[Script Info] Title: [Events] Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text Dialogue: 0,0:00:00.40,0:00:09.72,Default,,0000,0000,0000,,{\i1}32C3 preroll music{\i0} Dialogue: 0,0:00:09.72,0:00:13.68,Default,,0000,0000,0000,,Herald: The next talk is going to be\N“Beyond Your Cable Modem” Dialogue: 0,0:00:13.68,0:00:17.59,Default,,0000,0000,0000,,– how not to do DOCSIS networks. Dialogue: 0,0:00:17.59,0:00:21.76,Default,,0000,0000,0000,,Sorry, I’m not a hardware guy.\NBut Alexander Graf is going to Dialogue: 0,0:00:21.76,0:00:25.79,Default,,0000,0000,0000,,hold the talk and he has\Ndone a lot of virtualization Dialogue: 0,0:00:25.79,0:00:29.30,Default,,0000,0000,0000,,and stuff other people\Nthink is too complicated. Dialogue: 0,0:00:29.30,0:00:32.55,Default,,0000,0000,0000,,Now he is going to talk about Dialogue: 0,0:00:32.55,0:00:36.74,Default,,0000,0000,0000,,the outside of your apartment.\NGive him a warm welcome. Dialogue: 0,0:00:36.74,0:00:43.74,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:00:44.85,0:00:47.25,Default,,0000,0000,0000,,Alexander: Hi and welcome to my\Ntalk “Beyond Your Cable Modem”. Dialogue: 0,0:00:47.25,0:00:50.39,Default,,0000,0000,0000,,This is going to look at what’s beyond\Nthe stuff you usually see at home Dialogue: 0,0:00:50.39,0:00:54.42,Default,,0000,0000,0000,,where you just plug in a network cable\Nand you happen to have Internet available. Dialogue: 0,0:00:54.42,0:00:56.00,Default,,0000,0000,0000,,So, who am I? Dialogue: 0,0:00:56.00,0:00:58.60,Default,,0000,0000,0000,,I’m Alexander Graf – I’m usually\Nmore of a virtualization developer. Dialogue: 0,0:00:58.60,0:01:00.69,Default,,0000,0000,0000,,I have nothing to do with\Nhacking in my day work, Dialogue: 0,0:01:00.69,0:01:04.61,Default,,0000,0000,0000,,I don’t usually go around and\Nhack embedded devices. Dialogue: 0,0:01:04.61,0:01:06.44,Default,,0000,0000,0000,,Usually, at least. 
Dialogue: 0,0:01:06.44,0:01:09.37,Default,,0000,0000,0000,,But, during the last year, I had\Na lot of spare time at night Dialogue: 0,0:01:09.37,0:01:11.67,Default,,0000,0000,0000,,because the baby was\Ncrying, so I figured: Dialogue: 0,0:01:11.67,0:01:17.01,Default,,0000,0000,0000,,I could as well spend that time\Nand do something useful. Dialogue: 0,0:01:17.01,0:01:19.93,Default,,0000,0000,0000,,So, what happened?\NWe moved to a new home. Dialogue: 0,0:01:19.93,0:01:22.79,Default,,0000,0000,0000,,I was living in a home\Nwhere I had DSL available, Dialogue: 0,0:01:22.79,0:01:26.54,Default,,0000,0000,0000,,I had a real phone line, everything\Nwas great, things were just awesome. Dialogue: 0,0:01:26.54,0:01:32.40,Default,,0000,0000,0000,,But then we moved into\Nthis new home where… Dialogue: 0,0:01:32.40,0:01:35.39,Default,,0000,0000,0000,,where there was no DSL available. Well,\Nthere was DSL available but there were Dialogue: 0,0:01:35.39,0:01:39.89,Default,,0000,0000,0000,,different circumstances why I couldn’t use\Nit. So instead, I figured: You know what? Dialogue: 0,0:01:39.89,0:01:43.94,Default,,0000,0000,0000,,Try this cool new technology:\NInternet over your cable TV. Dialogue: 0,0:01:43.94,0:01:46.10,Default,,0000,0000,0000,,Ehh, cable. TV cable. Dialogue: 0,0:01:46.10,0:01:48.87,Default,,0000,0000,0000,,So I got myself a cable\Nmodem from the provider, Dialogue: 0,0:01:48.87,0:01:52.69,Default,,0000,0000,0000,,got myself registered and\Nnow had Internet over cable TV. Dialogue: 0,0:01:52.69,0:01:56.65,Default,,0000,0000,0000,,Also, along the same lines, I figured: Dialogue: 0,0:01:56.65,0:01:59.82,Default,,0000,0000,0000,,Why not go and also do your phone\Nline over that cable provider Dialogue: 0,0:01:59.82,0:02:04.53,Default,,0000,0000,0000,,with your old phone number so that people\Nstill can contact you when they want to. 
Dialogue: 0,0:02:04.53,0:02:08.20,Default,,0000,0000,0000,,Now, the thing is, when I finally\Nreceived the whole package, Dialogue: 0,0:02:08.20,0:02:12.22,Default,,0000,0000,0000,,I realized: Woh! Wait!\NSomething’s wrong here! Dialogue: 0,0:02:12.22,0:02:18.95,Default,,0000,0000,0000,,That’s an analogue phone line!\NAre we, like, in 2015 or is it 1994? Dialogue: 0,0:02:18.95,0:02:21.66,Default,,0000,0000,0000,,So, instead of the usual digital\Nstuff that I am used to, Dialogue: 0,0:02:21.66,0:02:25.03,Default,,0000,0000,0000,,I just got myself an analogue phone line. Dialogue: 0,0:02:25.03,0:02:27.88,Default,,0000,0000,0000,,So I had to put myself\Nanother box in there Dialogue: 0,0:02:27.88,0:02:30.60,Default,,0000,0000,0000,,that would convert the analogue phone\Nline back to a digital phone line, Dialogue: 0,0:02:30.60,0:02:33.25,Default,,0000,0000,0000,,so I could route it in my house to\Nanother line, to another machine Dialogue: 0,0:02:33.25,0:02:36.27,Default,,0000,0000,0000,,that would then go and\Nroute it to my phone. Dialogue: 0,0:02:36.27,0:02:38.35,Default,,0000,0000,0000,,You see the problem in there? Dialogue: 0,0:02:38.35,0:02:41.86,Default,,0000,0000,0000,,Yeah, that whole stuff over there\Njust doesn’t look right, right? Dialogue: 0,0:02:41.86,0:02:45.09,Default,,0000,0000,0000,,Why would you go and convert\Nsomething that is obviously digital? Dialogue: 0,0:02:45.09,0:02:48.20,Default,,0000,0000,0000,,I mean, the stuff that goes into\Nyour cable is obviously digital, right? Dialogue: 0,0:02:48.20,0:02:50.15,Default,,0000,0000,0000,,Kind of obvious… Dialogue: 0,0:02:50.15,0:02:52.64,Default,,0000,0000,0000,,and convert it back to analogue\Nand then back to digital Dialogue: 0,0:02:52.64,0:02:55.21,Default,,0000,0000,0000,,just to be able to do a phone call. Dialogue: 0,0:02:55.21,0:02:59.99,Default,,0000,0000,0000,,So I called up the technicians, Support,\Nand said: “Hey guys, you know what? 
Dialogue: 0,0:02:59.99,0:03:02.52,Default,,0000,0000,0000,,Isn’t there a way I can,\Nlike, directly access Dialogue: 0,0:03:02.52,0:03:07.72,Default,,0000,0000,0000,,whatever you have there and go\Nand use digital throughout?” Dialogue: 0,0:03:07.72,0:03:10.97,Default,,0000,0000,0000,,And the guy said: “Well, you know what?\NActually, behind the scenes, Dialogue: 0,0:03:10.97,0:03:14.39,Default,,0000,0000,0000,,we’re all just running SIP.\NIt’s just a normal SIP server. Dialogue: 0,0:03:14.39,0:03:17.36,Default,,0000,0000,0000,,Just normal voice-over-IP,\Nnothing special about it. Dialogue: 0,0:03:17.36,0:03:22.80,Default,,0000,0000,0000,,So, if you know what you’re doing,\Njust go ahead and connect to it.” Dialogue: 0,0:03:22.80,0:03:31.69,Default,,0000,0000,0000,,{\i1}laughter and applause{\i0} Dialogue: 0,0:03:31.69,0:03:34.58,Default,,0000,0000,0000,,Challenge accepted. Dialogue: 0,0:03:34.58,0:03:39.53,Default,,0000,0000,0000,,So, what we learned from\NFelix earlier in his car talk: Dialogue: 0,0:03:39.53,0:03:42.22,Default,,0000,0000,0000,,It was: What do you do when you\Ndon’t want to brick your own system? Dialogue: 0,0:03:42.22,0:03:45.67,Default,,0000,0000,0000,,Of course, you buy a new one\Non ebay. They’re really cheap, Dialogue: 0,0:03:45.67,0:03:49.70,Default,,0000,0000,0000,,just go and get a cable modem\Nand then you can go away and Dialogue: 0,0:03:49.70,0:03:53.33,Default,,0000,0000,0000,,treat it with the kind of love that you\Nwant a device to be treated with. Dialogue: 0,0:03:53.33,0:03:55.98,Default,,0000,0000,0000,,{\i1}laughter{\i0} Dialogue: 0,0:03:55.98,0:04:00.04,Default,,0000,0000,0000,,Turns out, my modem is actually\Njust running Linux. Hooh! Nice! Dialogue: 0,0:04:00.04,0:04:02.42,Default,,0000,0000,0000,,That fits me pretty well! Dialogue: 0,0:04:02.42,0:04:05.27,Default,,0000,0000,0000,,And it’s just a normal ARM system. Dialogue: 0,0:04:05.27,0:04:07.45,Default,,0000,0000,0000,,Well, the only special\Nthing is: It’s Big-Endian. 
Dialogue: 0,0:04:07.45,0:04:11.87,Default,,0000,0000,0000,,But then again, I’m kind of used to\NARM by now, why not just go away Dialogue: 0,0:04:11.87,0:04:14.66,Default,,0000,0000,0000,,and like go around and just\Nlook at how this thing works. Dialogue: 0,0:04:14.66,0:04:18.34,Default,,0000,0000,0000,,And, well, we really just want to\Nget this voice-over-IP stuff working, Dialogue: 0,0:04:18.34,0:04:22.34,Default,,0000,0000,0000,,so take a look at how this\Nvoice-over-IP stuff works on the device! Dialogue: 0,0:04:22.34,0:04:24.48,Default,,0000,0000,0000,,Turns out, there’s actually a normal SIP. Dialogue: 0,0:04:24.48,0:04:28.54,Default,,0000,0000,0000,,SIP works on port 5060 usually. Dialogue: 0,0:04:28.54,0:04:33.42,Default,,0000,0000,0000,,Normal SIP client running on\Nthere, but this IP looks weird. Dialogue: 0,0:04:33.42,0:04:35.49,Default,,0000,0000,0000,,So, my external IP looks different. Dialogue: 0,0:04:35.49,0:04:40.92,Default,,0000,0000,0000,,And my internal IP is different, so\Nwhere does this IP come from? Dialogue: 0,0:04:40.92,0:04:44.13,Default,,0000,0000,0000,,So I looked at the IP list\Nof my device and figured: Dialogue: 0,0:04:44.13,0:04:47.73,Default,,0000,0000,0000,,Well, something’s weird here. I have\Na lot of IPs in there and connections Dialogue: 0,0:04:47.73,0:04:52.96,Default,,0000,0000,0000,,that I really don’t know\Nanything about. Hm. Dialogue: 0,0:04:52.96,0:04:56.90,Default,,0000,0000,0000,,So down here, is obviously my phone line. Dialogue: 0,0:04:56.90,0:05:02.85,Default,,0000,0000,0000,,And up here, is something else\Nthat I have no idea what this is about. Dialogue: 0,0:05:02.85,0:05:06.75,Default,,0000,0000,0000,,So I figured: Let’s go\Nand dig a bit deeper. Dialogue: 0,0:05:06.75,0:05:09.81,Default,,0000,0000,0000,,And see what’s actually happening there. 
Dialogue: 0,0:05:09.81,0:05:13.81,Default,,0000,0000,0000,,So how does DOCSIS work?\NThis is just a small introduction, Dialogue: 0,0:05:13.81,0:05:16.82,Default,,0000,0000,0000,,like high-level introduction,\Non how the routing runs. Dialogue: 0,0:05:16.82,0:05:21.70,Default,,0000,0000,0000,,So basically, you have the cable modem\Nthat is connected using your TV cable line Dialogue: 0,0:05:21.70,0:05:25.97,Default,,0000,0000,0000,,to a CMTS, just a translation service, Dialogue: 0,0:05:25.97,0:05:29.84,Default,,0000,0000,0000,,that then takes all of the DOCSIS-specific\Nstuff and just basically gives you Dialogue: 0,0:05:29.84,0:05:35.85,Default,,0000,0000,0000,,an IP routing over into something-\Nsomething-something behind it. Dialogue: 0,0:05:35.85,0:05:39.50,Default,,0000,0000,0000,,However, it doesn’t just give you one\Nline. It actually gives you three. Dialogue: 0,0:05:39.50,0:05:42.69,Default,,0000,0000,0000,,It gives you one line for your Internet.\NMakes sense, right? You want Dialogue: 0,0:05:42.69,0:05:46.28,Default,,0000,0000,0000,,to get online. That’s the one you actually\Nsee when you plug into the device. Dialogue: 0,0:05:46.28,0:05:49.30,Default,,0000,0000,0000,,It also gives you another line for VoIP. Dialogue: 0,0:05:49.30,0:05:51.69,Default,,0000,0000,0000,,And it gives you one more line\Nthat I would call the “Admin” line. Dialogue: 0,0:05:51.69,0:05:55.71,Default,,0000,0000,0000,,It’s the provisioning line. Dialogue: 0,0:05:55.71,0:05:59.55,Default,,0000,0000,0000,,Now, let’s start with the Admin line.\NThat sounds the most interesting, right? Dialogue: 0,0:05:59.55,0:06:00.92,Default,,0000,0000,0000,,{\i1}laughter{\i0} Dialogue: 0,0:06:00.92,0:06:03.82,Default,,0000,0000,0000,,What does the Admin line do? Dialogue: 0,0:06:03.82,0:06:09.08,Default,,0000,0000,0000,,Well, in the end, a modem in the DOCSIS\Nnetwork is just a normal client Dialogue: 0,0:06:09.08,0:06:11.16,Default,,0000,0000,0000,,like in your Ethernet network. 
