32C3 preroll music
Herald: The next talk is going to be
“Beyond Your Cable Modem”
– how not to do DOCSIS networks.
Sorry, I’m not a hardware guy.
But Alexander Graf is going to
hold the talk and he has
done a lot of virtualization
and stuff other people
think is too complicated.
Now he is going to talk about
the outside of your apartment.
Give him a warm welcome.
applause
Alexander: Hi and welcome to my
talk “Beyond Your Cable Modem”.
This is going to look at what’s beyond
the stuff you usually see at home
where you just plug in a network cable
and you happen to have Internet available.
So, who am I?
I’m Alexander Graf – I’m usually
more of a virtualization developer.
I have nothing to do with
hacking in my day work,
I don’t usually go around and
hack embedded devices.
Usually, at least.
But, during the last year, I had
a lot of spare time at night
because the baby was
crying, so I figured:
I could as well spend that time
and do something useful.
So, what happened?
We moved to a new home.
I was living in a home
where I had DSL available,
I had a real phone line, everything
was great, things were just awesome.
But then we moved into
this new home where…
where there was no DSL available. Well,
there was DSL available but there were
different circumstances why I couldn’t use
it. So instead, I figured: You know what?
Try this cool new technology:
Internet over your cable TV.
Ehh, cable. TV cable.
So I got myself a cable
modem from the provider,
got myself registered and
now had Internet over cable TV.
Also, along the same lines, I figured:
Why not go and also do your phone
line over that cable provider
with your old phone number so that people
still can contact you when they want to.
Now, the thing is, when I finally
received the whole package,
I realized: Woh! Wait!
Something’s wrong here!
That’s an analogue phone line!
Are we, like, in 2015 or is it 1994?
So, instead of the usual digital
stuff that I am used to,
I just got myself an analogue phone line.
So I had to put myself
another box in there
that would convert the analogue phone
line back to a digital phone line,
so I could route it in my house to
another line, to another machine
that would then go and
route it to my phone.
You see the problem in there?
Yeah, that whole stuff over there
just doesn’t look right, right?
Why would you go and convert
something that is obviously digital?
I mean, the stuff that goes into
your cable is obviously digital, right?
Kind of obvious…
and convert it back to analogue
and then back to digital
just to be able to do a phone call.
So I called up the technicians, Support,
and said: “Hey guys, you know what?
Isn’t there a way I can,
like, directly access
whatever you have there and go
and use digital throughout?”
And the guy said: “Well, you know what?
Actually, behind the scenes,
we’re all just running SIP.
It’s just a normal SIP server.
Just normal voice-over-IP,
nothing special about it.
So, if you know what you’re doing,
just go ahead and connect to it.”
laughter and applause
Challenge accepted.
So, what we learned from
Felix earlier in his car talk:
It was: What do you do when you
don’t want to brick your own system?
Of course, you buy a new one
on ebay. They’re really cheap,
just go and get a cable modem
and then you can go away and
treat it with the kind of love that you
want a device to be treated with.
laughter
Turns out, my modem is actually
just running Linux. Hooh! Nice!
That fits me pretty well!
And it’s just a normal ARM system.
Well, the only special
thing is: It’s Big-Endian.
But then again, I’m kind of used to
ARM by now, why not just go away
and like go around and just
look at how this thing works.
And, well, we really just want to
get this voice-over-IP stuff working,
so take a look at how this
voice-over-IP stuff works on the device!
Turns out, there’s actually a normal SIP.
SIP works on port 5060 usually.
Normal SIP client running on
there, but this IP looks weird.
So, my external IP looks different.
And my internal IP is different, so
where does this IP come from?
So I looked at the IP list
of my device and figured:
Well, something’s weird here. I have
a lot of IPs in there and connections
that I really don’t know
anything about. Hm.
So down here is obviously my phone line.
And up here is something else
that I have no idea what this is about.
So I figured: Let’s go
and dig a bit deeper.
And see what’s actually happening there.
So how does DOCSIS work?
This is just a small introduction,
like high-level introduction,
on how the routing runs.
So basically, you have the cable modem
that is connected using your TV cable line
to a CMTS, just a translation service,
that then takes all of the DOCSIS-specific
stuff and just basically gives you
an IP routing over into something-
something-something behind it.
However, it doesn’t just give you one
line. It actually gives you three.
It gives you one line for your Internet.
Makes sense, right? You want
to get online. That’s the one you actually
see when you plug into the device.
It also gives you another line for VoIP.
And it gives you one more line
that I would call the “Admin” line.
