How to build Big Brother

How to build Big Brother

Tim Yunusov@a66at

How to build Big Brother

With blackjack and h kersWith 3G modems and hackers

Tim Yunusov@a66at

About me

Tim YunusovSenior Expert, Application SecurityPositive Technologies

https://uk.linkedin.com/in/[email protected]@a66at

When/Who/Where/And why???

2014-2015


2014-2015«root via SMS» SCADAStrangeLove https://youtu.be/T9AFFIVpCa8Russia and the whole world


2014-2015«root via SMS» SCADA Strange Love https://youtu.be/T9AFFIVpCa8Russia and the whole worldCause nobody cares(((

Boring stats

Тимур Юнусов1

img

Boring stats

>10 (8 diff) 3G/4G modems/routers75% vulns to RCE/fw modification60% RCE are 0days

Boring stats

~60 000 devices/1M/Telco5000 devices/1W/SecurityLab100% vulns to RCE/fw modification

How

IdentificationCode injectionData interceptionSIM cloning / GSM AttacksHost InfectionAPT

Identification

WHOISFingerprintingPublic Databases

Fingerprinting

<img src="http://192.168.0.1/img/1.png" style="height:0;width:0;" onload="set('1')">

<img src="http://192.168.0.1/img/2.jpg" style="height:0;width:0;" onload="set('2')">

<img src="http://hostname/img/3.png" style="height:0;width:0;" onload="set('3')">

<img src="http://127.0.0.1:5000/request" style="height:0;width:0;" onload="set('4')">

Fingerprintingmini_httpd/1.19 19dec2003 /html/index.html

How


Code Injection

Public exploits + old FWBlackboxFW Access + FW RE + IDAFW modification + Arbitrary upload

Code Injection

Code Injection

?action=ping || shutdown –r 0 ||?date=;ping%20blahblah.com;%20

Code Injection

FW Access + FW RE + WEB DISASSMGreetings:

• Kirill Nesterov • Dmitry Sklyarov

Code Injection

FW Access + FW RE + #USETHEFORCE

Code Injection

FW modification + Arbitrary upload• Integrity attacks• Remote uploading (CSRF/XSS)• Local upload (diag mode)

Code Injection

Integrity attacks• FW encrypted via RC4• RSA digital signature + SHA1

Code Injection

Integrity attacks

Code Injection

FW encrypted via RC4

• Constant keystreamFAIL

• Part1 XOR Part2FAIL

• FW1 XOR FW2FAIL

• Lot of plaintext (CDROM) FAIL

Code Injection

FW encrypted via RC4FAIL

• Constant keystreamFAIL

• Part1 XOR Part2FAIL

• FW1 XOR FW2FAIL

• Lot of plaintext (CDROM) FAIL

Code Injection

RSA Digital Signature +SHA1

AR: !<arch>:• FW files• pkginfo: <7742526>• sign=RSA(SHA1(FW[0..7742526]))

Code Injection

RSA Digital Signature +SHA1

ar --add data.tar.gzar -v

• data.tar.gz• sign• pkginfo• data.tar.gz

Code Injection

RSA Digital Signature +SHA1 FAIL

ar --add data.tar.gzar -v

• data.tar.gz• sign• pkginfo• data.tar.gz

Code Injection

FW uploading via CSRF

http://blog.kotowicz.net/2011/04/how-to-upload-arbitrary-file-contents.html

Code Injection

FW uploading via XSS

HUAWEI PSIRT 436642 (2015-05-29)http://www1.huawei.com/en/security/

psirt/security-bulletins/security-notices/archive/hw-436642.htm

How


Data Interception

Cell IDWiFiSMSHTTPSSL

Data Interception

Cell ID + http://opencellid.org/• RCE • XSS

Data Interception

Wi-Fi

Data Interception

SMS

Data Interception

HTTP• ARP spoofing• DNS spoofing

Data Interception

SSL• Host RCE

How


GEO(!) + IMSI =• Fake BTS + Binary SMS• OSMO + Radio dump + Kraken

https://media.blackhat.com/us-13/us-13-nohl-rooting-sim-cards-slides.pdf

SIM Cloning + GSM attacks

#USETHEFORCE


Diag Mode


Send AT commands

AT+CMGF=0


How


Host Infection

BadUSBFake diagnostic tools/CDROMHTML Injection + 0dayEven real diagnostic tools =))

Host Infection

Drive By DownloadCD-ROM

Host Infection

HTML Injection + 0day

Host Infection

Kudos to @cyberpunkychLots of other stuff at http://yota.hlsec.ru

How


APT

Ident

RCE

Data

GSM

Host

APT

APT

Subscribers attacks subscribers• LISTEN 0.0.0.0:80• Firewalls

How


Resume

KUDOS

@cyberpunkych@GIFTSUNGIVEN@SCADASLD. SklyarovK. Nesterov

Write me ;-)

Tim Yunusovhttps://uk.linkedin.com/in/[email protected]@a66at

How to build Big Brother

Devices & Hardware

Transcript of How to build Big Brother