32C3 preroll music Herald: The next talk is going to be “Beyond Your Cable Modem” – how not to do DOCSIS networks. Sorry, I’m not a hardware guy. But Alexander Graf is going to hold the talk and he has done a lot of virtualization and stuff other people think is too complicated. Now he is going to talk about the outside of your apartment. Give him a warm welcome. applause Alexander: Hi and welcome to my talk “Beyond Your Cable Modem”. This is going to look at what’s beyond the stuff you usually see at home where you just plug in a network cable and you happen to have Internet available. So, who am I? I’m Alexander Graf – I’m usually more of a virtualization developer. I have nothing to do with hacking in my day work, I don’t usually go around and hack embedded devices. Usually, at least. But, during the last year, I had a lot of spare time at night because the baby was crying, so I figured: I could as well spend that time and do something useful. So, what happened? We moved to a new home. I was living in a home where I had DSL available, I had a real phone line, everything was great, things were just awesome. But then we moved into this new home where… where there was no DSL available. Well, there was DSL available but there were different circumstances why I couldn’t use it. So instead, I figured: You know what? Try this cool new technology: Internet over your cable TV. Ehh, cable. TV cable. So I got myself a cable modem from the provider, got myself registered and now had Internet over cable TV. Also, along the same lines, I figured: Why not go and also do your phone line over that cable provider with your old phone number so that people still can contact you when they want to. Now, the thing is, when I finally received the whole package, I realized: Woh! Wait! Something’s wrong here! That’s an analogue phone line! Are we, like, in 2015 or is it 1994? So, instead of the usual digital stuff that I am used to, I just got myself an analogue phone line. 
So I had to put myself another box in there that would convert the analogue phone line back to a digital phone line, so I could route it in my house to another line, to another machine that would then go and route it to my phone. You see the problem in there? Yeah, that whole stuff over there just doesn’t look right, right? Why would you go and convert something that is obviously digital? I mean, the stuff that goes into your cable is obviously digital, right? Kind of obvious… and convert it back to analogue and then back to digital just to be able to do a phone call. So I called up the technicians, Support, and said: “Hey guys, you know what? Isn’t there a way I can, like, directly access whatever you have there and go and use digital throughout?” And the guy said: “Well, you know what? Actually, behind the scenes, we’re all just running SIP. It’s just a normal SIP server. Just normal voice-over-IP, nothing special about it. So, if you know what you’re doing, just go ahead and connect to it.” laughter and applause Challenge accepted. So, what we learned from Felix earlier in his car talk: It was: What do you do when you don’t want to brick your own system? Of course, you buy a new one on ebay. They’re really cheap, just go and get a cable modem and then you can go away and treat it with the kind of love that you want a device to be treated with. laughter Turns out, my modem is actually just running Linux. Hooh! Nice! That fits me pretty well! And it’s just a normal ARM system. Well, the only special thing is: It’s Big-Endian. But then again, I’m kind of used to ARM by now, why not just go away and like go around and just look at how this thing works. And, well, we really just want to get this voice-over-IP stuff working, so take a look at how this voice-over-IP stuff works on the device! Turns out, there’s actually a normal SIP. SIP works on port 5060 usually. Normal SIP client running on there, but this IP looks weird. So, my external IP looks different. 
And my internal IP is different, so where does this IP come from? So I looked at the IP list of my device and figured: Well, something’s weird here. I have a lot of IPs in there and connections that I really don’t know anything about. Hm. So down here, is obviously my phone line. And up here, is something else that I have no idea what this is about. So I figured: Let’s go and dig a bit deeper. And see what’s actually happening there. So how does DOCSIS work? This is just a small introduction, like high-level introduction, on how the routing runs. So basically, you have the cable modem that is connected using your TV cable line to a CMTS, just a translation service, that then takes all of the DOCSIS-specific stuff and just basically gives you an IP routing over into something- something-something behind it. However, it doesn’t just give you one line. It actually gives you three. It gives you one line for your Internet. Makes sense, right? You want to get online. That’s the one you actually see when you plug into the device. It also gives you another line for VoIP. And it gives you one more line that I would call the “Admin” line. It’s the provisioning line. Now, let’s start with the Admin line. That sounds the most interesting, right? laughter What does the Admin line do? Well, in the end, a modem in the DOCSIS network is just a normal client like in your Ethernet network. So the first thing it does when it gets online is: it does a DHCP request. And on the DHCP request it goes and gets an IP address and gets all the information it needs. And it also, well, it’s kind of sane, it’s just a normal DHCP request. It also, however, gets something similar to PXE booting where it gets usually… in PXE booting you would get an executable that you’d run, here, you get something different. Here, you also get a file that you need to download using TFTP just like with PXE. 
