Attacking Mobile Broadband Modems Like A Criminal Would Andreas Lindh, @addelindh, Black Hat USA 2014
Transcript
ISecure. Andreas Lindh, @addelindh, Black Hat USA 2014
whoami
Technical generalist
Agenda
Introduction
Practical attacks
Great potential for paying off
By this logic, we're going to look at some practical attacks that are likely to happen in the real world,
simply because they are not hard to execute and they have great potential for paying off
Few vendors
Rahul Sasi
Scope
Huawei
ZTE
Huawei E3276
ZTE MF821D
*Combined market share of more than 80% in 2011 (www.strategyanalytics.com)
Common attack vectors for this kind of device
Not about specific vulnerabilities in specific devices (though examples are given); more about what type of attacks we can expect as a whole
Disconnect the device
Permanently break the application
Permanently brick the device
A number of different Denial of Service attacks are possible
Out of scope as they don’t meet our objectives
Attacking configuration
DNS poisoning
First thing I did was go looking for a way to change the network configuration
Not very much for the user to fill out
Static DNS servers
SMS MitM
SCA = service center address, the phone number of the carrier's Short Message Service Center
Set up rogue SMSC
Send to premium rate number
Potentially identify the user
Look up phone number
Getting persistent
Configuration is persistent...
Devices have a number of configuration options – set language, enable or disable roaming, auto connect
On certain pages, these settings are loaded as content into JavaScript variables
Settings are saved in the device – persistent XSS
Getting persistent
The web interface is where you go to connect to the Internet
Huawei HiLink opens the main page automatically
ZTE creates a desktop shortcut
The main page sets everything up
Loads an iframe for user interaction
It also loads the chosen language
Language is a configuration parameter loaded by the main page
It is injectable...
Execute code every time the user connects to the Internet
Interact with injected code
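As an added illustration of the persistence bug the slides describe (this is not code from the talk or from either vendor's firmware), here is the unsafe pattern of writing a stored setting straight into a JavaScript variable, beside a hardened renderer that allow-lists and encodes the value; the language list, function names and the tampered sample value are constructed assumptions.

```javascript
// Anti-pattern the slides describe: a setting stored on the device (the UI
// language) is written verbatim into a JavaScript variable on the main page.
// Beside it, a hardened renderer: allow-list the value, then encode it so no
// character can close the string literal or the <script> element.
// All names, the language list and the tampered value below are constructed.

// Language codes the device is assumed to ship with (constructed list).
const SUPPORTED_LANGUAGES = new Set(["en", "de", "fr", "es", "zh-cn"]);

// Unsafe: the stored value is concatenated verbatim into script source.
function renderLanguageUnsafe(storedLanguage) {
  return `<script>var language = "${storedLanguage}";</script>`;
}

// Encode a string as a JS literal that is safe to embed inside <script>:
// JSON.stringify escapes quotes and backslashes; '<' is escaped as well so a
// "</script>" sequence cannot appear, and U+2028/U+2029 so that no line
// terminator can break the literal.
function toScriptLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Hardened: reject anything outside the allow-list, and still encode the
// value defensively (defence in depth if the list is ever relaxed).
function renderLanguageSafe(storedLanguage) {
  if (!SUPPORTED_LANGUAGES.has(storedLanguage)) {
    throw new Error("unsupported language setting: " + toScriptLiteral(storedLanguage));
  }
  return `<script>var language = ${toScriptLiteral(storedLanguage)};</script>`;
}

// Structural check: a correctly rendered fragment has exactly one <script>
// open tag and one close tag. Returns true when the markup is intact.
function scriptIntact(html) {
  return (html.match(/<\/?script/gi) || []).length === 2;
}

// Constructed sample of a tampered stored setting: it closes the string and
// the script element when passed through the unsafe renderer.
const TAMPERED_LANGUAGE = 'en"</script><b>injected</b>';

console.log(renderLanguageSafe("en"));
console.log("unsafe output intact:", scriptIntact(renderLanguageUnsafe(TAMPERED_LANGUAGE)));
```

The allow-list is what actually stops persistence here; the encoder is there so that a setting which later has to accept free text (a device name, say) cannot reintroduce the same bug.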
Injection attacks
Getting persistent
Stealing information
Attacks on configuration, especially network but SMS is not out of the question
The SMS functionality is bound to be, and probably already is, abused
Injection attacks for persistence and stealing info from the actual device
I have no details
ZTE does not seem to have a product security team
Huawei is fixing their entire product line
Nice++
Sounds pretty good though, right?
The update model is broken
Vendors cannot push fixes directly to end-users
Branding complicates things
Vendor -> Carrier -> User
Users might not install the fix
Most existing devices will probably never get patched
Summary: analysis
Attacks not possible without the web interface
Web is easy – easy to implement and use, but also easy to attack
Web is hard – hard to secure, with a terrible track record at securing web interfaces, especially in the embedded space
IoT – lots of embedded devices with web interfaces and vulnerabilities like these: research them, report to vendors, report to the public
Don't forget to research the easy stuff too, because that's where attackers will focus their efforts first
OWASP Internet of Things top 10
We mustn't forget to research the easy stuff too, because that's where attackers will focus their efforts first