How to build Big Brother

  • Published on
    13-Apr-2017


Transcript

How to build Big Brother
Tim Yunusov, @a66at

How to build Big Brother
With blackjack and h kers
With 3G modems and hackers
Tim Yunusov, @a66at

About me
Tim Yunusov
Senior Expert, Application Security, Positive Technologies
https://uk.linkedin.com/in/tyunusov
tyunusov@ptsecurity.com
@a66at

When/Who/Where/And why???
2014-2015
root via SMS, SCADA StrangeLove, https://youtu.be/T9AFFIVpCa8
Russia and the whole world
Cause nobody cares(((

Boring stats
>10 (8 different) 3G/4G modems/routers
75% vulnerable to RCE/FW modification
60% of RCEs are 0-days

Boring stats
~60 000 devices / 1M / Telco
5000 devices / 1W / SecurityLab
100% vulnerable to RCE/FW modification

How
Identification
Code injection
Data interception
SIM cloning / GSM attacks
Host infection
APT

Identification
WHOIS
Fingerprinting
Public databases

Fingerprinting (HTTP server banner)
mini_httpd/1.19 19dec2003 /html/index.html

Code Injection
Public exploits + old FW
Blackbox
FW access + FW RE + IDA
FW modification + arbitrary upload

Code Injection: parameter injection examples
?action=ping || shutdown r 0 ||
?date=;ping%20blahblah.com;%20

Code Injection: FW access + FW RE + WEB DISASSM
Greetings: Kirill Nesterov, Dmitry Sklyarov

Code Injection: FW access + FW RE + #USETHEFORCE

Code Injection: FW modification + arbitrary upload
Integrity attacks
Remote uploading (CSRF/XSS)
Local upload (diag mode)

Code Injection: integrity attacks
FW encrypted via RC4
RSA digital signature + SHA1

Code Injection: FW encrypted via RC4: FAIL
Constant keystream: FAIL
Part1 XOR Part2: FAIL
FW1 XOR FW2: FAIL
Lot of plaintext (CD-ROM): FAIL
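Why every line of the RC4 slide reads FAIL, as an added Python example (not from the talk and not any vendor's code): a stream cipher used with one fixed key and no nonce emits one constant keystream, so XORing two ciphertexts cancels it out, and a known plaintext such as the bundled CD-ROM image hands the keystream back. The key and firmware bytes below are constructed for the demo.

```python
def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (KSA + PRGA), used only to model the weak firmware scheme."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR, truncated to the shorter input (zip stops there)."""
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_encrypt(key: bytes, data: bytes) -> bytes:
    """Fixed key, no nonce: every part gets the identical keystream.
    Decryption is the same call, since XOR is its own inverse."""
    return xor(data, rc4_keystream(key, len(data)))


def recover_other_part(known_plain: bytes, known_cipher: bytes, other_cipher: bytes) -> bytes:
    """Known-plaintext recovery under keystream reuse, without the key:
    keystream = P1 XOR C1, then P2 = C2 XOR keystream, as far as the known part reaches."""
    keystream = xor(known_plain, known_cipher)
    return xor(other_cipher, keystream)


# Constructed sample data (assumption, not from the talk). The key is unknown to the
# analyst; PART_CDROM stands in for the bundled CD-ROM image whose bytes are public.
KEY = b"constructed-fw-key"
PART_CDROM = b"CD001 constructed ISO header, publicly known plaintext"
PART_FW = b"constructed secret: root::0:0::/:/bin/sh"

C_CDROM = rc4_encrypt(KEY, PART_CDROM)
C_FW = rc4_encrypt(KEY, PART_FW)

# "Part1 XOR Part2" / "FW1 XOR FW2": the keystream cancels, C1 XOR C2 == P1 XOR P2.
assert xor(C_CDROM, C_FW) == xor(PART_CDROM, PART_FW)
# "Lot of plaintext": the known CD-ROM bytes decrypt the other part with no key at all.
assert recover_other_part(PART_CDROM, C_CDROM, C_FW) == PART_FW
```

The fix on the design side is not a different stream cipher but a per-image nonce (or an authenticated mode) so no two encryptions share a keystream.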

Code Injection: RSA digital signature + SHA1: FAIL
AR: !:FW files
pkginfo: sign=RSA(SHA1(FW[0..7742526]))
The signature covers only bytes 0..7742526 of the archive, so an ar member appended after that range is never checked:

ar --add data.tar.gz
ar -v
data.tar.gz
sign
pkginfo
data.tar.gz

Code Injection: FW uploading via CSRF

http://blog.kotowicz.net/2011/04/how-to-upload-arbitrary-file-contents.html

Code Injection: FW uploading via XSS
HUAWEI PSIRT 436642 (2015-05-29)
http://www1.huawei.com/en/security/psirt/security-bulletins/security-notices/archive/hw-436642.htm

Data Interception
Cell ID
Wi-Fi
SMS
HTTP
SSL

Data Interception: Cell ID
+ http://opencellid.org/
RCE, XSS

Data Interception: Wi-Fi

Data Interception: SMS

Data Interception: HTTP
ARP spoofing
DNS spoofing

Data Interception: SSL
Host RCE

SIM Cloning + GSM attacks
GEO(!) + IMSI = Fake BTS + Binary SMS
OSMO + Radio dump + Kraken
https://media.blackhat.com/us-13/us-13-nohl-rooting-sim-cards-slides.pdf

SIM Cloning + GSM attacks: #USETHEFORCE

SIM Cloning + GSM attacks: Diag Mode
Send AT commands
AT+CMGF=0

Host Infection
BadUSB
Fake diagnostic tools/CD-ROM
HTML injection + 0day
Even real diagnostic tools =))

Host Infection: Drive-by download, CD-ROM

Host Infection: HTML injection + 0day

Host Infection
Kudos to @cyberpunkych
Lots of other stuff at http://yota.hlsec.ru

APT
Subscribers attack subscribers
LISTEN 0.0.0.0:80
Firewalls

Resume

KUDOS
@cyberpunkych
@GIFTSUNGIVEN
@SCADASL
D. Sklyarov
K. Nesterov

Write me ;-)
Tim Yunusov
https://uk.linkedin.com/in/tyunusov
tyunusov@ptsecurity.com
@a66at