Dialogue: 0,0:06:11.16,0:06:13.89,Default,,0000,0000,0000,,So the first thing it does\Nwhen it gets online is: Dialogue: 0,0:06:13.89,0:06:16.75,Default,,0000,0000,0000,,it does a DHCP request.\NAnd on the DHCP request Dialogue: 0,0:06:16.75,0:06:20.23,Default,,0000,0000,0000,,it goes and gets an IP address\Nand gets all the information it needs. Dialogue: 0,0:06:20.23,0:06:25.34,Default,,0000,0000,0000,,And it also, well, it’s kind of sane,\Nit’s just a normal DHCP request. Dialogue: 0,0:06:25.34,0:06:28.95,Default,,0000,0000,0000,,It also, however, gets something\Nsimilar to PXE booting Dialogue: 0,0:06:28.95,0:06:32.96,Default,,0000,0000,0000,,where it gets usually… in PXE booting you\Nwould get an executable that you’d run, Dialogue: 0,0:06:32.96,0:06:35.71,Default,,0000,0000,0000,,here, you get something different.\NHere, you also get a file Dialogue: 0,0:06:35.71,0:06:39.16,Default,,0000,0000,0000,,that you need to download\Nusing TFTP just like with PXE. Dialogue: 0,0:06:39.16,0:06:44.77,Default,,0000,0000,0000,,However, in this case,\Nit’s a configuration file… Dialogue: 0,0:06:44.77,0:06:46.90,Default,,0000,0000,0000,,– There you go –\N…configuration file… Dialogue: 0,0:06:46.90,0:06:50.11,Default,,0000,0000,0000,,…that you just receive using\NPXE to your cable modem; Dialogue: 0,0:06:50.11,0:06:52.99,Default,,0000,0000,0000,,and then, the cable modem is configured. Dialogue: 0,0:06:52.99,0:06:56.68,Default,,0000,0000,0000,,Now what is inside this Provisioning\NFile, that’s what I call it? Well, Dialogue: 0,0:06:56.68,0:07:01.36,Default,,0000,0000,0000,,there’s interesting information like: What\Nis your firmware update filename called? Dialogue: 0,0:07:01.36,0:07:04.53,Default,,0000,0000,0000,,If you want to update your firmware\Nor if the provider wants to have you Dialogue: 0,0:07:04.53,0:07:09.80,Default,,0000,0000,0000,,update your firmware.\NHow much bandwidth do I have? 
Dialogue: 0,0:07:09.80,0:07:14.19,Default,,0000,0000,0000,,{\i1}laughter{\i0} Dialogue: 0,0:07:14.19,0:07:17.37,Default,,0000,0000,0000,,I hear, people have been\Nplaying with that one… Dialogue: 0,0:07:17.37,0:07:20.29,Default,,0000,0000,0000,,{\i1}laughter{\i0} Dialogue: 0,0:07:20.29,0:07:23.75,Default,,0000,0000,0000,,And, well, since it’s just a normal TFTP\Nrequest you can just do it yourself, too. Dialogue: 0,0:07:23.75,0:07:28.50,Default,,0000,0000,0000,,This is my configuration. You just go, get\Nit, and you have your configuration file. Dialogue: 0,0:07:28.50,0:07:34.22,Default,,0000,0000,0000,,Now, the interesting thing that I realized\Nwhen I first started doing this was: Dialogue: 0,0:07:34.22,0:07:36.100,Default,,0000,0000,0000,,Sure, this is my configuration file.\NBut what about configuration files Dialogue: 0,0:07:36.100,0:07:42.08,Default,,0000,0000,0000,,from other people? Well, you\Ngo and get the MAC address, Dialogue: 0,0:07:42.08,0:07:44.56,Default,,0000,0000,0000,,if you have the MAC address you\Njust go and get it and there you go: Dialogue: 0,0:07:44.56,0:07:47.34,Default,,0000,0000,0000,,You have the other people’s\Nconfiguration file. Dialogue: 0,0:07:47.34,0:07:48.46,Default,,0000,0000,0000,,{\i1}laughter{\i0} Dialogue: 0,0:07:48.46,0:07:51.44,Default,,0000,0000,0000,,Easy as that, right? That’s the\Nway it’s supposed to work. Dialogue: 0,0:07:51.44,0:07:58.44,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:07:59.69,0:08:03.10,Default,,0000,0000,0000,,The actual effects of that,\Nwe’re going to come to that later. Dialogue: 0,0:08:03.10,0:08:05.91,Default,,0000,0000,0000,,Let’s just declare TFTP,\Nthe whole access to that, Dialogue: 0,0:08:05.91,0:08:08.92,Default,,0000,0000,0000,,as “slightly insecure” for now. Dialogue: 0,0:08:08.92,0:08:11.84,Default,,0000,0000,0000,,{\i1}laughter{\i0} Dialogue: 0,0:08:11.84,0:08:16.33,Default,,0000,0000,0000,,But now, if you’re an ISP, you want to\Nmonitor what your people do, right? 
Dialogue: 0,0:08:16.33,0:08:18.91,Default,,0000,0000,0000,,So imagine, you’re the admin there. Dialogue: 0,0:08:18.91,0:08:21.62,Default,,0000,0000,0000,,Just imagine, you’re one\Nof the good guys, right? Dialogue: 0,0:08:21.62,0:08:24.65,Default,,0000,0000,0000,,And you want to see what are those\Npeople on your modem doing. Dialogue: 0,0:08:24.65,0:08:27.06,Default,,0000,0000,0000,,Are they, like, downloading\Ntoo much content? Dialogue: 0,0:08:27.06,0:08:32.41,Default,,0000,0000,0000,,Because you obviously cannot filter\Nor find that out from the other side. Dialogue: 0,0:08:32.41,0:08:35.89,Default,,0000,0000,0000,,So, what do you do? Well, you obviously\Nsend the industry standard for that: Dialogue: 0,0:08:35.89,0:08:42.13,Default,,0000,0000,0000,,An SNMP request. Using a\Npassword that only you know. Dialogue: 0,0:08:42.13,0:08:47.22,Default,,0000,0000,0000,,{\i1}laughter{\i0} Dialogue: 0,0:08:47.22,0:08:50.19,Default,,0000,0000,0000,,Send it over to the cable modem\Nand the cable modem then goes in Dialogue: 0,0:08:50.19,0:08:54.01,Default,,0000,0000,0000,,and replies with the respective\Nreply saying “Oh, yeah, sure, Dialogue: 0,0:08:54.01,0:08:57.25,Default,,0000,0000,0000,,I got that piece of information,\Nthere you go, you have it.” Dialogue: 0,0:08:57.25,0:09:00.58,Default,,0000,0000,0000,,Oh, that was too quick! Dialogue: 0,0:09:00.58,0:09:07.58,Default,,0000,0000,0000,,But how does your modem\Nactually verify that password? Dialogue: 0,0:09:07.94,0:09:10.74,Default,,0000,0000,0000,,Yeah, you guessed right: Using\Nthe Provisioning File, obviously! Dialogue: 0,0:09:10.74,0:09:12.81,Default,,0000,0000,0000,,{\i1}laughter{\i0} Dialogue: 0,0:09:12.81,0:09:17.01,Default,,0000,0000,0000,,Once you download the Provisioning File\Nfrom any random modem in there Dialogue: 0,0:09:17.01,0:09:22.64,Default,,0000,0000,0000,,– including yours – you end up\Ngetting an interesting password. 
Dialogue: 0,0:09:22.64,0:09:27.80,Default,,0000,0000,0000,,{\i1}laughter{\i0} Dialogue: 0,0:09:27.80,0:09:30.48,Default,,0000,0000,0000,,However, they actually\Ndid at least one thing: Dialogue: 0,0:09:30.48,0:09:35.15,Default,,0000,0000,0000,,They limited the address range you are\Nallowed to access those devices on. Dialogue: 0,0:09:35.15,0:09:39.54,Default,,0000,0000,0000,,{\i1}laughter{\i0} Dialogue: 0,0:09:39.54,0:09:46.54,Default,,0000,0000,0000,,Yeah…\N{\i1}applause{\i0} Dialogue: 0,0:09:47.09,0:09:50.21,Default,,0000,0000,0000,,As a hint for those who did not clap: Dialogue: 0,0:09:50.21,0:09:54.74,Default,,0000,0000,0000,,This means, everybody\Nwho is in that network. Dialogue: 0,0:09:54.74,0:09:57.25,Default,,0000,0000,0000,,But how big is this network? Dialogue: 0,0:09:57.25,0:10:01.52,Default,,0000,0000,0000,,I figured: Why not just give it a try\Nand ask some people in Hannover Dialogue: 0,0:10:01.52,0:10:03.93,Default,,0000,0000,0000,,whether I could just get\Ntheir MAC addresses Dialogue: 0,0:10:03.93,0:10:06.85,Default,,0000,0000,0000,,and see how far I could get. Dialogue: 0,0:10:06.85,0:10:10.92,Default,,0000,0000,0000,,Just send an SNMP request over,\NI had the password now, right? Dialogue: 0,0:10:10.92,0:10:15.06,Default,,0000,0000,0000,,And ask that modem: Dialogue: 0,0:10:15.06,0:10:18.38,Default,,0000,0000,0000,,“Please tell me everything you know!” Dialogue: 0,0:10:18.38,0:10:22.77,Default,,0000,0000,0000,,And it replied!\N{\i1}laughter{\i0} Dialogue: 0,0:10:22.77,0:10:25.13,Default,,0000,0000,0000,,There’s a lot of interesting information,\NSNMP, you wouldn’t believe it! Dialogue: 0,0:10:25.13,0:10:28.88,Default,,0000,0000,0000,,So this is obviously just stuff like\N“Oh, yeah, I’m this and that modem!” Dialogue: 0,0:10:28.88,0:10:31.16,Default,,0000,0000,0000,,But there’s more in there.\NThere’s, for example… Dialogue: 0,0:10:31.16,0:10:34.28,Default,,0000,0000,0000,,this is my public IP address! 
Dialogue: 0,0:10:34.28,0:10:38.17,Default,,0000,0000,0000,,– in case you’re searching\Nfor someone specific. Or… Dialogue: 0,0:10:38.17,0:10:41.25,Default,,0000,0000,0000,,these are my internal MAC\Naddresses and IP addresses. Dialogue: 0,0:10:41.25,0:10:43.79,Default,,0000,0000,0000,,In case you’re searching for some\Nspecific notebook that someone Dialogue: 0,0:10:43.79,0:10:49.53,Default,,0000,0000,0000,,stole from you or so.\N{\i1}laughter{\i0} Dialogue: 0,0:10:49.53,0:10:53.39,Default,,0000,0000,0000,,Or… this is my Provisioning File, in\Ncase you just happened to port scan Dialogue: 0,0:10:53.39,0:10:56.11,Default,,0000,0000,0000,,all of the machines out there and\Nask them using the same password Dialogue: 0,0:10:56.11,0:11:01.04,Default,,0000,0000,0000,,that they all share on what their\NProvisioning Files could be called. Dialogue: 0,0:11:01.04,0:11:02.41,Default,,0000,0000,0000,,{\i1}clears throat{\i0} Dialogue: 0,0:11:02.41,0:11:04.60,Default,,0000,0000,0000,,Of course, I never did that. Right? Dialogue: 0,0:11:04.60,0:11:08.04,Default,,0000,0000,0000,,{\i1}laughter{\i0} Dialogue: 0,0:11:08.04,0:11:15.04,Default,,0000,0000,0000,,So, I would say, the whole SNMP story\Nisn’t “really” all that secure either. Dialogue: 0,0:11:15.97,0:11:19.61,Default,,0000,0000,0000,,But at a certain point in time, like when\Nthe modem actually doesn’t work Dialogue: 0,0:11:19.61,0:11:22.31,Default,,0000,0000,0000,,like the way you would envision\Nit to be or if you just need to do Dialogue: 0,0:11:22.31,0:11:25.99,Default,,0000,0000,0000,,more administrative stuff, the admin wants\Nto have more access than just SNMP, right? Dialogue: 0,0:11:25.99,0:11:31.02,Default,,0000,0000,0000,,This is kind of isolated to a few\Nspecific pieces of information. Dialogue: 0,0:11:31.02,0:11:36.94,Default,,0000,0000,0000,,You want some more hardcore access.\NLike real go down into a real shell. 
