SlideShare a Scribd company logo

4G modem – best present ever!

Download as PPTX, PDF
Positive Hack Days
Positive Hack Days
Technology
1 of 22
Dmitry Sklyarov Senior Analyst @ Department for Advanced Developments Positive Technologies Positive Hack Days IV, May 21-22, 2014
How it looks (approximately ;)
Explore textual marks on Modem Front side: • “4G” logo • operator’s logo Under the cover (access to SIM and SD cards): • operator’s internal model number • IMEI • serial number Hmm, what the actual manufacturer name and model number? Back side: • nothing
Explore packaging Manufacturer name (ZTE) printed on the box and in booklet
ZTE MF823 4G Modem Specification • LTE-FDD: 800/900/1800/2600MHz; • UMTS: 900/2100MHz; • LTE-FDD: DL/UL 100/50Mbps (Category3) • DC-HSPA+: DL/UL 42/5.76Mbps • Size: 90 x 28.4 x 13mm • OS: Win7, Windows XP,Vista, Win8, Mac OS
ZTE MF823 4G Modem re-Branding MegaFon (Russia) O2(Germany)
Is there Modem anymore? After plugging into PC running Windows 7: • CWID USB SCSI CD-ROM USB Device • ZTE MMC Storage USB Device (MicroSD Card Reader) After performing “Eject CD Drive”: • CD-ROM (sometimes they come back!) • MicroSD Card Reader • Remote NDIS* based Internet Sharing Device *NDIS == Network Driver Interface Specification No drivers required! (at least on Windows 7 ;)
Remote NDIS adapter properties > ipconfig Windows IP Configuration Ethernet adapter Local Area Connection: Connection-specific DNS Suffix . : IPv4 Address. . . . . . . . . . . : 192.168.0.182 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 192.168.0.1
How to speak with MF823? Results of ports scan for 192.168.0.1
HTTP server on 192.168.0.1 NB: Some brand-customized firmware contains web-interface that relies on “GoForm” handlers GET /index.html HTTP/1.1 Host: 192.168.0.1 HTTP/1.1 404 Site or Page Not Found GET / HTTP/1.1 Host: 192.168.0.1 HTTP/1.0 302 Redirect Server: GoAhead-Webs/2.5.0 Location: http://192.168.0.1/index.html
HTTP server Handlers Defined UrlHandlers: /goform /cgi-bin /mmc2 /api/xmlclient/post /client/backup /api/nvramul.cgi Defined GoForm handlers: /goform/goform_get_cmd_process /goform/goform_set_cmd_process /goform/goform_process /goform/formTest
Getting diagnostics info http://192.168.0.1/goform/ goform_get_cmd_process? cmd=device_diagnostics Returns: productName softwareVersion modemVersion routerVersion webUiVersion hardwareVersion serialNumber simSerialNumber simMsisdn deviceImei simImsi simStatus sdCardAvailable sdCardTotalMemory sdCardUsedMemory currentConnectedUsers maxConnectedUsers timeSinceStartup
Switching to Download (FACTORY) mode http://192.168.0.1/goform/goform_process? goformId=MODE_SWITCH&switchCmd=FACTORY New devices appears: • ZTE Diagnostics Interface (COMX) • ZTE NMEA Device (COMY) • ZTE Proprietary USB Modem NB: Send AT+ZCDRUN=F to COM-port associated with “ZTE NMEA Device” to return from Download mode
telnetd on 192.168.0.1 OpenEmbedded Linux 9615-cdp msm 20130729 9615-cdp 9615-cdp login: root Password: zte9x15 root@9615-cdp:~# id uid=0(root) gid=0(root) groups=0(root)
root is good! Full-featured ARM-based Linux • busybox apps (e.g. nc and netstat) • iptables • tcpdump • gdbserver CD image at /usr/zte_web/ZTEMODEM.ISO HTTP server root at /usr/zte_web/web/* • auto_apn • copy • zte_log
What is actually under your control?
What is actually under your control?
What are the treats? controls all external traffic log all internet activity replicate all internet activity WiFi-enabled? access to local WiFi GPS-enabled? store/report GPS location under remote management access to local network
My favorite Modem ;)
That’s all… Thanks for your patience ;) Dmitry Sklyarov DSklyarov@ptsecurity.ru Senior Analyst @ Department for Advanced Developments Positive Technologies
4G modem – best present ever!

