.be/T9AFFIVpCa8
• Russia and the whole world

5. How to build Big Brother
When/Who/Where/And why???
• 2014-2015
• «root via SMS» SCADA Strange Love
https://youtu.be/T9AFFIVpCa8
• Russia and the whole world
• Cause nobody cares(((

6. How to build Big Brother
Boring numbers

7. How to build Big Brother
Boring numbers
• >10 (8 diff) 3G/4G modems/routers
• 75% vulns to RCE/fw modification
• 60% RCE are 0days

8. How to build Big Brother
Boring numbers
• ~60 000 devices/1M/Telco
• 5000 devices/1W/SecurityLab
• 100% vulns to RCE/fw modification

9. How to build Big Brother
How?

10. How to build Big Brother
How?
+

11. How to build Big Brother
How?
1. Identification
2. Code injection
3. Data interception
4. SIM cloning / GSM Attacks
5. Host Infection
6. APT
7. Return to 1.

12. How to build Big Brother
Identification

13. How to build Big Brother
Identification
• WHOIS?

14. How to build Big Brother
Identification
<img src="http://192.168.0.1/img/1.png"
style="height:0;width:0;" onload="set('1')">
<img src="http://192.168.0.1/img/2.jpg"
style="height:0;width:0;" onload="set('2')">
<img src="http://hostname/img/3.png"
style="height:0;width:0;" onload="set('3')">
<img src="http://127.0.0.1:5000/request"
style="height:0;width:0;" onload="set('4')">

15. How to build Big Brother
Identification
• GeoIP?

16. How to build Big Brother
Code Injection
• Public exploits + old FW
• Blackbox
• FW Access + FW RE + IDA
• FW modification + Arbitrary upload

17. How to build Big Brother
Code Injection
• Public exploits + old FW

18. How to build Big Brother
Code Injection
• Blackbox
• ?action=ping||shutdown –r 0||
• ?date=;ping blahblah.com;

19. How to build Big Brother
Code Injection
• Blackbox

20. How to build Big Brother
Code Injection
• FW Access + FW RE + IDA
• Greetings:
• Kirill Nesterov,
• Dmitry Sklyarov

21. How to build Big Brother
Code Injection
• FW modification + Arbitrary upload

22. How to build Big Brother
Code Injection
• FW modification + Arbitrary upload
• Integrity attacks

23. How to build Big Brother
Code Injection
• FW modification + Arbitrary upload
• Integrity attacks
• Remote upload (CSRF/XSS)

24. How to build Big Brother
Code Injection
• FW modification + Arbitrary upload
• Integrity attacks
• Remote upload (CSRF/XSS)
• Local upload (diag mode)

25. How to build Big Brother
Code Injection
• FW modification + Arbitrary upload
• Integrity attacks

26. How to build Big Brother
FW Integrity Control
• FW encrypted via RC4
• RSA Digital Signature +SHA1

27. How to build Big Brother
FW Integrity Control

28. How to build Big Brother
FW Integrity Control
• FW encrypted via RC4

29. How to build Big Brother
FW Integrity Control
• FW encrypted via RC4
• Constant keystream FAIL
• Part1 XOR Part2 FAIL
• FW1 XOR FW2 FAIL
• Lot of plaintext (CDROM) FAIL

30. How to build Big Brother
FW Integrity Control
• FW encrypted via RC4 FAIL

31. How to build Big Brother
FW Integrity Control
• RSA Digital Signature +SHA1
• AR: !<arch>:
• FW
• pkginfo: <7742526>
• Sign=RSA(SHA1(FW[0..7742526]))

32. How to build Big Brother
FW Integrity Control
• RSA Digital Signature +SHA1

33. How to build Big Brother
FW Integrity Control
• RSA Digital Signature +SHA1
• ar --add data.tar.gz
• ar -v
• data.tar.gz
• sign
• pkginfo
• data.tar.gz

34. How to build Big Brother
FW Integrity Control
• RSA Digital Signature +SHA1 FAIL
• ar --add data.tar.gz
• ar -v
• data.tar.gz
• sign
• pkginfo
• data.tar.gz

35. How to build Big Brother
FW upload/CSRF
http://blog.kotowicz.net/2011/04/
how-to-upload-arbitrary-file-contents.html

36. How to build Big Brother
FW upload/ XSS
• HUAWEI PSIRT 436642 (2015-05-29)
http://www1.huawei.com/en/security/psirt/security-
bulletins/security-notices/archive/hw-436642.htm

37. How to build Big Brother
Data interception
• Cell ID
• WiFi
• SMS
• HTTP
• SSL

38. How to build Big Brother
Data interception
• Cell ID
• http://opencellid.org/ + XSS

39. How to build Big Brother
Data interception
• WiFi

40. How to build Big Brother
Data interception
• SMS

41. How to build Big Brother
Data interception
• HTTP
• ARP-spoofing
• DNS-spoofing

42. How to build Big Brother
Data interception
• SSL
• Host RCE

43. How to build Big Brother
SIM Cloning
• Fake BTS + Binary SMS
• GEO(!)
• IMSI
https://media.blackhat.com/us-13/us-13-Nohl-Rooting-
SIM-cards-Slides.pdf

44. How to build Big Brother
SIM Cloning
• Use The Force

45. How to build Big Brother
SIM Cloning
• Diag mode

46. How to build Big Brother
SIM Cloning
• Send AT commands
• AT+CMGF=0

47. How to build Big Brother
GSM Attacks
• Huawei: Remote(!) osmocomm for beggars
• VxWorks on baseband hi6920
― Loaded by Linux
― Packed on flash
― dmesg => load vxworks ok, entey 0x50d10000
― Cshell
• OS communication
• Builtin debuger
― Nearly all names of objects/functions
― POSIX + documentation

48. How to build Big Brother
Host Infection
• BadUSB
• Fake diagnostic tools/CDROM
• HTML Injection + 0day
• Even real diagnostic tools =))

49. How to build Big Brother
Host Infection
• BadUSB
• Android gadget driver
(supported_functions patching)
• HID Gadget onboard!
• Lots of boring stuff

50. How to build Big Brother
Host Infection
• Drive By Download
• CDROM

51. How to build Big Brother
Host Infection
• HTML Injection + 0day

52. How to build Big Brother
Host Infection
• Kudos to @cyberpunkych
• Lots of other stuff at yota.hlsec.ru
• But nobody cares(((

53. How to build Big Brother
APT

54. How to build Big Brother
APT

55. How to build Big Brother
APT
• Subscribers attacks Subscribers
• LISTEN 0.0.0.0:80
• Firewalls

56. How to build Big Brother
Boring numbers

57. How to build Big Brother
Fun numbers
• Remote Code Execution via WEB: 5 dev
• Arbitrary FW modification (rem/loc): 6 dev
• CSRF: 5 dev
• XSS: 4 dev

58. How to build Big Brother
DEMO

59. How to build Big Brother
Kudos
• @cyberpunkych
• D. Sklyarov
• K. Nesterov
• Al. Osipov
• @SCADASL

60. Stay secure!
Questions?