0:00:00.399,0:00:09.720
32C3 preroll music
0:00:09.720,0:00:13.680
Herald: The next talk is going to be[br]“Beyond Your Cable Modem”
0:00:13.680,0:00:17.590
– how not to do DOCSIS networks.
0:00:17.590,0:00:21.760
Sorry, I’m not a hardware guy.[br]But Alexander Graf is going to
0:00:21.760,0:00:25.790
hold the talk and he has[br]done a lot of virtualization
0:00:25.790,0:00:29.299
and stuff other people[br]think is too complicated.
0:00:29.299,0:00:32.550
Now he is going to talk about
0:00:32.550,0:00:36.740
the outside of your apartment.[br]Give him a warm welcome.
0:00:36.740,0:00:43.740
applause
0:00:44.850,0:00:47.250
Alexander: Hi and welcome to my[br]talk “Beyond Your Cable Modem”.
0:00:47.250,0:00:50.390
This is going to look at what’s beyond[br]the stuff you usually see at home
0:00:50.390,0:00:54.420
where you just plug in a network cable[br]and you happen to have Internet available.
0:00:54.420,0:00:56.000
So, who am I?
0:00:56.000,0:00:58.600
I’m Alexander Graf – I’m usually[br]more of a virtualization developer.
0:00:58.600,0:01:00.690
I have nothing to do with[br]hacking in my day work,
0:01:00.690,0:01:04.610
I don’t usually go around and[br]hack embedded devices.
0:01:04.610,0:01:06.440
Usually, at least.
0:01:06.440,0:01:09.370
But, during the last year, I had[br]a lot of spare time at night
0:01:09.370,0:01:11.670
because the baby was[br]crying, so I figured:
0:01:11.670,0:01:17.010
I could as well spend that time[br]and do something useful.
0:01:17.010,0:01:19.930
So, what happened?[br]We moved to a new home.
0:01:19.930,0:01:22.790
I was living in a home[br]where I had DSL available,
0:01:22.790,0:01:26.540
I had a real phone line, everything[br]was great, things were just awesome.
0:01:26.540,0:01:32.400
But then we moved into[br]this new home where…
0:01:32.400,0:01:35.389
where there was no DSL available. Well,[br]there was DSL available but there were
0:01:35.389,0:01:39.890
different circumstances why I couldn’t use[br]it. So instead, I figured: You know what?
0:01:39.890,0:01:43.940
Try this cool new technology:[br]Internet over your cable TV.
0:01:43.940,0:01:46.100
Ehh, cable. TV cable.
0:01:46.100,0:01:48.870
So I got myself a cable[br]modem from the provider,
0:01:48.870,0:01:52.690
got myself registered and[br]now had Internet over cable TV.
0:01:52.690,0:01:56.650
Also, along the same lines, I figured:
0:01:56.650,0:01:59.820
Why not go and also do your phone[br]line over that cable provider
0:01:59.820,0:02:04.530
with your old phone number so that people[br]still can contact you when they want to.
0:02:04.530,0:02:08.199
Now, the thing is, when I finally[br]received the whole package,
0:02:08.199,0:02:12.219
I realized: Woh! Wait![br]Something’s wrong here!
0:02:12.219,0:02:18.950
That’s an analogue phone line![br]Are we, like, in 2015 or is it 1994?
0:02:18.950,0:02:21.660
So, instead of the usual digital[br]stuff that I am used to,
0:02:21.660,0:02:25.029
I just got myself an analogue phone line.
0:02:25.029,0:02:27.880
So I had to put myself[br]another box in there
0:02:27.880,0:02:30.599
that would convert the analogue phone[br]line back to a digital phone line,
0:02:30.599,0:02:33.249
so I could route it in my house to[br]another line, to another machine
0:02:33.249,0:02:36.269
that would then go and[br]route it to my phone.
0:02:36.269,0:02:38.349
You see the problem in there?
0:02:38.349,0:02:41.859
Yeah, that whole stuff over there[br]just doesn’t look right, right?
0:02:41.859,0:02:45.089
Why would you go and convert[br]something that is obviously digital?
0:02:45.089,0:02:48.200
I mean, the stuff that goes into[br]your cable is obviously digital, right?
0:02:48.200,0:02:50.149
Kind of obvious…
0:02:50.149,0:02:52.639
and convert it back to analogue[br]and then back to digital
0:02:52.639,0:02:55.209
just to be able to do a phone call.
0:02:55.209,0:02:59.989
So I called up the technicians, Support,[br]and said: “Hey guys, you know what?
0:02:59.989,0:03:02.519
Isn’t there a way I can,[br]like, directly access
0:03:02.519,0:03:07.719
whatever you have there and go[br]and use digital throughout?”
0:03:07.719,0:03:10.969
And the guy said: “Well, you know what?[br]Actually, behind the scenes,
0:03:10.969,0:03:14.389
we’re all just running SIP.[br]It’s just a normal SIP server.
0:03:14.389,0:03:17.360
Just normal voice-over-IP,[br]nothing special about it.
0:03:17.360,0:03:22.799
So, if you know what you’re doing,[br]just go ahead and connect to it.”
0:03:22.799,0:03:31.689
laughter and applause
0:03:31.689,0:03:34.580
Challenge accepted.
0:03:34.580,0:03:39.529
So, what we learned from[br]Felix earlier in his car talk:
0:03:39.529,0:03:42.220
It was: What do you do when you[br]don’t want to brick your own system?
0:03:42.220,0:03:45.670
Of course, you buy a new one[br]on ebay. They’re really cheap,
0:03:45.670,0:03:49.700
just go and get a cable modem[br]and then you can go away and
0:03:49.700,0:03:53.330
treat it with the kind of love that you[br]want a device to be treated with.
0:03:53.330,0:03:55.980
laughter
0:03:55.980,0:04:00.039
Turns out, my modem is actually[br]just running Linux. Hooh! Nice!
0:04:00.039,0:04:02.419
That fits me pretty well!
0:04:02.419,0:04:05.269
And it’s just a normal ARM system.
0:04:05.269,0:04:07.449
Well, the only special[br]thing is: It’s Big-Endian.
0:04:07.449,0:04:11.869
But then again, I’m kind of used to[br]ARM by now, why not just go away
0:04:11.869,0:04:14.659
and like go around and just[br]look at how this thing works.
0:04:14.659,0:04:18.340
And, well, we really just want to[br]get this voice-over-IP stuff working,
0:04:18.340,0:04:22.340
so take a look at how this[br]voice-over-IP stuff works on the device!
0:04:22.340,0:04:24.480
Turns out, there’s actually a normal SIP.
0:04:24.480,0:04:28.540
SIP works on port 5060 usually.
0:04:28.540,0:04:33.419
Normal SIP client running on[br]there, but this IP looks weird.
0:04:33.419,0:04:35.490
So, my external IP looks different.
0:04:35.490,0:04:40.920
And my internal IP is different, so[br]where does this IP come from?
0:04:40.920,0:04:44.130
So I looked at the IP list[br]of my device and figured:
0:04:44.130,0:04:47.729
Well, something’s weird here. I have[br]a lot of IPs in there and connections
0:04:47.729,0:04:52.960
that I really don’t know[br]anything about. Hm.
0:04:52.960,0:04:56.899
So down here, is obviously my phone line.
0:04:56.899,0:05:02.849
And up here, is something else[br]that I have no idea what this is about.
0:05:02.849,0:05:06.749
So I figured: Let’s go[br]and dig a bit deeper.
0:05:06.749,0:05:09.810
And see what’s actually happening there.
0:05:09.810,0:05:13.810
So how does DOCSIS work?[br]This is just a small introduction,
0:05:13.810,0:05:16.816
like high-level introduction,[br]on how the routing runs.
0:05:16.816,0:05:21.699
So basically, you have the cable modem[br]that is connected using your TV cable line
0:05:21.699,0:05:25.970
to a CMTS, just a translation service,
0:05:25.970,0:05:29.840
that then takes all of the DOCSIS-specific[br]stuff and just basically gives you
0:05:29.840,0:05:35.849
an IP routing over into something-[br]something-something behind it.
0:05:35.849,0:05:39.500
However, it doesn’t just give you one[br]line. It actually gives you three.
0:05:39.500,0:05:42.689
It gives you one line for your Internet.[br]Makes sense, right? You want
0:05:42.689,0:05:46.279
to get online. That’s the one you actually[br]see when you plug into the device.
0:05:46.279,0:05:49.299
It also gives you another line for VoIP.
0:05:49.299,0:05:51.690
And it gives you one more line[br]that I would call the “Admin” line.
0:05:51.690,0:05:55.710
It’s the provisioning line.