It’s the provisioning line.
Now, let’s start with the Admin line.
That sounds the most interesting, right?
laughter
What does the Admin line do?
Well, in the end, a modem in the DOCSIS
network is just a normal client
like in your Ethernet network.
So the first thing it does
when it gets online is:
it does a DHCP request.
And on the DHCP request
it goes and gets an IP address
and gets all the information it needs.
And it also, well, it’s kind of sane,
it’s just a normal DHCP request.
It also, however, gets something
similar to PXE booting
where it gets usually… in PXE booting you
would get an executable that you’d run,
here, you get something different.
Here, you also get a file
that you need to download
using TFTP just like with PXE.
However, in this case,
it’s a configuration file…
– There you go –
…configuration file…
…that you just receive using
PXE to your cable modem;
and then, the cable modem is configured.
Now what is inside this Provisioning
File (that’s what I call it)? Well,
there’s interesting information like: What
is your firmware update filename called?
If you want to update your firmware
or if the provider wants to have you
update your firmware.
How much bandwidth do I have?
laughter
I hear, people have been
playing with that one…
laughter
And, well, since it’s just a normal TFTP
request you can just do it yourself, too.
This is my configuration. You just go, get
it, and you have your configuration file.
Now, the interesting thing that I realized
when I first started doing this was:
Sure, this is my configuration file.
But what about configuration files
from other people? Well, you
go and get the MAC address,
if you have the MAC address you
just go and get it and there you go:
You have the other people’s
configuration file.
laughter
Easy as that, right? That’s the
way it’s supposed to work.
applause
The actual effects of that,
we’re going to come to that later.
Let’s just declare TFTP,
the whole access to that,
as “slightly insecure” for now.
laughter
But now, if you’re an ISP, you want to
monitor what your people do, right?
So imagine, you’re the admin there.
Just imagine, you’re one
of the good guys, right?
And you want to see what are those
people on your modem doing.
Are they, like, downloading
too much content?
Because you obviously cannot filter
or find that out from the other side.
So, what do you do? Well, you obviously
send the industry standard for that:
An SNMP request. Using a
password that only you know.
laughter
Send it over to the cable modem
and the cable modem then goes in
and replies with the respective
reply saying “Oh, yeah, sure,
I got that piece of information,
there you go, you have it.”
Oh, that was too quick!
But how does your modem
actually verify that password?
Yeah, you guessed right: Using
the Provisioning File, obviously!
laughter
Once you download the Provisioning File
from any random modem in there
– including yours – you end up
getting an interesting password.
laughter
However, they actually
did at least one thing:
They limited the address range you are
allowed to access those devices on.
laughter
Yeah…
applause
As a hint for those who did not clap:
This means, everybody
who is in that network.
But how big is this network?
I figured: Why not just give it a try
and ask some people in Hannover
whether I could just get
their MAC addresses
and see how far I could get.
Just send an SNMP request over,
I had the password now, right?
And ask that modem:
“Please tell me everything you know!”
And it replied!
laughter
There’s a lot of interesting information,
SNMP, you wouldn’t believe it!
So this is obviously just stuff like
“Oh, yeah, I’m this and that modem!”
But there’s more in there.
There’s, for example…
this is my public IP address!
– in case you’re searching
for someone specific. Or…
these are my internal MAC
addresses and IP addresses.
In case you’re searching for some
specific notebook that someone
stole from you or so.
laughter
Or… this is my Provisioning File, in
case you just happened to port scan
all of the machines out there and
ask them using the same password
that they all share on what their
Provisioning Files could be called.
clears throat
Of course, I never did that. Right?
laughter
So, I would say, the whole SNMP story
isn’t “really” all that secure either.
But at a certain point in time, like when
the modem actually doesn’t work
like the way you would envision
it to be or if you just need to do
more administrative stuff, the admin wants
to have more access than just SNMP, right?
This is kind of isolated to a few
specific pieces of information.
You want some more hardcore access.
Like real go down into a real shell.
How do you do shells in 2015?
Audience: TELNET!
Alexander: Telnet. Exactly!
laughter
applause
We’ll actually get to the point why
Telnet was a good idea later, but…
that’s 30 slides down or so.
We already managed to get an SNMP
connection working to a different modem,
let’s just try the same with Telnet
and see how far we can get.
We can go in and just Telnet in and it
replies and says “please give me a login”
Hm. Now where do I get this login from?
laughter
Turns out, the administrator needs to
provide that password just the same
to the modem, which needs to verify it.