However, in this case, it’s a configuration file… – There you go – …configuration file… …that you just receive using PXE to your cable modem; and then, the cable modem is configured. Now what is inside this Provisioning File, that’s what I call it? Well, there’s interesting information like: What is your firmware update filename called? If you want to update your firmware or if the provider wants to have you update your firmware. How much bandwidth do I have? laughter I hear, people have been playing with that one… laughter And, well, since it’s just a normal TFTP request you can just do it yourself, too. This is my configuration. You just go, get it, and you have your configuration file. Now, the interesting thing that I realized when I first started doing this was: Sure, this is my configuration file. But what about configuration files from other people? Well, you go and get the MAC address, if you have the MAC address you just go and get it and there you go: You have the other people’s configuration file. laughter Easy as that, right? That’s the way it’s supposed to work. applause The actual effects of that, we’re going to come to that later. Let’s just declare TFTP, the whole access to that, as “slightly insecure” for now. laughter But now, if you’re an ISP, you want to monitor what your people do, right? So imagine, you’re the admin there. Just imagine, you’re one of the good guys, right? And you want to see what are those people on your modem doing. Are they, like, downloading too much content? Because you obviously cannot filter or find that out from the other side. So, what do you do? Well, you obviously send the industry standard for that: An SNMP request. Using a password that only you know. laughter Send it over to the cable modem and the cable modem then goes in and replies with the respective reply saying “Oh, yeah, sure, I got that piece of information, there you go, you have it.” Oh, that was too quick! 
But how does your modem actually verify that password? Yeah, you guessed right: Using the Provisioning File, obviously! laughter Once you download the Provisioning File from any random modem in there – including yours – you end up getting an interesting password. laughter However, they actually did at least one thing: They limited the address range you are allowed to access those devices on. laughter Yeah… applause As a hint for those who did not clap: This means, everybody who is in that network. But how big is this network? I figured: Why not just give it a try and ask some people in Hannover whether I could just get their MAC addresses and see how far I could get. Just send an SNMP request over, I had the password now, right? And ask that modem: “Please tell me everything you know!” And it replied! laughter There’s a lot of interesting information, SNMP, you wouldn’t believe it! So this is obviously just stuff like “Oh, yeah, I’m this and that modem!” But there’s more in there. There’s, for example… this is my public IP address! – in case you’re searching for someone specific. Or… these are my internal MAC addresses and IP addresses. In case you’re searching for some specific notebook that someone stole from you or so. laughter Or… this is my Provisioning File, in case you just happened to port scan all of the machines out there and ask them using the same password that they all share on what their Provisioning Files could be called. clears throat Of course, I never did that. Right? laughter So, I would say, the whole SNMP story isn’t “really” all that secure either. But at a certain point in time, like when the modem actually doesn’t work like the way you would envision it to be or if you just need to do more administrative stuff, the admin wants to have more access than just SNMP, right? This is kind of isolated to a few specific pieces of information. You want some more hardcore access. Like real go down into a real shell. How do you do shells in 2015? 
Audience: TELNET! Alexander: Telnet. Exactly! laughter applause We’ll actually get to the point why Telnet was a good idea later, but… that’s 30 slides down or so. We already managed to get an SNMP connection working to a different modem, let’s just try the same with Telnet and see how far we can get. We can go in and just Telnet in and it replies and says “please give me a login” Hm. Now where do I get this login from? laughter Turns out, the administrator needs to provide that password just the same to the modem, which needs to verify it. Based on configuration. Which it gets from the Provisioning File. That… I think you see the point. So in the same Provisioning File that you can obviously again download for every single user in the network you also have the password. In plaintext. That’s the part that actually took me the longest in this whole thing. I spent weeks trying to figure out what hash this is. raging laughter big applause So if we try to log in to the server using those credentials we got, we get greeted with a nice command line interface for poor Mr. Admin at our provider’s side. But I don’t really like those, like, boiled-down interfaces. I want a real shell. I want to load kernel modules. I want to filter all my network traffic. I want to reroute everything that modem does to a different machine. I want to rewrite the VoIP client to instead do… either way! So I want to do something real. Let’s do the help command and it tells us that there’s a cool command called “shell”. laughter Ah yeah, there you go, got a shell! By now, at that point, I can actually go and do anything I want to that modem. I got full root access. By the way, all the modems run every single piece of software running on there, including your web server and your SIP server and anything as UID 0. Which is a good idea, right? So, I now got shell access so I can do anything I want. 
