[cb16] who put the backdoor in my modem? by ewerson guimaraes
TRANSCRIPT
CONFIDENTIAL
Who put the backdoor in my router?
Ewerson Guimarães (Crash) / 2016
Research Information
This talk was born in Área31 hackerspace.
All information contained here is public.
No one was hacked (cof cof)
About Ewerson(Crash):
Background...
Let’s start...
We won't talk about the backdoor itself, so…
Here is the backdoor...
Usernames are equal but one is a backdoor account
Transforming a single user in a backdoor...
Let's analyze the hardware
The Strange Device
Strange ID TAG!
The strange Device
The device is approved by ANATEL (Brazilian National Telecommunication Agency)
More strange stuff...
BayTech:
More strange stuff...
If you look for S&T Technology Shen Zhen Co. LTD:
More strange stuff...
In the device manager you can see Observa Telecom but...
The vendor's website exists but it's a single branded blank page, without any other links to other areas such as manuals, support and firmware.
More strange stuff...
Of course, he didn't reply to (11) emails...
More strange stuff..
This device is distributed by GVT (Global Village Telecom). According to GVT technical support and site, this modem/router is not supported by them.
Don't believe it? Take a look at: http://www.gvt.com.br/PortalGVT/Atendimento/Area-Aberta/Documentos/Lista-de-Modens
More strange stuff..
Opening its firmware in a hex viewer... Wow, wait, it's made by TP-LINK??????
More strange stuff..
The backdoor password: MAC Address last two octets + airocon string
More strange stuff..
What is Airocon?
More strange stuff..
The last available site (Mar. 2005)
More strange stuff..
Do you remember the tag ID and Anatel seal?
Bingo! 41C3
...and to finish this strange part...
Hardware vendor: Realtek
Inside of backdoor...
Login with the normal admin user (admin:gtv12345)
The commands "sh" and "login show" are disabled.
Inside of backdoor...
When logged in with a backdoor account:
Inside of backdoor...
The “login show” command shows the backdoor account (which is hidden on the web interface)
Inside of backdoor...
Taking a closer look at the device's memory, it was possible to find some interesting information:
Redirection link to Chinese company:
Even after reset it was possible to retrieve the device’s previous user name:
The device saves neighbour network names:
Inside of backdoor...
Sensitive data about GVT credential services:
Inside of backdoor...
Furthermore, the admin page for the backdoor user is completely different from the common admin page.
Inside of backdoor...
The factory default password is not admin:admin, admin:12345, admin:
You can do a factory reset! The password is still: admin:gvt12345
Outside of backdoor...
Shodan is your friend, or not...
Devices exposed on the internet: almost 5600
Small shell script:
root@anubis:~# ./gvtfucker.sh
GVT RTN04 F*cker
Testing:177.206.29.204
Backdoor password: airocon2533
Testing:179.179.72.251
Testing:189.113.134.199
Backdoor password: airocon0E6B
Testing:186.213.233.192
Testing:186.215.19.197
Testing:189.113.136.93
Backdoor password: airoconCE4A
Testing:189.113.138.111
Testing:189.113.137.203
Testing:189.26.50.164
Testing:189.58.16.44
Testing:191.248.83.225
Testing:177.132.241.119
Backdoor password: airocon02CC
Testing:177.156.255.85
Testing:177.156.36.116
Backdoor password: airoconFA1E
Testing:177.157.166.210
Testing:187.59.45.9
Testing:189.113.131.161
Testing:189.113.131.197
Testing:189.113.134.226
Testing:189.113.137.32
Testing:189.113.138.111
Backdoor password: airoconDA32
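An added detection example, not part of the talk or of the script shown above: a small Python checker that reads authentication log lines and flags any attempt whose password follows the "airocon" + four-hex-digit backdoor pattern described earlier, so whoever operates a telnet or web login gateway in front of these devices can spot exploitation attempts and count them per source. The log line format and the sample lines are constructed for this example (the source addresses are documentation ranges, not the devices listed above).

```python
"""Flag login attempts that use the MAC-derived "airocon" backdoor pattern.

Added example. The log format below is an assumption made for this example,
not the output of any real device or gateway.
"""
import re
from collections import Counter

# The talk describes the backdoor password as the string "airocon" followed by
# the last two octets of the device MAC address, i.e. four hex digits.
BACKDOOR_PW = re.compile(r"airocon[0-9a-f]{4}", re.IGNORECASE)

# Constructed log line format (assumption):
#   <timestamp> src=<ip> user=<name> pw=<value> result=<ok|fail>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S*) "
    r"pw=(?P<pw>\S*) result=(?P<result>ok|fail)$"
)

# Constructed sample log: one normal login, two backdoor-pattern attempts
# (one succeeds), one near-miss with non-hex suffix, one unrelated failure.
SAMPLE_LOG = """\
2016-10-20T10:00:01Z src=203.0.113.7 user=admin pw=gvt12345 result=ok
2016-10-20T10:00:05Z src=198.51.100.9 user=admin pw=airocon2533 result=ok
2016-10-20T10:00:09Z src=198.51.100.9 user=admin pw=airoconZZZZ result=fail
2016-10-20T10:00:12Z src=192.0.2.44 user=admin pw=AIROCON0e6b result=fail
2016-10-20T10:00:15Z src=203.0.113.7 user=support pw=hunter2 result=fail
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def find_backdoor_attempts(log_text):
    """Return the parsed entries whose password matches the airocon pattern."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and BACKDOOR_PW.fullmatch(entry["pw"]):
            hits.append(entry)
    return hits


def summarize(hits):
    """Count flagged attempts per source address and list successful logins."""
    per_src = Counter(h["src"] for h in hits)
    successes = [h for h in hits if h["result"] == "ok"]
    return per_src, successes


if __name__ == "__main__":
    hits = find_backdoor_attempts(SAMPLE_LOG)
    per_src, successes = summarize(hits)
    for src, n in per_src.items():
        print(f"{src}: {n} backdoor-pattern attempt(s)")
    for h in successes:
        print(f"SUCCESSFUL backdoor login from {h['src']} at {h['ts']}")
```

A successful hit is the one worth paging on: the page states the backdoor account is hidden from the web interface and survives a factory reset, so a matching login that returned ok means the device should be pulled from the network and its remote access disabled rather than simply reset.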
Outside of backdoor...
Inside again
Updates....
Around 1 year later, the Observa site was updated.
I tried another contact...
How to fix
Change the backdoor flag, upload the file and never reset to factory defaults.
OR / AND
Of course, disable the remote access. Hack the firmware.
Considerations
AUDIT YOUR DEVICES!
BURN YOUR DEVICES!
FUZZ and F*CK YOUR DEVICES!
And the golden question:
Who put the backdoor in my router?
Questions?
Please say your full name before asking*.
* I have a Death Note.
THANKS