Based on configuration. Which it gets
from the Provisioning File. That…
I think you see the point.
So in the same Provisioning File that you
can obviously again download for every
single user in the network
you also have the password.
In plaintext.
That’s the part that actually took
me the longest in this whole thing.
I spent weeks trying to
figure out what hash this is.
raging laughter
big applause
So if we try to log in to the server
using those credentials we got,
we get greeted with a nice
command line interface
for poor Mr. Admin at our provider’s side.
But I don’t really like those,
like, boiled-down interfaces.
I want a real shell.
I want to load kernel modules.
I want to filter all my network traffic.
I want to reroute everything that
modem does to a different machine.
I want to rewrite the VoIP
client to instead do… either way!
So I want to do something real.
Let’s do the help command
and it tells us that there’s a
cool command called “shell”.
laughter
Ah yeah, there you go, got a shell!
By now, at that point, I can actually
go and do anything I want to that modem.
I got full root access. By the way,
all the modems run every single
piece of software running on there,
including your web server and your
SIP server and anything as UID 0.
Which is a good idea, right?
So, I now got shell access so
I can do anything I want.
I can re-route all your traffic,
I don’t, obviously, but
this is basically where we
went half a year ago.
Another thing to note is that
– since it’s so annoying to generate
different passwords for different devices…
Yeah, yeah, I know.
You just use one password
for all, right? It’s good enough.
So you don’t even have to read your
other person’s Provisioning File,
you can just use your own password
that is in your own Provisioning File
which you already have on your modem
because you’re provisioned yourself.
The only notable exception that
I found to this whole scheme
– I mean, you could basically go
and log in to any modem out there,
except for Fritz!Boxes.
applause
Yeah, congratulations everyone! Kudos!
So, apparently, AVM are the only ones
who did not follow the standard scheme
from my provider and instead said: “No
no no, guys! You don’t do the firmware.
WE do the firmware”, and they just
don’t like to enable Telnet. Apparently
there are people in that company that
actually know what they’re doing.
So, I would say the whole Telnet
access thing isn’t exactly…
I wouldn’t mark it “secure”
either. Naahhh… naaah…
But we didn’t really come here
for the Admin network, right?
I was just… it happened to be around.
I just looked at it and… njeeeeeh.
We wanted to go and do
voice-over-IP! Hah!
Yeah, so how does VoIP look
like? It’s kind of similar.
It also does a DHCP
request in the beginning.
DHCP is usually fine, I mark
it with a green tick here.
I’ll leave it to others to further
dig down into that part.
It does the same TFTP bit so if you just
go and – instead of downloading your
Provisioning File from your own modem,
from the RAN, from the admin network –
you just go and get it from the other MAC
address and there you go, you have it.
Nicely enough, all those cable providers
registered consecutive MAC addresses,
so if you have one,
you also have the others.
Just… You basically just ask a friend:
“Give me your MAC address that’s
written on the box” and you basically
have everything you need.
SNMP is the same thing.
You can access it using SNMP.
The really nice thing about
SNMP here is that the box also
tells you the other accesses it has, so
if you only have one IP address, or…
I also have a nice DNS service internally
that tells you what the IP address is
to a certain MAC address, so you just
ask the DNS for the MAC address of
the VoIP access, then you go and
SNMP, ask it for the IP address
of the admin network, and
there you go. You’re in the box.
However, the really interesting bit
on the voice-over-IP network is SIP.
Since… you want to do VoIP, right?
That’s what the whole thing is about.
So VoIP basically works… the way that your
modem wants to go and do a phone call.
So how do you do a phone call with SIP?
You need to provide data like credentials,
like, tell the other side, the server,
how you authenticate yourself.
Which, obviously, is written
in your Provisioning File.
So, you use those and tell the
server: “I want to do a phone call”
and there you go: You do a phone call.
Now if we look at this Provisioning File,
you can see that it contains your server
and your user name and your phone number
and your… well, basically everything
you’d need to log in to a SIP server.
Now, since I can read anybody
else’s Provisioning Files…
laughter
So, imagine I’m this user up there. Right?
And I’m just doing a normal call
as this phone number up there.
Well, maybe there’s this
other guy in the network
who just goes in and downloads
your Provisioning File
and, well, he gets all the credentials
he would need, so he gets
the same phone number and
then he can just go and do a call.
Hm. Yeah. Maybe I should have
registered a few 0900 numbers.
Now the really interesting part here is –
it also works the other way!
