Security analysis of the UPC UBEE EVW3226 router, reverse engineering, WPA2 password generation algorithm. Statistic analysis of the password generation function is provided. Results from the wardriving.

1. UPC router reverse
engineering
Messing around the firmware & digging for WPA2 password generator
Dušan Klinec, Miroslav Svítok
deadcode.me

2. The beginning of the story

3. The beginning of the story
31.12.2015
https://haxx.in/upc_keys.c

4. The weakness
• Default SSID & Passwd computation from public
information
Serial ID
SAAP12345678
SSID
PASSWD
Derivation: MD5 + some home-brew mangling

5. The attack
• Bruteforce, complexity = 1e8 iterations
• For all serial ID combinations
• Compute SSID, if matches, print passwd
Serial ID
SAAP12345678
SSID
PASSWD

6. The attack
• 20 password candidates on average
• Under 2 seconds on Samsung Galaxy S7
Serial ID
SAAP12345678
SSID
PASSWD

9. Technicolor TC 7200
48.53 % of all UPC[0-9]{7} networks in Brno 02/2016
Vulnerable modem
* 2868 UPC samples collected / 17516 total

10. UBEE EVW 3226
15.44 % of all UPC[0-9]{7} networks in Brno 02/2016
Not-yet-vulnerable modem
* 2868 UPC samples collected / 17516 total

11. Attack outline
• Get the firmware
• Analyze binaries generating wifi config files
• Reverse engineer password generating routine

12. Getting the
firmware – UART

13. Getting the firmware - UART
• Some soldering needed
• USB-UART bridge (2 USD on eBay)

14. Getting the firmware - UART
• Collect information – e.g., memory layout, kernel,
compression, encryption, …
• Modify boot arguments, dump flash
• Default credentials / no-auth access to CLI

15. Getting the
firmware – UART

16. Getting the firmware – EEPROM read

17. Getting the firmware – old school way

18. Getting the firmware – old school way
• USB-SPI bridge (BusPirate / other)
• Dump flash memory
• Use binwalk to analyze the dump
• Decompress (squashfs, lzma) the FS, kernel

19. Getting the firmware – old school way

20. Getting the firmware –
without getting hands
dirty

21. Getting the firmware #2
• Attacking the software / APIs
• Command injection / code execution
• Unsanitized input data in administration interface
• Ping command, traceroute command
https://firefart.at/post/upc_ubee_fail/

22. Getting the firmware #2
• Via system vulnerability using USB port
• .auto file is executed if USB is named “EVW3226”
https://firefart.at/post/upc_ubee_fail/

23. Getting the firmware #2
• Rewrite /etc/passwd with a new admin password
• Start SSH server on the router
• Enjoy the root access

24. Getting the firmware
• DD all block devices to the USB flash drive
• Tar the whole FS to the USB flash drive

25. Searching the firmware
# cli
IMAGE_NAME=vgwsdk-3.5.0.24-150324.img
FSSTAMP=20150324141918
VERSION=EVW3226_1.0.20

26. Searching the firmware
# ps –a
5681 admin 1924 S hostapd -B /tmp/secath0

27. Searching the firmware
# cat /tmp/secath0
interface=ath0
bridge=rndbr1
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ssid=UPC2659797
wpa=3
wpa_passphrase=IVGDQAMI
wpa_key_mgmt=WPA-PSK

28. Searching the firmware
# find . -type f -exec grep -il 'secath0' {} ;
./fss/gw/lib/libUtility.so
./fss/gw/usr/sbin/aimDaemon
./fss/gw/usr/www/cgi-bin/setup.cgi
./var/tmp/conf_filename
./var/tmp/www/cgi-bin/setup.cgi

29. Searching the firmware

30. Searching the firmware

31. Searching the firmware

32. Searching the firmware

35. That’s not all…

39. Profanities
• Profanity found? Switch to non-insulting alphabet
• BBCDFFGHJJKLMNPQRSTVVWXYZZ

40. Non-optimal
• Contains a lot of duplicate entries, varying case
• toupper() on runtime – database case mixed
• Some entries cannot be generated at all, e.g.
PROSTITUTE (10 characters, password has 8)

41. Non-optimal
• Substring search test
• More efficient to remove substrings from database
• “COCK”, “COCKS”, “COCKY”, “ACOCK”
• (Only the first one is needed, the rest is redundant)

42. Profanity search
• All UBEE MACs generated
• 224 = 16777216 passwords
• 32105 (0.19%) hit the profanity detection
• Cca in 1000 customers, almost 2 could
complain

43. Profanity stats
# of characters Occurrences
3 23090
4 6014
5 3001

44. Profanity stats

45. Statistic properties of the password function

50. Uniformity tests

52. Uniformity tests
• H0: the distribution of characters from the alphabet
is uniform over characters.
• Halt: The distribution is not uniform.