0:05:55.710,0:05:59.549
Now, let’s start with the Admin line.[br]That sounds the most interesting, right?
0:05:59.549,0:06:00.920
laughter
0:06:00.920,0:06:03.819
What does the Admin line do?
0:06:03.819,0:06:09.080
Well, in the end, a modem in the DOCSIS[br]network is just a normal client
0:06:09.080,0:06:11.159
like in your Ethernet network.
0:06:11.159,0:06:13.890
So the first thing it does[br]when it gets online is:
0:06:13.890,0:06:16.750
it does a DHCP request.[br]And on the DHCP request
0:06:16.750,0:06:20.229
it goes and gets an IP address[br]and gets all the information it needs.
0:06:20.229,0:06:25.340
And it also, well, it’s kind of sane,[br]it’s just a normal DHCP request.
0:06:25.340,0:06:28.949
It also, however, gets something[br]similar to PXE booting
0:06:28.949,0:06:32.960
where it gets usually… in PXE booting you[br]would get an executable that you’d run,
0:06:32.960,0:06:35.709
here, you get something different.[br]Here, you also get a file
0:06:35.709,0:06:39.159
that you need to download[br]using TFTP just like with PXE.
0:06:39.159,0:06:44.769
However, in this case,[br]it’s a configuration file…
0:06:44.769,0:06:46.900
– There you go –[br]…configuration file…
0:06:46.900,0:06:50.109
…that you just receive using[br]PXE to your cable modem;
0:06:50.109,0:06:52.989
and then, the cable modem is configured.
0:06:52.989,0:06:56.680
Now what is inside this Provisioning[br]File, that’s what I call it? Well,
0:06:56.680,0:07:01.360
there’s interesting information like: What[br]is your firmware update filename called?
0:07:01.360,0:07:04.530
If you want to update your firmware[br]or if the provider wants to have you
0:07:04.530,0:07:09.799
update your firmware.[br]How much bandwidth do I have?
0:07:09.799,0:07:14.189
laughter
0:07:14.189,0:07:17.370
I hear, people have been[br]playing with that one…
0:07:17.370,0:07:20.289
laughter
0:07:20.289,0:07:23.749
And, well, since it’s just a normal TFTP[br]request you can just do it yourself, too.
0:07:23.749,0:07:28.499
This is my configuration. You just go, get[br]it, and you have your configuration file.
0:07:28.499,0:07:34.219
Now, the interesting thing that I realized[br]when I first started doing this was:
0:07:34.219,0:07:36.999
Sure, this is my configuration file.[br]But what about configuration files
0:07:36.999,0:07:42.080
from other people? Well, you[br]go and get the MAC address,
0:07:42.080,0:07:44.560
if you have the MAC address you[br]just go and get it and there you go:
0:07:44.560,0:07:47.339
You have the other people’s[br]configuration file.
0:07:47.339,0:07:48.460
laughter
0:07:48.460,0:07:51.440
Easy as that, right? That’s the[br]way it’s supposed to work.
0:07:51.440,0:07:58.440
applause
0:07:59.690,0:08:03.099
The actual effects of that,[br]we’re going to come to that later.
0:08:03.099,0:08:05.909
Let’s just declare TFTP,[br]the whole access to that,
0:08:05.909,0:08:08.920
as “slightly insecure” for now.
0:08:08.920,0:08:11.840
laughter
0:08:11.840,0:08:16.329
But now, if you’re an ISP, you want to[br]monitor what your people do, right?
0:08:16.329,0:08:18.910
So imagine, you’re the admin there.
0:08:18.910,0:08:21.619
Just imagine, you’re one[br]of the good guys, right?
0:08:21.619,0:08:24.650
And you want to see what are those[br]people on your modem doing.
0:08:24.650,0:08:27.060
Are they, like, downloading[br]too much content?
0:08:27.060,0:08:32.410
Because you obviously cannot filter[br]or find that out from the other side.
0:08:32.410,0:08:35.890
So, what do you do? Well, you obviously[br]send the industry standard for that:
0:08:35.890,0:08:42.130
An SNMP request. Using a[br]password that only you know.
0:08:42.130,0:08:47.220
laughter
0:08:47.220,0:08:50.190
Send it over to the cable modem[br]and the cable modem then goes in
0:08:50.190,0:08:54.010
and replies with the respective[br]reply saying “Oh, yeah, sure,
0:08:54.010,0:08:57.250
I got that piece of information,[br]there you go, you have it.”
0:08:57.250,0:09:00.580
Oh, that was too quick!
0:09:00.580,0:09:07.580
But how does your modem[br]actually verify that password?
0:09:07.940,0:09:10.740
Yeah, you guessed right: Using[br]the Provisioning File, obviously!
0:09:10.740,0:09:12.810
laughter
0:09:12.810,0:09:17.010
Once you download the Provisioning File[br]from any random modem in there
0:09:17.010,0:09:22.640
– including yours – you end up[br]getting an interesting password.
0:09:22.640,0:09:27.800
laughter
0:09:27.800,0:09:30.480
However, they actually[br]did at least one thing:
0:09:30.480,0:09:35.150
They limited the address range you are[br]allowed to access those devices on.
0:09:35.150,0:09:39.540
laughter
0:09:39.540,0:09:46.540
Yeah…[br]applause
0:09:47.090,0:09:50.210
As a hint for those who did not clap:
0:09:50.210,0:09:54.740
This means, everybody[br]who is in that network.
0:09:54.740,0:09:57.250
But how big is this network?
0:09:57.250,0:10:01.520
I figured: Why not just give it a try[br]and ask some people in Hannover
0:10:01.520,0:10:03.930
whether I could just get[br]their MAC addresses
0:10:03.930,0:10:06.850
and see how far I could get.
0:10:06.850,0:10:10.920
Just send an SNMP request over,[br]I had the password now, right?
0:10:10.920,0:10:15.060
And ask that modem:
0:10:15.060,0:10:18.380
“Please tell me everything you know!”
0:10:18.380,0:10:22.770
And it replied![br]laughter
0:10:22.770,0:10:25.130
There’s a lot of interesting information,[br]SNMP, you wouldn’t believe it!
0:10:25.130,0:10:28.880
So this is obviously just stuff like[br]“Oh, yeah, I’m this and that modem!”
0:10:28.880,0:10:31.160
But there’s more in there.[br]There’s, for example…
0:10:31.160,0:10:34.280
this is my public IP address!
0:10:34.280,0:10:38.170
– in case you’re searching[br]for someone specific. Or…
0:10:38.170,0:10:41.250
these are my internal MAC[br]addresses and IP addresses.
0:10:41.250,0:10:43.790
In case you’re searching for some[br]specific notebook that someone
0:10:43.790,0:10:49.530
stole from you or so.[br]laughter
0:10:49.530,0:10:53.390
Or… this is my Provisioning File, in[br]case you just happened to port scan
0:10:53.390,0:10:56.110
all of the machines out there and[br]ask them using the same password
0:10:56.110,0:11:01.040
that they all share on what their[br]Provisioning Files could be called.
0:11:01.040,0:11:02.410
clears throat
0:11:02.410,0:11:04.596
Of course, I never did that. Right?
0:11:04.596,0:11:08.040
laughter
0:11:08.040,0:11:15.040
So, I would say, the whole SNMP story[br]isn’t “really” all that secure either.
0:11:15.970,0:11:19.610
But at a certain point in time, like when[br]the modem actually doesn’t work
0:11:19.610,0:11:22.310
like the way you would envision[br]it to be or if you just need to do
0:11:22.310,0:11:25.990
more administrative stuff, the admin wants[br]to have more access than just SNMP, right?
0:11:25.990,0:11:31.020
This is kind of isolated to a few[br]specific pieces of information.
0:11:31.020,0:11:36.940
You want some more hardcore access.[br]Like real go down into a real shell.
0:11:36.940,0:11:40.430
How do you do shells in 2015?[br]Audience: TELNET!
0:11:40.430,0:11:44.470
Alexander: Telnet. Exactly![br]laughter
0:11:44.470,0:11:51.470
applause
0:11:52.650,0:11:58.820
We’ll actually get to the point why[br]Telnet was a good idea later, but…
0:11:58.820,0:12:04.260
that’s 30 slides down or so.
0:12:04.260,0:12:07.420
We already managed to get an SNMP[br]connection working to a different modem,
0:12:07.420,0:12:12.660
let’s just try the same with Telnet[br]and see how far we can get.
0:12:12.660,0:12:19.090
We can go in and just Telnet in and it[br]replies and says “please give me a login”
0:12:19.090,0:12:23.930
Hm. Now where do I get this login from?