You register for it and if you’re
the fastest one registering it,
the other modem doesn’t get the
chance to receive calls which means
now you receive the calls and then you can
just tell the other modem that there was
a call, just that, by now, you actually
route all the traffic through your modem
and you can listen to all the voice data
that there is on the line. Yay!
Yeah…
laughter
Not sure it’d be a good idea to
talk to your lawyer around…
Using this line for secure stuff
is probably not the best.
I wouldn’t mark SIP as secure
on this thing, either.
But at this point, so on the Telnet
access and on all the other parts,
I was, like, sure,
I can fix it for myself.
I’m an egoist, right?
I can fix it for myself.
I don’t care about the rest of mankind…
I do, but I can claim that!
I can just as well ignore all the
others and say: I fix it for myself.
But for voice-over-IP, I can’t.
Because I’m completely out of the loop.
This other guy, he could just go and
steal my credentials, because he can…
and there’s nothing I can do about it.
So at that point, I was kind of scared
that someone would be able to hack me.
So I started to think about
how to fix this thing.
Now, the first thing that comes to
mind is obviously: You as a user
go and pick up the phone and call
the service line from your provider.
laughter
Yeah, I don’t think, that’s a good idea.
laughter
Nah, no I didn’t want to go down that
road, nah… So, instead, I figured,
I’m going to call someone else.
I’m going to call a couple friends.
laughter and applause
applause
Gonna call a couple of friends from
Heise, thanks to my Linux work, I knew
a few of those, and they also tend to
do security, which kind of falls into
this whole thing and used them as a proxy.
So that nobody could actually go and
sue me until things were public.
So, imagine what the provider
would do when he hears
that I hacked into their Telnet account.
Sure, you’d do the obvious thing:
You’d replace Telnet with SSH, right?
It’s what everybody would do. It’s the
first thing. You look at this and think,
like, “Oh my god, this is 2015,
why would you be doing Telnet?”
Well, the answer is pretty simple. Emm…
laughter
Take a look again. It’s not as simple
as you think. Take a look at it again,
there’s this Provisioning File. SSH
actually gets different credentials!
So, the SSH credentials
are actually down here.
And the password is different
from the one on the top.
I don’t know what the password is.
But I can tell you that the
password hash is really cool!
So, the password hash is something
that comes from VxWorks, so I’m pretty
sure that there are more devices out there
that might be interesting to look at.
The VxWorks hash actually
works in a really simple way:
It creates a checksum of your input that
lies somewhere between those 2 numbers
and then creates a fancy String out
of them based on some heuristics.
But essentially, the whole password down
there boils down to just a single number
that is basically, in a realistic case,
the upper limit is 40 characters,
so you’re not going to see
a password that long,
realistically you basically check around
100 passwords and any hash out there,
any password that’s available, you
already cracked it. Which means,
there are so many collisions in this
hash, which I wouldn’t even call a hash,
that I don’t know what the original
password is like… I don’t know.
But this one works pretty well!
laughter and applause
applause
So we go ahead and we log into this
machine and we type in our collision
and… there you go! We got
the same thing as before!
So we told them again: “Guys,
look, it’s not as easy as that.
You should probably take a bit
deeper breath and take a look
at how things actually are broken.”
Which, turns out, they did!
So what happened next?
We had this whole huge mess with
lots of services that are all attackable
and everything’s just wholly broken.
That was two months ago.
There were some circumstances
why we just couldn’t tell them earlier.
And we basically told them: “Guys, you
know, in 2 months’ time we’re going to do
a talk here and everything’s going to
be public so you might want to fix
your network until then.”
laughter
So the first thing that they did is: They
added a check to their TFTP server
to verify whether you’re actually eligible
to download this Provisioning File.
applause
So now, you can only download your
own Provisioning File. Which is great…
finally! I mean, this is the obvious
thing to do. So that one’s fixed.
Then, they went ahead and said: Well,
there’s no real reason why one modem
should do SNMP traffic with another.
So they just added a firewall, saying,
we’re blocking SNMP traffic
between different machines
– problem solved!
applause
The same for SSH – they went ahead and
said: There’s no reason why you should
be doing TCP between
one modem and another.
Problem solved!
applause
And because the VoIP access credentials
are actually part of your Provisioning
File which you can now
no longer download from somebody
else, that one is fixed too.
Awesome!
shy applause
Go ahead, go ahead, clap! It’s awesome!
applause
Thank you, ISPs. So after two months,
you actually managed to limit me
into the borders that I was supposed
to be in, in the beginning.
It’s cool!
So what do we have…
Please guard your networks even if you
believe that somebody couldn’t go in
– they probably will.