Dialogue: 0,0:11:36.94,0:11:40.43,Default,,0000,0000,0000,,How do you do shells in 2015?\NAudience: TELNET! Dialogue: 0,0:11:40.43,0:11:44.47,Default,,0000,0000,0000,,Alexander: Telnet. Exactly!\N{\i1}laughter{\i0} Dialogue: 0,0:11:44.47,0:11:51.47,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:11:52.65,0:11:58.82,Default,,0000,0000,0000,,We’ll actually get to the point why\NTelnet was a good idea later, but… Dialogue: 0,0:11:58.82,0:12:04.26,Default,,0000,0000,0000,,that’s 30 slides down or so. Dialogue: 0,0:12:04.26,0:12:07.42,Default,,0000,0000,0000,,We already managed to get an SNMP\Nconnection working to a different modem, Dialogue: 0,0:12:07.42,0:12:12.66,Default,,0000,0000,0000,,let’s just try the same with Telnet\Nand see how far we can get. Dialogue: 0,0:12:12.66,0:12:19.09,Default,,0000,0000,0000,,We can go in and just Telnet in and it\Nreplies and says “please give me a login” Dialogue: 0,0:12:19.09,0:12:23.93,Default,,0000,0000,0000,,Hm. Now where do I get this login from? Dialogue: 0,0:12:23.93,0:12:26.16,Default,,0000,0000,0000,,{\i1}laughter{\i0} Dialogue: 0,0:12:26.16,0:12:29.90,Default,,0000,0000,0000,,Turns out, the administrator needs to\Nprovide that password just the same Dialogue: 0,0:12:29.90,0:12:33.10,Default,,0000,0000,0000,,to the modem, which needs to verify it. Dialogue: 0,0:12:33.10,0:12:37.55,Default,,0000,0000,0000,,Based on configuration. Which it gets\Nfrom the Provisioning File. That… Dialogue: 0,0:12:37.55,0:12:41.49,Default,,0000,0000,0000,,I think you see the point. Dialogue: 0,0:12:41.49,0:12:44.68,Default,,0000,0000,0000,,So in the same Provisioning File that you\Ncan obviously again download for every Dialogue: 0,0:12:44.68,0:12:49.88,Default,,0000,0000,0000,,single user in the network\Nyou also have the password. Dialogue: 0,0:12:49.88,0:12:52.98,Default,,0000,0000,0000,,In plaintext. Dialogue: 0,0:12:52.98,0:12:56.25,Default,,0000,0000,0000,,That’s the part that actually took\Nme the longest in this whole thing. 
Dialogue: 0,0:12:56.25,0:12:59.98,Default,,0000,0000,0000,,I spent weeks trying to\Nfigure out what hash this is. Dialogue: 0,0:12:59.98,0:13:05.21,Default,,0000,0000,0000,,{\i1}raging laughter{\i0} Dialogue: 0,0:13:05.21,0:13:11.55,Default,,0000,0000,0000,,{\i1}big applause{\i0} Dialogue: 0,0:13:11.55,0:13:15.88,Default,,0000,0000,0000,,So if we try to log in to the server\Nusing those credentials we got, Dialogue: 0,0:13:15.88,0:13:18.20,Default,,0000,0000,0000,,we get greeted with a nice\Ncommand line interface Dialogue: 0,0:13:18.20,0:13:22.18,Default,,0000,0000,0000,,for poor Mr. Admin at our provider’s side. Dialogue: 0,0:13:22.18,0:13:26.54,Default,,0000,0000,0000,,But I don’t really like those,\Nlike, boiled-down interfaces. Dialogue: 0,0:13:26.54,0:13:29.21,Default,,0000,0000,0000,,I want a real shell.\NI want to load kernel modules. Dialogue: 0,0:13:29.21,0:13:31.73,Default,,0000,0000,0000,,I want to filter all my network traffic. Dialogue: 0,0:13:31.73,0:13:35.73,Default,,0000,0000,0000,,I want to reroute everything that\Nmodem does to a different machine. Dialogue: 0,0:13:35.73,0:13:41.11,Default,,0000,0000,0000,,I want to rewrite the VoIP\Nclient to instead do… either way! Dialogue: 0,0:13:41.11,0:13:44.52,Default,,0000,0000,0000,,So I want to do something real.\NLet’s do the help command Dialogue: 0,0:13:44.52,0:13:47.48,Default,,0000,0000,0000,,and it tells us that there’s a\Ncool command called “shell”. Dialogue: 0,0:13:47.48,0:13:49.55,Default,,0000,0000,0000,,{\i1}laughter{\i0} Dialogue: 0,0:13:49.55,0:13:52.89,Default,,0000,0000,0000,,Ah yeah, there you go, got a shell! Dialogue: 0,0:13:52.89,0:13:57.07,Default,,0000,0000,0000,,By now, at that point, I can actually\Ngo and do anything I want to that modem. Dialogue: 0,0:13:57.07,0:14:01.76,Default,,0000,0000,0000,,I got full root access. 
By the way,\Nall the modems run every single Dialogue: 0,0:14:01.76,0:14:05.39,Default,,0000,0000,0000,,piece of software running on there,\Nincluding your web server and your Dialogue: 0,0:14:05.39,0:14:11.28,Default,,0000,0000,0000,,SIP server and anything as UID 0.\NWhich is a good idea, right? Dialogue: 0,0:14:11.28,0:14:14.68,Default,,0000,0000,0000,,So, I now got shell access so\NI can do anything I want. Dialogue: 0,0:14:14.68,0:14:18.51,Default,,0000,0000,0000,,I can re-route all your traffic,\NI don’t, obviously, but Dialogue: 0,0:14:18.51,0:14:21.98,Default,,0000,0000,0000,,this is basically where we\Nwent half a year ago. Dialogue: 0,0:14:21.98,0:14:25.39,Default,,0000,0000,0000,,Another thing to note is that\N– since it’s so annoying to generate Dialogue: 0,0:14:25.39,0:14:29.66,Default,,0000,0000,0000,,different passwords for different devices… Dialogue: 0,0:14:29.66,0:14:31.78,Default,,0000,0000,0000,,Yeah, yeah, I know. Dialogue: 0,0:14:31.78,0:14:36.08,Default,,0000,0000,0000,,You just use one password\Nfor all, right? It’s good enough. Dialogue: 0,0:14:36.08,0:14:42.62,Default,,0000,0000,0000,,So you don’t even have to read your\Nother person’s Provisioning File, Dialogue: 0,0:14:42.62,0:14:45.04,Default,,0000,0000,0000,,you can just use your own password\Nthat is in your own Provisioning File Dialogue: 0,0:14:45.04,0:14:50.33,Default,,0000,0000,0000,,which you already have on your modem\Nbecause you’re provisioned yourself. Dialogue: 0,0:14:50.33,0:14:54.30,Default,,0000,0000,0000,,The only notable exception that\NI found to this whole scheme Dialogue: 0,0:14:54.30,0:14:57.69,Default,,0000,0000,0000,,– I mean, you could basically go\Nand log in to any modem out there, Dialogue: 0,0:14:57.69,0:15:02.14,Default,,0000,0000,0000,,except for Fritz!Boxes.\N{\i1}applause{\i0} Dialogue: 0,0:15:02.14,0:15:07.92,Default,,0000,0000,0000,,Yeah, congratulations everyone! Kudos! 
Dialogue: 0,0:15:07.92,0:15:11.57,Default,,0000,0000,0000,,So, apparently, AVM are the only ones\Nwho did not follow the standard scheme Dialogue: 0,0:15:11.57,0:15:15.48,Default,,0000,0000,0000,,from my provider and instead said: “No\Nno no, guys! You don’t do the firmware. Dialogue: 0,0:15:15.48,0:15:20.17,Default,,0000,0000,0000,,WE do the firmware”, and they just\Ndon’t like to enable Telnet. Apparently Dialogue: 0,0:15:20.17,0:15:25.43,Default,,0000,0000,0000,,there are people in that company that\Nactually know what they’re doing. Dialogue: 0,0:15:25.43,0:15:31.01,Default,,0000,0000,0000,,So, I would say the whole Telnet\Naccess thing isn’t exactly… Dialogue: 0,0:15:31.01,0:15:36.66,Default,,0000,0000,0000,,I wouldn’t mark it “secure”\Neither. Naahhh… naaah… Dialogue: 0,0:15:36.66,0:15:39.24,Default,,0000,0000,0000,,But we didn’t really come here\Nfor the Admin network, right? Dialogue: 0,0:15:39.24,0:15:45.02,Default,,0000,0000,0000,,I was just… it happened to be around.\NI just looked at it and… njeeeeeh. Dialogue: 0,0:15:45.02,0:15:48.42,Default,,0000,0000,0000,,We wanted to go and do\Nvoice-over-IP! Hah! Dialogue: 0,0:15:48.42,0:15:52.03,Default,,0000,0000,0000,,Yeah, so how does VoIP look\Nlike? It’s kind of similar. Dialogue: 0,0:15:52.03,0:15:54.13,Default,,0000,0000,0000,,It also does a DHCP\Nrequest in the beginning. Dialogue: 0,0:15:54.13,0:15:59.60,Default,,0000,0000,0000,,DHCP is usually fine, I mark\Nit with a green tick here. Dialogue: 0,0:15:59.60,0:16:04.77,Default,,0000,0000,0000,,I’ll leave it to others to further\Ndig down into that part. 
Dialogue: 0,0:16:04.77,0:16:09.69,Default,,0000,0000,0000,,It does the same TFTP bit so if you just\Ngo and – instead of downloading your Dialogue: 0,0:16:09.69,0:16:16.66,Default,,0000,0000,0000,,Provisioning File from your own modem,\Nfrom the RAN, from the admin network – Dialogue: 0,0:16:16.66,0:16:23.20,Default,,0000,0000,0000,,you just go and get it from the other MAC\Naddress and there you go, you have it. Dialogue: 0,0:16:23.20,0:16:29.25,Default,,0000,0000,0000,,Nicely enough, all those cable providers\Nregistered consecutive MAC addresses, Dialogue: 0,0:16:29.25,0:16:35.77,Default,,0000,0000,0000,,so if you have one,\Nyou also have the others. Dialogue: 0,0:16:35.77,0:16:40.07,Default,,0000,0000,0000,,Just… You basically just ask a friend:\N“Give me your MAC address that’s Dialogue: 0,0:16:40.07,0:16:44.09,Default,,0000,0000,0000,,written on the box” and you basically\Nhave everything you need. Dialogue: 0,0:16:44.09,0:16:46.76,Default,,0000,0000,0000,,SNMP is the same thing.\NYou can access it using SNMP. Dialogue: 0,0:16:46.76,0:16:49.28,Default,,0000,0000,0000,,The really nice thing about\NSNMP here is that the box also Dialogue: 0,0:16:49.28,0:16:53.98,Default,,0000,0000,0000,,tells you the other accesses it has, so\Nif you only have one IP address, or… Dialogue: 0,0:16:53.98,0:16:57.95,Default,,0000,0000,0000,,I also have a nice DNS service internally\Nthat tells you what the IP address is Dialogue: 0,0:16:57.95,0:17:01.21,Default,,0000,0000,0000,,to a certain MAC address, so you just\Nask the DNS for the MAC address of Dialogue: 0,0:17:01.21,0:17:09.41,Default,,0000,0000,0000,,the VoIP access, then you go and\NSNMP, ask it for the IP address Dialogue: 0,0:17:09.41,0:17:14.17,Default,,0000,0000,0000,,of the admin network, and\Nthere you go. You’re in the box. Dialogue: 0,0:17:14.17,0:17:17.94,Default,,0000,0000,0000,,However, the really interesting bit\Non the voice-over-IP network is SIP. 
Dialogue: 0,0:17:17.94,0:17:22.33,Default,,0000,0000,0000,,Since… you want to do VoIP, right?\NThat’s what the whole thing is about. Dialogue: 0,0:17:22.33,0:17:28.33,Default,,0000,0000,0000,,So VoIP basically works… the way that your\Nmodem wants to go and do a phone call. Dialogue: 0,0:17:28.33,0:17:30.73,Default,,0000,0000,0000,,So how do you do a phone call with SIP? Dialogue: 0,0:17:30.73,0:17:38.69,Default,,0000,0000,0000,,You need to provide data like credentials,\Nlike, tell the other side, the server, Dialogue: 0,0:17:38.69,0:17:40.47,Default,,0000,0000,0000,,how you authenticate yourself. Dialogue: 0,0:17:40.47,0:17:43.89,Default,,0000,0000,0000,,Which, obviously, is written\Nin your Provisioning File. Dialogue: 0,0:17:43.89,0:17:47.64,Default,,0000,0000,0000,,So, you use those and tell the\Nserver: “I want to do a phone call” Dialogue: 0,0:17:47.64,0:17:49.58,Default,,0000,0000,0000,,and there you go: You do a phone call. Dialogue: 0,0:17:49.58,0:17:54.00,Default,,0000,0000,0000,,Now if we look at this Provisioning File,\Nyou can see that it contains your server Dialogue: 0,0:17:54.00,0:17:57.56,Default,,0000,0000,0000,,and your user name and your phone number Dialogue: 0,0:17:57.56,0:18:03.87,Default,,0000,0000,0000,,and your… well, basically everything\Nyou’d need to log in into an SIP server. Dialogue: 0,0:18:03.87,0:18:10.31,Default,,0000,0000,0000,,Now, since I can read, anybody\Nelse’s Provisioning Files, … Dialogue: 0,0:18:10.31,0:18:11.59,Default,,0000,0000,0000,,{\i1}laughter{\i0} Dialogue: 0,0:18:11.59,0:18:16.44,Default,,0000,0000,0000,,So, imagine I’m this user up there. Right? Dialogue: 0,0:18:16.44,0:18:21.40,Default,,0000,0000,0000,,And I’m just doing a normal call\Nas this phone number up there. 