Recommended

Solving text search problems with Ruby on Rails
Solving text search problems with Ruby on RailsSolving text search problems with Ruby on Rails
Solving text search problems with Ruby on Rails
Andrii Gladkyi
 
Ejercicios sql
Ejercicios sqlEjercicios sql
Ejercicios sql
MaraMagdalenaBlancoR
 
Joins in databases
Joins in databases Joins in databases
Joins in databases
CourseHunt
 
Lesson 7 - Structured cabling.ppt
Lesson 7 - Structured cabling.pptLesson 7 - Structured cabling.ppt
Lesson 7 - Structured cabling.ppt
KISHOYIANKISH
 
Abstract data types
Abstract data typesAbstract data types
Abstract data types
Tony Nguyen
 
OBD365-FAQ BMW INPA, EDIABAS, and Tool set
OBD365-FAQ BMW INPA, EDIABAS, and Tool setOBD365-FAQ BMW INPA, EDIABAS, and Tool set
OBD365-FAQ BMW INPA, EDIABAS, and Tool set
OBD365
 
Dimensional Modeling Basic Concept with Example
Dimensional Modeling Basic Concept with ExampleDimensional Modeling Basic Concept with Example
Dimensional Modeling Basic Concept with Example
Sajjad Zaheer
 
DMS 22319 Viva questions
DMS 22319 Viva questions DMS 22319 Viva questions
DMS 22319 Viva questions
ARVIND SARDAR
 

Recommended

Solving text search problems with Ruby on Rails
Solving text search problems with Ruby on RailsSolving text search problems with Ruby on Rails
Solving text search problems with Ruby on Rails
Andrii Gladkyi
 
Ejercicios sql
Ejercicios sqlEjercicios sql
Ejercicios sql
MaraMagdalenaBlancoR
 
Joins in databases
Joins in databases Joins in databases
Joins in databases
CourseHunt
 
Lesson 7 - Structured cabling.ppt
Lesson 7 - Structured cabling.pptLesson 7 - Structured cabling.ppt
Lesson 7 - Structured cabling.ppt
KISHOYIANKISH
 
Abstract data types
Abstract data typesAbstract data types
Abstract data types
Tony Nguyen
 
OBD365-FAQ BMW INPA, EDIABAS, and Tool set
OBD365-FAQ BMW INPA, EDIABAS, and Tool setOBD365-FAQ BMW INPA, EDIABAS, and Tool set
OBD365-FAQ BMW INPA, EDIABAS, and Tool set
OBD365
 
Dimensional Modeling Basic Concept with Example
Dimensional Modeling Basic Concept with ExampleDimensional Modeling Basic Concept with Example
Dimensional Modeling Basic Concept with Example
Sajjad Zaheer
 
DMS 22319 Viva questions
DMS 22319 Viva questions DMS 22319 Viva questions
DMS 22319 Viva questions
ARVIND SARDAR
 
Sort presentation
Sort presentationSort presentation
Sort presentation
Ramakrishna Pulikonda
 
scripting in Python
scripting in Pythonscripting in Python
scripting in Python
Team-VLSI-ITMU
 
Smart Memory ppt
Smart Memory pptSmart Memory ppt
Smart Memory ppt
OECLIB Odisha Electronics Control Library
 
Wireless LAN Security, Policy, and Deployment Best Practices
Wireless LAN Security, Policy, and Deployment Best PracticesWireless LAN Security, Policy, and Deployment Best Practices
Wireless LAN Security, Policy, and Deployment Best Practices
Cisco Mobility
 
Sql join
Sql joinSql join
Sql join
Vikas Gupta
 
Difference between HDD & SSD
Difference between HDD & SSDDifference between HDD & SSD
Difference between HDD & SSD
mohibullah rahimi
 
40G 100G gigabit ethernet technology overview
40G 100G gigabit ethernet technology overview40G 100G gigabit ethernet technology overview
40G 100G gigabit ethernet technology overview
MapYourTech
 
SQL select clause
SQL select clauseSQL select clause
SQL select clause
arpit bhadoriya
 
SQL Constraints
SQL ConstraintsSQL Constraints
SQL Constraints
Randy Riness @ South Puget Sound Community College
 
Basics of digital verilog design(alok singh kanpur)
Basics of digital verilog design(alok singh kanpur)Basics of digital verilog design(alok singh kanpur)
Basics of digital verilog design(alok singh kanpur)
Alok Singh
 