0:12:23.930,0:12:26.160
laughter
0:12:26.160,0:12:29.900
Turns out, the administrator needs to[br]provide that password just the same
0:12:29.900,0:12:33.100
to the modem, which needs to verify it.
0:12:33.100,0:12:37.550
Based on configuration. Which it gets[br]from the Provisioning File. That…
0:12:37.550,0:12:41.490
I think you see the point.
0:12:41.490,0:12:44.680
So in the same Provisioning File that you[br]can obviously again download for every
0:12:44.680,0:12:49.880
single user in the network[br]you also have the password.
0:12:49.880,0:12:52.980
In plaintext.
0:12:52.980,0:12:56.250
That’s the part that actually took[br]me the longest in this whole thing.
0:12:56.250,0:12:59.980
I spent weeks trying to[br]figure out what hash this is.
0:12:59.980,0:13:05.210
raging laughter
0:13:05.210,0:13:11.550
big applause
0:13:11.550,0:13:15.880
So if we try to log in to the server[br]using those credentials we got,
0:13:15.880,0:13:18.200
we get greeted with a nice[br]command line interface
0:13:18.200,0:13:22.180
for poor Mr. Admin at our provider’s side.
0:13:22.180,0:13:26.540
But I don’t really like those,[br]like, boiled-down interfaces.
0:13:26.540,0:13:29.210
I want a real shell.[br]I want to load kernel modules.
0:13:29.210,0:13:31.730
I want to filter all my network traffic.
0:13:31.730,0:13:35.730
I want to reroute everything that[br]modem does to a different machine.
0:13:35.730,0:13:41.110
I want to rewrite the VoIP[br]client to instead do… either way!
0:13:41.110,0:13:44.520
So I want to do something real.[br]Let’s do the help command
0:13:44.520,0:13:47.480
and it tells us that there’s a[br]cool command called “shell”.
0:13:47.480,0:13:49.550
laughter
0:13:49.550,0:13:52.890
Ah yeah, there you go, got a shell!
0:13:52.890,0:13:57.070
By now, at that point, I can actually[br]go and do anything I want to that modem.
0:13:57.070,0:14:01.760
I got full root access. By the way,[br]all the modems run every single
0:14:01.760,0:14:05.390
piece of software running on there,[br]including your web server and your
0:14:05.390,0:14:11.280
SIP server and anything as UID 0.[br]Which is a good idea, right?
0:14:11.280,0:14:14.680
So, I now got shell access so[br]I can do anything I want.
0:14:14.680,0:14:18.510
I can re-route all your traffic,[br]I don’t, obviously, but
0:14:18.510,0:14:21.980
this is basically where we[br]went half a year ago.
0:14:21.980,0:14:25.390
Another thing to note is that[br]– since it’s so annoying to generate
0:14:25.390,0:14:29.660
different passwords for different devices…
0:14:29.660,0:14:31.780
Yeah, yeah, I know.
0:14:31.780,0:14:36.080
You just use one password[br]for all, right? It’s good enough.
0:14:36.080,0:14:42.620
So you don’t even have to read your[br]other person’s Provisioning File,
0:14:42.620,0:14:45.040
you can just use your own password[br]that is in your own Provisioning File
0:14:45.040,0:14:50.330
which you already have on your modem[br]because you’re provisioned yourself.
0:14:50.330,0:14:54.300
The only notable exception that[br]I found to this whole scheme
0:14:54.300,0:14:57.690
– I mean, you could basically go[br]and log in to any modem out there,
0:14:57.690,0:15:02.140
except for Fritz!Boxes.[br]applause
0:15:02.140,0:15:07.920
Yeah, congratulations everyone! Kudos!
0:15:07.920,0:15:11.570
So, apparently, AVM are the only ones[br]who did not follow the standard scheme
0:15:11.570,0:15:15.480
from my provider and instead said: “No[br]no no, guys! You don’t do the firmware.
0:15:15.480,0:15:20.170
WE do the firmware”, and they just[br]don’t like to enable Telnet. Apparently
0:15:20.170,0:15:25.430
there are people in that company that[br]actually know what they’re doing.
0:15:25.430,0:15:31.010
So, I would say the whole Telnet[br]access thing isn’t exactly…
0:15:31.010,0:15:36.660
I wouldn’t mark it “secure”[br]either. Naahhh… naaah…
0:15:36.660,0:15:39.240
But we didn’t really come here[br]for the Admin network, right?
0:15:39.240,0:15:45.020
I was just… it happened to be around.[br]I just looked at it and… njeeeeeh.
0:15:45.020,0:15:48.420
We wanted to go and do[br]voice-over-IP! Hah!
0:15:48.420,0:15:52.030
Yeah, so how does VoIP look[br]like? It’s kind of similar.
0:15:52.030,0:15:54.130
It also does a DHCP[br]request in the beginning.
0:15:54.130,0:15:59.600
DHCP is usually fine, I mark[br]it with a green tick here.
0:15:59.600,0:16:04.770
I’ll leave it to others to further[br]dig down into that part.
0:16:04.770,0:16:09.690
It does the same TFTP bit so if you just[br]go and – instead of downloading your
0:16:09.690,0:16:16.660
Provisioning File from your own modem,[br]from the RAN, from the admin network –
0:16:16.660,0:16:23.200
you just go and get it from the other MAC[br]address and there you go, you have it.
0:16:23.200,0:16:29.250
Nicely enough, all those cable providers[br]registered consecutive MAC addresses,
0:16:29.250,0:16:35.770
so if you have one,[br]you also have the others.
0:16:35.770,0:16:40.070
Just… You basically just ask a friend:[br]“Give me your MAC address that’s
0:16:40.070,0:16:44.090
written on the box” and you basically[br]have everything you need.
0:16:44.090,0:16:46.760
SNMP is the same thing.[br]You can access it using SNMP.
0:16:46.760,0:16:49.280
The really nice thing about[br]SNMP here is that the box also
0:16:49.280,0:16:53.980
tells you the other accesses it has, so[br]if you only have one IP address, or…
0:16:53.980,0:16:57.950
I also have a nice DNS service internally[br]that tells you what the IP address is
0:16:57.950,0:17:01.210
to a certain MAC address, so you just[br]ask the DNS for the MAC address of
0:17:01.210,0:17:09.409
the VoIP access, then you go and[br]SNMP, ask it for the IP address
0:17:09.409,0:17:14.169
of the admin network, and[br]there you go. You’re in the box.
0:17:14.169,0:17:17.940
However, the really interesting bit[br]on the voice-over-IP network is SIP.
0:17:17.940,0:17:22.330
Since… you want to do VoIP, right?[br]That’s what the whole thing is about.
0:17:22.330,0:17:28.330
So VoIP basically works… the way that your[br]modem wants to go and do a phone call.
0:17:28.330,0:17:30.730
So how do you do a phone call with SIP?
0:17:30.730,0:17:38.690
You need to provide data like credentials,[br]like, tell the other side, the server,
0:17:38.690,0:17:40.470
how you authenticate yourself.
0:17:40.470,0:17:43.890
Which, obviously, is written[br]in your Provisioning File.
0:17:43.890,0:17:47.640
So, you use those and tell the[br]server: “I want to do a phone call”
0:17:47.640,0:17:49.580
and there you go: You do a phone call.
0:17:49.580,0:17:54.000
Now if we look at this Provisioning File,[br]you can see that it contains your server
0:17:54.000,0:17:57.560
and your user name and your phone number
0:17:57.560,0:18:03.870
and your… well, basically everything[br]you’d need to log in to a SIP server.
0:18:03.870,0:18:10.310
Now, since I can read anybody[br]else’s Provisioning Files, …
0:18:10.310,0:18:11.590
laughter
0:18:11.590,0:18:16.440
So, imagine I’m this user up there. Right?
0:18:16.440,0:18:21.400
And I’m just doing a normal call[br]as this phone number up there.
0:18:21.400,0:18:24.330
Well, maybe there’s this[br]other guy in the network
0:18:24.330,0:18:27.700
who just goes in and downloads[br]your Provisioning File
0:18:27.700,0:18:31.070
and, well, he gets all the credentials[br]he would need, so he gets
0:18:31.070,0:18:35.870
the same phone number and[br]then he can just go and do a call.
0:18:35.870,0:18:46.800
Hm. Yeah. Maybe I should have[br]registered a few 0900 numbers.
0:18:46.800,0:18:50.500
Now the really interesting part here is –[br]it also works the other way!