Because, as soon as a customer
can access your device physically,
which kind of happens to be the
case with a modem that’s sitting
in your apartment,
that guy can access your network.
There’s no way you can prevent it.
So don’t believe that the border
of your network is the home.
The border of your network is
the cable going into that home.
The same way goes the other way
around: If an ISP gives you a device,
don’t trust that thing.
Seriously. They can do anything they like.
And sometimes, somebody else can, too.
In this case, according to my provider, I
was able to access 3 million devices.
applause
That’s quite some number.
applause
Also, the press is your friend. If you
are afraid of revealing something,
tell someone who can do it for you
and usually, things go out well.
Let’s hope for the best.
And then, this whole thing went
online in the beginning of the week
and there were a couple of questions
on the forums that I read
and I just wanted to take
the time to reply to those.
First thing that always comes
up is: “Is this a conspiracy?”
Like “Oh my god, this
is the NSA backdoor!”
No way. I mean, seriously,
those guys are not that stupid.
They have their own front doors,
they don’t need backdoors.
laughter
This really is just a case of “If we don’t
secure things, it’s going to be easier
for us.” Njee, it was
easier for everybody,
including the ones who
shouldn’t have access.
So, no, this is not a conspiracy. This is
not some backdoor from some agency.
This is really just a matter of a
company not doing their homework.
The same thing goes for other providers.
My cable just wasn’t long enough
to connect to some other country
so I don’t know whether other
DOCSIS networks are affected.
From the best of my knowledge:
Yes, they are.
I’m not allowed to tell you to check.
But if you happen to have
that idea on your own…
laughter and applause
applause
No animals were hurt during
the production of this movie.
laughter
All the passwords were changed, so if you
happen to know the real passwords,
you probably had a good laugh
during the presentation.
If you don’t know the real passwords,
njeeee, they are different.
To the best of my knowledge, all of that
knowledge that I just gave you is
completely useless to you,
because all the issues are fixed.
Thank you.
applause
Herald [to Alexander]: Q&A?
[Alexander nodding]
Alexander: So now we can
go for questions if you like.
So please… or… you go
ahead and announce it.
Herald: So if you have questions,
run towards a microphone and
stand behind it visibly.
The first one was on number 4.
Q: You were talking about taking
a couple of weeks to get to know
that the password wasn’t
hashed but plaintext.
So how long did this whole
exchange in total go on?
How much facepalming and
how many hours did it take for you?
A: So I didn’t spend full time on it,
I really literally just whenever
the baby was crying I just went up
and figured “I can do something”.
It’s not… I basically got
cable access two years ago.
I first got into the modem
about one year ago, I think.
That’s when I started looking for real.
I basically ended up digging
deeper and deeper, right? It’s not…
VoIP, for example, I only realized the
whole voice-over-IP story in August.
Since I just didn’t look before. I was
like so excited to see all the other bits.
shy laughter
Just didn’t look.
Herald: Now number 1, please.
Q: Are you really sure that the TFTP
Provisioning File fetching is secure now?
Because… do they do some MAC
integrity tests for MAC spoofing?
A: Yeaaaaah…
laughter
The problem is the law, right? I’m not
allowed to tell you to try it yourself,
I’m not allowed to tell you that I don’t
think that anything on the physical layer
is insecure. I’m not allowed to tell you
that… I mean there’s so many things
I’m not allowed to tell you about
this whole network… I haven’t tried.
I really just went in and said “TFTP
Fetch and see whether I can get it.”
laughter and applause
applause
Herald: Number 7 up
there on the balcony.
Q: Hello. My question is, in the
beginning in your config files,
I think there was something about traffic
priority or network priority as well.
Did you play around with that one as well?
Is that something about Net Neutrality,
maybe?
A: Ahh, that’s an interesting…
OK, so, it’s not about
Net Neutrality at all.
It’s about QoS of different services,
so they basically say that
VoIP traffic gets higher
priority than the other bits
since you want to have low latency
on voice-over-IP traffic, obviously.
So that has nothing to do with
Net Neutrality in this thing at all.
I did play around with
those settings, just because…
coincidentally, right the day after
the Fahrplan got released,
my account got throttled to 80 kBit/s.
I don’t know why.
Could be related, could be not.
But I figured, “I’m paying for 100 MBit/s”
so I should probably get 100 MBit/s
and started to look at those things.
I did not manage to actually convince
my modem to get me more.
Q: Did you change the
bandwidth in the settings?
Herald: No dialogues, please.
A: Yes, I did change the bandwidth.