Dialogue: 0,0:18:21.40,0:18:24.33,Default,,0000,0000,0000,,Well, maybe there’s this\Nother guy in the network Dialogue: 0,0:18:24.33,0:18:27.70,Default,,0000,0000,0000,,who just goes in and downloads\Nyour Provisioning File Dialogue: 0,0:18:27.70,0:18:31.07,Default,,0000,0000,0000,,and, well, he gets all the credentials\Nhe would need, so he gets Dialogue: 0,0:18:31.07,0:18:35.87,Default,,0000,0000,0000,,the same phone number and\Nthen he can just go and do a call. Dialogue: 0,0:18:35.87,0:18:46.80,Default,,0000,0000,0000,,Hm. Yeah. Maybe I should have\Nregistered a few 0900 numbers. Dialogue: 0,0:18:46.80,0:18:50.50,Default,,0000,0000,0000,,Now the really interesting part here is –\Nit also works the other way! Dialogue: 0,0:18:50.50,0:18:53.90,Default,,0000,0000,0000,,You register for it and if you’re\Nthe fastest one registering it, Dialogue: 0,0:18:53.90,0:18:58.58,Default,,0000,0000,0000,,the other modem doesn’t get the\Nchance to receive calls which means Dialogue: 0,0:18:58.58,0:19:02.36,Default,,0000,0000,0000,,now you receive the calls and then you can\Njust tell the other modem that there was Dialogue: 0,0:19:02.36,0:19:06.91,Default,,0000,0000,0000,,a call, just that, by now, you actually\Nroute all the traffic through your modem Dialogue: 0,0:19:06.91,0:19:13.00,Default,,0000,0000,0000,,and you can listen to all the voice data\Nthat there is on the line. Yay! Dialogue: 0,0:19:14.45,0:19:18.26,Default,,0000,0000,0000,,Yeah…\N{\i1}laughter{\i0} Dialogue: 0,0:19:18.26,0:19:22.16,Default,,0000,0000,0000,,Not sure it’d be a good idea to\Ntalk to your lawyer around… Dialogue: 0,0:19:22.16,0:19:27.03,Default,,0000,0000,0000,,Using this line for secure stuff\Nis probably not the best. Dialogue: 0,0:19:27.03,0:19:33.08,Default,,0000,0000,0000,,I wouldn’t mark SIP as secure\Non this thing, either. 
Dialogue: 0,0:19:33.08,0:19:38.24,Default,,0000,0000,0000,,But at this point, so on the Telnet\Naccess and on all the other parts, Dialogue: 0,0:19:38.24,0:19:40.87,Default,,0000,0000,0000,,I was, like, sure,\NI can fix it for myself. Dialogue: 0,0:19:40.87,0:19:44.23,Default,,0000,0000,0000,,I’m an egoist, right?\NI can fix it for myself. Dialogue: 0,0:19:44.23,0:19:46.65,Default,,0000,0000,0000,,I don’t care about the rest of mankind… Dialogue: 0,0:19:46.65,0:19:51.27,Default,,0000,0000,0000,,I do, but I can claim that! Dialogue: 0,0:19:51.27,0:19:54.49,Default,,0000,0000,0000,,I can just as well ignore all the\Nothers and say: I fix it for myself. Dialogue: 0,0:19:54.49,0:19:58.42,Default,,0000,0000,0000,,But for voice-over-IP, I can’t.\NBecause I’m completely out of the loop. Dialogue: 0,0:19:58.42,0:20:05.09,Default,,0000,0000,0000,,This other guy, he could just go and\Nsteal my credentials, because he can… Dialogue: 0,0:20:05.09,0:20:07.05,Default,,0000,0000,0000,,and there’s nothing I can do about it. Dialogue: 0,0:20:07.05,0:20:12.08,Default,,0000,0000,0000,,So at that point, I was kind of scared\Nthat someone would be able to hack me. Dialogue: 0,0:20:12.08,0:20:17.12,Default,,0000,0000,0000,,So I started to think about\Nhow to fix this thing. Dialogue: 0,0:20:17.12,0:20:22.54,Default,,0000,0000,0000,,Now, the first thing that comes to\Nmind is obviously: You as a user Dialogue: 0,0:20:22.54,0:20:28.91,Default,,0000,0000,0000,,go and pick up the phone and call\Nthe service line from your provider. Dialogue: 0,0:20:28.91,0:20:31.54,Default,,0000,0000,0000,,{\i1}laughter{\i0} Dialogue: 0,0:20:31.54,0:20:34.41,Default,,0000,0000,0000,,Yeah, I don’t think, that’s a good idea.\N{\i1}laughter{\i0} Dialogue: 0,0:20:34.41,0:20:38.59,Default,,0000,0000,0000,,Nah, no I didn’t want to go down that\Nroad, nah… So, instead, I figured, Dialogue: 0,0:20:38.59,0:20:41.73,Default,,0000,0000,0000,,I’m going to call someone else.\NI’m going to call a couple friends. 
Dialogue: 0,0:20:41.73,0:20:44.25,Default,,0000,0000,0000,,{\i1}laughter and applause{\i0} Dialogue: 0,0:20:44.25,0:20:50.96,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:20:50.96,0:20:54.43,Default,,0000,0000,0000,,Gonna call a couple of friends from\NHeise, thanks to my Linux work, I knew Dialogue: 0,0:20:54.43,0:20:59.64,Default,,0000,0000,0000,,a few of those, and they also tend to\Ndo security, which kind of falls into Dialogue: 0,0:20:59.64,0:21:02.16,Default,,0000,0000,0000,,this whole thing and used them as a proxy. Dialogue: 0,0:21:02.16,0:21:09.16,Default,,0000,0000,0000,,So that nobody could actually go and\Nsue me until things were public. Dialogue: 0,0:21:11.69,0:21:15.10,Default,,0000,0000,0000,,So, imagine what the provider\Nwould do when he hears Dialogue: 0,0:21:15.10,0:21:19.23,Default,,0000,0000,0000,,that I hacked into their Telnet account. Dialogue: 0,0:21:19.23,0:21:23.67,Default,,0000,0000,0000,,Sure, you’d do the obvious thing:\NYou’d replace Telnet with SSH, right? Dialogue: 0,0:21:23.67,0:21:26.35,Default,,0000,0000,0000,,It’s what everybody would do. It’s the\Nfirst thing. You look at this and think, Dialogue: 0,0:21:26.35,0:21:29.61,Default,,0000,0000,0000,,like, “Oh my god, this is 2015,\Nwhy would you be doing Telnet?” Dialogue: 0,0:21:29.61,0:21:35.72,Default,,0000,0000,0000,,Well, the answer is pretty simple. Emm…\N{\i1}laughter{\i0} Dialogue: 0,0:21:35.72,0:21:38.99,Default,,0000,0000,0000,,Take a look again. It’s not as simple\Nas you think. Take a look at it again, Dialogue: 0,0:21:38.99,0:21:43.06,Default,,0000,0000,0000,,there’s this Provisioning File. SSH\Nactually gets different credentials! Dialogue: 0,0:21:43.06,0:21:46.79,Default,,0000,0000,0000,,So, the SSH credentials\Nare actually down here. Dialogue: 0,0:21:46.79,0:21:49.53,Default,,0000,0000,0000,,And the password is different\Nfrom the one on the top. Dialogue: 0,0:21:49.53,0:21:51.41,Default,,0000,0000,0000,,I don’t know what the password is. 
Dialogue: 0,0:21:51.41,0:21:56.31,Default,,0000,0000,0000,,But I can tell you that the\Npassword hash is really cool! Dialogue: 0,0:21:56.31,0:21:59.89,Default,,0000,0000,0000,,So, the password hash is something\Nthat comes from VxWorks, so I’m pretty Dialogue: 0,0:21:59.89,0:22:04.39,Default,,0000,0000,0000,,sure that there are more devices out there\Nthat might be interesting to look at. Dialogue: 0,0:22:04.39,0:22:06.97,Default,,0000,0000,0000,,The VxWorks hash actually\Nworks in a really simple way: Dialogue: 0,0:22:06.97,0:22:12.85,Default,,0000,0000,0000,,It creates a checksum of your input that\Nlies somewhere between those 2 numbers Dialogue: 0,0:22:12.85,0:22:16.94,Default,,0000,0000,0000,,and then creates a fancy String out\Nof them based on some heuristics. Dialogue: 0,0:22:16.94,0:22:21.86,Default,,0000,0000,0000,,But essentially, the whole password down\Nthere boils down to just a single number Dialogue: 0,0:22:21.86,0:22:26.74,Default,,0000,0000,0000,,that is basically, in a realistic case,\Nthe upper limit is 40 characters, Dialogue: 0,0:22:26.74,0:22:28.98,Default,,0000,0000,0000,,so you’re not going to see\Na password that long, Dialogue: 0,0:22:28.98,0:22:33.28,Default,,0000,0000,0000,,realistically you basically check around\N100 passwords and any hash out there, Dialogue: 0,0:22:33.28,0:22:37.46,Default,,0000,0000,0000,,any password that’s available, you\Nalready cracked it. Which means, Dialogue: 0,0:22:37.46,0:22:41.58,Default,,0000,0000,0000,,there are so many collisions in this\Nhash, which I wouldn’t even call a hash, Dialogue: 0,0:22:41.58,0:22:44.39,Default,,0000,0000,0000,,that I don’t know what the original\Npassword is like… I don’t know. Dialogue: 0,0:22:44.39,0:22:47.38,Default,,0000,0000,0000,,But this one works pretty well! 
Dialogue: 0,0:22:47.38,0:22:50.73,Default,,0000,0000,0000,,{\i1}laughter and applause{\i0} Dialogue: 0,0:22:50.73,0:22:56.94,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:22:56.94,0:23:00.75,Default,,0000,0000,0000,,So we go ahead and we log into this\Nmachine and we type in our collision Dialogue: 0,0:23:00.75,0:23:04.08,Default,,0000,0000,0000,,and… there you go! We got\Nthe same thing as before! Dialogue: 0,0:23:04.08,0:23:07.90,Default,,0000,0000,0000,,So we told them again: “Guys,\Nlook, it’s not as easy as that. Dialogue: 0,0:23:07.90,0:23:10.86,Default,,0000,0000,0000,,You should probably take a bit\Ndeeper breath and take a look Dialogue: 0,0:23:10.86,0:23:14.39,Default,,0000,0000,0000,,at how things actually are broken.” Dialogue: 0,0:23:14.39,0:23:18.03,Default,,0000,0000,0000,,Which, turns out, they did!\NSo what happened next? Dialogue: 0,0:23:18.03,0:23:24.01,Default,,0000,0000,0000,,We had this whole huge mess with\Nlots of services that are all attackable Dialogue: 0,0:23:24.01,0:23:27.21,Default,,0000,0000,0000,,and everything’s just wholly broken. Dialogue: 0,0:23:27.21,0:23:31.96,Default,,0000,0000,0000,,That was two months ago. Dialogue: 0,0:23:31.96,0:23:35.53,Default,,0000,0000,0000,,There were some circumstances\Nwhy we just couldn’t tell them earlier. Dialogue: 0,0:23:35.53,0:23:39.78,Default,,0000,0000,0000,,And we basically told them: “Guys, you\Nknow, in 2 months’ time we’re going to do Dialogue: 0,0:23:39.78,0:23:43.05,Default,,0000,0000,0000,,a talk here and everything’s going to\Nbe public so you might want to fix Dialogue: 0,0:23:43.05,0:23:46.84,Default,,0000,0000,0000,,your network until then.”\N{\i1}laughter{\i0} Dialogue: 0,0:23:46.84,0:23:51.66,Default,,0000,0000,0000,,So the first thing that they did is: They\Nadded a check to their TFTP server Dialogue: 0,0:23:51.66,0:23:56.63,Default,,0000,0000,0000,,to verify whether you’re actually eligible\Nto download this Provisioning File. 
Dialogue: 0,0:23:56.63,0:24:01.77,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:24:01.77,0:24:04.72,Default,,0000,0000,0000,,So now, you can only download your\Nown Provisioning File. Which is great… Dialogue: 0,0:24:04.72,0:24:09.33,Default,,0000,0000,0000,,finally! I mean, this is the obvious\Nthing to do. So that one’s fixed. Dialogue: 0,0:24:09.33,0:24:13.18,Default,,0000,0000,0000,,Then, they went ahead and said: Well,\Nthere’s no real reason why one modem Dialogue: 0,0:24:13.18,0:24:16.28,Default,,0000,0000,0000,,should do SNMP traffic with another.\NSo they just added a firewall, saying, Dialogue: 0,0:24:16.28,0:24:19.57,Default,,0000,0000,0000,,we’re blocking SNMP traffic\Nbetween different machines Dialogue: 0,0:24:19.57,0:24:22.61,Default,,0000,0000,0000,,– problem solved! Dialogue: 0,0:24:22.61,0:24:26.78,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:24:26.78,0:24:30.44,Default,,0000,0000,0000,,The same for SSH – they went ahead and\Nsaid: There’s no reason why you should Dialogue: 0,0:24:30.44,0:24:34.12,Default,,0000,0000,0000,,be doing TCP between\None modem and another. Dialogue: 0,0:24:34.12,0:24:36.36,Default,,0000,0000,0000,,Problem solved! Dialogue: 0,0:24:36.36,0:24:39.61,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:24:39.61,0:24:44.61,Default,,0000,0000,0000,,And because the VoIP access credentials Dialogue: 0,0:24:44.61,0:24:47.91,Default,,0000,0000,0000,,are actually part of your Provisioning\NFile which you can now Dialogue: 0,0:24:47.91,0:24:51.14,Default,,0000,0000,0000,,no longer download from somebody\Nelse, that one is fixed too. Dialogue: 0,0:24:51.14,0:24:56.69,Default,,0000,0000,0000,,Awesome! {\i1}shy applause{\i0}\NGo ahead, go ahead, clap! It’s awesome! Dialogue: 0,0:24:56.69,0:25:00.21,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:25:00.21,0:25:04.81,Default,,0000,0000,0000,,Thank you, ISPs. 