53. Uniformity tests
Uniform distribution on characters
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
1 pos
2 pos
3 pos
4 pos
5 pos
6 pos
7 pos
8 pos
total

54. Uniformity tests
Output alphabet projection distribution
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
1 pos
2 pos
3 pos
4 pos
5 pos
6 pos
7 pos
8 pos
total

55. Uniformity tests
Do not strip the entropy
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
1 pos
2 pos
3 pos
4 pos
5 pos
6 pos
7 pos
8 pos
total

56. Uniformity tests
Do only one hashing – no homebrew mangling
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
1 pos
2 pos
3 pos
4 pos
5 pos
6 pos
7 pos
8 pos
total

57. Password gen conclusion
• Uses only MAC as an input
• Only one password guess
• Very effective – 2 MD5 hashes
• Compared to Blasty (router serial ID space
brute-forcing)

59. More vulnerabilities

60. UBEE vulnerabilities
• UPC Wi-Free can be sniffed
• After gaining root access, Wi-Free can be sniffed / tampered with
• Authentication bypass (backdoor)
• http://192.168.0.1/cgi-bin/setup.cgi?factoryBypass=1

61. UBEE vulnerabilities
• Insecure session management
• no-cookies, IP address authenticated
• Local file inclusion
http://192.168.0.1/cgi-bin/setup.cgi?gonext=../www/main2
• Buffer overflow in configuration file request
http://192.168.0.1/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
• Backup file disclosure – not deleted, publicly available
http://192.168.0.1/Configuration_file.cfg

62. UBEE vulnerabilities
• Backup file is not encrypted
• Web asks for password for backup encryption
• Backup is not actually encrypted, password is stored in plaintext
• Backup restore buffer overflow
• Password longer than 65536 characters
• Arbitrary code execution
• Backup file = tar, can contain symbolic links
• After extraction can overwrite CGI scripts

63. War driving #1 – Brno
02/2016

66. Total networks 17 516
UPC networks 2 868 16.37 %
UPC vulnerable 1 835 63.98 % UPC
UPC UBEE vulnerable 443 15.45 % UPC
UPC Technicolor vulnerable 1 392 48.54 % UPC
UBEE changed 98 18.11 % UBEE
Technicolor changed 304 17.92 % Tech.

67. War driving #2 – Bratislava
10/2016

69. Total networks 22 172
UPC networks 3 092 13.95 %
UPC vulnerable 1 327 42.92 % UPC
UPC UBEE vulnerable 822 26.58 % UPC
UPC Technicolor vulnerable 505 16.33 % UPC
UBEE changed 205 19.96 % UBEE
Technicolor changed 96 03.10 % Tech.
Compal CH7465LG 930 30.08 % UPC

70. New target
• Security Swiss cheese
• 35 vulnerabilities found by
independent security team
• Default WPA2 seems to be
properly implemented -
allegedly

71. Recap
• Firmware dumped
• WPA2 pwd gen reverse engineered
• Function statistical analysis
• Wardriving
• Android app for automated testing

72. Timeline
• 27. Jan 2016: Start of the analysis.
• 04. Feb 2016: Official disclosure to Liberty Global.
• 04. May 2016: Check with Liberty Global on state of
the fix.
• 28. Jun 2016: Sending this article for review to
Liberty Global.
• 04. Jul 2016: Publication of the research.

73. Thank you for your attention!
Questions

74. References / resources
• https://deadcode.me/blog/2016/07/01/UPC-UBEE-EVW3226-WPA2-
Reversing.html
• https://www.freeture.ch/?p=766
• http://jcjc-dev.com/2016/06/08/reversing-huawei-4-dumping-flash/
• https://haxx.in/upc-wifi/
• https://firefart.at/post/upc_ubee_fail/
• http://www.wifileaks.cz/
• http://www.search-lab.hu/advisories/122-ubee-evw3226-modem-router-
multiple-vulnerabilities
• http://www.search-lab.hu/advisories/secadv-20150720
• http://www.search-
lab.hu/media/Compal_CH7465LG_Evaluation_Report_1.1.pdf
• https://github.com/devttys0/binwalk