Elasticsearch Query DSL - Not just for wizards...
Elasticsearch Query DSL - Not just for wizards...Elasticsearch Query DSL - Not just for wizards...
Elasticsearch Query DSL - Not just for wizards...
clintongormley
 
Steps of-creating-a-database
Steps of-creating-a-databaseSteps of-creating-a-database
Steps of-creating-a-database
AIMS Education
 
Database administrator
Database administratorDatabase administrator
Database administrator
Tech_MX
 
Subrack and cabinet numbering rules
Subrack and cabinet numbering rulesSubrack and cabinet numbering rules
Subrack and cabinet numbering rules
Khawla Boulaares
 
The msg box function and the messagebox class
The msg box function and the messagebox classThe msg box function and the messagebox class
The msg box function and the messagebox class
Faisal Aziz
 
Verilog HDL- 2
Verilog HDL- 2Verilog HDL- 2
Verilog HDL- 2
Prabhavathi P
 
eMMC Embedded Multimedia Card overview
eMMC Embedded Multimedia Card overvieweMMC Embedded Multimedia Card overview
eMMC Embedded Multimedia Card overview
VijayGESYS
 
Overview 5G Architecture Options from Deutsche Telekom
Overview 5G Architecture Options from Deutsche TelekomOverview 5G Architecture Options from Deutsche Telekom
Overview 5G Architecture Options from Deutsche Telekom
Eiko Seidel
 
IEEE MACSec and NSA ESS: How to Protect Your WAN, LAN and Cloud
IEEE MACSec and NSA ESS: How to Protect Your WAN, LAN and CloudIEEE MACSec and NSA ESS: How to Protect Your WAN, LAN and Cloud
IEEE MACSec and NSA ESS: How to Protect Your WAN, LAN and Cloud
Priyanka Aash
 
ModelSim 기초 매뉴얼
ModelSim 기초 매뉴얼ModelSim 기초 매뉴얼
ModelSim 기초 매뉴얼
Jihyun Lee
 
DEF CON 27 - XIAOHUIHUI - all the 4g modules could be hacked
DEF CON 27 - XIAOHUIHUI - all the 4g modules could be hackedDEF CON 27 - XIAOHUIHUI - all the 4g modules could be hacked
DEF CON 27 - XIAOHUIHUI - all the 4g modules could be hacked
Felipe Prado
 
Mvi56 mcm datasheet
Mvi56 mcm datasheetMvi56 mcm datasheet
Mvi56 mcm datasheet
Franz07
 

More Related Content

What's hot

Elasticsearch Query DSL - Not just for wizards...
Elasticsearch Query DSL - Not just for wizards...Elasticsearch Query DSL - Not just for wizards...
Elasticsearch Query DSL - Not just for wizards...
clintongormley
 
Database administrator
Database administratorDatabase administrator
Database administrator
Tech_MX
 
The msg box function and the messagebox class
The msg box function and the messagebox classThe msg box function and the messagebox class
The msg box function and the messagebox class
Faisal Aziz
 

What's hot (20)

Sort presentation
Sort presentationSort presentation
Sort presentation
 
scripting in Python
scripting in Pythonscripting in Python
scripting in Python
 
Smart Memory ppt
Smart Memory pptSmart Memory ppt
Smart Memory ppt
 
Wireless LAN Security, Policy, and Deployment Best Practices
Wireless LAN Security, Policy, and Deployment Best PracticesWireless LAN Security, Policy, and Deployment Best Practices
Wireless LAN Security, Policy, and Deployment Best Practices
 
Sql join
Sql joinSql join
Sql join
 
Difference between HDD & SSD
Difference between HDD & SSDDifference between HDD & SSD
Difference between HDD & SSD
 
40G 100G gigabit ethernet technology overview
40G 100G gigabit ethernet technology overview40G 100G gigabit ethernet technology overview
40G 100G gigabit ethernet technology overview
 
SQL select clause
SQL select clauseSQL select clause
SQL select clause
 
SQL Constraints
SQL ConstraintsSQL Constraints
SQL Constraints
 
Basics of digital verilog design(alok singh kanpur)
Basics of digital verilog design(alok singh kanpur)Basics of digital verilog design(alok singh kanpur)
Basics of digital verilog design(alok singh kanpur)
 
Elasticsearch Query DSL - Not just for wizards...
Elasticsearch Query DSL - Not just for wizards...Elasticsearch Query DSL - Not just for wizards...
Elasticsearch Query DSL - Not just for wizards...
 