So after two months,\Nyou actually managed to limit me Dialogue: 0,0:25:04.81,0:25:07.90,Default,,0000,0000,0000,,into the borders that I was supposed\Nto be in, in the beginning. Dialogue: 0,0:25:07.90,0:25:11.80,Default,,0000,0000,0000,,It’s cool!\NSo what do we have… Dialogue: 0,0:25:11.80,0:25:16.11,Default,,0000,0000,0000,,Please guard your networks even if you\Nbelieve that somebody couldn’t go in Dialogue: 0,0:25:16.11,0:25:17.97,Default,,0000,0000,0000,,– they probably will. Dialogue: 0,0:25:17.97,0:25:22.93,Default,,0000,0000,0000,,Because, as soon as a customer\Ncan access your device physically, Dialogue: 0,0:25:22.93,0:25:26.29,Default,,0000,0000,0000,,which kind of happens to be the\Ncase with a modem that’s sitting Dialogue: 0,0:25:26.29,0:25:31.92,Default,,0000,0000,0000,,in your apartment, Dialogue: 0,0:25:31.92,0:25:35.02,Default,,0000,0000,0000,,that guy can access your network.\NThere’s no way you can prevent it. Dialogue: 0,0:25:35.02,0:25:38.95,Default,,0000,0000,0000,,So don’t believe that the border\Nof your network is the home. Dialogue: 0,0:25:38.95,0:25:43.98,Default,,0000,0000,0000,,The border of your network is\Nthe cable going into that home. Dialogue: 0,0:25:43.98,0:25:46.64,Default,,0000,0000,0000,,The same way goes the other way\Naround: If an ISP gives you a device, Dialogue: 0,0:25:46.64,0:25:48.59,Default,,0000,0000,0000,,don’t trust that thing. Dialogue: 0,0:25:48.59,0:25:51.03,Default,,0000,0000,0000,,Seriously. They can do anything they like. Dialogue: 0,0:25:51.03,0:25:55.23,Default,,0000,0000,0000,,And sometimes, somebody else can, too. Dialogue: 0,0:25:55.23,0:26:02.51,Default,,0000,0000,0000,,In this case, according to my provider, I\Nwas able to access 3 million devices. Dialogue: 0,0:26:02.51,0:26:05.40,Default,,0000,0000,0000,,{\i1}applause{\i0}\NThat’s quite some number. 
Dialogue: 0,0:26:05.40,0:26:10.59,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:26:10.59,0:26:16.73,Default,,0000,0000,0000,,Also, the press is your friend. If you\Nare afraid of revealing something, Dialogue: 0,0:26:16.73,0:26:18.68,Default,,0000,0000,0000,,tell someone who can do it for you Dialogue: 0,0:26:18.68,0:26:25.13,Default,,0000,0000,0000,,and usually, things go out well.\NLet’s hope for the best. Dialogue: 0,0:26:25.13,0:26:29.11,Default,,0000,0000,0000,,And then, this whole thing went\Nonline in the beginning of the week Dialogue: 0,0:26:29.11,0:26:32.64,Default,,0000,0000,0000,,and there were a couple of questions\Non the forums that I read Dialogue: 0,0:26:32.64,0:26:35.88,Default,,0000,0000,0000,,and I just wanted to take\Nthe time to reply to those. Dialogue: 0,0:26:35.88,0:26:38.20,Default,,0000,0000,0000,,First thing that always comes\Nup is: “Is this a conspiracy?” Dialogue: 0,0:26:38.20,0:26:41.27,Default,,0000,0000,0000,,Like “Oh my god, this\Nis the NSA backdoor!” Dialogue: 0,0:26:41.27,0:26:44.71,Default,,0000,0000,0000,,No way. I mean, seriously,\Nthose guys are not that stupid. Dialogue: 0,0:26:44.71,0:26:47.99,Default,,0000,0000,0000,,They have their own front doors,\Nthey don’t need backdoors. Dialogue: 0,0:26:47.99,0:26:50.08,Default,,0000,0000,0000,,{\i1}laughter{\i0} Dialogue: 0,0:26:50.08,0:26:54.55,Default,,0000,0000,0000,,This really is just a case of “If we don’t\Nsecure things, it’s going to be easier Dialogue: 0,0:26:54.55,0:26:59.63,Default,,0000,0000,0000,,for us.” Njee, it was\Neasier for everybody, Dialogue: 0,0:26:59.63,0:27:03.07,Default,,0000,0000,0000,,including the ones who\Nshouldn’t have access. Dialogue: 0,0:27:03.07,0:27:07.93,Default,,0000,0000,0000,,So, no, this is not a conspiracy. This is\Nnot some backdoor from some agency. Dialogue: 0,0:27:07.93,0:27:13.11,Default,,0000,0000,0000,,This is really just a matter of a\Ncompany not doing their homework. 
Dialogue: 0,0:27:13.11,0:27:15.97,Default,,0000,0000,0000,,The same thing goes for other providers. Dialogue: 0,0:27:15.97,0:27:20.36,Default,,0000,0000,0000,,My cable just wasn’t long enough\Nto connect to some other country Dialogue: 0,0:27:20.36,0:27:24.31,Default,,0000,0000,0000,,so I don’t know whether other\NDOCSIS networks are affected. Dialogue: 0,0:27:24.31,0:27:30.54,Default,,0000,0000,0000,,From the best of my knowledge:\NYes, they are. Dialogue: 0,0:27:30.54,0:27:33.64,Default,,0000,0000,0000,,I’m not allowed to tell you to check. Dialogue: 0,0:27:33.64,0:27:37.05,Default,,0000,0000,0000,,But if you happen to have\Nthat idea on your own… Dialogue: 0,0:27:37.05,0:27:40.48,Default,,0000,0000,0000,,{\i1}laughter and applause{\i0} Dialogue: 0,0:27:40.48,0:27:47.48,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:27:47.48,0:27:50.27,Default,,0000,0000,0000,,No animals were hurt during\Nthe production of this movie. Dialogue: 0,0:27:50.27,0:27:51.32,Default,,0000,0000,0000,,{\i1}laughter{\i0} Dialogue: 0,0:27:51.32,0:27:55.33,Default,,0000,0000,0000,,All the passwords were changed, so if you\Nhappen to know the real passwords, Dialogue: 0,0:27:55.33,0:27:58.05,Default,,0000,0000,0000,,you probably had a good laugh\Nduring the presentation. Dialogue: 0,0:27:58.05,0:28:03.66,Default,,0000,0000,0000,,If you don’t know the real passwords,\Nnjeeee, they are different. Dialogue: 0,0:28:03.66,0:28:07.13,Default,,0000,0000,0000,,To the best of my knowledge, all of that\Nknowledge that I just gave you is Dialogue: 0,0:28:07.13,0:28:13.81,Default,,0000,0000,0000,,completely useless to you,\Nbecause all the issues are fixed. Dialogue: 0,0:28:13.81,0:28:16.63,Default,,0000,0000,0000,,Thank you. 
Dialogue: 0,0:28:16.63,0:28:32.02,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:28:32.02,0:28:33.69,Default,,0000,0000,0000,,Herald [to Alexander]: Q&A?\N[Alexander nodding] Dialogue: 0,0:28:33.69,0:28:36.01,Default,,0000,0000,0000,,Alexander: So now we can\Ngo for questions if you like. Dialogue: 0,0:28:36.01,0:28:39.40,Default,,0000,0000,0000,,So please… or… you go\Nahead and announce it. Dialogue: 0,0:28:39.40,0:28:43.65,Default,,0000,0000,0000,,Herald: So if you have questions,\Nrun towards a microphone and Dialogue: 0,0:28:43.65,0:28:49.02,Default,,0000,0000,0000,,stand behind it visibly.\NThe first one was on number 4. Dialogue: 0,0:28:49.02,0:28:54.43,Default,,0000,0000,0000,,Q: You were talking about taking\Na couple of weeks to get to know Dialogue: 0,0:28:54.43,0:28:57.99,Default,,0000,0000,0000,,that the password wasn’t\Nhashed but plaintext. Dialogue: 0,0:28:57.99,0:29:02.50,Default,,0000,0000,0000,,So how long did this whole\Nexchange in total go on? Dialogue: 0,0:29:02.50,0:29:07.01,Default,,0000,0000,0000,,How much facepalming and\Nhow many hours did it take for you? Dialogue: 0,0:29:07.01,0:29:10.07,Default,,0000,0000,0000,,A: So I didn’t spend full time on it,\NI really literally just whenever Dialogue: 0,0:29:10.07,0:29:14.25,Default,,0000,0000,0000,,the baby was crying I just went up\Nand figured “I can do something”. Dialogue: 0,0:29:14.25,0:29:21.55,Default,,0000,0000,0000,,It’s not… I basically got\Ncable access two years ago. Dialogue: 0,0:29:21.55,0:29:25.21,Default,,0000,0000,0000,,I first got into the modem\Nabout one year ago, I think. Dialogue: 0,0:29:25.21,0:29:31.61,Default,,0000,0000,0000,,That’s when I started looking for real. Dialogue: 0,0:29:31.61,0:29:34.67,Default,,0000,0000,0000,,I basically ended up digging\Ndeeper and deeper, right? It’s not… Dialogue: 0,0:29:34.67,0:29:38.84,Default,,0000,0000,0000,,VoIP, for example, I only realized the\Nwhole voice-over-IP story in August. 
Dialogue: 0,0:29:38.84,0:29:42.65,Default,,0000,0000,0000,,Since I just didn’t look before. I was\Nlike so excited to see all the other bits. Dialogue: 0,0:29:42.65,0:29:44.25,Default,,0000,0000,0000,,{\i1}shy laughter{\i0} Dialogue: 0,0:29:44.25,0:29:46.35,Default,,0000,0000,0000,,Just didn’t look. Dialogue: 0,0:29:46.35,0:29:48.90,Default,,0000,0000,0000,,Herald: Now number 1, please. Dialogue: 0,0:29:48.90,0:29:54.22,Default,,0000,0000,0000,,Q: Are you really sure that the TFTP\NProvisioning File fetching is secure now? Dialogue: 0,0:29:54.22,0:30:01.43,Default,,0000,0000,0000,,Because… do they do some MAC\Nintegrity tests for MAC spoofing? Dialogue: 0,0:30:01.43,0:30:04.67,Default,,0000,0000,0000,,A: Yeaaaaah… Dialogue: 0,0:30:04.67,0:30:09.26,Default,,0000,0000,0000,,{\i1}laughter{\i0} Dialogue: 0,0:30:09.26,0:30:13.87,Default,,0000,0000,0000,,The problem is the law, right? I’m not\Nallowed to tell you to try it yourself, Dialogue: 0,0:30:13.87,0:30:18.58,Default,,0000,0000,0000,,I’m not allowed to tell you that I don’t\Nthink that anything on the physical layer Dialogue: 0,0:30:18.58,0:30:23.09,Default,,0000,0000,0000,,is insecure. I’m not allowed to tell you\Nthat… I mean there’s so many things Dialogue: 0,0:30:23.09,0:30:29.11,Default,,0000,0000,0000,,I’m not allowed to tell you about\Nthis whole network… I haven’t tried. Dialogue: 0,0:30:29.11,0:30:36.11,Default,,0000,0000,0000,,I really just went in and said “TFTP\NFetch and see whether I can get it.” Dialogue: 0,0:30:36.11,0:30:41.08,Default,,0000,0000,0000,,{\i1}laughter and applause{\i0} Dialogue: 0,0:30:41.08,0:30:45.76,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:30:45.76,0:30:48.69,Default,,0000,0000,0000,,Herald: Number 7 up\Nthere on the balcony. Dialogue: 0,0:30:48.69,0:30:52.31,Default,,0000,0000,0000,,Q: Hello. 
My question is, in the\Nbeginning in your config files, Dialogue: 0,0:30:52.31,0:30:56.87,Default,,0000,0000,0000,,I think there was something about traffic\Npriority or network priority as well. Dialogue: 0,0:30:56.87,0:31:00.76,Default,,0000,0000,0000,,Did you play around with that one as well?\NIs that something about Net Neutrality, Dialogue: 0,0:31:00.76,0:31:03.18,Default,,0000,0000,0000,,maybe?\NA: Ahh, that’s an interesting… Dialogue: 0,0:31:03.18,0:31:05.39,Default,,0000,0000,0000,,OK, so, it’s not about\NNet Neutrality at all. Dialogue: 0,0:31:05.39,0:31:11.24,Default,,0000,0000,0000,,It’s about QoS of different services,\Nso they basically say that Dialogue: 0,0:31:11.24,0:31:15.11,Default,,0000,0000,0000,,VoIP traffic gets higher\Npriority than the other bits Dialogue: 0,0:31:15.11,0:31:18.20,Default,,0000,0000,0000,,since you want to have low latency\Non voice-over-IP traffic, obviously. Dialogue: 0,0:31:18.20,0:31:20.86,Default,,0000,0000,0000,,So that has nothing to do with\NNet Neutrality in this thing at all. Dialogue: 0,0:31:20.86,0:31:28.21,Default,,0000,0000,0000,,I did play around with\Nthose settings, just because… Dialogue: 0,0:31:28.21,0:31:31.41,Default,,0000,0000,0000,,coincidentally, right the day after\Nthe Fahrplan got released, Dialogue: 0,0:31:31.41,0:31:35.23,Default,,0000,0000,0000,,my account got throttled to 80 kBit/s. Dialogue: 0,0:31:35.23,0:31:38.13,Default,,0000,0000,0000,,I don’t know why.\NCould be related, could be not. Dialogue: 0,0:31:38.13,0:31:43.40,Default,,0000,0000,0000,,But I figured, “I’m paying for 100 MBit/s”\Nso I should probably get 100 MBit/s Dialogue: 0,0:31:43.40,0:31:46.33,Default,,0000,0000,0000,,and started to look at those things. Dialogue: 0,0:31:46.33,0:31:50.28,Default,,0000,0000,0000,,I did not manage to actually convince\Nmy modem to get me more. Dialogue: 0,0:31:50.28,0:31:52.82,Default,,0000,0000,0000,,Q: Did you change the\Nbandwidth in the settings? 