0:18:50.500,0:18:53.900
You register for it and if you’re[br]the fastest one registering it,
0:18:53.900,0:18:58.580
the other modem doesn’t get the[br]chance to receive calls which means
0:18:58.580,0:19:02.360
now you receive the calls and then you can[br]just tell the other modem that there was
0:19:02.360,0:19:06.910
a call, just that, by now, you actually[br]route all the traffic through your modem
0:19:06.910,0:19:13.000
and you can listen to all the voice data[br]that there is on the line. Yay!
0:19:14.450,0:19:18.260
Yeah…[br]laughter
0:19:18.260,0:19:22.160
Not sure it’d be a good idea to[br]talk to your lawyer around…
0:19:22.160,0:19:27.030
Using this line for secure stuff[br]is probably not the best.
0:19:27.030,0:19:33.080
I wouldn’t mark SIP as secure[br]on this thing, either.
0:19:33.080,0:19:38.240
But at this point, so on the Telnet[br]access and on all the other parts,
0:19:38.240,0:19:40.870
I was, like, sure,[br]I can fix it for myself.
0:19:40.870,0:19:44.230
I’m an egoist, right?[br]I can fix it for myself.
0:19:44.230,0:19:46.650
I don’t care about the rest of mankind…
0:19:46.650,0:19:51.270
I do, but I can claim that!
0:19:51.270,0:19:54.490
I can just as well ignore all the[br]others and say: I fix it for myself.
0:19:54.490,0:19:58.420
But for voice-over-IP, I can’t.[br]Because I’m completely out of the loop.
0:19:58.420,0:20:05.090
This other guy, he could just go and[br]steal my credentials, because he can…
0:20:05.090,0:20:07.050
and there’s nothing I can do about it.
0:20:07.050,0:20:12.080
So at that point, I was kind of scared[br]that someone would be able to hack me.
0:20:12.080,0:20:17.120
So I started to think about[br]how to fix this thing.
0:20:17.120,0:20:22.540
Now, the first thing that comes to[br]mind is obviously: You as a user
0:20:22.540,0:20:28.910
go and pick up the phone and call[br]the service line from your provider.
0:20:28.910,0:20:31.540
laughter
0:20:31.540,0:20:34.410
Yeah, I don’t think, that’s a good idea.[br]laughter
0:20:34.410,0:20:38.590
Nah, no I didn’t want to go down that[br]road, nah… So, instead, I figured,
0:20:38.590,0:20:41.730
I’m going to call someone else.[br]I’m going to call a couple friends.
0:20:41.730,0:20:44.250
laughter and applause
0:20:44.250,0:20:50.960
applause
0:20:50.960,0:20:54.430
Gonna call a couple of friends from[br]Heise, thanks to my Linux work, I knew
0:20:54.430,0:20:59.640
a few of those, and they also tend to[br]do security, which kind of falls into
0:20:59.640,0:21:02.160
this whole thing and used them as a proxy.
0:21:02.160,0:21:09.160
So that nobody could actually go and[br]sue me until things were public.
0:21:11.690,0:21:15.100
So, imagine what the provider[br]would do when he hears
0:21:15.100,0:21:19.229
that I hacked into their Telnet account.
0:21:19.229,0:21:23.670
Sure, you’d do the obvious thing:[br]You’d replace Telnet with SSH, right?
0:21:23.670,0:21:26.350
It’s what everybody would do. It’s the[br]first thing. You look at this and think,
0:21:26.350,0:21:29.610
like, “Oh my god, this is 2015,[br]why would you be doing Telnet?”
0:21:29.610,0:21:35.720
Well, the answer is pretty simple. Emm…[br]laughter
0:21:35.720,0:21:38.989
Take a look again. It’s not as simple[br]as you think. Take a look at it again,
0:21:38.989,0:21:43.060
there’s this Provisioning File. SSH[br]actually gets different credentials!
0:21:43.060,0:21:46.790
So, the SSH credentials[br]are actually down here.
0:21:46.790,0:21:49.530
And the password is different[br]from the one on the top.
0:21:49.530,0:21:51.410
I don’t know what the password is.
0:21:51.410,0:21:56.310
But I can tell you that the[br]password hash is really cool!
0:21:56.310,0:21:59.890
So, the password hash is something[br]that comes from VxWorks, so I’m pretty
0:21:59.890,0:22:04.390
sure that there are more devices out there[br]that might be interesting to look at.
0:22:04.390,0:22:06.970
The VxWorks hash actually[br]works in a really simple way:
0:22:06.970,0:22:12.850
It creates a checksum of your input that[br]lies somewhere between those 2 numbers
0:22:12.850,0:22:16.940
and then creates a fancy String out[br]of them based on some heuristics.
0:22:16.940,0:22:21.860
But essentially, the whole password down[br]there boils down to just a single number
0:22:21.860,0:22:26.740
that is basically, in a realistic case,[br]the upper limit is 40 characters,
0:22:26.740,0:22:28.980
so you’re not going to see[br]a password that long,
0:22:28.980,0:22:33.280
realistically you basically check around[br]100 passwords and any hash out there,
0:22:33.280,0:22:37.460
any password that’s available, you[br]already cracked it. Which means,
0:22:37.460,0:22:41.580
there are so many collisions in this[br]hash, which I wouldn’t even call a hash,
0:22:41.580,0:22:44.390
that I don’t know what the original[br]password is like… I don’t know.
0:22:44.390,0:22:47.380
But this one works pretty well!
0:22:47.380,0:22:50.730
laughter and applause
0:22:50.730,0:22:56.940
applause
0:22:56.940,0:23:00.750
So we go ahead and we log into this[br]machine and we type in our collision
0:23:00.750,0:23:04.080
and… there you go! We got[br]the same thing as before!
0:23:04.080,0:23:07.900
So we told them again: “Guys,[br]look, it’s not as easy as that.
0:23:07.900,0:23:10.860
You should probably take a bit[br]deeper breath and take a look
0:23:10.860,0:23:14.390
at how things actually are broken.”
0:23:14.390,0:23:18.030
Which, turns out, they did![br]So what happened next?
0:23:18.030,0:23:24.010
We had this whole huge mess with[br]lots of services that are all attackable
0:23:24.010,0:23:27.210
and everything’s just wholly broken.
0:23:27.210,0:23:31.960
That was two months ago.
0:23:31.960,0:23:35.530
There were some circumstances[br]why we just couldn’t tell them earlier.
0:23:35.530,0:23:39.780
And we basically told them: “Guys, you[br]know, in 2 months’ time we’re going to do
0:23:39.780,0:23:43.050
a talk here and everything’s going to[br]be public so you might want to fix
0:23:43.050,0:23:46.840
your network until then.”[br]laughter
0:23:46.840,0:23:51.660
So the first thing that they did is: They[br]added a check to their TFTP server
0:23:51.660,0:23:56.630
to verify whether you’re actually eligible[br]to download this Provisioning File.
0:23:56.630,0:24:01.770
applause
0:24:01.770,0:24:04.720
So now, you can only download your[br]own Provisioning File. Which is great…
0:24:04.720,0:24:09.330
finally! I mean, this is the obvious[br]thing to do. So that one’s fixed.
0:24:09.330,0:24:13.180
Then, they went ahead and said: Well,[br]there’s no real reason why one modem
0:24:13.180,0:24:16.280
should do SNMP traffic with another.[br]So they just added a firewall, saying,
0:24:16.280,0:24:19.570
we’re blocking SNMP traffic[br]between different machines
0:24:19.570,0:24:22.610
– problem solved!
0:24:22.610,0:24:26.780
applause
0:24:26.780,0:24:30.439
The same for SSH – they went ahead and[br]said: There’s no reason why you should
0:24:30.439,0:24:34.120
be doing TCP between[br]one modem and another.
0:24:34.120,0:24:36.360
Problem solved!
0:24:36.360,0:24:39.610
applause
0:24:39.610,0:24:44.610
And because the VoIP access credentials
0:24:44.610,0:24:47.910
are actually part of your Provisioning[br]File which you can now
0:24:47.910,0:24:51.140
no longer download from somebody[br]else, that one is fixed too.
0:24:51.140,0:24:56.689
Awesome! shy applause[br]Go ahead, go ahead, clap! It’s awesome!
0:24:56.689,0:25:00.210
applause
0:25:00.210,0:25:04.809
Thank you, ISPs. So after two months,[br]you actually managed to limit me
0:25:04.809,0:25:07.900
into the borders that I was supposed[br]to be in, in the beginning.
0:25:07.900,0:25:11.800
It’s cool![br]So what do we have…
0:25:11.800,0:25:16.110
Please guard your networks even if you[br]believe that somebody couldn’t go in
0:25:16.110,0:25:17.970
– they probably will.
