bh 2014

of 39 /39
Attacking Mobile Broadband Modems Like A Criminal Would Andreas Lindh, @addelindh, Black Hat USA 2014

Upload: addelindh

Post on 23-Aug-2014




23 download

Embed Size (px)


My slides for my Black Hat USA 2014 talk.


Page 1: Bh 2014

Attacking Mobile Broadband Modems Like

A Criminal WouldAndreas Lindh, @addelindh, Black Hat USA 2014

Page 2: Bh 2014


• Security Analyst withI Secure Sweden

• Technical generalist• I like web• Not really an expert

on anything

Page 3: Bh 2014


• Introduction• Target overview• Attacks + demos• Summary

Page 4: Bh 2014


Page 5: Bh 2014

What’s it about?


Page 6: Bh 2014

This is what it’s about

• Practical attacks• Likely to happen• Easy to execute• Great potential

for paying off

Page 7: Bh 2014

Why USB modems?

• Very popular–~130 million devices shipped in 2013

• Few vendors– Not that many models– Shared code between models

Page 8: Bh 2014

Target overview

Page 9: Bh 2014

Previous research

• Nikita Tarakanov & Oleg Kupreev– From China With Love (Black Hat EU


• Rahul Sasi– SMS to Meterpreter – Fuzzing USB

Modems (Nullcon Goa 2013)

Page 10: Bh 2014


• Devices from the two biggest vendors*– Huawei– ZTE

• Focus on one device from each– Huawei E3276– ZTE MF821D

• Identify common attack surface*Combined market share of more than 80% in 2011 (

Page 11: Bh 2014

In a nutshell

• Runs embedded Linux• Mobile capabilities– GSM, 3G, 4G, SMS

• Web interface– Part of carrier branding

• No authentication– Single-user device

Page 12: Bh 2014

Network topology


Public IP




Page 13: Bh 2014


“What would Robert Hackerman do?"

Page 14: Bh 2014

Ground rules

• Objectives1. Make money2. Steal information3. Gain persistence

• Pre-requisites1. Remote attacks

only2. See #1

Page 15: Bh 2014

Out of scope (but possible)• Disconnect the device• Lock out PIN and PUK• Permanently break the application

• Permanently brick the device

Page 16: Bh 2014

Attacking configuration

Page 17: Bh 2014

DNS poisoning

Page 18: Bh 2014

DNS poisoning

Page 19: Bh 2014

DNS poisoning

• CSRF to add a new profile• Static DNS servers• Read Only & Set Default• Remove original profile• Send user to ad-networks, malware

sites, spoofed websites, etc.

Page 20: Bh 2014

DNS poisoning - bonus attack• Trigger firmware

update• Spoof update server– Downloads are over

HTTP– No code signing

• Potentially get user to install backdoored firmware...

Page 21: Bh 2014


Page 22: Bh 2014


• Replace the Service Center Address

• Set up rogue SMSC• MitM all outgoing

text messages

Page 23: Bh 2014

Abusing functionality

Page 24: Bh 2014


• CSRF to make the modem send SMS– Send to premium rate number

• Potentially identify the user– Look up phone number– Twin cards

• Useful in targeted phishing attacks

Page 25: Bh 2014


Let’s go phishing!

Page 26: Bh 2014

Getting persistent

Page 27: Bh 2014

Getting persistent

• Multiple XSS vulnerabilities• Configuration parameters

• Configuration is persistent...

Page 28: Bh 2014

Getting persistent

• The web interface is where you go to connect to the Internet– Huawei Hilink opens main page

automatically– ZTE creates a desktop shortcut

• The main page sets everything up– Loads an iframe for user interaction– It also loads the chosen language

Page 29: Bh 2014

Getting persistent

• Language is a configuration parameter loaded by the main page

• It is injectable...

Page 30: Bh 2014

Getting persistent

• Execute code every time the user connects to the Internet

• Interact with injected code• Command channel– Poll remote server (BeEF style)– Out of band over SMS

Page 31: Bh 2014


SMS hooking

Page 32: Bh 2014


Page 33: Bh 2014

What to expect

• Attacks on configuration– Network–Mobile

• Abuse of functionality– Outbound & inbound SMS

• Injection attacks– Getting persistent– Stealing information

Page 34: Bh 2014

Getting it fixed

• ZTE is “working on it”– I have no details– ZTE does not seem to have a product

security team • Huawei is fixing their entire product

line– Nice++ – Huawei has a product security team

• Sounds pretty good though, right?

Page 35: Bh 2014

The update model is broken• Vendors cannot push fixes directly to

end-users– Branding complicates things

• Vendor -> Carrier -> User– Carriers might not make the fix available– Users might not install the fix

• Most existing devices will probably never get patched

Page 36: Bh 2014

Summary: analysis

• Web is easy• Web is hard!• How about the

Internet of Things?

Page 37: Bh 2014

OWASP Internet of Things top 10

Page 38: Bh 2014

Don’t forget...

Page 39: Bh 2014

Thank you for listening!Andreas Lindh, @addelindh, Black Hat USA 2014