Dialogue: 0,0:31:52.82,0:31:55.14,Default,,0000,0000,0000,,Herald: No dialogues, please. Dialogue: 0,0:31:55.14,0:31:59.67,Default,,0000,0000,0000,,A: Yes, I did change the bandwidth.\NIt’s not… my guess is, Dialogue: 0,0:31:59.67,0:32:02.36,Default,,0000,0000,0000,,they’re also QoS’ing on the\Nother side. But if you want to Dialogue: 0,0:32:02.36,0:32:05.26,Default,,0000,0000,0000,,verify it, I’m not telling you not to. Dialogue: 0,0:32:05.26,0:32:07.60,Default,,0000,0000,0000,,{\i1}laughter{\i0} Dialogue: 0,0:32:07.60,0:32:09.31,Default,,0000,0000,0000,,Herald: Number 2, please. Dialogue: 0,0:32:09.31,0:32:12.37,Default,,0000,0000,0000,,Q: Yes. So at first, thank\Nyou for the nice insights. Dialogue: 0,0:32:12.37,0:32:15.14,Default,,0000,0000,0000,,I’m a cable user, so I’m interested here. Dialogue: 0,0:32:15.14,0:32:19.22,Default,,0000,0000,0000,,And I want to, again, make a\Nstatement on the Provisioning File. Dialogue: 0,0:32:19.22,0:32:23.94,Default,,0000,0000,0000,,You should have told them that the\NProvisioning File fetching in this way Dialogue: 0,0:32:23.94,0:32:26.21,Default,,0000,0000,0000,,isn’t a good idea anyway. Dialogue: 0,0:32:26.21,0:32:30.46,Default,,0000,0000,0000,,And I personally would believe\Nif they do not can transfer it Dialogue: 0,0:32:30.46,0:32:36.49,Default,,0000,0000,0000,,via a completely different channel,\Nit will not get really secure. Dialogue: 0,0:32:36.49,0:32:39.87,Default,,0000,0000,0000,,A: They can not do it differently\Nbecause it’s part of a standard. Dialogue: 0,0:32:39.87,0:32:42.85,Default,,0000,0000,0000,,There’s a DOCSIS standard which\Nall the modems have to adhere to Dialogue: 0,0:32:42.85,0:32:46.26,Default,,0000,0000,0000,,and that’s part of the standard.\NThey cannot do it differently. 
Dialogue: 0,0:32:46.26,0:32:48.35,Default,,0000,0000,0000,,If you want to have it done\Ndifferently, you have to tell Dialogue: 0,0:32:48.35,0:32:53.31,Default,,0000,0000,0000,,the DOCSIS standardization\Ncommittee which is in India. Dialogue: 0,0:32:53.31,0:32:56.91,Default,,0000,0000,0000,,Q: Yes, so I’ll talk to them. Thanks! Dialogue: 0,0:32:56.91,0:33:00.16,Default,,0000,0000,0000,,Herald: Now, we’ll have a\Nquestion from the Internet. Dialogue: 0,0:33:00.16,0:33:03.65,Default,,0000,0000,0000,,Q: Could two modems be\Nprogrammed to talk among Dialogue: 0,0:33:03.65,0:33:07.17,Default,,0000,0000,0000,,themselves directly,\Nbypassing the ISP firewall? Dialogue: 0,0:33:07.17,0:33:09.11,Default,,0000,0000,0000,,A: Say it again. Dialogue: 0,0:33:09.11,0:33:15.27,Default,,0000,0000,0000,,{\i1}Signal Angel repeats question more slowly{\i0} Dialogue: 0,0:33:15.27,0:33:17.11,Default,,0000,0000,0000,,A: You mean with the new scheme\Nor with the old scheme? Dialogue: 0,0:33:17.11,0:33:21.15,Default,,0000,0000,0000,,With the old scheme, it was…\Nyou could just go and route through it. Dialogue: 0,0:33:21.15,0:33:29.20,Default,,0000,0000,0000,,With the new scheme… you…\Nnot with the official modems. Dialogue: 0,0:33:29.20,0:33:33.45,Default,,0000,0000,0000,,{\i1}laughter and applause{\i0} Dialogue: 0,0:33:33.45,0:33:39.06,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:33:39.06,0:33:42.86,Default,,0000,0000,0000,,Herald: And number 8 on the balcony. Dialogue: 0,0:33:42.86,0:33:47.20,Default,,0000,0000,0000,,Q: Did you find any traces\Nof TR-069 in this thing? Dialogue: 0,0:33:47.20,0:33:52.45,Default,,0000,0000,0000,,A: I did on the AVM boxes\Nthat were secure, yeah. Dialogue: 0,0:33:52.45,0:33:55.94,Default,,0000,0000,0000,,So that was the only bit that actually\Nended up making a lot of sense. 
Dialogue: 0,0:33:55.94,0:33:59.47,Default,,0000,0000,0000,,TR-069 is a pretty nice standard.\NYou basically have authenticated Dialogue: 0,0:33:59.47,0:34:03.09,Default,,0000,0000,0000,,– I think it was even HTTPS – traffic that\Nbasically goes and pokes the server Dialogue: 0,0:34:03.09,0:34:07.90,Default,,0000,0000,0000,,to get you a firmware update. It’s a\Nperfectly nice way of provisioning Dialogue: 0,0:34:07.90,0:34:10.73,Default,,0000,0000,0000,,such a system. It’s definitely a\Nlot different from the usual way Dialogue: 0,0:34:10.73,0:34:15.41,Default,,0000,0000,0000,,so on those DOCSIS modems, the usual\Nway to tell it to get a new “firmware” is Dialogue: 0,0:34:15.41,0:34:19.47,Default,,0000,0000,0000,,either to tell it to reboot and get a new\Nfile from the provisioning server or Dialogue: 0,0:34:19.47,0:34:24.68,Default,,0000,0000,0000,,to just poke directly through SNMP to tell\Nit: “Go to this TFTP server over there Dialogue: 0,0:34:24.68,0:34:27.88,Default,,0000,0000,0000,,with this file name and\Nflash it onto your Flash.” Dialogue: 0,0:34:27.88,0:34:29.18,Default,,0000,0000,0000,,{\i1}laughter{\i0} Dialogue: 0,0:34:29.18,0:34:35.04,Default,,0000,0000,0000,,No, I have not tried to spoof the\Nprivileged IP address range. Dialogue: 0,0:34:35.04,0:34:38.61,Default,,0000,0000,0000,,{\i1}laughter{\i0} Dialogue: 0,0:34:38.61,0:34:41.10,Default,,0000,0000,0000,,Herald: Now it’s number 4 again. Dialogue: 0,0:34:41.10,0:34:45.33,Default,,0000,0000,0000,,Q: The question I have is: Dialogue: 0,0:34:45.33,0:34:49.26,Default,,0000,0000,0000,,When you tried to first\Ncontact them via Heise, Dialogue: 0,0:34:49.26,0:34:54.34,Default,,0000,0000,0000,,was there any way they\Nmight have tried to Dialogue: 0,0:34:54.34,0:34:58.47,Default,,0000,0000,0000,,convince you to not\Ndo the talk and if so, Dialogue: 0,0:34:58.47,0:35:02.46,Default,,0000,0000,0000,,would there be an itch on your head? 
Dialogue: 0,0:35:02.46,0:35:07.23,Default,,0000,0000,0000,,A: They did not try in any\Nway whatsoever. Zero. Dialogue: 0,0:35:07.23,0:35:10.32,Default,,0000,0000,0000,,Q: Do you think that was due to\Nthe credibility or do you think Dialogue: 0,0:35:10.32,0:35:13.58,Default,,0000,0000,0000,,they thought “Oh, we screwed up”? Dialogue: 0,0:35:13.58,0:35:20.19,Default,,0000,0000,0000,,A: I don’t know. I don’t think they\Nthought any other way would work at that Dialogue: 0,0:35:20.19,0:35:24.01,Default,,0000,0000,0000,,point in time. Since the press was already\Ninvolved, they are not gonna pull back Dialogue: 0,0:35:24.01,0:35:28.10,Default,,0000,0000,0000,,their story, there’s nothing\Nelse they can do. Dialogue: 0,0:35:28.10,0:35:29.47,Default,,0000,0000,0000,,Q: Thank you again. Dialogue: 0,0:35:29.47,0:35:34.34,Default,,0000,0000,0000,,Herald: Before I hand the microphone,\Ndo you want to do the entire 24 Dialogue: 0,0:35:34.34,0:35:38.01,Default,,0000,0000,0000,,remaining minutes Q&A or\Ndo you want to put a limit? Dialogue: 0,0:35:38.01,0:35:41.66,Default,,0000,0000,0000,,Graf: No, I think 24 minutes Q&A is fine.\NWe can always cap it later on, right? Dialogue: 0,0:35:41.66,0:35:44.40,Default,,0000,0000,0000,,Just go and ask. Ask as much as you like. Dialogue: 0,0:35:44.40,0:35:50.75,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:35:50.75,0:35:53.57,Default,,0000,0000,0000,,Herald: The Internet, again. Dialogue: 0,0:35:53.57,0:35:57.50,Default,,0000,0000,0000,,Q: How much of this would have been\Npossible if the modem had been Dialogue: 0,0:35:57.50,0:36:01.73,Default,,0000,0000,0000,,in bridge mode?\NA: My modem was in bridge mode. Dialogue: 0,0:36:01.73,0:36:04.53,Default,,0000,0000,0000,,{\i1}laughter{\i0} Dialogue: 0,0:36:04.53,0:36:07.06,Default,,0000,0000,0000,,Herald: And number 6. Dialogue: 0,0:36:07.06,0:36:12.05,Default,,0000,0000,0000,,Q: Do you have an idea how\Nlong this has been that way? 
Dialogue: 0,0:36:12.05,0:36:16.18,Default,,0000,0000,0000,,And do you have any\Nspecific reasons to believe Dialogue: 0,0:36:16.18,0:36:20.76,Default,,0000,0000,0000,,what group of people Dialogue: 0,0:36:20.76,0:36:25.50,Default,,0000,0000,0000,,might have abused these problems? Dialogue: 0,0:36:25.50,0:36:29.29,Default,,0000,0000,0000,,A: I don’t know. I did not see anybody\Nelse on the network but it’s really hard Dialogue: 0,0:36:29.29,0:36:33.82,Default,,0000,0000,0000,,to see someone in a\Nsea of 3 million devices. Dialogue: 0,0:36:33.82,0:36:38.33,Default,,0000,0000,0000,,I am not aware of anybody exploiting this, Dialogue: 0,0:36:38.33,0:36:41.94,Default,,0000,0000,0000,,so I can only state what Vodafone said. Dialogue: 0,0:36:41.94,0:36:45.88,Default,,0000,0000,0000,,And they said that nobody else\Ndid exploit those problems. Dialogue: 0,0:36:45.88,0:36:49.66,Default,,0000,0000,0000,,According… as far as time… and\NI believe that one actually… it’s… Dialogue: 0,0:36:49.66,0:36:51.71,Default,,0000,0000,0000,,I don’t think that anybody\Ndid. Which is surprising Dialogue: 0,0:36:51.71,0:36:55.17,Default,,0000,0000,0000,,since this whole stuff was kind of obvious Dialogue: 0,0:36:55.17,0:36:59.21,Default,,0000,0000,0000,,but apparently nobody thought of\Ndigging into their modem before. Dialogue: 0,0:36:59.21,0:37:03.15,Default,,0000,0000,0000,,The one thing about the timing is: Dialogue: 0,0:37:03.15,0:37:05.49,Default,,0000,0000,0000,,Apparently, they already,\NKabel Deutschland, Dialogue: 0,0:37:05.49,0:37:08.65,Default,,0000,0000,0000,,basically already does\NInternet for 10 years by now Dialogue: 0,0:37:08.65,0:37:13.69,Default,,0000,0000,0000,,and there’s very little reason to believe\Nit’s been different in the beginning. Dialogue: 0,0:37:13.69,0:37:18.74,Default,,0000,0000,0000,,So it was probably vulnerable \Nfor about ten years. 
Dialogue: 0,0:37:18.74,0:37:22.33,Default,,0000,0000,0000,,That said, in the beginning, they\Nwere not even using DOCSIS 3.0, Dialogue: 0,0:37:22.33,0:37:25.62,Default,,0000,0000,0000,,which did not really do real encryption,\Nso at the end of the day you could Dialogue: 0,0:37:25.62,0:37:29.64,Default,,0000,0000,0000,,just do whatever, any ways on the network. Dialogue: 0,0:37:29.64,0:37:35.44,Default,,0000,0000,0000,,Back in the day. By now,\Nit’s only halfway complicated. Dialogue: 0,0:37:35.44,0:37:38.00,Default,,0000,0000,0000,,Herald: Now number 1. Dialogue: 0,0:37:38.00,0:37:40.78,Default,,0000,0000,0000,,Q: Yes, thank you for the talk, too. Dialogue: 0,0:37:40.78,0:37:47.04,Default,,0000,0000,0000,,So it’s completely possible that they may\Nhave not found out that somebody else Dialogue: 0,0:37:47.04,0:37:52.19,Default,,0000,0000,0000,,accessed this before and maybe already\Nflashed a lot of devices with another Dialogue: 0,0:37:52.19,0:37:55.76,Default,,0000,0000,0000,,firmware which is still\Nlistening to his commands? Dialogue: 0,0:37:55.76,0:37:59.27,Default,,0000,0000,0000,,With the new setup. Because\Nhe changed the firmware. Dialogue: 0,0:37:59.27,0:38:03.77,Default,,0000,0000,0000,,A: They did not… okay, they did update\Nthe firmware at that one point in time Dialogue: 0,0:38:03.77,0:38:06.21,Default,,0000,0000,0000,,when I showed that they switched to SSH. Dialogue: 0,0:38:06.21,0:38:08.95,Default,,0000,0000,0000,,They did not change the\Nfirmware ever since. So Dialogue: 0,0:38:08.95,0:38:13.68,Default,,0000,0000,0000,,all the services that I was talking about,\Nthey are still running on your modem. Dialogue: 0,0:38:13.68,0:38:17.79,Default,,0000,0000,0000,,Q: Okay, but they can’t be sure that there\Nis another firmware by somebody else Dialogue: 0,0:38:17.79,0:38:23.19,Default,,0000,0000,0000,,on routers running. 