0:25:17.970,0:25:22.930
Because, as soon as a customer[br]can access your device physically,
0:25:22.930,0:25:26.290
which kind of happens to be the[br]case with a modem that’s sitting
0:25:26.290,0:25:31.920
in your apartment,
0:25:31.920,0:25:35.020
that guy can access your network.[br]There’s no way you can prevent it.
0:25:35.020,0:25:38.950
So don’t believe that the border[br]of your network is the home.
0:25:38.950,0:25:43.980
The border of your network is[br]the cable going into that home.
0:25:43.980,0:25:46.640
The same way goes the other way[br]around: If an ISP gives you a device,
0:25:46.640,0:25:48.590
don’t trust that thing.
0:25:48.590,0:25:51.030
Seriously. They can do anything they like.
0:25:51.030,0:25:55.230
And sometimes, somebody else can, too.
0:25:55.230,0:26:02.510
In this case, according to my provider, I[br]was able to access 3 million devices.
0:26:02.510,0:26:05.405
applause[br]That’s quite some number.
0:26:05.405,0:26:10.590
applause
0:26:10.590,0:26:16.730
Also, the press is your friend. If you[br]are afraid of revealing something,
0:26:16.730,0:26:18.680
tell someone who can do it for you
0:26:18.680,0:26:25.130
and usually, things go out well.[br]Let’s hope for the best.
0:26:25.130,0:26:29.110
And then, this whole thing went[br]online in the beginning of the week
0:26:29.110,0:26:32.640
and there were a couple of questions[br]on the forums that I read
0:26:32.640,0:26:35.880
and I just wanted to take[br]the time to reply to those.
0:26:35.880,0:26:38.200
First thing that always comes[br]up is: “Is this a conspiracy?”
0:26:38.200,0:26:41.270
Like “Oh my god, this[br]is the NSA backdoor!”
0:26:41.270,0:26:44.710
No way. I mean, seriously,[br]those guys are not that stupid.
0:26:44.710,0:26:47.990
They have their own front doors,[br]they don’t need backdoors.
0:26:47.990,0:26:50.080
laughter
0:26:50.080,0:26:54.549
This really is just a case of “If we don’t[br]secure things, it’s going to be easier
0:26:54.549,0:26:59.630
for us.” Njee, it was[br]easier for everybody,
0:26:59.630,0:27:03.070
including the ones who[br]shouldn’t have access.
0:27:03.070,0:27:07.930
So, no, this is not a conspiracy. This is[br]not some backdoor from some agency.
0:27:07.930,0:27:13.110
This is really just a matter of a[br]company not doing their homework.
0:27:13.110,0:27:15.970
The same thing goes for other providers.
0:27:15.970,0:27:20.360
My cable just wasn’t long enough[br]to connect to some other country
0:27:20.360,0:27:24.310
so I don’t know whether other[br]DOCSIS networks are affected.
0:27:24.310,0:27:30.540
From the best of my knowledge:[br]Yes, they are.
0:27:30.540,0:27:33.639
I’m not allowed to tell you to check.
0:27:33.639,0:27:37.049
But if you happen to have[br]that idea on your own…
0:27:37.049,0:27:40.480
laughter and applause
0:27:40.480,0:27:47.480
applause
0:27:47.480,0:27:50.269
No animals were hurt during[br]the production of this movie.
0:27:50.269,0:27:51.320
laughter
0:27:51.320,0:27:55.330
All the passwords were changed, so if you[br]happen to know the real passwords,
0:27:55.330,0:27:58.049
you probably had a good laugh[br]during the presentation.
0:27:58.049,0:28:03.660
If you don’t know the real passwords,[br]njeeee, they are different.
0:28:03.660,0:28:07.130
To the best of my knowledge, all of that[br]knowledge that I just gave you is
0:28:07.130,0:28:13.810
completely useless to you,[br]because all the issues are fixed.
0:28:13.810,0:28:16.630
Thank you.
0:28:16.630,0:28:32.020
applause
0:28:32.020,0:28:33.690
Herald [to Alexander]: Q&A?[br][Alexander nodding]
0:28:33.690,0:28:36.009
Alexander: So now we can[br]go for questions if you like.
0:28:36.009,0:28:39.399
So please… or… you go[br]ahead and announce it.
0:28:39.399,0:28:43.650
Herald: So if you have questions,[br]run towards a microphone and
0:28:43.650,0:28:49.020
stand behind it visibly.[br]The first one was on number 4.
0:28:49.020,0:28:54.430
Q: You were talking about taking[br]a couple of weeks to get to know
0:28:54.430,0:28:57.990
that the password wasn’t[br]hashed but plaintext.
0:28:57.990,0:29:02.500
So how long did this whole[br]exchange in total go on?
0:29:02.500,0:29:07.010
How much facepalming and[br]how many hours did it take for you?
0:29:07.010,0:29:10.070
A: So I didn’t spend full time on it,[br]I really literally just whenever
0:29:10.070,0:29:14.250
the baby was crying I just went up[br]and figured “I can do something”.
0:29:14.250,0:29:21.550
It’s not… I basically got[br]cable access two years ago.
0:29:21.550,0:29:25.210
I first got into the modem[br]about one year ago, I think.
0:29:25.210,0:29:31.610
That’s when I started looking for real.
0:29:31.610,0:29:34.670
I basically ended up digging[br]deeper and deeper, right? It’s not…
0:29:34.670,0:29:38.840
VoIP, for example, I only realized the[br]whole voice-over-IP story in August.
0:29:38.840,0:29:42.650
Since I just didn’t look before. I was[br]like so excited to see all the other bits.
0:29:42.650,0:29:44.250
shy laughter
0:29:44.250,0:29:46.350
Just didn’t look.
0:29:46.350,0:29:48.900
Herald: Now number 1, please.
0:29:48.900,0:29:54.220
Q: Are you really sure that the TFTP[br]Provisioning File fetching is secure now?
0:29:54.220,0:30:01.429
Because… do they do some MAC[br]integrity tests for MAC spoofing?
0:30:01.429,0:30:04.670
A: Yeaaaaah…
0:30:04.670,0:30:09.259
laughter
0:30:09.259,0:30:13.870
The problem is the law, right? I’m not[br]allowed to tell you to try it yourself,
0:30:13.870,0:30:18.580
I’m not allowed to tell you that I don’t[br]think that anything on the physical layer
0:30:18.580,0:30:23.089
is insecure. I’m not allowed to tell you[br]that… I mean there’s so many things
0:30:23.089,0:30:29.109
I’m not allowed to tell you about[br]this whole network… I haven’t tried.
0:30:29.109,0:30:36.109
I really just went in and said “TFTP[br]Fetch and see whether I can get it.”
0:30:36.109,0:30:41.080
laughter and applause
0:30:41.080,0:30:45.760
applause
0:30:45.760,0:30:48.690
Herald: Number 7 up[br]there on the balcony.
0:30:48.690,0:30:52.309
Q: Hello. My question is, in the[br]beginning in your config files,
0:30:52.309,0:30:56.870
I think there was something about traffic[br]priority or network priority as well.
0:30:56.870,0:31:00.760
Did you play around with that one as well?[br]Is that something about Net Neutrality,
0:31:00.760,0:31:03.180
maybe?[br]A: Ahh, that’s an interesting…
0:31:03.180,0:31:05.390
OK, so, it’s not about[br]Net Neutrality at all.
0:31:05.390,0:31:11.240
It’s about QoS of different services,[br]so they basically say that
0:31:11.240,0:31:15.110
VoIP traffic gets higher[br]priority than the other bits
0:31:15.110,0:31:18.200
since you want to have low latency[br]on voice-over-IP traffic, obviously.
0:31:18.200,0:31:20.860
So that has nothing to do with[br]Net Neutrality in this thing at all.
0:31:20.860,0:31:28.210
I did play around with[br]those settings, just because…
0:31:28.210,0:31:31.410
coincidentally, right the day after[br]the Fahrplan got released,
0:31:31.410,0:31:35.230
my account got throttled to 80 kBit/s.
0:31:35.230,0:31:38.130
I don’t know why.[br]Could be related, could be not.
0:31:38.130,0:31:43.400
But I figured, “I’m paying for 100 MBit/s”[br]so I should probably get 100 MBit/s
0:31:43.400,0:31:46.330
and started to look at those things.
0:31:46.330,0:31:50.280
I did not manage to actually convince[br]my modem to get me more.
0:31:50.280,0:31:52.820
Q: Did you change the[br]bandwidth in the settings?
0:31:52.820,0:31:55.140
Herald: No dialogues, please.
0:31:55.140,0:31:59.670
A: Yes, I did change the bandwidth.[br]It’s not… my guess is,
0:31:59.670,0:32:02.359
they’re also QoS’ing on the[br]other side. But if you want to
0:32:02.359,0:32:05.260
verify it, I’m not telling you not to.
