Attacking Mobile Broadband Modems Like A Criminal Would Andreas Lindh, @addelindh, Black Hat USA 2014

Mar 24, 2022


Transcript
ISecure Andreas Lindh, @addelindh, Black Hat USA 2014
whoami
Technical generalist
Agenda
Introduction
Practical attacks
Great potential for paying off
By using this logic, we’re going to take a look at some practical attacks that are likely to happen in the real world
Simply because they are not hard to execute and they have great potential for paying off
Few vendors
Rahul Sasi
Scope
Huawei
ZTE
Huawei E3276
ZTE MF821D
*Combined market share of more than 80% in 2011 (www.strategyanalytics.com)
Common attack vectors for these kinds of devices
Not about specific vulnerabilities in specific devices (even though there are examples); more about what types of attacks we can expect as a whole
Disconnect the device
Permanently break the application
Permanently brick the device
A number of different Denial of Service attacks are possible
Out of scope as they don’t meet our objectives
Attacking configuration
DNS poisoning
First thing I did was go looking for a way to change the network configuration
Not very much for the user to fill out
Static DNS servers
SMS MitM
SCA = service center address, the phone number of the carrier's Short Message Service Center
Set up rogue SMSC
Send to premium rate number
Potentially identify the user
Look up phone number
Getting persistent
Configuration is persistent...
Devices have a number of configuration options – set language, enable or disable roaming, auto connect
Go to certain pages, loaded as content in JavaScript variables
Settings are saved in the device – persistent XSS
Getting persistent
The web interface is where you go to connect to the Internet
Huawei Hilink opens main page automatically
ZTE creates a desktop shortcut
The main page sets everything up
Loads an iframe for user interaction
It also loads the chosen language
Language is a configuration parameter loaded by the main page
It is injectable...
Execute code every time the user connects to the Internet
Interact with injected code
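Added example, not from the talk or from any vendor's firmware: the defensive counterpart to a stored setting being written into a JavaScript variable, with an allow-list when the setting is saved and safe serialization when the page is rendered. The template shape (`var language = "...";`), the function names and the language list are assumptions made for illustration.

```javascript
// Added example; names and template shape are assumptions, not firmware code.
const ALLOWED_LANGUAGES = new Set(["en", "sv", "de", "zh"]); // constructed list

// Vulnerable pattern: the stored value is concatenated into a script block,
// so whatever was saved in the setting becomes part of the page's code.
function renderUnsafe(language) {
  return '<script>var language = "' + language + '";</script>';
}

// Check at write time: only known language codes are ever stored.
function validateLanguage(value) {
  if (typeof value !== "string" || !ALLOWED_LANGUAGES.has(value)) {
    throw new Error("rejected language setting");
  }
  return value;
}

// Check at read time: emit a JS string literal and escape the characters
// that could end the literal's line or close the enclosing <script> element.
function jsLiteral(value) {
  return JSON.stringify(String(value)).replace(
    /[<>&\u2028\u2029]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0")
  );
}

function renderSafe(language) {
  return "<script>var language = " + jsLiteral(language) + ";</script>";
}

// Constructed sample of a tampered stored setting.
const tampered = 'en";injected();//</script>';

function demo() {
  let rejected = false;
  try {
    validateLanguage(tampered);
  } catch (e) {
    rejected = true;
  }
  return {
    rejected,                          // write-time check refuses the value
    unsafe: renderUnsafe(tampered),    // value breaks out of the literal
    safe: renderSafe(tampered),        // value stays inert data
    roundTrip: JSON.parse(jsLiteral(tampered)) === tampered,
  };
}
```

Both checks matter here: settings already stored on a device were written before any validation existed, so the render path has to encode them regardless.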
Injection attacks
Getting persistent
Stealing information
Attacks on configuration, especially network but SMS is not out of the question
The SMS functionality is bound to be, and probably already is, abused
Injection attacks for persistence and stealing info from the actual device
I have no details
ZTE does not seem to have a product security team
Huawei is fixing their entire product line
Nice++
Sounds pretty good though, right?
The update model is broken
Vendors cannot push fixes directly to end-users
Branding complicates things
Vendor -> Carrier -> User
Users might not install the fix
Most existing devices will probably never get patched
Summary: analysis
Attacks not possible without the web interface
Web is easy – to implement, to use, but also to attack
Web is hard – hard to secure, terrible track record at securing web, especially in the embedded space
IoT – lots of embedded devices with web interfaces and vulns like these – research, report to vendors, report to public
Don’t forget to research the easy stuff too because that’s where attackers will focus their efforts first
OWASP Internet of Things top 10
We mustn’t forget researching the easy stuff too because that’s where attackers will focus their efforts first