If somebody else\Nmaybe thought of making a botnet, Dialogue: 0,0:38:23.19,0:38:26.24,Default,,0000,0000,0000,,before all of this came up,\Nin the last 5 years or 10 years, Dialogue: 0,0:38:26.24,0:38:28.46,Default,,0000,0000,0000,,and already controls some devices Dialogue: 0,0:38:28.46,0:38:32.17,Default,,0000,0000,0000,,and they can’t be sure that their firmware\Nis not running on those devices. Dialogue: 0,0:38:32.17,0:38:35.74,Default,,0000,0000,0000,,There can be still devices somewhere\Ncontrolled by somebody else. Dialogue: 0,0:38:35.74,0:38:38.44,Default,,0000,0000,0000,,A: Sure. You have to, obviously, fake\Nall the information they receive Dialogue: 0,0:38:38.44,0:38:41.00,Default,,0000,0000,0000,,from the modem pretty well,\Notherwise they get you onto the Dialogue: 0,0:38:41.00,0:38:46.45,Default,,0000,0000,0000,,security block that I am on.\NBut if you do that correctly, Dialogue: 0,0:38:46.45,0:38:49.09,Default,,0000,0000,0000,,you can probably just replace\Nall the pieces of firmware, Dialogue: 0,0:38:49.09,0:38:53.46,Default,,0000,0000,0000,,just ignore all the updates and try to\Nbehave the same way as they’d expect Dialogue: 0,0:38:53.46,0:38:55.57,Default,,0000,0000,0000,,and then hope that nobody finds out. Dialogue: 0,0:38:55.57,0:38:58.36,Default,,0000,0000,0000,,It’s entirely possible –\NI don’t think it’s very likely Dialogue: 0,0:38:58.36,0:38:59.87,Default,,0000,0000,0000,,but it is definitely entirely possible. Dialogue: 0,0:38:59.87,0:39:03.27,Default,,0000,0000,0000,,Q: Let’s hope there are no more\Nnetworks like this out there. Dialogue: 0,0:39:03.27,0:39:07.10,Default,,0000,0000,0000,,Herald: Usually, there\Nare no 2nd questions, Dialogue: 0,0:39:07.10,0:39:11.14,Default,,0000,0000,0000,,so… we still got comfortable time Dialogue: 0,0:39:11.14,0:39:15.09,Default,,0000,0000,0000,,but try to limit yourself to one question. Dialogue: 0,0:39:15.09,0:39:17.18,Default,,0000,0000,0000,,Now it’s number 2. 
Dialogue: 0,0:39:17.18,0:39:21.03,Default,,0000,0000,0000,,Q: Have you tried to change your\NMAC address on the DOCSIS level Dialogue: 0,0:39:21.03,0:39:22.71,Default,,0000,0000,0000,,or also for the DHCP request Dialogue: 0,0:39:22.71,0:39:26.00,Default,,0000,0000,0000,,or how do they do authentication\Nof the modem over the network? Dialogue: 0,0:39:26.00,0:39:30.28,Default,,0000,0000,0000,,A: So, the authentication\Nworks using certificates. Dialogue: 0,0:39:30.28,0:39:34.39,Default,,0000,0000,0000,,I’m actually not sure, I haven’t\Nread the standard on that side Dialogue: 0,0:39:34.39,0:39:38.04,Default,,0000,0000,0000,,whether the MAC address is part\Nof the certificate. I don’t know. Dialogue: 0,0:39:38.04,0:39:42.54,Default,,0000,0000,0000,,If it’s not, you can easily just\Nchange it. I haven’t tried. Dialogue: 0,0:39:42.54,0:39:49.29,Default,,0000,0000,0000,,But then again, the modems\Nare – what? – 8 Euros? Dialogue: 0,0:39:49.29,0:39:51.22,Default,,0000,0000,0000,,Herald: Number 7. Dialogue: 0,0:39:51.22,0:39:55.53,Default,,0000,0000,0000,,Q: What other recommendations\Ndo you have Dialogue: 0,0:39:55.53,0:40:00.31,Default,,0000,0000,0000,,– if someone were to have a\Nsuspicion about a vulnerability – Dialogue: 0,0:40:00.31,0:40:05.73,Default,,0000,0000,0000,,for the research part and\Nfor the disclosure part? Dialogue: 0,0:40:05.73,0:40:09.67,Default,,0000,0000,0000,,A: What do you have to do… I can’t give\Nyou any legal or any advice on that one. Dialogue: 0,0:40:09.67,0:40:13.09,Default,,0000,0000,0000,,I can tell you that getting\Nsomebody involved Dialogue: 0,0:40:13.09,0:40:16.13,Default,,0000,0000,0000,,that has done this before\Nis a really smart idea. Dialogue: 0,0:40:16.13,0:40:18.91,Default,,0000,0000,0000,,Because they’ve gone\Nthrough a lot of pain points. 
Dialogue: 0,0:40:18.91,0:40:22.43,Default,,0000,0000,0000,,The press is even better because\Nthey have a really, really big lever Dialogue: 0,0:40:22.43,0:40:25.78,Default,,0000,0000,0000,,nobody wants to be in the press\Nfor 2 months or whatever Dialogue: 0,0:40:25.78,0:40:31.17,Default,,0000,0000,0000,,just on negative news that there was\Nsomebody who was legitimately trying Dialogue: 0,0:40:31.17,0:40:35.36,Default,,0000,0000,0000,,to tell them to improve their\Nnetwork and they sued them. Dialogue: 0,0:40:35.36,0:40:39.73,Default,,0000,0000,0000,,So there’s a really good chance that\Ngoing via the press is going to keep Dialogue: 0,0:40:39.73,0:40:43.96,Default,,0000,0000,0000,,problems away from you,\Nbut there’s no guarantee. Dialogue: 0,0:40:43.96,0:40:50.05,Default,,0000,0000,0000,,I cannot give you real – I mean legal\Nor any coherent – advice on that one. Dialogue: 0,0:40:50.05,0:40:53.59,Default,,0000,0000,0000,,I would… I mean, if I would find such\Na thing again, I would definitely go Dialogue: 0,0:40:53.59,0:40:57.14,Default,,0000,0000,0000,,the same route. I would just call\Nup Heise and tell them and… Dialogue: 0,0:40:57.14,0:41:00.26,Default,,0000,0000,0000,,That went pretty smoothly. Dialogue: 0,0:41:00.26,0:41:03.61,Default,,0000,0000,0000,,And if… I mean, the really cool thing\Nis, they actually listen to the press. Dialogue: 0,0:41:03.61,0:41:05.63,Default,,0000,0000,0000,,If I had gone to the service,\Nthey would have just said Dialogue: 0,0:41:05.63,0:41:10.80,Default,,0000,0000,0000,,“Sorry, wrong number,\NI can’t help you.” Dialogue: 0,0:41:10.80,0:41:13.52,Default,,0000,0000,0000,,Herald: Now the Internet. Dialogue: 0,0:41:13.52,0:41:17.20,Default,,0000,0000,0000,,Q: How did you obtain the\Noriginal data? Did you use JTAG Dialogue: 0,0:41:17.20,0:41:22.47,Default,,0000,0000,0000,,or dump the device’s firmware\Nand run it virtualized? Dialogue: 0,0:41:22.47,0:41:27.78,Default,,0000,0000,0000,,A: Ahhhhh. 
Not sure how much of\Nthat I should actually tell everybody. Dialogue: 0,0:41:27.78,0:41:30.91,Default,,0000,0000,0000,,Let’s say, I replaced… Dialogue: 0,0:41:30.91,0:41:34.15,Default,,0000,0000,0000,,You can actually see\Nthis on the slide, wait. Dialogue: 0,0:41:34.15,0:41:39.05,Default,,0000,0000,0000,,{\i1}makes “Tchtchtchtchtch” sound{\i0} Dialogue: 0,0:41:39.05,0:41:42.25,Default,,0000,0000,0000,,Oh my god, this is going to take forever. Dialogue: 0,0:41:42.25,0:41:46.98,Default,,0000,0000,0000,,Okay, dududum, where’s my\Nmouse cursor? There it is. Dialogue: 0,0:41:46.98,0:41:50.96,Default,,0000,0000,0000,,Okay… So, I got a\Npicture of the modem… Dialogue: 0,0:41:50.96,0:41:55.82,Default,,0000,0000,0000,,…here. There you go. So… Dialogue: 0,0:41:55.82,0:41:59.80,Default,,0000,0000,0000,,…what you can see here, down there,\Nthe white and the yellow cables, Dialogue: 0,0:41:59.80,0:42:02.25,Default,,0000,0000,0000,,those are the serial port. Dialogue: 0,0:42:02.25,0:42:06.13,Default,,0000,0000,0000,,And the IDE cable up there\Nthat’s where the flash chip was Dialogue: 0,0:42:06.13,0:42:09.50,Default,,0000,0000,0000,,before I started fiddling with the modem.\N{\i1}laughter{\i0} Dialogue: 0,0:42:09.50,0:42:12.04,Default,,0000,0000,0000,,Now, the flash chip is actually\Nin that socket up there. Dialogue: 0,0:42:12.04,0:42:15.57,Default,,0000,0000,0000,,Which means I could swap the\Nflash chip between a device I own Dialogue: 0,0:42:15.57,0:42:18.05,Default,,0000,0000,0000,,– BeagleBone Black, for example,\Nthat’s a really nice SPI interface Dialogue: 0,0:42:18.05,0:42:20.48,Default,,0000,0000,0000,,that you could just use to write those Dialogue: 0,0:42:20.48,0:42:22.17,Default,,0000,0000,0000,,– and then plug it back into the modem. Dialogue: 0,0:42:22.17,0:42:28.05,Default,,0000,0000,0000,,So I could replace the firmware\Nand get myself an initial shell. 
Dialogue: 0,0:42:28.05,0:42:32.99,Default,,0000,0000,0000,,As I mentioned earlier, I really\Ndo not like to lose Internet access. Dialogue: 0,0:42:32.99,0:42:37.79,Default,,0000,0000,0000,,So this is not the modem that\NI was actually using at home. Dialogue: 0,0:42:37.79,0:42:40.77,Default,,0000,0000,0000,,Instead, I just used that modem\Nto fetch a firmware image Dialogue: 0,0:42:40.77,0:42:44.72,Default,,0000,0000,0000,,so I could then look and see\Nwhether there might be other bugs Dialogue: 0,0:42:44.72,0:42:48.83,Default,,0000,0000,0000,,that you could use. Dialogue: 0,0:42:48.83,0:42:51.52,Default,,0000,0000,0000,,Herald: Now number 8. Dialogue: 0,0:42:51.52,0:42:54.79,Default,,0000,0000,0000,,Q: Earlier, you’ve said that\N– who was it… – Dialogue: 0,0:42:54.79,0:42:59.47,Default,,0000,0000,0000,,Fritz!Box was more secure and they\Ndidn’t have the same vulnerabilities. Dialogue: 0,0:42:59.47,0:43:03.08,Default,,0000,0000,0000,,Do you think they simply didn’t use\Nhardcoded passwords and stuff? Dialogue: 0,0:43:03.08,0:43:07.10,Default,,0000,0000,0000,,So do you think they’ll be vulnerable\Nto similar attacks and that someone Dialogue: 0,0:43:07.10,0:43:10.67,Default,,0000,0000,0000,,probably, like you wouldn’t tell them,\Nbut maybe they should look into it Dialogue: 0,0:43:10.67,0:43:14.50,Default,,0000,0000,0000,,or do you think that it isn’t possible\Nand someone should, like, prove you wrong? 
Dialogue: 0,0:43:14.50,0:43:18.00,Default,,0000,0000,0000,,A: From all I can tell, but this is…\NI mean, just a gut feeling that I get Dialogue: 0,0:43:18.00,0:43:20.47,Default,,0000,0000,0000,,from looking at different firmware files, Dialogue: 0,0:43:20.47,0:43:22.79,Default,,0000,0000,0000,,the usual way, at least\Nthe Linux-based firmware Dialogue: 0,0:43:22.79,0:43:28.63,Default,,0000,0000,0000,,works on those systems is\Nthat there’s TI creating a BSP Dialogue: 0,0:43:28.63,0:43:31.92,Default,,0000,0000,0000,,then they give it out to Motorola.\NThen Motorola gives it out to CBN. Dialogue: 0,0:43:31.92,0:43:35.73,Default,,0000,0000,0000,,Then CBN gives it out\Nto Kabel Deutschland. Dialogue: 0,0:43:35.73,0:43:40.83,Default,,0000,0000,0000,,And then, each party of those\Nadds a few pieces of stuff. Dialogue: 0,0:43:40.83,0:43:44.52,Default,,0000,0000,0000,,That’s the usual way it\Nworks in those devices. Dialogue: 0,0:43:44.52,0:43:47.56,Default,,0000,0000,0000,,Whereas in the AVM boxes,\Nthings looked vastly different. Dialogue: 0,0:43:47.56,0:43:49.56,Default,,0000,0000,0000,,There was one firmware image\Nthat even contained information Dialogue: 0,0:43:49.56,0:43:51.97,Default,,0000,0000,0000,,for some Austrian provider. Dialogue: 0,0:43:51.97,0:43:58.04,Default,,0000,0000,0000,,So instead of giving full\Ncontrol to the cable provider, Dialogue: 0,0:43:58.04,0:44:04.86,Default,,0000,0000,0000,,AVM kept control on their own and actually\Naudited the stuff they were doing. Dialogue: 0,0:44:04.86,0:44:07.64,Default,,0000,0000,0000,,That’s the major difference. Dialogue: 0,0:44:07.64,0:44:13.42,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:44:13.42,0:44:16.62,Default,,0000,0000,0000,,Herald: One more question\Nfrom the Internet. Dialogue: 0,0:44:16.62,0:44:20.50,Default,,0000,0000,0000,,Q: Do you know if they\Nstill use unencrypted SIP? Dialogue: 0,0:44:20.50,0:44:24.12,Default,,0000,0000,0000,,A: Oh yeah. 