Steps of-creating-a-database
Steps of-creating-a-databaseSteps of-creating-a-database
Steps of-creating-a-database
 
Database administrator
Database administratorDatabase administrator
Database administrator
 
Subrack and cabinet numbering rules
Subrack and cabinet numbering rulesSubrack and cabinet numbering rules
Subrack and cabinet numbering rules
 
The msg box function and the messagebox class
The msg box function and the messagebox classThe msg box function and the messagebox class
The msg box function and the messagebox class
 
Verilog HDL- 2
Verilog HDL- 2Verilog HDL- 2
Verilog HDL- 2
 
eMMC Embedded Multimedia Card overview
eMMC Embedded Multimedia Card overvieweMMC Embedded Multimedia Card overview
eMMC Embedded Multimedia Card overview
 
Overview 5G Architecture Options from Deutsche Telekom
Overview 5G Architecture Options from Deutsche TelekomOverview 5G Architecture Options from Deutsche Telekom
Overview 5G Architecture Options from Deutsche Telekom
 
IEEE MACSec and NSA ESS: How to Protect Your WAN, LAN and Cloud
IEEE MACSec and NSA ESS: How to Protect Your WAN, LAN and CloudIEEE MACSec and NSA ESS: How to Protect Your WAN, LAN and Cloud
IEEE MACSec and NSA ESS: How to Protect Your WAN, LAN and Cloud
 
ModelSim 기초 매뉴얼
ModelSim 기초 매뉴얼ModelSim 기초 매뉴얼
ModelSim 기초 매뉴얼
 

Similar to 4G modem – best present ever!

Fuzzing usb modems rahu_sasi
Fuzzing usb modems rahu_sasiFuzzing usb modems rahu_sasi
Fuzzing usb modems rahu_sasi
Rahul Sasi
 
Wifi obd auto checker using step
Wifi obd auto checker using stepWifi obd auto checker using step
Wifi obd auto checker using step
Bill Zhao
 
Android Industrial Mobility - Droidcon Italy - Turin 9-10 April 2015
Android Industrial Mobility - Droidcon Italy - Turin 9-10 April 2015Android Industrial Mobility - Droidcon Italy - Turin 9-10 April 2015
Android Industrial Mobility - Droidcon Italy - Turin 9-10 April 2015
Pietro F. Maggi
 
3 g modem_tutorial
3 g modem_tutorial3 g modem_tutorial
3 g modem_tutorial
aljarous
 
EDK_II_SW_debugger_v0.1_lj-Plugfest.pdf
EDK_II_SW_debugger_v0.1_lj-Plugfest.pdfEDK_II_SW_debugger_v0.1_lj-Plugfest.pdf
EDK_II_SW_debugger_v0.1_lj-Plugfest.pdf
Rajeshravi49
 
ARM uVisor Debug Refinement Project(debugging facility improvements)
ARM uVisor Debug Refinement Project(debugging facility improvements)ARM uVisor Debug Refinement Project(debugging facility improvements)
ARM uVisor Debug Refinement Project(debugging facility improvements)
家榮 張
 
Android Embedded - Smart Hubs als Schaltzentrale des IoT
Android Embedded - Smart Hubs als Schaltzentrale des IoTAndroid Embedded - Smart Hubs als Schaltzentrale des IoT
Android Embedded - Smart Hubs als Schaltzentrale des IoT
inovex GmbH
 
DSI USA Agent & Retailer Presentation Final Version March 5 2015
DSI USA Agent & Retailer Presentation Final Version March 5 2015DSI USA Agent & Retailer Presentation Final Version March 5 2015
DSI USA Agent & Retailer Presentation Final Version March 5 2015
Mark Davis
 
Forti Gate Virtual Appliances Sales 201010
Forti Gate Virtual Appliances Sales 201010Forti Gate Virtual Appliances Sales 201010
Forti Gate Virtual Appliances Sales 201010
Alvaro Roldan Peral
 

Similar to 4G modem – best present ever! (20)

DEF CON 27 - XIAOHUIHUI - all the 4g modules could be hacked
DEF CON 27 - XIAOHUIHUI - all the 4g modules could be hackedDEF CON 27 - XIAOHUIHUI - all the 4g modules could be hacked
DEF CON 27 - XIAOHUIHUI - all the 4g modules could be hacked
 