0:32:05.260,0:32:07.600
laughter
0:32:07.600,0:32:09.309
Herald: Number 2, please.
0:32:09.309,0:32:12.370
Q: Yes. So at first, thank[br]you for the nice insights.
0:32:12.370,0:32:15.140
I’m a cable user, so I’m interested here.
0:32:15.140,0:32:19.219
And I want to, again, make a[br]statement on the Provisioning File.
0:32:19.219,0:32:23.940
You should have told them that the[br]Provisioning File fetching in this way
0:32:23.940,0:32:26.210
isn’t a good idea anyway.
0:32:26.210,0:32:30.460
And I personally would believe[br]if they cannot transfer it
0:32:30.460,0:32:36.490
via a completely different channel,[br]it will not get really secure.
0:32:36.490,0:32:39.869
A: They can not do it differently[br]because it’s part of a standard.
0:32:39.869,0:32:42.849
There’s a DOCSIS standard which[br]all the modems have to adhere to
0:32:42.849,0:32:46.259
and that’s part of the standard.[br]They cannot do it differently.
0:32:46.259,0:32:48.350
If you want to have it done[br]differently, you have to tell
0:32:48.350,0:32:53.310
the DOCSIS standardization[br]committee which is in India.
0:32:53.310,0:32:56.910
Q: Yes, so I’ll talk to them. Thanks!
0:32:56.910,0:33:00.159
Herald: Now, we’ll have a[br]question from the Internet.
0:33:00.159,0:33:03.650
Q: Could two modems be[br]programmed to talk among
0:33:03.650,0:33:07.169
themselves directly,[br]bypassing the ISP firewall?
0:33:07.169,0:33:09.109
A: Say it again.
0:33:09.109,0:33:15.270
Signal Angel repeats question more slowly
0:33:15.270,0:33:17.110
A: You mean with the new scheme[br]or with the old scheme?
0:33:17.110,0:33:21.150
With the old scheme, it was…[br]you could just go and route through it.
0:33:21.150,0:33:29.200
With the new scheme… you…[br]not with the official modems.
0:33:29.200,0:33:33.450
laughter and applause
0:33:33.450,0:33:39.060
applause
0:33:39.060,0:33:42.860
Herald: And number 8 on the balcony.
0:33:42.860,0:33:47.199
Q: Did you find any traces[br]of TR-069 in this thing?
0:33:47.199,0:33:52.450
A: I did on the AVM boxes[br]that were secure, yeah.
0:33:52.450,0:33:55.939
So that was the only bit that actually[br]ended up making a lot of sense.
0:33:55.939,0:33:59.470
TR-069 is a pretty nice standard.[br]You basically have authenticated
0:33:59.470,0:34:03.090
– I think it was even HTTPS – traffic that[br]basically goes and pokes the server
0:34:03.090,0:34:07.899
to get you a firmware update. It’s a[br]perfectly nice way of provisioning
0:34:07.899,0:34:10.728
such a system. It’s definitely a[br]lot different from the usual way
0:34:10.728,0:34:15.409
so on those DOCSIS modems, the usual[br]way to tell it to get a new “firmware” is
0:34:15.409,0:34:19.469
either to tell it to reboot and get a new[br]file from the provisioning server or
0:34:19.469,0:34:24.679
to just poke directly through SNMP to tell[br]it: “Go to this TFTP server over there
0:34:24.679,0:34:27.879
with this file name and[br]flash it onto your Flash.”
0:34:27.879,0:34:29.179
laughter
0:34:29.179,0:34:35.039
No, I have not tried to spoof the[br]privileged IP address range.
0:34:35.039,0:34:38.610
laughter
0:34:38.610,0:34:41.099
Herald: Now it’s number 4 again.
0:34:41.099,0:34:45.328
Q: The question I have is:
0:34:45.328,0:34:49.259
When you tried to first[br]contact them via Heise,
0:34:49.259,0:34:54.339
was there any way they[br]might have tried to
0:34:54.339,0:34:58.470
convince you to not[br]do the talk and if so,
0:34:58.470,0:35:02.460
would there be an itch on your head?
0:35:02.460,0:35:07.229
A: They did not try in any[br]way whatsoever. Zero.
0:35:07.229,0:35:10.319
Q: Do you think that was due to[br]the credibility or do you think
0:35:10.319,0:35:13.580
they thought “Oh, we screwed up”?
0:35:13.580,0:35:20.190
A: I don’t know. I don’t think they[br]thought any other way would work at that
0:35:20.190,0:35:24.009
point in time. Since the press was already[br]involved, they are not gonna pull back
0:35:24.009,0:35:28.099
their story, there’s nothing[br]else they can do.
0:35:28.099,0:35:29.470
Q: Thank you again.
0:35:29.470,0:35:34.339
Herald: Before I hand the microphone,[br]do you want to do the entire 24
0:35:34.339,0:35:38.009
remaining minutes Q&A or[br]do you want to put a limit?
0:35:38.009,0:35:41.660
Graf: No, I think 24 minutes Q&A is fine.[br]We can always cap it later on, right?
0:35:41.660,0:35:44.399
Just go and ask. Ask as much as you like.
0:35:44.399,0:35:50.749
applause
0:35:50.749,0:35:53.570
Herald: The Internet, again.
0:35:53.570,0:35:57.499
Q: How much of this would have been[br]possible if the modem had been
0:35:57.499,0:36:01.729
in bridge mode?[br]A: My modem was in bridge mode.
0:36:01.729,0:36:04.529
laughter
0:36:04.529,0:36:07.060
Herald: And number 6.
0:36:07.060,0:36:12.049
Q: Do you have an idea how[br]long this has been that way?
0:36:12.049,0:36:16.180
And do you have any[br]specific reasons to believe
0:36:16.180,0:36:20.759
what group of people
0:36:20.759,0:36:25.499
might have abused these problems?
0:36:25.499,0:36:29.289
A: I don’t know. I did not see anybody[br]else on the network but it’s really hard
0:36:29.289,0:36:33.819
to see someone in a[br]sea of 3 million devices.
0:36:33.819,0:36:38.329
I am not aware of anybody exploiting this,
0:36:38.329,0:36:41.940
so I can only state what Vodafone said.
0:36:41.940,0:36:45.880
And they said that nobody else[br]did exploit those problems.
0:36:45.880,0:36:49.660
According… as far as time… and[br]I believe that one actually… it’s…
0:36:49.660,0:36:51.709
I don’t think that anybody[br]did. Which is surprising
0:36:51.709,0:36:55.169
since this whole stuff was kind of obvious
0:36:55.169,0:36:59.209
but apparently nobody thought of[br]digging into their modem before.
0:36:59.209,0:37:03.149
The one thing about the timing is:
0:37:03.149,0:37:05.489
Apparently, they already,[br]Kabel Deutschland,
0:37:05.489,0:37:08.649
basically already does[br]Internet for 10 years by now
0:37:08.649,0:37:13.690
and there’s very little reason to believe[br]it’s been different in the beginning.
0:37:13.690,0:37:18.740
So it was probably vulnerable[br]for about ten years.
0:37:18.740,0:37:22.330
That said, in the beginning, they[br]were not even using DOCSIS 3.0,
0:37:22.330,0:37:25.619
which did not really do real encryption,[br]so at the end of the day you could
0:37:25.619,0:37:29.640
just do whatever, any ways on the network.
0:37:29.640,0:37:35.440
Back in the day. By now,[br]it’s only halfway complicated.
0:37:35.440,0:37:37.999
Herald: Now number 1.
0:37:37.999,0:37:40.779
Q: Yes, thank you for the talk, too.
0:37:40.779,0:37:47.040
So it’s completely possible that they may[br]have not found out that somebody else
0:37:47.040,0:37:52.189
accessed this before and maybe already[br]flashed a lot of devices with another
0:37:52.189,0:37:55.760
firmware which is still[br]listening to his commands?
0:37:55.760,0:37:59.270
With the new setup. Because[br]he changed the firmware.
0:37:59.270,0:38:03.769
A: They did not… okay, they did update[br]the firmware at that one point in time
0:38:03.769,0:38:06.210
when I showed that they switched to SSH.
0:38:06.210,0:38:08.949
They did not change the[br]firmware ever since. So
0:38:08.949,0:38:13.679
all the services that I was talking about,[br]they are still running on your modem.
0:38:13.679,0:38:17.789
Q: Okay, but they can’t be sure that there[br]is another firmware by somebody else
0:38:17.789,0:38:23.190
on routers running. If somebody else[br]maybe thought of making a botnet,
0:38:23.190,0:38:26.239
before all of this came up,[br]in the last 5 years or 10 years,
0:38:26.239,0:38:28.459
and already controls some devices
0:38:28.459,0:38:32.170
and they can’t be sure that their firmware[br]is not running on those devices.