{\i1}chuckles{\i0}\N{\i1}slight laughter{\i0} Dialogue: 0,0:44:24.12,0:44:27.32,Default,,0000,0000,0000,,A: Oh yeah.\N{\i1}loud laughter{\i0} Dialogue: 0,0:44:27.32,0:44:29.52,Default,,0000,0000,0000,,A: Nothing in the protocols\Nchanged at all, whatsoever. Dialogue: 0,0:44:29.52,0:44:32.33,Default,,0000,0000,0000,,They really just added a few firewalls. Dialogue: 0,0:44:32.33,0:44:37.76,Default,,0000,0000,0000,,So once you are on the physical layer,\Nyou can read everything you like, yes. Dialogue: 0,0:44:37.76,0:44:42.19,Default,,0000,0000,0000,,Well, and you break through\Nthe DOCSIS encryption, obviously. Dialogue: 0,0:44:42.19,0:44:45.02,Default,,0000,0000,0000,,Herald: Now the newly adjusted number 2. Dialogue: 0,0:44:45.02,0:44:47.89,Default,,0000,0000,0000,,Q: Thank you. Mine is\Nnot so much a question Dialogue: 0,0:44:47.89,0:44:51.15,Default,,0000,0000,0000,,as I’d like to add some insight\Nand perspective to this. Dialogue: 0,0:44:51.15,0:44:54.55,Default,,0000,0000,0000,,I, myself, worked for several ISPs Dialogue: 0,0:44:54.55,0:44:57.50,Default,,0000,0000,0000,,and the… we… actually\NI worked for an ISP Dialogue: 0,0:44:57.50,0:45:01.35,Default,,0000,0000,0000,,that had not this particular\Nissue, but a similar issue. Dialogue: 0,0:45:01.35,0:45:04.16,Default,,0000,0000,0000,,The way that it was fixed and Dialogue: 0,0:45:04.16,0:45:07.03,Default,,0000,0000,0000,,– you can look me up, I’ve worked\Nfor several ISPs, you won’t know Dialogue: 0,0:45:07.03,0:45:08.68,Default,,0000,0000,0000,,which one had this problem – Dialogue: 0,0:45:08.68,0:45:13.71,Default,,0000,0000,0000,,but what was actually the fix\Nwas a simple IP check. Dialogue: 0,0:45:13.71,0:45:17.82,Default,,0000,0000,0000,,So once you downloaded\Nfrom the TFTP server, Dialogue: 0,0:45:17.82,0:45:21.52,Default,,0000,0000,0000,,it was just checked if you did it\Nfrom the IP that was suspected. 
Dialogue: 0,0:45:21.52,0:45:26.91,Default,,0000,0000,0000,,So this issue may actually be\Nreproducible if you can somehow Dialogue: 0,0:45:26.91,0:45:30.43,Default,,0000,0000,0000,,get hold of an IP [address]\Nyou weren’t supposed to have. Dialogue: 0,0:45:30.43,0:45:34.58,Default,,0000,0000,0000,,Like, say, spoof MAC address\Nor something like that. Dialogue: 0,0:45:34.58,0:45:39.86,Default,,0000,0000,0000,,That being said, I’d like to attach\Na comment to the whole SIP thing, too. Dialogue: 0,0:45:39.86,0:45:45.44,Default,,0000,0000,0000,,You indicated that it’d be possible\Nto silently intercept the conversations Dialogue: 0,0:45:45.44,0:45:50.04,Default,,0000,0000,0000,,which is not necessarily the issue\Nbecause many SIP servers Dialogue: 0,0:45:50.04,0:45:52.86,Default,,0000,0000,0000,,can be configured\Nto allow multiple endpoints Dialogue: 0,0:45:52.86,0:45:55.88,Default,,0000,0000,0000,,so as the\N– what’d you call it? – Dialogue: 0,0:45:55.88,0:45:58.42,Default,,0000,0000,0000,,the bad guy would be able\Nto pick up your calls, Dialogue: 0,0:45:58.42,0:46:01.21,Default,,0000,0000,0000,,you would also hear your\Nphone calling yourself. Dialogue: 0,0:46:01.21,0:46:04.50,Default,,0000,0000,0000,,A: Right, and if your phone picks\Nup within 0.01 microseconds, Dialogue: 0,0:46:04.50,0:46:06.97,Default,,0000,0000,0000,,then, yeah, there’s nothing\Nyou can do about it. Dialogue: 0,0:46:06.97,0:46:10.07,Default,,0000,0000,0000,,It just rings again.\NThat’s the point about it. Dialogue: 0,0:46:10.07,0:46:13.61,Default,,0000,0000,0000,,Also, the other bit that\Nyou have on the SIP server Dialogue: 0,0:46:13.61,0:46:17.31,Default,,0000,0000,0000,,is that that particular server actually\Nonly allowed one endpoint Dialogue: 0,0:46:17.31,0:46:20.69,Default,,0000,0000,0000,,to be registered at a time.\NAt least from what I could tell. Dialogue: 0,0:46:20.69,0:46:25.17,Default,,0000,0000,0000,,It was some Huawei\Nbox. I don’t know. 
Dialogue: 0,0:46:25.17,0:46:28.63,Default,,0000,0000,0000,,Herald: Number 3, please. Dialogue: 0,0:46:28.63,0:46:30.67,Default,,0000,0000,0000,,Q: Yeah, I attended this talk today Dialogue: 0,0:46:30.67,0:46:36.72,Default,,0000,0000,0000,,because I know that at the beginning,\Nwhen DOCSIS was introduced, Dialogue: 0,0:46:36.72,0:46:39.96,Default,,0000,0000,0000,,the modems were asking\Nfor the configuration file Dialogue: 0,0:46:39.96,0:46:44.90,Default,,0000,0000,0000,,also over the Ethernet\Nport which is great. Dialogue: 0,0:46:44.90,0:46:48.34,Default,,0000,0000,0000,,And my question is: Dialogue: 0,0:46:48.34,0:46:54.48,Default,,0000,0000,0000,,Is there a way within the DOCSIS standard\Nso that the ISP can verify their hardware? Dialogue: 0,0:46:54.48,0:47:00.21,Default,,0000,0000,0000,,I mean, you… I have seen\Nthe type and the vendor name Dialogue: 0,0:47:00.21,0:47:06.35,Default,,0000,0000,0000,,and the SNMP but you can\Nobviously spoof that. Dialogue: 0,0:47:06.35,0:47:11.49,Default,,0000,0000,0000,,Of course, firmware\Nbinaries won’t run on the Dialogue: 0,0:47:11.49,0:47:15.36,Default,,0000,0000,0000,,wrong hardware, but… Dialogue: 0,0:47:15.36,0:47:17.35,Default,,0000,0000,0000,,A: I’m not quite sure\NI’m getting what you’re… Dialogue: 0,0:47:17.35,0:47:21.89,Default,,0000,0000,0000,,Q: The question is: Is there\Na way to control for the ISP Dialogue: 0,0:47:21.89,0:47:25.64,Default,,0000,0000,0000,,which hardware there is they’re using? Dialogue: 0,0:47:25.64,0:47:27.93,Default,,0000,0000,0000,,A: So I come from a\Nvirtualization background. Dialogue: 0,0:47:27.93,0:47:31.63,Default,,0000,0000,0000,,And in my world, there is\Nno such thing. It doesn’t exist. Dialogue: 0,0:47:31.63,0:47:33.16,Default,,0000,0000,0000,,{\i1}slight laughter{\i0} Dialogue: 0,0:47:33.16,0:47:38.94,Default,,0000,0000,0000,,Sorry. If you can somehow\Nabstract it, you can abstract it. Dialogue: 0,0:47:38.94,0:47:42.84,Default,,0000,0000,0000,,Q: OK.\NHerald: 8, please. 
Dialogue: 0,0:47:42.84,0:47:48.19,Default,,0000,0000,0000,,Q: Hi. I wanted to add on the\Npart with the MAC spoofing. Dialogue: 0,0:47:48.19,0:47:52.13,Default,,0000,0000,0000,,Because I had a modem\Nlike that, like 5 years ago, Dialogue: 0,0:47:52.13,0:47:55.71,Default,,0000,0000,0000,,and actually I never went\Ninside the modem, Dialogue: 0,0:47:55.71,0:47:59.96,Default,,0000,0000,0000,,but I had some applications where\NI needed a new IP address Dialogue: 0,0:47:59.96,0:48:02.64,Default,,0000,0000,0000,,in a short period of time… Dialogue: 0,0:48:02.64,0:48:06.78,Default,,0000,0000,0000,,{\i1}loud laughter{\i0} Dialogue: 0,0:48:06.78,0:48:10.34,Default,,0000,0000,0000,,And I remember that actually… the thing… Dialogue: 0,0:48:10.34,0:48:16.83,Default,,0000,0000,0000,,if you told the modem your MAC\Naddress, a different MAC address, Dialogue: 0,0:48:16.83,0:48:20.98,Default,,0000,0000,0000,,you got different external\NIP addresses back then. Dialogue: 0,0:48:20.98,0:48:24.36,Default,,0000,0000,0000,,I don’t know if things have changed\Nbecause it was 5 years ago Dialogue: 0,0:48:24.36,0:48:28.18,Default,,0000,0000,0000,,but… yeah… after what\NI’ve heard from you, Dialogue: 0,0:48:28.18,0:48:30.62,Default,,0000,0000,0000,,I’m kind of unsure that things changed. Dialogue: 0,0:48:30.62,0:48:33.58,Default,,0000,0000,0000,,A: No, I’m fairly sure this is actually\Naccurate. From what I understand, Dialogue: 0,0:48:33.58,0:48:37.67,Default,,0000,0000,0000,,I never did that myself but I\Nheard from people who did, Dialogue: 0,0:48:37.67,0:48:42.79,Default,,0000,0000,0000,,the MAC address check and the\Ncertificate check are actually separate. 
Dialogue: 0,0:48:42.79,0:48:47.91,Default,,0000,0000,0000,,So that if you own a valid certificate\Nfrom some random dude who happens to Dialogue: 0,0:48:47.91,0:48:52.53,Default,,0000,0000,0000,,actually pay for the service,\Nand you get that certificate, Dialogue: 0,0:48:52.53,0:48:55.61,Default,,0000,0000,0000,,and you’re not on the\Nsame CMTS as that guy, Dialogue: 0,0:48:55.61,0:48:59.22,Default,,0000,0000,0000,,then you can actually go and, well, Dialogue: 0,0:48:59.22,0:49:03.27,Default,,0000,0000,0000,,basically say that you’re him even if\Nyou have a different MAC address. Dialogue: 0,0:49:03.27,0:49:06.26,Default,,0000,0000,0000,,Which then, again, implies that if you\Nchange the MAC address, you can just Dialogue: 0,0:49:06.26,0:49:09.06,Default,,0000,0000,0000,,be somebody else. Which\Nthen again implies that… Dialogue: 0,0:49:09.06,0:49:13.61,Default,,0000,0000,0000,,maybe you can actually go and get\Nsomebody else’s Provisioning Files, yeah. Dialogue: 0,0:49:13.61,0:49:15.45,Default,,0000,0000,0000,,{\i1}slight laughter{\i0} Dialogue: 0,0:49:15.45,0:49:18.41,Default,,0000,0000,0000,,Q: Well, yeah… not up to you. Dialogue: 0,0:49:18.41,0:49:20.46,Default,,0000,0000,0000,,A: Not going to try out. Dialogue: 0,0:49:20.46,0:49:22.32,Default,,0000,0000,0000,,Herald: Number 2, please. Dialogue: 0,0:49:22.32,0:49:28.01,Default,,0000,0000,0000,,Q: Yeah, you had this one\Nwith one particular provider Dialogue: 0,0:49:28.01,0:49:30.39,Default,,0000,0000,0000,,and I happen to know that\Nthere’s a second provider Dialogue: 0,0:49:30.39,0:49:36.02,Default,,0000,0000,0000,,using the same technology in Germany:\Nwere they somehow involved in this loop? Dialogue: 0,0:49:36.02,0:49:40.26,Default,,0000,0000,0000,,I mean, it took Kabel Deutschland\Ntwo months to fix this and… Dialogue: 0,0:49:40.26,0:49:42.11,Default,,0000,0000,0000,,A: No, but they better hurry up! 
Dialogue: 0,0:49:42.11,0:49:45.87,Default,,0000,0000,0000,,{\i1}laughter and applause{\i0} Dialogue: 0,0:49:45.87,0:49:48.13,Default,,0000,0000,0000,,Q: Thanks!\N{\i1}applause{\i0} Dialogue: 0,0:49:48.13,0:49:53.69,Default,,0000,0000,0000,,A: And, quite frankly, I do not believe Dialogue: 0,0:49:53.69,0:49:58.49,Default,,0000,0000,0000,,that this is limited to Germany\Nat all, whatsoever. Dialogue: 0,0:49:58.49,0:50:06.95,Default,,0000,0000,0000,,So… Yeah. Let’s see who’s faster. Dialogue: 0,0:50:06.95,0:50:08.95,Default,,0000,0000,0000,,Alright, end of questions, right?\NOr is there any…? Dialogue: 0,0:50:08.95,0:50:11.36,Default,,0000,0000,0000,,Herald: It looks like we’re\Nat the end of questions. Dialogue: 0,0:50:11.36,0:50:13.28,Default,,0000,0000,0000,,The Internet maybe…? Dialogue: 0,0:50:13.28,0:50:15.52,Default,,0000,0000,0000,,No, the Internet doesn’t\Nhave any questions. Dialogue: 0,0:50:15.52,0:50:17.73,Default,,0000,0000,0000,,There are 8 empty microphones. Dialogue: 0,0:50:17.73,0:50:24.80,Default,,0000,0000,0000,,So thank you very much for your talk\Nand thank you very much for the Q&A. Dialogue: 0,0:50:24.80,0:50:30.95,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:50:30.95,0:50:34.90,Default,,0000,0000,0000,,{\i1}postroll music{\i0} Dialogue: 0,0:50:34.90,0:50:41.84,Default,,0000,0000,0000,,Subtitles created by c3subtitles.de\Nin 2016. Join and help us!