It’s not… my guess is,
they’re also QoS’ing on the
other side. But if you want to
verify it, I’m not telling you not to.
laughter
Herald: Number 2, please.
Q: Yes. So at first, thank
you for the nice insights.
I’m a cable user, so I’m interested here.
And I want to, again, make a
statement on the Provisioning File.
You should have told them that the
Provisioning File fetching in this way
isn’t a good idea anyway.
And I personally would believe that
if they cannot transfer it
via a completely different channel,
it will not get really secure.
A: They can not do it differently
because it’s part of a standard.
There’s a DOCSIS standard which
all the modems have to adhere to
and that’s part of the standard.
They cannot do it differently.
If you want to have it done
differently, you have to tell
the DOCSIS standardization
committee which is in India.
Q: Yes, so I’ll talk to them. Thanks!
Herald: Now, we’ll have a
question from the Internet.
Q: Could two modems be
programmed to talk among
themselves directly,
bypassing the ISP firewall?
A: Say it again.
Signal Angel repeats question more slowly
A: You mean with the new scheme
or with the old scheme?
With the old scheme, it was…
you could just go and route through it.
With the new scheme… you…
not with the official modems.
laughter and applause
applause
Herald: And number 8 on the balcony.
Q: Did you find any traces
of TR-069 in this thing?
A: I did on the AVM boxes
that were secure, yeah.
So that was the only bit that actually
ended up making a lot of sense.
TR-069 is a pretty nice standard.
You basically have authenticated
– I think it was even HTTPS – traffic that
basically goes and pokes the server
to get you a firmware update. It’s a
perfectly nice way of provisioning
such a system. It’s definitely a
lot different from the usual way
so on those DOCSIS modems, the usual
way to tell it to get a new “firmware” is
either to tell it to reboot and get a new
file from the provisioning server or
to just poke directly through SNMP to tell
it: “Go to this TFTP server over there
with this file name and
flash it onto your Flash.”
laughter
No, I have not tried to spoof the
privileged IP address range.
laughter
Herald: Now it’s number 4 again.
Q: The question I have is:
When you tried to first
contact them via Heise,
was there any way they
might have tried to
convince you to not
do the talk and if so,
would there be an itch on your head?
A: They did not try in any
way whatsoever. Zero.
Q: Do you think that was due to
the credibility or do you think
they thought “Oh, we screwed up”?
A: I don’t know. I don’t think they
thought any other way would work at that
point in time. Since the press was already
involved, they are not gonna pull back
their story, there’s nothing
else they can do.
Q: Thank you again.
Herald: Before I hand the microphone,
do you want to do the entire 24
remaining minutes Q&A or
do you want to put a limit?
Alexander: No, I think 24 minutes Q&A is fine.
We can always cap it later on, right?
Just go and ask. Ask as much as you like.
applause
Herald: The Internet, again.
Q: How much of this would have been
possible if the modem had been
in bridge mode?
A: My modem was in bridge mode.
laughter
Herald: And number 6.
Q: Do you have an idea how
long this has been that way?
And do you have any
specific reasons to believe
what group of people
might have abused these problems?
A: I don’t know. I did not see anybody
else on the network but it’s really hard
to see someone in a
sea of 3 million devices.
I am not aware of anybody exploiting this,
so I can only state what Vodafone said.
And they said that nobody else
did exploit those problems.
According… as far as time… and
I believe that one actually… it’s…
I don’t think that anybody
did. Which is surprising
since this whole stuff was kind of obvious
but apparently nobody thought of
digging into their modem before.
The one thing about the timing is:
Apparently, they already,
Kabel Deutschland,
basically already does
Internet for 10 years by now
and there’s very little reason to believe
it’s been different in the beginning.
So it was probably vulnerable
for about ten years.
That said, in the beginning, they
were not even using DOCSIS 3.0,
which did not really do real encryption,
so at the end of the day you could
just do whatever, any ways on the network.
Back in the day. By now,
it’s only halfway complicated.
Herald: Now number 1.
Q: Yes, thank you for the talk, too.
So it’s completely possible that they may
have not found out that somebody else
accessed this before and maybe already
flashed a lot of devices with another
firmware which is still
listening to his commands?
With the new setup. Because
he changed the firmware.
A: They did not… okay, they did update
the firmware at that one point in time
when I showed that they switched to SSH.
They did not change the
firmware ever since. So
all the services that I was talking about,
they are still running on your modem.