Mvi56 mcm datasheet
Mvi56 mcm datasheetMvi56 mcm datasheet
Mvi56 mcm datasheet
 
Fuzzing usb modems rahu_sasi
Fuzzing usb modems rahu_sasiFuzzing usb modems rahu_sasi
Fuzzing usb modems rahu_sasi
 
Mozilla chirimen firefox os dwika v5
Mozilla chirimen firefox os dwika v5Mozilla chirimen firefox os dwika v5
Mozilla chirimen firefox os dwika v5
 
Wifi obd auto checker using step
Wifi obd auto checker using stepWifi obd auto checker using step
Wifi obd auto checker using step
 
Android Industrial Mobility - Droidcon Italy - Turin 9-10 April 2015
Android Industrial Mobility - Droidcon Italy - Turin 9-10 April 2015Android Industrial Mobility - Droidcon Italy - Turin 9-10 April 2015
Android Industrial Mobility - Droidcon Italy - Turin 9-10 April 2015
 
3 g modem_tutorial
3 g modem_tutorial3 g modem_tutorial
3 g modem_tutorial
 
EDK_II_SW_debugger_v0.1_lj-Plugfest.pdf
EDK_II_SW_debugger_v0.1_lj-Plugfest.pdfEDK_II_SW_debugger_v0.1_lj-Plugfest.pdf
EDK_II_SW_debugger_v0.1_lj-Plugfest.pdf
 
gofortution
gofortutiongofortution
gofortution
 
mago3D Technical Workshop Material
mago3D Technical Workshop Material mago3D Technical Workshop Material
mago3D Technical Workshop Material
 
ARM uVisor Debug Refinement Project(debugging facility improvements)
ARM uVisor Debug Refinement Project(debugging facility improvements)ARM uVisor Debug Refinement Project(debugging facility improvements)
ARM uVisor Debug Refinement Project(debugging facility improvements)
 
Top 10 secure boot mistakes
Top 10 secure boot mistakesTop 10 secure boot mistakes
Top 10 secure boot mistakes
 
Security of Go Modules - SF Meetup
Security of Go Modules - SF MeetupSecurity of Go Modules - SF Meetup
Security of Go Modules - SF Meetup
 
Android Embedded - Smart Hubs als Schaltzentrale des IoT
Android Embedded - Smart Hubs als Schaltzentrale des IoTAndroid Embedded - Smart Hubs als Schaltzentrale des IoT
Android Embedded - Smart Hubs als Schaltzentrale des IoT
 
Asterisk: dongled !
Asterisk: dongled !Asterisk: dongled !
Asterisk: dongled !
 
DSI USA Agent & Retailer Presentation Final Version March 5 2015
DSI USA Agent & Retailer Presentation Final Version March 5 2015DSI USA Agent & Retailer Presentation Final Version March 5 2015
DSI USA Agent & Retailer Presentation Final Version March 5 2015
 
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
 
Forti Gate Virtual Appliances Sales 201010
Forti Gate Virtual Appliances Sales 201010Forti Gate Virtual Appliances Sales 201010
Forti Gate Virtual Appliances Sales 201010
 
Droid Pro Launch
Droid Pro LaunchDroid Pro Launch
Droid Pro Launch
 
Security of go modules and vulnerability scanning in GoCenter
Security of go modules and vulnerability scanning in GoCenterSecurity of go modules and vulnerability scanning in GoCenter
Security of go modules and vulnerability scanning in GoCenter
 

More from Positive Hack Days

Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»
Positive Hack Days
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложений
Positive Hack Days
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 лет
Positive Hack Days
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Positive Hack Days
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПО
Positive Hack Days
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке Си
Positive Hack Days
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
Positive Hack Days
 

More from Positive Hack Days (20)

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows Docker
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive Technologies
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + Qlik
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQube
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps Community
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для Approof
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложений
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложений
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application Security
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 лет
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на грабли
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПО
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке Си
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опыт
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services Center
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атаки
 

Recently uploaded

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxTales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
FIDO Alliance
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overview
DianaGray10
 

Recently uploaded (20)

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Quantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingQuantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation Computing
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Choreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringChoreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software Engineering
 
الأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهالأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهله
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptx
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptx
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxTales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
Decarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceDecarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational Performance
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overview
 

4G modem – best present ever!