0:38:32.170,0:38:35.739
There can be still devices somewhere[br]controlled by somebody else.
0:38:35.739,0:38:38.439
A: Sure. You have to, obviously, fake[br]all the information they receive
0:38:38.439,0:38:40.999
from the modem pretty well,[br]otherwise they get you onto the
0:38:40.999,0:38:46.450
security block that I am on.[br]But if you do that correctly,
0:38:46.450,0:38:49.089
you can probably just replace[br]all the pieces of firmware,
0:38:49.089,0:38:53.459
just ignore all the updates and try to[br]behave the same way as they’d expect
0:38:53.459,0:38:55.570
and then hope that nobody finds out.
0:38:55.570,0:38:58.360
It’s entirely possible –[br]I don’t think it’s very likely
0:38:58.360,0:38:59.869
but it is definitely entirely possible.
0:38:59.869,0:39:03.269
Q: Let’s hope there are no more[br]networks like this out there.
0:39:03.269,0:39:07.099
Herald: Usually, there[br]are no 2nd questions,
0:39:07.099,0:39:11.139
so… we still got comfortable time
0:39:11.139,0:39:15.089
but try to limit yourself to one question.
0:39:15.089,0:39:17.179
Now it’s number 2.
0:39:17.179,0:39:21.029
Q: Have you tried to change your[br]MAC address on the DOCSIS level
0:39:21.029,0:39:22.710
or also for the DHCP request
0:39:22.710,0:39:25.999
or how do they do authentication[br]of the modem over the network?
0:39:25.999,0:39:30.279
A: So, the authentication[br]works using certificates.
0:39:30.279,0:39:34.389
I’m actually not sure, I haven’t[br]read the standard on that side
0:39:34.389,0:39:38.039
whether the MAC address is part[br]of the certificate. I don’t know.
0:39:38.039,0:39:42.539
If it’s not, you can easily just[br]change it. I haven’t tried.
0:39:42.539,0:39:49.289
But then again, the modems[br]are – what? – 8 Euros?
0:39:49.289,0:39:51.219
Herald: Number 7.
0:39:51.219,0:39:55.529
Q: What other recommendations[br]do you have
0:39:55.529,0:40:00.309
– if someone were to have a[br]suspicion about a vulnerability –
0:40:00.309,0:40:05.729
for the research part and[br]for the disclosure part?
0:40:05.729,0:40:09.669
A: What do you have to do… I can’t give[br]you any legal or any advice on that one.
0:40:09.669,0:40:13.089
I can tell you that getting[br]somebody involved
0:40:13.089,0:40:16.129
that has done this before[br]is a really smart idea.
0:40:16.129,0:40:18.909
Because they’ve gone[br]through a lot of pain points.
0:40:18.909,0:40:22.430
The press is even better because[br]they have a really, really big lever
0:40:22.430,0:40:25.780
nobody wants to be in the press[br]for 2 months or whatever
0:40:25.780,0:40:31.169
just on negative news that there was[br]somebody who was legitimately trying
0:40:31.169,0:40:35.360
to tell them to improve their[br]network and they sued them.
0:40:35.360,0:40:39.729
So there’s a really good chance that[br]going via the press is going to keep
0:40:39.729,0:40:43.959
problems away from you,[br]but there’s no guarantee.
0:40:43.959,0:40:50.049
I cannot give you real – I mean legal[br]or any coherent – advice on that one.
0:40:50.049,0:40:53.589
I would… I mean, if I would find such[br]a thing again, I would definitely go
0:40:53.589,0:40:57.139
the same route. I would just call[br]up Heise and tell them and…
0:40:57.139,0:41:00.259
That went pretty smoothly.
0:41:00.259,0:41:03.609
And if… I mean, the really cool thing[br]is, they actually listen to the press.
0:41:03.609,0:41:05.630
If I had gone to the service,[br]they would have just said
0:41:05.630,0:41:10.800
“Sorry, wrong number,[br]I can’t help you.”
0:41:10.800,0:41:13.519
Herald: Now the Internet.
0:41:13.519,0:41:17.199
Q: How did you obtain the[br]original data? Did you use JTAG
0:41:17.199,0:41:22.470
or dump the device’s firmware[br]and run it virtualized?
0:41:22.470,0:41:27.779
A: Ahhhhh. Not sure how much of[br]that I should actually tell everybody.
0:41:27.779,0:41:30.909
Let’s say, I replaced…
0:41:30.909,0:41:34.150
You can actually see[br]this on the slide, wait.
0:41:34.150,0:41:39.049
makes “Tchtchtchtchtch” sound
0:41:39.049,0:41:42.250
Oh my god, this is going to take forever.
0:41:42.250,0:41:46.980
Okay, dududum, where’s my[br]mouse cursor? There it is.
0:41:46.980,0:41:50.960
Okay… So, I got a[br]picture of the modem…
0:41:50.960,0:41:55.820
…here. There you go. So…
0:41:55.820,0:41:59.799
…what you can see here, down there,[br]the white and the yellow cables,
0:41:59.799,0:42:02.250
those are the serial port.
0:42:02.250,0:42:06.130
And the IDE cable up there[br]that’s where the flash chip was
0:42:06.130,0:42:09.499
before I started fiddling with the modem.[br]laughter
0:42:09.499,0:42:12.039
Now, the flash chip is actually[br]in that socket up there.
0:42:12.039,0:42:15.569
Which means I could swap the[br]flash chip between a device I own
0:42:15.569,0:42:18.050
– BeagleBone Black, for example,[br]that’s a really nice spy interface
0:42:18.050,0:42:20.479
that you could just use to write those
0:42:20.479,0:42:22.170
– and then plug it back into the modem.
0:42:22.170,0:42:28.049
So I could replace the firmware[br]and get myself an initial shell.
0:42:28.049,0:42:32.989
As I mentioned earlier, I really[br]do not like to lose Internet access.
0:42:32.989,0:42:37.790
So this is not the modem that[br]I was actually using at home.
0:42:37.790,0:42:40.769
Instead, I just used that modem[br]to fetch a firmware image
0:42:40.769,0:42:44.719
so I could then look and see[br]whether there might be other bugs
0:42:44.719,0:42:48.829
that you could use.
0:42:48.829,0:42:51.520
Herald: Now number 8.
0:42:51.520,0:42:54.789
Q: Earlier, you’ve said that[br]– who was it… –
0:42:54.789,0:42:59.469
Fritz!Box was more secure and they[br]didn’t have the same vulnerabilities.
0:42:59.469,0:43:03.079
Do you think they simply didn’t use[br]hardcoded passwords and stuff.
0:43:03.079,0:43:07.099
So do you think they’ll be vulnerable[br]to similar attacks and that someone
0:43:07.099,0:43:10.670
probably, like you wouldn’t tell them,[br]but maybe they should look into it
0:43:10.670,0:43:14.499
or do you think that it isn’t possible[br]and someone should, like, prove you wrong.
0:43:14.499,0:43:17.999
A: From all I can tell, but this is…[br]I mean, just a gut feeling that I get
0:43:17.999,0:43:20.469
from looking at different firmware files,
0:43:20.469,0:43:22.789
the usual way, at least[br]the Linux based firmware
0:43:22.789,0:43:28.629
works on those systems is[br]that there’s TI creating a BSP
0:43:28.629,0:43:31.920
then they give it out to Motorola.[br]Then Motorola gives it out to CBN.
0:43:31.920,0:43:35.729
Then CBN gives it out[br]to Kabel Deutschland.
0:43:35.729,0:43:40.829
And then, each party of those[br]adds a few pieces of stuff.
0:43:40.829,0:43:44.519
That’s the usual way it[br]works in those devices.
0:43:44.519,0:43:47.559
Whereas in the AVM boxes,[br]things looked vastly different.
0:43:47.559,0:43:49.559
There was one firmware image[br]that even contained information
0:43:49.559,0:43:51.970
for some Austrian provider.
0:43:51.970,0:43:58.040
So instead of giving full[br]control to the cable provider,
0:43:58.040,0:44:04.860
AVM kept control on their own and actually[br]audited the stuff they were doing.
0:44:04.860,0:44:07.639
That’s the major difference.
0:44:07.639,0:44:13.420
applause
0:44:13.420,0:44:16.620
Herald: One more question[br]from the Internet.
0:44:16.620,0:44:20.499
Q: Do you know if they[br]still use unencrypted SIP?