Q: Okay, but they can’t be sure that there
isn’t another firmware by somebody else
running on routers. If somebody else
maybe thought of making a bot net,
before all of this came up,
in the last 5 years or 10 years,
and already controls some devices
and they can’t be sure that their firmware
is not running on those devices.
There can be still devices somewhere
controlled by somebody else.
A: Sure. You have to, obviously, fake
all the information they receive
from the modem pretty well,
otherwise they get you onto the
security block that I am on.
But if you do that correctly,
you can probably just replace
all the pieces of firmware,
just ignore all the updates and try to
behave the same way as they’d expect
and then hope that nobody finds out.
It’s entirely possible –
I don’t think it’s very likely
but it is definitely entirely possible.
Q: Let’s hope there are no more
networks like this out there.
Herald: Usually, there
are no 2nd questions,
so… we still got comfortable time
but try to limit yourself to one question.
Now it’s number 2.
Q: Have you tried to change your
MAC address on the DOCSIS level
or also for the DHCP request
or how do they do authentication
of the modem over the network?
A: So, the authentication
works using certificates.
I’m actually not sure, I haven’t
read the standard on that side
whether the MAC address is part
of the certificate. I don’t know.
If it’s not, you can easily just
change it. I haven’t tried.
But then again, the modems
are – what? – 8 Euros?
Herald: Number 7.
Q: What other recommendations
do you have
– if someone were to have a
suspicion about a vulnerability –
for the research part and
for the disclosure part?
A: What do you have to do… I can’t give
you any legal or any advice on that one.
I can tell you that getting
somebody involved
that has done this before
is a really smart idea.
Because they’ve gone
through a lot of pain points.
The press is even better because
they have a really, really big lever:
nobody wants to be in the press
for 2 months or whatever
just on negative news that there was
somebody who was legitimately trying
to tell them to improve their
network and they sued them.
So there’s a really good chance that
going via the press is going to keep
problems away from you,
but there’s no guarantee.
I cannot give you real – I mean legal
or any coherent – advice on that one.
I would… I mean, if I found such
a thing again, I would definitely go
the same route. I would just call
up Heise and tell them and…
That went pretty smoothly.
And if… I mean, the really cool thing
is, they actually listen to the press.
If I had gone to the service,
they would have just said
“Sorry, wrong number,
I can’t help you.”
Herald: Now the Internet.
Q: How did you obtain the
original data? Did you use JTAG
or dump the device’s firmware
and run it virtualized?
A: Ahhhhh. Not sure how much of
that I should actually tell everybody.
Let’s say, I replaced…
You can actually see
this on the slide, wait.
makes “Tchtchtchtchtch” sound
Oh my god, this is going to take forever.
Okay, dududum, where’s my
mouse cursor? There it is.
Okay… So, I got a
picture of the modem…
…here. There you go. So…
…what you can see here, down there,
the white and the yellow cables,
those are the serial port.
And the IDE cable up there
that’s where the flash chip was
before I started fiddling with the modem.
laughter
Now, the flash chip is actually
in that socket up there.
Which means I could swap the
flash chip between a device I own
– BeagleBone Black, for example,
that’s a really nice SPI interface
that you could just use to write those
– and then plug it back into the modem.
So I could replace the firmware
and get myself an initial shell.
As I mentioned earlier, I really
do not like to lose Internet access.
So this is not the modem that
I was actually using at home.
Instead, I just used that modem
to fetch a firmware image
so I could then look and see
whether there might be other bugs
that you could use.
Herald: Now number 8.
Q: Earlier, you’ve said that
– who was it… –
Fritz!Box was more secure and they
didn’t have the same vulnerabilities.
Do you think they simply didn’t use
hardcoded passwords and stuff?
So do you think they’ll be vulnerable
to similar attacks and that someone
probably, like you wouldn’t tell them,
but maybe they should look into it?
Or do you think that it isn’t possible
and someone should, like, prove you wrong?
A: From all I can tell, but this is…
I mean, just a gut feeling that I get
from looking at different firmware files,
the usual way, at least
the Linux based firmware
works on those systems is
that there’s TI creating a BSP
then they give it out to Motorola.
Then Motorola gives it out to CBN.
Then CBN gives it out
to Kabel Deutschland.
And then, each party of those
adds a few pieces of stuff.
That’s the usual way it
works in those devices.
Whereas in the AVM boxes,
things looked vastly different.
There was one firmware image
that even contained information
for some Austrian provider.
So instead of giving full
control to the cable provider,
AVM kept control on their own and actually
audited the stuff they were doing.
That’s the major difference.
applause
Herald: One more question
from the Internet.
