How to build Big Brother

Post on 13-Apr-2017


Transcript of How to build Big Brother

How to build Big Brother
With blackjack and hookers... with 3G modems and hackers

Tim Yunusov, @a66at

About me

Tim Yunusov
Senior Expert, Application Security, Positive Technologies
https://uk.linkedin.com/in/tyunusov
tyunusov@ptsecurity.com
@a66at

When/Who/Where/And why???

2014-2015
«root via SMS», SCADAStrangeLove: https://youtu.be/T9AFFIVpCa8
Russia and the whole world
Cause nobody cares(((

Boring stats


• >10 (8 different) 3G/4G modems/routers tested
• 75% vulnerable to RCE / firmware modification
• 60% of the RCEs are 0days

• ~60 000 devices / 1M / Telco
• 5000 devices / 1W / SecurityLab
• 100% vulnerable to RCE / firmware modification

How

• Identification
• Code injection
• Data interception
• SIM cloning / GSM attacks
• Host infection
• APT

Identification

• WHOIS
• Fingerprinting
• Public databases

Fingerprinting

Hidden images point at resources that exist only on a particular modem's web interface (the default gateway, a known hostname, or a helper service on 127.0.0.1:5000); whichever onload fires tells the page which device the visitor is behind.

<img src="http://192.168.0.1/img/1.png" style="height:0;width:0;" onload="set('1')">
<img src="http://192.168.0.1/img/2.jpg" style="height:0;width:0;" onload="set('2')">
<img src="http://hostname/img/3.png" style="height:0;width:0;" onload="set('3')">
<img src="http://127.0.0.1:5000/request" style="height:0;width:0;" onload="set('4')">

Fingerprinting by server banner and default page: mini_httpd/1.19 19dec2003, /html/index.html


Code Injection

• Public exploits + old FW
• Blackbox
• FW access + FW RE + IDA
• FW modification + arbitrary upload

Code Injection

?action=ping || shutdown -r 0 ||
?date=;ping%20blahblah.com;%20

Code Injection

FW access + FW RE + WEB DISASSM
Greetings:
• Kirill Nesterov
• Dmitry Sklyarov

FW access + FW RE + #USETHEFORCE

Code Injection

FW modification + arbitrary upload
• Integrity attacks
• Remote uploading (CSRF/XSS)
• Local upload (diag mode)

Integrity attacks
• FW encrypted via RC4
• RSA digital signature + SHA1

Code Injection

Integrity attacks: FW encrypted via RC4 (FAIL)
• Constant keystream: FAIL
• Part1 XOR Part2: FAIL
• FW1 XOR FW2: FAIL
• Lot of plaintext (CDROM): FAIL

Code Injection

Integrity attacks: RSA digital signature + SHA1

AR: !<arch>:
• FW files
• pkginfo: <7742526>
• sign=RSA(SHA1(FW[0..7742526]))

ar --add data.tar.gz
ar -v
• data.tar.gz
• sign
• pkginfo
• data.tar.gz

FAIL
The signature covers only the first 7742526 bytes named in pkginfo, so a second data.tar.gz appended after pkginfo lies outside the signed range and the signature still verifies.
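As an added example (not from the talk or from any vendor's tooling) of why that check fails and what a stricter verifier must do: a small ar parser, a signed archive built with a stand-in for RSA(SHA1(FW[0..N])) (a plain SHA-1 over the prefix, where the real verifier would check an RSA signature with the vendor's public key), and two verifiers. The naive one trusts the length in pkginfo and so still accepts an archive with a second data.tar.gz appended; the strict one rejects duplicate member names and any payload member lying past the signed range. The firmware bytes are constructed samples.

```python
import hashlib

AR_MAGIC = b"!<arch>\n"

def ar_pack(members):
    """Build a minimal ar archive from (name, bytes) pairs; 60-byte member headers as in GNU ar."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        hdr = f"{name + '/':<16}{0:<12}{0:<6}{0:<6}{100644:<8}{len(data):<10}".encode() + b"`\n"
        out += hdr + data + (b"\n" if len(data) % 2 else b"")  # members start at even offsets
    return bytes(out)

def ar_members(blob):
    """Yield (name, data_offset, data) for every member in archive order, duplicates included."""
    pos = len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        name, size = hdr[:16].decode().rstrip().rstrip("/"), int(hdr[48:58].decode())
        yield name, pos + 60, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)

def sign_prefix(blob, n):
    """Stand-in for RSA(SHA1(FW[0..n])): a real verifier checks an RSA signature with the vendor key."""
    return hashlib.sha1(blob[:n]).hexdigest().encode()

def verify_naive(blob):
    """The scheme on the slide: trust the length in pkginfo and check the signature over that prefix only."""
    m = {name: data for name, _, data in ar_members(blob)}  # a later data.tar.gz shadows the earlier one
    return m["sign"] == sign_prefix(blob, int(m["pkginfo"].decode()))

def verify_strict(blob):
    """Additionally reject duplicate member names and any payload member ending beyond the signed range."""
    members = list(ar_members(blob))
    by_name = {name: data for name, _, data in members}
    n = int(by_name["pkginfo"].decode())
    if by_name["sign"] != sign_prefix(blob, n):
        return False
    names = [name for name, _, _ in members]
    unsigned = any(name not in ("sign", "pkginfo") and start + len(data) > n for name, start, data in members)
    return len(names) == len(set(names)) and not unsigned

def build_samples():
    """Constructed sample: a correctly signed archive and the same archive with a second data.tar.gz appended."""
    fw = b"original firmware image (constructed sample)"
    prefix = ar_pack([("data.tar.gz", fw)])  # the signed range FW[0..N) is exactly the first member
    signed = [("data.tar.gz", fw), ("sign", sign_prefix(prefix, len(prefix))), ("pkginfo", str(len(prefix)).encode())]
    tampered = signed + [("data.tar.gz", b"attacker-supplied image (constructed sample)")]
    return ar_pack(signed), ar_pack(tampered)
```

Running `verify_naive` and `verify_strict` on the two archives from `build_samples` shows the naive check accepting both while the strict check accepts only the untouched one.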

Code Injection

FW uploading via CSRF
http://blog.kotowicz.net/2011/04/how-to-upload-arbitrary-file-contents.html

FW uploading via XSS
HUAWEI PSIRT 436642 (2015-05-29)
http://www1.huawei.com/en/security/psirt/security-bulletins/security-notices/archive/hw-436642.htm


Data Interception

• Cell ID
• Wi-Fi
• SMS
• HTTP
• SSL

Cell ID + http://opencellid.org/
• RCE
• XSS

Wi-Fi

SMS

HTTP
• ARP spoofing
• DNS spoofing

SSL
• Host RCE


SIM Cloning + GSM attacks

GEO(!) + IMSI =
• Fake BTS + binary SMS
• OSMO + radio dump + Kraken
https://media.blackhat.com/us-13/us-13-nohl-rooting-sim-cards-slides.pdf

#USETHEFORCE

Diag mode

Send AT commands
AT+CMGF=0


Host Infection

• BadUSB
• Fake diagnostic tools / CDROM
• HTML injection + 0day
• Even real diagnostic tools =))

Drive-by download: CD-ROM

HTML injection + 0day

Kudos to @cyberpunkych
Lots of other stuff at http://yota.hlsec.ru


APT

• Ident
• RCE
• Data
• GSM
• Host
• APT

Subscribers attack subscribers
• LISTEN 0.0.0.0:80
• Firewalls


Resume

KUDOS
• @cyberpunkych
• @GIFTSUNGIVEN
• @SCADASL
• D. Sklyarov
• K. Nesterov

Write me ;-)
Tim Yunusov
https://uk.linkedin.com/in/tyunusov
tyunusov@ptsecurity.com
@a66at