  • 1.
  • 2. Dmitry Sklyarov Senior Analyst @ Department for Advanced Developments Positive Technologies Positive Hack Days IV, May 21-22, 2014
  • 3. How it looks (approximately ;)
  • 4. Explore textual marks on Modem Front side: • “4G” logo • operator’s logo Under the cover (access to SIM and SD cards): • operator’s internal model number • IMEI • serial number Hmm, what the actual manufacturer name and model number? Back side: • nothing
  • 5. Explore packaging Manufacturer name (ZTE) printed on the box and in booklet
  • 6. ZTE MF823 4G Modem Specification • LTE-FDD: 800/900/1800/2600MHz; • UMTS: 900/2100MHz; • LTE-FDD: DL/UL 100/50Mbps (Category3) • DC-HSPA+: DL/UL 42/5.76Mbps • Size: 90 x 28.4 x 13mm • OS: Win7, Windows XP,Vista, Win8, Mac OS
  • 7. ZTE MF823 4G Modem re-Branding MegaFon (Russia) O2(Germany)
  • 8. Is there Modem anymore? After plugging into PC running Windows 7: • CWID USB SCSI CD-ROM USB Device • ZTE MMC Storage USB Device (MicroSD Card Reader) After performing “Eject CD Drive”: • CD-ROM (sometimes they come back!) • MicroSD Card Reader • Remote NDIS* based Internet Sharing Device *NDIS == Network Driver Interface Specification No drivers required! (at least on Windows 7 ;)
  • 9. Remote NDIS adapter properties > ipconfig Windows IP Configuration Ethernet adapter Local Area Connection: Connection-specific DNS Suffix . : IPv4 Address. . . . . . . . . . . : 192.168.0.182 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 192.168.0.1
  • 10. How to speak with MF823? Results of ports scan for 192.168.0.1
  • 11. HTTP server on 192.168.0.1 NB: Some brand-customized firmware contains web-interface that relies on “GoForm” handlers GET /index.html HTTP/1.1 Host: 192.168.0.1 HTTP/1.1 404 Site or Page Not Found GET / HTTP/1.1 Host: 192.168.0.1 HTTP/1.0 302 Redirect Server: GoAhead-Webs/2.5.0 Location: http://192.168.0.1/index.html
  • 12. HTTP server Handlers Defined UrlHandlers: /goform /cgi-bin /mmc2 /api/xmlclient/post /client/backup /api/nvramul.cgi Defined GoForm handlers: /goform/goform_get_cmd_process /goform/goform_set_cmd_process /goform/goform_process /goform/formTest
  • 13. Getting diagnostics info http://192.168.0.1/goform/ goform_get_cmd_process? cmd=device_diagnostics Returns: productName softwareVersion modemVersion routerVersion webUiVersion hardwareVersion serialNumber simSerialNumber simMsisdn deviceImei simImsi simStatus sdCardAvailable sdCardTotalMemory sdCardUsedMemory currentConnectedUsers maxConnectedUsers timeSinceStartup
  • 14. Switching to Download (FACTORY) mode http://192.168.0.1/goform/goform_process? goformId=MODE_SWITCH&switchCmd=FACTORY New devices appears: • ZTE Diagnostics Interface (COMX) • ZTE NMEA Device (COMY) • ZTE Proprietary USB Modem NB: Send AT+ZCDRUN=F to COM-port associated with “ZTE NMEA Device” to return from Download mode
  • 15. telnetd on 192.168.0.1 OpenEmbedded Linux 9615-cdp msm 20130729 9615-cdp 9615-cdp login: root Password: zte9x15 root@9615-cdp:~# id uid=0(root) gid=0(root) groups=0(root)
  • 16. root is good! Full-featured ARM-based Linux • busybox apps (e.g. nc and netstat) • iptables • tcpdump • gdbserver CD image at /usr/zte_web/ZTEMODEM.ISO HTTP server root at /usr/zte_web/web/* • auto_apn • copy • zte_log
  • 17. What is actually under your control?
  • 18. What is actually under your control?
  • 19. What are the treats? controls all external traffic log all internet activity replicate all internet activity WiFi-enabled? access to local WiFi GPS-enabled? store/report GPS location under remote management access to local network
  • 21. That’s all… Thanks for your patience ;) Dmitry Sklyarov DSklyarov@ptsecurity.ru Senior Analyst @ Department for Advanced Developments Positive Technologies