Q: Do you know if they
still use unencrypted SIP?
A: Oh yeah. chuckles
slight laughter
A: Oh yeah.
loud laughter
A: Nothing in the protocols
changed at all, whatsoever.
They really just added a few firewalls.
So once you are on the physical layer,
you can read everything you like, yes.
Well, and you break through
the DOCSIS encryption, obviously.
Herald: Now the newly adjusted number 2.
Q: Thank you. Mine is
not so much a question
as I’d like to add some insight
and perspective to this.
I, myself, worked for several ISPs
and the… we… actually
I worked for an ISP
that did not have this particular
issue, but a similar issue.
The way that it was fixed and
– you can look me up, I’ve worked
for several ISPs, you won’t know
which one had this problem –
but what was actually the fix
was a simple IP check.
So once you downloaded
from the TFTP server,
it was just checked if you did it
from the IP that was suspected.
So this issue may actually be
reproducible if you can somehow
get hold of an IP [address]
you weren’t supposed to have.
Like, say, spoof MAC address
or something like that.
That being said, I’d like to attach
a comment to the whole SIP thing, too.
You indicated that it’d be possible
to silently intercept the conversations
which is not necessarily the issue
because many SIP servers
can be configured
to allow multiple endpoints
so as the
– what’d you call it? –
the bad guy would be able
to pick up your calls,
you would also hear your
phone calling yourself.
A: Right, and if your phone picks
up within 0.01 microseconds,
then, yeah, there’s nothing
you can do about it.
It just rings again.
That’s the point about it.
Also, the other bit that
you have on the SIP server
is that that particular server actually
only allowed one endpoint
to be registered at a time.
At least from what I could tell.
It was some Huawei
box. I don’t know.
Herald: Number 3, please.
Q: Yeah, I attended this talk today
because I know that at the beginning,
when DOCSIS was introduced,
the modems were asking
for the configuration file
also over the Ethernet
port which is great.
And my question is:
Is there a way within the DOCSIS standard
so that the ISP can verify their hardware?
I mean, you… I have seen
the type and the vendor name
and the SNMP but you can
obviously spoof that.
Of course, firmware
binaries won’t run on the
wrong hardware, but…
A: I’m not quite sure
I’m getting what you’re…
Q: The question is: Is there
a way to control for the ISP
which hardware there is they’re using?
A: So I come from a
virtualization background.
And in my world, there is
no such thing. It doesn’t exist.
slight laughter
Sorry. If you can somehow
abstract it, you can abstract it.
Q: OK.
Herald: 8, please.
Q: Hi. I wanted to add on the
part with the MAC spoofing.
Because I had a modem
like that, like 5 years ago,
and actually I never went
inside the modem,
but I had some applications where
I needed a new IP address
in a short period of time…
loud laughter
And I remember that actually… the thing…
if you told the modem your MAC
address, a different MAC address,
you got different external
IP addresses back then.
I don’t know if things have changed
because it was 5 years ago
but… yeah… after what
I’ve heard from you,
I’m kind of unsure that things changed.
A: No, I’m fairly sure this is actually
accurate. From what I understand,
I never did that myself but I
heard from people who did,
the MAC address check and the
certificate check are actually separate.
So that if you own a valid certificate
from some random dude who happens to
actually pay for the service,
and you get that certificate,
and you’re not on the
same CMTS as that guy,
then you can actually go and, well,
basically say that you’re him even if
you have a different MAC address.
Which then, again, implies that if you
change the MAC address, you can just
be somebody else. Which
then again implies that…
maybe you can actually go and get
somebody else’s Provisioning Files, yeah.
slight laughter
Q: Well, yeah… not up to you.
A: Not going to try out.
Herald: Number 2, please.
Q: Yeah, you had this one
with one particular provider
and I happen to know that
there’s a second provider
using the same technology in Germany:
were they somehow involved in this loop?
I mean, it took Kabel Deutschland
two months to fix this and…
A: No, but they better hurry up!
laughter and applause
Q: Thanks!
applause
A: And, quite frankly, I do not believe
that this is limited to Germany
at all, whatsoever.
So… Yeah. Let’s see who’s faster.
Alright, end of questions, right?
Or is there any…?
Herald: It looks like we’re
at the end of questions.
The Internet maybe…?
No, the Internet doesn’t
have any questions.
There are 8 empty microphones.
So thank you very much for your talk
and thank you very much for the Q&A.
applause
postroll music
Subtitles created by c3subtitles.de
in 2016. Join and help us!