I can re-route all your traffic, I don’t, obviously, but this is basically where we went half a year ago. Another thing to note is that – since it’s so annoying to generate different passwords for different devices… Yeah, yeah, I know. You just use one password for all, right? It’s good enough. So you don’t even have to read your other person’s Provisioning File, you can just use your own password that is in your own Provisioning File which you already have on your modem because you’re provisioned yourself. The only notable exception that I found to this whole scheme – I mean, you could basically go and log in to any modem out there, except for Fritz!Boxes. applause Yeah, congratulations everyone! Kudos! So, apparently, AVM are the only ones who did not follow the standard scheme from my provider and instead said: “No no no, guys! You don’t do the firmware. WE do the firmware”, and they just don’t like to enable Telnet. Apparently there are people in that company that actually know what they’re doing. So, I would say the whole Telnet access thing isn’t exactly… I wouldn’t mark it “secure” either. Naahhh… naaah… But we didn’t really come here for the Admin network, right? I was just… it happened to be around. I just looked at it and… njeeeeeh. We wanted to go and do voice-over-IP! Hah! Yeah, so how does VoIP look like? It’s kind of similar. It also does a DHCP request in the beginning. DHCP is usually fine, I mark it with a green tick here. I’ll leave it to others to further dig down into that part. It does the same TFTP bit so if you just go and – instead of downloading your Provisioning File from your own modem, from the RAN, from the admin network – you just go and get it from the other MAC address and there you go, you have it. Nicely enough, all those cable providers registered consecutive MAC addresses, so if you have one, you also have the others. 
Just… You basically just ask a friend: “Give me your MAC address that’s written on the box” and you basically have everything you need. SNMP is the same thing. You can access it using SNMP. The really nice thing about SNMP here is that the box also tells you the other accesses it has, so if you only have one IP address, or… I also have a nice DNS service internally that tells you what the IP address is to a certain MAC address, so you just ask the DNS for the MAC address of the VoIP access, then you go and SNMP, ask it for the IP address of the admin network, and there you go. You’re in the box. However, the really interesting bit on the voice-over-IP network is SIP. Since… you want to do VoIP, right? That’s what the whole thing is about. So VoIP basically works… the way that your modem wants to go and do a phone call. So how do you do a phone call with SIP? You need to provide data like credentials, like, tell the other side, the server, how you authenticate yourself. Which, obviously, is written in your Provisioning File. So, you use those and tell the server: “I want to do a phone call” and there you go: You do a phone call. Now if we look at this Provisioning File, you can see that it contains your server and your user name and your phone number and your… well, basically everything you’d need to log in to a SIP server. Now, since I can read anybody else’s Provisioning Files… laughter So, imagine I’m this user up there. Right? And I’m just doing a normal call as this phone number up there. Well, maybe there’s this other guy in the network who just goes in and downloads your Provisioning File and, well, he gets all the credentials he would need, so he gets the same phone number and then he can just go and do a call. Hm. Yeah. Maybe I should have registered a few 0900 numbers. Now the really interesting part here is – it also works the other way! 
You register for it and if you’re the fastest one registering it, the other modem doesn’t get the chance to receive calls which means now you receive the calls and then you can just tell the other modem that there was a call, just that, by now, you actually route all the traffic through your modem and you can listen to all the voice data that there is on the line. Yay! Yeah… laughter Not sure it’d be a good idea to talk to your lawyer around… Using this line for secure stuff is probably not the best. I wouldn’t mark SIP as secure on this thing, either. But at this point, so on the Telnet access and on all the other parts, I was, like, sure, I can fix it for myself. I’m an egoist, right? I can fix it for myself. I don’t care about the rest of mankind… I do, but I can claim that! I can just as well ignore all the others and say: I fix it for myself. But for voice-over-IP, I can’t. Because I’m completely out of the loop. This other guy, he could just go and steal my credentials, because he can… and there’s nothing I can do about it. So at that point, I was kind of scared that someone would be able to hack me. So I started to think about how to fix this thing. Now, the first thing that comes to mind is obviously: You as a user go and pick up the phone and call the service line from your provider. laughter Yeah, I don’t think, that’s a good idea. laughter Nah, no I didn’t want to go down that road, nah… So, instead, I figured, I’m going to call someone else. I’m going to call a couple friends. laughter and applause applause Gonna call a couple of friends from Heise, thanks to my Linux work, I knew a few of those, and they also tend to do security, which kind of falls into this whole thing and used them as a proxy. So that nobody could actually go and sue me until things were public. So, imagine what the provider would do when he hears that I hacked into their Telnet account. Sure, you’d do the obvious thing: You’d replace Telnet with SSH, right? 