0:44:20.499,0:44:24.119
A: Oh yeah. chuckles[br]slight laughter
0:44:24.119,0:44:27.320
A: Oh yeah.[br]loud laughter
0:44:27.320,0:44:29.519
A: Nothing in the protocols[br]changed at all, whatsoever.
0:44:29.519,0:44:32.329
They really just added a few firewalls.
0:44:32.329,0:44:37.759
So once you are on the physical layer,[br]you can read everything you like, yes.
0:44:37.759,0:44:42.189
Well, and you break through[br]the DOCSIS encryption, obviously.
0:44:42.189,0:44:45.019
Herald: Now the newly adjusted number 2.
0:44:45.019,0:44:47.889
Q: Thank you. Mine is[br]not so much a question
0:44:47.889,0:44:51.149
as I’d like to add some insight[br]and perspective to this.
0:44:51.149,0:44:54.549
I, myself, worked for several ISPs
0:44:54.549,0:44:57.500
and the… we… actually[br]I worked for an ISP
0:44:57.500,0:45:01.350
that had not this particular[br]issue, but a similar issue.
0:45:01.350,0:45:04.159
The way that it was fixed and
0:45:04.159,0:45:07.030
– you can look me up, I’ve worked[br]for several ISPs, you won’t know
0:45:07.030,0:45:08.679
which one had this problem –
0:45:08.679,0:45:13.709
but what was actually the fix[br]was a simple IP check.
0:45:13.709,0:45:17.820
So once you downloaded[br]from the TFTP server,
0:45:17.820,0:45:21.519
it was just checked if you did it[br]from the IP that was suspected.
0:45:21.519,0:45:26.910
So this issue may actually be[br]reproducible if you can somehow
0:45:26.910,0:45:30.429
get hold of an IP [address][br]you weren’t supposed to have.
0:45:30.429,0:45:34.580
Like, say, spoof MAC address[br]or something like that.
0:45:34.580,0:45:39.860
That being said, I’d like to attach[br]a comment to the whole SIP thing, too.
0:45:39.860,0:45:45.439
You indicated that it’d be possible[br]to silently intercept the conversations
0:45:45.439,0:45:50.039
which is not necessarily the issue[br]because many SIP servers
0:45:50.039,0:45:52.860
can be configured[br]to allow multiple endpoints
0:45:52.860,0:45:55.879
so as the[br]– what’d you call it? –
0:45:55.879,0:45:58.419
the bad guy would be able[br]to pick up your calls,
0:45:58.419,0:46:01.209
you would also hear your[br]phone calling yourself.
0:46:01.209,0:46:04.500
A: Right, and if your phone picks[br]up within 0.01 microseconds,
0:46:04.500,0:46:06.970
then, yeah, there’s nothing[br]you can do about it.
0:46:06.970,0:46:10.070
It just rings again.[br]That’s the point about it.
0:46:10.070,0:46:13.609
Also, the other bit that[br]you have on the SIP server
0:46:13.609,0:46:17.309
is that that particular server actually[br]only allowed one endpoint
0:46:17.309,0:46:20.690
to be registered at a time.[br]At least from what I could tell.
0:46:20.690,0:46:25.170
It was some Huawei[br]box. I don’t know.
0:46:25.170,0:46:28.630
Herald: Number 3, please.
0:46:28.630,0:46:30.669
Q: Yeah, I attended this talk today
0:46:30.669,0:46:36.720
because I know that at the beginning,[br]when DOCSIS was introduced,
0:46:36.720,0:46:39.960
the modems were asking[br]for the configuration file
0:46:39.960,0:46:44.899
also over the Ethernet[br]port which is great.
0:46:44.899,0:46:48.339
And my question is:
0:46:48.339,0:46:54.479
Is there a way within the DOCSIS standard[br]so that the ISP can verify their hardware?
0:46:54.479,0:47:00.209
I mean, you… I have seen[br]the type and the vendor name
0:47:00.209,0:47:06.349
and the SNMP but you can[br]obviously spoof that.
0:47:06.349,0:47:11.490
Of course, firmware[br]binaries won’t run on the
0:47:11.490,0:47:15.360
wrong hardware, but…
0:47:15.360,0:47:17.349
A: I’m not quite sure[br]I’m getting what you’re…
0:47:17.349,0:47:21.889
Q: The question is: Is there[br]a way to control for the ISP
0:47:21.889,0:47:25.639
which hardware there is they’re using?
0:47:25.639,0:47:27.929
A: So I come from a[br]virtualization background.
0:47:27.929,0:47:31.629
And in my world, there is[br]no such thing. It doesn’t exist.
0:47:31.629,0:47:33.159
slight laughter
0:47:33.159,0:47:38.940
Sorry. If you can somehow[br]abstract it, you can abstract it.
0:47:38.940,0:47:42.839
Q: OK.[br]Herald: 8, please.
0:47:42.839,0:47:48.189
Q: Hi. I wanted to add on the[br]part with the MAC spoofing.
0:47:48.189,0:47:52.129
Because I had a modem[br]like that, like 5 years ago,
0:47:52.129,0:47:55.709
and actually I never went[br]inside the modem,
0:47:55.709,0:47:59.959
but I had some applications where[br]I needed a new IP address
0:47:59.959,0:48:02.639
in a short period of time…
0:48:02.639,0:48:06.779
loud laughter
0:48:06.779,0:48:10.339
And I remember that actually… the thing…
0:48:10.339,0:48:16.830
if you told the modem your MAC[br]address, a different MAC address,
0:48:16.830,0:48:20.979
you got different external[br]IP addresses back then.
0:48:20.979,0:48:24.359
I don’t know if things have changed[br]because it was 5 years ago
0:48:24.359,0:48:28.180
but… yeah… after what[br]I’ve heard from you,
0:48:28.180,0:48:30.619
I’m kind of unsure that things changed.
0:48:30.619,0:48:33.579
A: No, I’m fairly sure this is actually[br]accurate. From what I understand,
0:48:33.579,0:48:37.670
I never did that myself but I[br]heard from people who did,
0:48:37.670,0:48:42.789
the MAC address check and the[br]certificate check are actually separate.
0:48:42.789,0:48:47.910
So that if you own a valid certificate[br]from some random dude who happens to
0:48:47.910,0:48:52.529
actually pay for the service,[br]and you get that certificate,
0:48:52.529,0:48:55.609
and you’re not on the[br]same CMTS as that guy,
0:48:55.609,0:48:59.219
then you can actually go and, well,
0:48:59.219,0:49:03.269
basically say that you’re him even if[br]you have a different MAC address.
0:49:03.269,0:49:06.260
Which then, again, implies that if you[br]change the MAC address, you can just
0:49:06.260,0:49:09.060
be somebody else. Which[br]then again implies that…
0:49:09.060,0:49:13.609
maybe you can actually go and get[br]somebody else’s Provisioning Files, yeah.
0:49:13.609,0:49:15.449
slight laughter
0:49:15.449,0:49:18.409
Q: Well, yeah… not up to you.
0:49:18.409,0:49:20.459
A: Not going to try out.
0:49:20.459,0:49:22.319
Herald: Number 2, please.
0:49:22.319,0:49:28.009
Q: Yeah, you had this one[br]with one particular provider
0:49:28.009,0:49:30.389
and I happen to know that[br]there’s a second provider
0:49:30.389,0:49:36.019
using the same technology in Germany:[br]were they somehow involved in this loop?
0:49:36.019,0:49:40.260
I mean, it took Kabel Deutschland[br]two months to fix this and…
0:49:40.260,0:49:42.109
A: No, but they better hurry up!
0:49:42.109,0:49:45.870
laughter and applause
0:49:45.870,0:49:48.130
Q: Thanks![br]applause
0:49:48.130,0:49:53.689
A: And, quite frankly, I do not believe
0:49:53.689,0:49:58.489
that this is limited to Germany[br]at all, whatsoever.
0:49:58.489,0:50:06.949
So… Yeah. Let’s see who’s faster.
0:50:06.949,0:50:08.950
Alright, end of questions, right?[br]Or is there any…?
0:50:08.950,0:50:11.359
Herald: It looks like we’re[br]at the end of questions.
0:50:11.359,0:50:13.279
The Internet maybe…?
0:50:13.279,0:50:15.520
No, the Internet doesn’t[br]have any questions.
0:50:15.520,0:50:17.730
There are 8 empty microphones.
0:50:17.730,0:50:24.800
So thank you very much for your talk[br]and thank you very much for the Q&A.
0:50:24.800,0:50:30.954
applause
0:50:30.954,0:50:34.904
postroll music
0:50:34.904,0:50:41.841
Subtitles created by c3subtitles.de[br]in 2016. Join and help us!