How to build Big Brother With blackjack and h--kers
With 3G modems and hackers
Yunusov Timur, Senior expert, Head of dept
When/Who/Where/And why???
• 2014-2015
• «root via SMS» SCADAStrangeLove https://youtu.be/T9AFFIVpCa8
• Russia and the whole world
• Cause nobody cares (((
Boring numbers
• >10 (8 diff) 3G/4G modems/routers
• 75% vulns to RCE / fw modification
• 60% RCE are 0days
• ~60000 devices / 1M / Telco
• 5000 devices / 1W / SecurityLab
• 100% vulns to RCE / fw modification
How?
1. Identification
2. Code injection
3. Data interception
4. SIM cloning / GSM attacks
5. Host infection
6. APT
7. Return to 1.
Identification
• WHOIS?
<img src="http://192.168.0.1/img/1.png" style="height:0;width:0;" onload="set('1')">
<img src="http://192.168.0.1/img/2.jpg" style="height:0;width:0;" onload="set('2')">
<img src="http://hostname/img/3.png" style="height:0;width:0;" onload="set('3')">
<img src="http://127.0.0.1:5000/request" style="height:0;width:0;" onload="set('4')">
• GeoIP?
Code Injection
• Public exploits + old FW
• Blackbox
• FW Access + FW RE + IDA
• FW modification + Arbitrary upload

Code Injection • Blackbox
• ?action=ping||shutdown -r 0||
• ?date=;ping blahblah.com;
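The two Blackbox payloads above show the pattern behind most of the web RCE findings: a request parameter spliced into a shell command line, so `||` and `;` become command separators. The Python below is an added example, not code from the talk or from any vendor firmware. It puts the vulnerable string-building next to the hardened form (allowlist validation, then a shell-free argv); the sample inputs are the slide's two payloads plus constructed benign ones, and `ping` is assumed to be the OS binary.

```python
import ipaddress
import re
import subprocess

# Constructed sample inputs: the two payloads from the slide plus two legitimate targets.
SAMPLES = ["8.8.8.8", "example.com", "ping||shutdown -r 0||", ";ping blahblah.com;"]

# RFC 1123-style hostname: labels of 1-63 alnum/hyphen chars, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def vulnerable_command(target: str) -> str:
    """The pattern behind '?action=ping': untrusted text concatenated into a string that
    would be handed to /bin/sh via shell=True. Returned here, never executed."""
    return f"ping -c 1 {target}"


def safe_ping_argv(target: str) -> list[str]:
    """Allowlist validation (IP literal or strict hostname), then an argv list.
    No shell is involved, so metacharacters have no meaning even if they slipped through."""
    try:
        ipaddress.ip_address(target)
    except ValueError:
        if not HOSTNAME_RE.match(target):
            raise ValueError(f"rejected ping target: {target!r}")
    return ["ping", "-c", "1", target]


def run_ping(target: str, timeout: float = 5.0) -> int:
    """Execute the validated argv without a shell; returns the process exit status."""
    proc = subprocess.run(safe_ping_argv(target), capture_output=True, timeout=timeout)
    return proc.returncode


def triage(samples=SAMPLES) -> dict:
    """For each sample: the line the vulnerable code would pass to sh, and whether the
    hardened path accepts it. Nothing is executed."""
    results = {}
    for s in samples:
        try:
            safe_ping_argv(s)
            accepted = True
        except ValueError:
            accepted = False
        results[s] = {"shell_string": vulnerable_command(s), "accepted": accepted}
    return results


if __name__ == "__main__":
    for sample, info in triage().items():
        print(f"{sample!r:28} -> sh would see {info['shell_string']!r}; "
              f"hardened path accepts: {info['accepted']}")
```

The detection side follows from the same split: a request log entry for `action` or `date` containing `|`, `;`, `$(` or backticks is worth an alert on a device whose legitimate inputs are only addresses and hostnames.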
Code Injection • FW Access + FW RE + IDA
• Greetings:
  • Kirill Nesterov
  • Dmitry Sklyarov

Code Injection • FW modification + Arbitrary upload
• Integrity attacks
• Remote upload (CSRF/XSS)
• Local upload (diag mode)
FW Integrity Control
• FW encrypted via RC4
• RSA Digital Signature + SHA1

FW Integrity Control • FW encrypted via RC4
• Constant keystream  FAIL
• Part1 XOR Part2  FAIL
• FW1 XOR FW2  FAIL
• Lot of plaintext (CDROM)  FAIL
→ FW encrypted via RC4: FAIL
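All four FAIL items above reduce to one property of RC4, or any stream cipher, keyed identically for every image: the keystream is constant, so XORing two ciphertexts cancels it and leaves plaintext XOR plaintext, and any known plaintext (the CDROM image the modem exposes to the host) hands back keystream bytes directly. The script below is an added illustration, not the vendor's code or the speaker's tooling. It uses a textbook RC4 and two constructed firmware blobs that share a CDROM-style header standing in for the known plaintext, then shows that a distinct key per image removes the cancellation.

```python
def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4 (KSA + PRGA) producing n keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_encrypt(key: bytes, data: bytes) -> bytes:
    return xor(data, rc4_keystream(key, len(data)))


def demo() -> dict:
    # Constructed images: same CDROM-style header (the known plaintext), different bodies.
    key_fixed = b"constructed-fixed-fw-key"
    fw1 = b"ISO9660 CDROM IMAGE FW v1 " + bytes(range(64))
    fw2 = b"ISO9660 CDROM IMAGE FW v2 " + bytes(range(64, 128))
    c1 = rc4_encrypt(key_fixed, fw1)
    c2 = rc4_encrypt(key_fixed, fw2)

    # FW1 XOR FW2: with a constant keystream the ciphertext XOR equals the plaintext XOR.
    # (Part1 XOR Part2 is the same situation when each chunk restarts the keystream.)
    leak = xor(c1, c2) == xor(fw1, fw2)

    # Lot of plaintext: a known header recovers keystream bytes that decrypt the same
    # offsets of every other image encrypted under that key.
    known = b"ISO9660 CDROM IMAGE FW v"
    keystream = xor(c1[:len(known)], known)
    recovered = xor(c2[:len(known)], keystream)

    # Distinct key per image: the cancellation no longer holds (and an authenticated
    # cipher would additionally reject modified images, which RC4 alone never does).
    c2_fresh = rc4_encrypt(b"constructed-per-image-key-2", fw2)
    leak_fresh = xor(c1, c2_fresh) == xor(fw1, fw2)

    return {"leak": leak, "recovered": recovered, "leak_fresh": leak_fresh}


if __name__ == "__main__":
    r = demo()
    print("ciphertext XOR == plaintext XOR under shared key:", r["leak"])
    print("plaintext recovered from the other image:", r["recovered"])
    print("same test with a fresh key:", r["leak_fresh"])
```

Encryption of this kind offers no integrity at all: flipping a ciphertext bit flips the same plaintext bit, which is why the slide lists it under integrity control as a FAIL rather than a weakness.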
FW Integrity Control • RSA Digital Signature + SHA1
• AR: !<arch>:
  • FW
  • pkginfo: <7742526>
  • Sign = RSA(SHA1(FW[0..7742526]))
• ar --add data.tar.gz
• ar -v
  • data.tar.gz
  • sign
  • pkginfo
  • data.tar.gz
→ RSA Digital Signature + SHA1: FAIL
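The signature above covers only FW[0..N] for the N recorded in pkginfo, so after `ar --add data.tar.gz` the archive carries a second, unsigned data.tar.gz that the verifier never looks at. The Python below is an added model of that verifier next to a strict one; it is not Huawei's code. The ar packer and unpacker follow the common 60-byte ar header layout, an HMAC-SHA1 with a constructed key stands in for the RSA signature (the weakness is in what gets hashed, not in RSA), and the model assumes the installer resolves a repeated member name to the last copy.

```python
import hashlib
import hmac

AR_MAGIC = b"!<arch>\n"


def ar_pack(members):
    """Build a minimal ar archive: 60-byte headers, members padded to an even length."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        hdr = (name.ljust(16)[:16] + "0".ljust(12) + "0".ljust(6) + "0".ljust(6)
               + "100644".ljust(8) + str(len(data)).ljust(10) + "`\n").encode()
        out += hdr + data
        if len(data) % 2:
            out += b"\n"
    return bytes(out)


def ar_unpack(blob):
    """Return (name, data) members in archive order; duplicates are kept, as `ar -v` lists them."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, members = len(AR_MAGIC), []
    while pos < len(blob):
        hdr = blob[pos:pos + 60]
        if len(hdr) < 60 or hdr[58:60] != b"`\n":
            raise ValueError("corrupt member header")
        size = int(hdr[48:58].decode().strip())
        members.append((hdr[:16].decode().rstrip(), blob[pos + 60:pos + 60 + size]))
        pos += 60 + size + (size % 2)
    return members


def sign_fw(key, fw):
    # Stand-in for RSA(SHA1(FW)); what matters here is which bytes go into the hash.
    return hmac.new(key, fw, hashlib.sha1).digest()


def make_package(key, fw):
    """Genuine package: image, signature, and pkginfo holding the signed length."""
    return ar_pack([("data.tar.gz", fw), ("sign", sign_fw(key, fw)),
                    ("pkginfo", str(len(fw)).encode())])


def weak_verify_and_select(key, blob):
    """Model of the slide's scheme: check the first data.tar.gz over FW[0..N], N from pkginfo,
    then give the installer whichever data.tar.gz it resolves (assumed: the last one)."""
    members = ar_unpack(blob)
    by_name = dict(members)  # dict() keeps the last value for a repeated key
    n = int(by_name["pkginfo"])
    first_fw = next(d for name, d in members if name == "data.tar.gz")
    ok = hmac.compare_digest(sign_fw(key, first_fw[:n]), by_name["sign"])
    return ok, by_name["data.tar.gz"]


def strict_verify_and_select(key, blob):
    """Hardened: exactly one of each member, pkginfo length equal to the actual image,
    signature over the whole image, and the verified bytes are the ones returned."""
    members = ar_unpack(blob)
    if sorted(name for name, _ in members) != ["data.tar.gz", "pkginfo", "sign"]:
        return False, None
    by_name = dict(members)
    fw = by_name["data.tar.gz"]
    if int(by_name["pkginfo"]) != len(fw):
        return False, None
    if not hmac.compare_digest(sign_fw(key, fw), by_name["sign"]):
        return False, None
    return True, fw


def demo():
    key = b"constructed-vendor-key"  # constructed; a device would hold an RSA public key
    fw = b"GENUINE FIRMWARE IMAGE " * 20
    genuine = make_package(key, fw)
    # The slide's `ar --add data.tar.gz`: a second member with the same name is appended.
    tampered = genuine + ar_pack([("data.tar.gz", b"MODIFIED IMAGE")])[len(AR_MAGIC):]
    weak_ok_g, _ = weak_verify_and_select(key, genuine)
    weak_ok_t, weak_img_t = weak_verify_and_select(key, tampered)
    strict_ok_g, _ = strict_verify_and_select(key, genuine)
    strict_ok_t, _ = strict_verify_and_select(key, tampered)
    return {"weak_ok_genuine": weak_ok_g, "weak_ok_tampered": weak_ok_t,
            "weak_image_tampered": weak_img_t, "strict_ok_genuine": strict_ok_g,
            "strict_ok_tampered": strict_ok_t}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The general rule the strict path applies is verify-then-use on the same bytes: the signature must cover every byte the installer will act on, and any container structure (member count, names, lengths) is either inside the signed data or rejected when it deviates.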
FW upload / CSRF
http://blog.kotowicz.net/2011/04/how-to-upload-arbitrary-file-contents.html

FW upload / XSS
• HUAWEI PSIRT 436642 (2015-05-29)
http://www1.huawei.com/en/security/psirt/security-bulletins/security-notices/archive/hw-436642.htm
Data interception
• Cell ID
  • http://opencellid.org/ + XSS
• WiFi
• SMS
• HTTP
  • ARP-spoofing
  • DNS-spoofing
• SSL
  • Host RCE
SIM Cloning
• Fake BTS + Binary SMS
• GEO (!)
• IMSI
https://media.blackhat.com/us-13/us-13-Nohl-Rooting-SIM-cards-Slides.pdf
• Use The Force
• Diag mode
• Send AT commands
  • AT+CMGF=0
GSM attacks
• Huawei: Remote (!) osmocomm for beggars
• VxWorks on baseband hi6920
  ― Loaded by Linux
  ― Packed on flash
  ― dmesg => load vxworks ok, entey 0x50d10000
  ― C shell
    • OS communication
    • Built-in debugger
  ― Nearly all names of objects/functions
  ― POSIX + documentation
Host Infection
• BadUSB
  • Android gadget driver (supported_functions patching)
  • HID Gadget on board!
  • Lots of boring stuff
• Fake diagnostic tools / CDROM
  • Drive By Download
  • CDROM
• HTML Injection + 0day
• Even real diagnostic tools =))
• Kudos to @cyberpunkych
• Lots of other stuff at yota.hlsec.ru
• But nobody cares (((
APT
• Subscribers attack Subscribers
  • LISTEN 0.0.0.0:80
  • Firewalls
Fun numbers
• Remote Code Execution via WEB: 5 dev
• Arbitrary FW modification (rem/loc): 6 dev
• CSRF: 5 dev
• XSS: 4 dev
DEMO

Kudos
• @cyberpunkych
• D. Sklyarov
• K. Nesterov
• Al. Osipov
• @SCADASL

Stay secure! Questions?