It’s what everybody would do. It’s the first thing. You look at this and think, like, “Oh my god, this is 2015, why would you be doing Telnet?” Well, the answer is pretty simple. Emm… laughter Take a look again. It’s not as simple as you think. Take a look at it again, there’s this Provisioning File. SSH actually gets different credentials! So, the SSH credentials are actually down here. And the password is different from the one on the top. I don’t know what the password is. But I can tell you that the password hash is really cool! So, the password hash is something that comes from VxWorks, so I’m pretty sure that there are more devices out there that might be interesting to look at. The VxWorks hash actually works in a really simple way: It creates a checksum of your input that lies somewhere between those 2 numbers and then creates a fancy String out of them based on some heuristics. But essentially, the whole password down there boils down to just a single number that is basically, in a realistic case, the upper limit is 40 characters, so you’re not going to see a password that long, realistically you basically check around 100 passwords and any hash out there, any password that’s available, you already cracked it. Which means, there are so many collisions in this hash, which I wouldn’t even call a hash, that I don’t know what the original password is like… I don’t know. But this one works pretty well! laughter and applause applause So we go ahead and we log into this machine and we type in our collision and… there you go! We got the same thing as before! So we told them again: “Guys, look, it’s not as easy as that. You should probably take a bit deeper breath and take a look at how things actually are broken.” Which, turns out, they did! So what happened next? We had this whole huge mess with lots of services that are all attackable and everything’s just wholly broken. That was two months ago. 
There were some circumstances why we just couldn’t tell them earlier. And we basically told them: “Guys, you know, in 2 months’ time we’re going to do a talk here and everything’s going to be public so you might want to fix your network until then.” laughter So the first thing that they did is: They added a check to their TFTP server to verify whether you’re actually eligible to download this Provisioning File. applause So now, you can only download your own Provisioning File. Which is great… finally! I mean, this is the obvious thing to do. So that one’s fixed. Then, they went ahead and said: Well, there’s no real reason why one modem should do SNMP traffic with another. So they just added a firewall, saying, we’re blocking SNMP traffic between different machines – problem solved! applause The same for SSH – they went ahead and said: There’s no reason why you should be doing TCP between one modem and another. Problem solved! applause And because the VoIP access credentials are actually part of your Provisioning File which you can now no longer download from somebody else, that one is fixed too. Awesome! shy applause Go ahead, go ahead, clap! It’s awesome! applause Thank you, ISPs. So after two months, you actually managed to limit me into the borders that I was supposed to be in, in the beginning. It’s cool! So what do we have… Please guard your networks even if you believe that somebody couldn’t go in – they probably will. Because, as soon as a customer can access your device physically, which kind of happens to be the case with a modem that’s sitting in your apartment, that guy can access your network. There’s no way you can prevent it. So don’t believe that the border of your network is the home. The border of your network is the cable going into that home. The same way goes the other way around: If an ISP gives you a device, don’t trust that thing. Seriously. They can do anything they like. And sometimes, somebody else can, too. 
In this case, according to my provider, I was able to access 3 million devices. applause That’s quite some number. applause Also, the press is your friend. If you are afraid of revealing something, tell someone who can do it for you and usually, things go out well. Let’s hope for the best. And then, this whole thing went online in the beginning of the week and there were a couple of questions on the forums that I read and I just wanted to take the time to reply to those. First thing that always comes up is: “Is this a conspiracy?” Like “Oh my god, this is the NSA backdoor!” No way. I mean, seriously, those guys are not that stupid. They have their own front doors, they don’t need backdoors. laughter This really is just a case of “If we don’t secure things, it’s going to be easier for us.” Njee, it was easier for everybody, including the ones who shouldn’t have access. So, no, this is not a conspiracy. This is not some backdoor from some agency. This is really just a matter of a company not doing their homework. The same thing goes for other providers. My cable just wasn’t long enough to connect to some other country so I don’t know whether other DOCSIS networks are affected. From the best of my knowledge: Yes, they are. I’m not allowed to tell you to check. But if you happen to have that idea on your own… laughter and applause applause No animals were hurt during the production of this movie. laughter All the passwords were changed, so if you happen to know the real passwords, you probably had a good laugh during the presentation. If you don’t know the real passwords, njeeee, they are different. To the best of my knowledge, all of that knowledge that I just gave you is completely useless to you, because all the issues are fixed. Thank you. applause Herald [to Alexander]: Q&A? [Alexander nodding] Alexander: So now we can go for questions if you like. So please… or… you go ahead and announce it. 
Herald: So if you have questions, run towards a microphone and stand behind it visibly. The first one was on number 4. Q: You were talking about taking a couple of weeks to get to know that the password wasn’t hashed but plaintext. So how long did this whole exchange in total go on? How much facepalming and how many hours did it take for you? A: So I didn’t spend full time on it, I really literally just whenever the baby was crying I just went up and figured “I can do something”. It’s not… I basically got cable access two years ago. I first got into the modem about one year ago, I think. That’s when I started looking for real. I basically ended up digging deeper and deeper, right? It’s not… VoIP, for example, I only realized the whole voice-over-IP story in August. Since I just didn’t look before. I was like so excited to see all the other bits. shy laughter Just didn’t look. Herald: Now number 1, please. Q: Are you really sure that the TFTP Provisioning File fetching is secure now? Because… do they do some MAC integrity tests for MAC spoofing? A: Yeaaaaah… laughter The problem is the law, right? I’m not allowed to tell you to try it yourself, I’m not allowed to tell you that I don’t think that anything on the physical layer is insecure. I’m not allowed to tell you that… I mean there’s so many things I’m not allowed to tell you about this whole network… I haven’t tried. I really just went in and said “TFTP Fetch and see whether I can get it.” laughter and applause applause Herald: Number 7 up there on the balcony. Q: Hello. My question is, in the beginning in your config files, I think there was something about traffic priority or network priority as well. Did you play around with that one as well? Is that something about Net Neutrality, maybe? A: Ahh, that’s an interesting… OK, so, it’s not about Net Neutrality at all. 
It’s about QoS of different services, so they basically say that VoIP traffic gets higher priority than the other bits since you want to have low latency on voice-over-IP traffic, obviously. So that has nothing to do with Net Neutrality in this thing at all. I did play around with those settings, just because… coincidentally, right the day after the Fahrplan got released, my account got throttled to 80 kBit/s. I don’t know why. Could be related, could be not. But I figured, “I’m paying for 100 MBit/s” so I should probably get 100 MBit/s and started to look at those things. I did not manage to actually convince my modem to get me more. Q: Did you change the bandwidth in the settings? Herald: No dialogues, please. A: Yes, I did change the bandwidth. It’s not… my guess is, they’re also QoS’ing on the other side. But if you want to verify it, I’m not telling you not to. laughter Herald: Number 2, please. Q: Yes. So at first, thank you for the nice insights. I’m a cable user, so I’m interested here. And I want to, again, make a statement on the Provisioning File. You should have told them that the Provisioning File fetching in this way isn’t a good idea anyway. And I personally would believe if they cannot transfer it via a completely different channel, it will not get really secure. A: They cannot do it differently because it’s part of a standard. There’s a DOCSIS standard which all the modems have to adhere to and that’s part of the standard. They cannot do it differently. If you want to have it done differently, you have to tell the DOCSIS standardization committee which is in India. Q: Yes, so I’ll talk to them. Thanks! Herald: Now, we’ll have a question from the Internet. Q: Could two modems be programmed to talk among themselves directly, bypassing the ISP firewall? A: Say it again. Signal Angel repeats question more slowly A: You mean with the new scheme or with the old scheme? With the old scheme, it was… you could just go and route through it. 
With the new scheme… you… not with the official modems. laughter and applause applause Herald: And number 8 on the balcony. Q: Did you find any traces of TR-069 in this thing? A: I did on the AVM boxes that were secure, yeah. So that was the only bit that actually ended up making a lot of sense. TR-069 is a pretty nice standard. You basically have authenticated – I think it was even HTTPS – traffic that basically goes and pokes the server to get you a firmware update. It’s a perfectly nice way of provisioning such a system. It’s definitely a lot different from the usual way so on those DOCSIS modems, the usual way to tell it to get a new “firmware” is either to tell it to reboot and get a new file from the provisioning server or to just poke directly through SNMP to tell it: “Go to this TFTP server over there with this file name and flash it onto your Flash.” laughter No, I have not tried to spoof the privileged IP address range. laughter Herald: Now it’s number 4 again. Q: The question I have is: When you tried to first contact them via Heise, was there any way they might have tried to convince you to not do the talk and if so, would there be an itch on your head? A: They did not try in any way whatsoever. Zero. Q: Do you think that was due to the credibility or do you think they thought “Oh, we screwed up”? A: I don’t know. I don’t think they thought any other way would work at that point in time. Since the press was already involved, they are not gonna pull back their story, there’s nothing else they can do. Q: Thank you again. Herald: Before I hand the microphone, do you want to do the entire 24 remaining minutes Q&A or do you want to put a limit? Graf: No, I think 24 minutes Q&A is fine. We can always cap it later on, right? Just go and ask. Ask as much as you like. applause Herald: The Internet, again. Q: How much of this would have been possible if the modem had been in bridge mode? A: My modem was in bridge mode. laughter Herald: And number 6. 
Q: Do you have an idea how long this has been that way? And do you have any specific reasons to believe what group of people might have abused these problems? A: I don’t know. I did not see anybody else on the network but it’s really hard to see someone in a sea of 3 million devices. I am not aware of anybody exploiting this, so I can only state what Vodafone said. And they said that nobody else did exploit those problems. According… as far as time… and I believe that one actually… it’s… I don’t think that anybody did. Which is surprising since this whole stuff was kind of obvious but apparently nobody thought of digging into their modem before. The one thing about the timing is: Apparently, they already, Kabel Deutschland, basically already does Internet for 10 years by now and there’s very little reason to believe it’s been different in the beginning. So it was probably vulnerable for about ten years. That said, in the beginning, they were not even using DOCSIS 3.0, which did not really do real encryption, so at the end of the day you could just do whatever, any ways on the network. Back in the day. By now, it’s only halfway complicated. Herald: Now number 1. Q: Yes, thank you for the talk, too. So it’s completely possible that they may have not found out that somebody else accessed this before and maybe already flashed a lot of devices with another firmware which is still listening to his commands? With the new setup. Because he changed the firmware. A: They did not… okay, they did update the firmware at that one point in time when I showed that they switched to SSH. They did not change the firmware ever since. So all the services that I was talking about, they are still running on your modem. Q: Okay, but they can’t be sure that there is another firmware by somebody else on routers running. 
If somebody else maybe thought of making a bot net, before all of this came up, in the last 5 years or 10 years, and already controls some devices and they can’t be sure that their firmware is not running on those devices. There can be still devices somewhere controlled by somebody else. A: Sure. You have to, obviously, fake all the information they receive from the modem pretty well, otherwise they get you onto the security block that I am on. But if you do that correctly, you can probably just replace all the pieces of firmware, just ignore all the updates and try to behave the same way as they’d expect and then hope that nobody finds out. It’s entirely possible – I don’t think it’s very likely but it is definitely entirely possible. Q: Let’s hope there are no more networks like this out there. Herald: Usually, there are no 2nd questions, so… we still got comfortable time but try to limit yourself to one question. Now it’s number 2. Q: Have you tried to change your MAC address on the DOCSIS level or also for the DHCP request or how do they do authentication of the modem over the network? A: So, the authentication works using certificates. I’m actually not sure, I haven’t read the standard on that side whether the MAC address is part of the certificate. I don’t know. If it’s not, you can easily just change it. I haven’t tried. But then again, the modems are – what? – 8 Euros? Herald: Number 7. Q: What other recommendations do you have – if someone were to have a suspicion about a vulnerability – for the research part and for the disclosure part? A: What do you have to do… I can’t give you any legal or any advice on that one. I can tell you that getting somebody involved that has done this before is a really smart idea. Because they’ve gone through a lot of pain points. 
The press is even better because they have a really, really big lever: nobody wants to be in the press for 2 months or whatever just on negative news that there was somebody who was legitimately trying to tell them to improve their network and they sued them. So there’s a really good chance that going via the press is going to keep problems away from you, but there’s no guarantee. I cannot give you real – I mean legal or any coherent – advice on that one. I would… I mean, if I would find such a thing again, I would definitely go the same route. I would just call up Heise and tell them and… That went pretty smoothly. And if… I mean, the really cool thing is, they actually listen to the press. If I had gone to the service, they would have just said “Sorry, wrong number, I can’t help you.”

Herald: Now the Internet.

Q: How did you obtain the original data? Did you use JTAG or dump the device’s firmware and run it virtualized?

A: Ahhhhh. Not sure how much of that I should actually tell everybody. Let’s say, I replaced… You can actually see this on the slide, wait. makes “Tchtchtchtchtch” sound Oh my god, this is going to take forever. Okay, dududum, where’s my mouse cursor? There it is. Okay… So, I got a picture of the modem… …here. There you go. So… …what you can see here, down there, the white and the yellow cables, those are the serial port. And the IDE cable up there, that’s where the flash chip was before I started fiddling with the modem. laughter Now, the flash chip is actually in that socket up there. Which means I could swap the flash chip between a device I own – BeagleBone Black, for example, that’s a really nice SPI interface that you could just use to write those – and then plug it back into the modem. So I could replace the firmware and get myself an initial shell. As I mentioned earlier, I really do not like to lose Internet access. So this is not the modem that I was actually using at home.
Instead, I just used that modem to fetch a firmware image so I could then look and see whether there might be other bugs that you could use.

Herald: Now number 8.

Q: Earlier, you’ve said that – who was it… – Fritz!Box was more secure and they didn’t have the same vulnerabilities. Do you think they simply didn’t use hardcoded passwords and stuff? So do you think they’ll be vulnerable to similar attacks and that someone probably – like, you wouldn’t tell them, but maybe they should look into it – or do you think that it isn’t possible and someone should, like, prove you wrong?

A: From all I can tell, but this is… I mean, just a gut feeling that I get from looking at different firmware files, the usual way, at least the Linux-based firmware, works on those systems is that there’s TI creating a BSP, then they give it out to Motorola. Then Motorola gives it out to CBN. Then CBN gives it out to Kabel Deutschland. And then, each party of those adds a few pieces of stuff. That’s the usual way it works in those devices. Whereas in the AVM boxes, things looked vastly different. There was one firmware image that even contained information for some Austrian provider. So instead of giving full control to the cable provider, AVM kept control on their own and actually audited the stuff they were doing. That’s the major difference. applause

Herald: One more question from the Internet.

Q: Do you know if they still use unencrypted SIP?

A: Oh yeah. chuckles slight laughter Oh yeah. loud laughter Nothing in the protocols changed at all, whatsoever. They really just added a few firewalls. So once you are on the physical layer, you can read everything you like, yes. Well, and you break through the DOCSIS encryption, obviously.

Herald: Now the newly adjusted number 2.

Q: Thank you. Mine is not so much a question as I’d like to add some insight and perspective to this.
I, myself, worked for several ISPs and the… we… actually I worked for an ISP that had not this particular issue, but a similar issue. The way that it was fixed and – you can look me up, I’ve worked for several ISPs, you won’t know which one had this problem – but what was actually the fix was a simple IP check. So once you downloaded from the TFTP server, it was just checked if you did it from the IP that was suspected. So this issue may actually be reproducible if you can somehow get hold of an IP [address] you weren’t supposed to have. Like, say, spoof a MAC address or something like that. That being said, I’d like to attach a comment to the whole SIP thing, too. You indicated that it’d be possible to silently intercept the conversations, which is not necessarily the issue, because many SIP servers can be configured to allow multiple endpoints, so as the – what’d you call it? – the bad guy would be able to pick up your calls, you would also hear your phone calling yourself.

A: Right, and if your phone picks up within 0.01 microseconds, then, yeah, there’s nothing you can do about it. It just rings again. That’s the point about it. Also, the other bit that you have on the SIP server is that that particular server actually only allowed one endpoint to be registered at a time. At least from what I could tell. It was some Huawei box. I don’t know.

Herald: Number 3, please.

Q: Yeah, I attended this talk today because I know that at the beginning, when DOCSIS was introduced, the modems were asking for the configuration file also over the Ethernet port, which is great. And my question is: Is there a way within the DOCSIS standard so that the ISP can verify their hardware? I mean, you… I have seen the type and the vendor name and the SNMP but you can obviously spoof that. Of course, firmware binaries won’t run on the wrong hardware, but…

A: I’m not quite sure I’m getting what you’re…

Q: The question is: Is there a way to control for the ISP which hardware there is they’re using?
A: So I come from a virtualization background. And in my world, there is no such thing. It doesn’t exist. slight laughter Sorry. If you can somehow abstract it, you can abstract it.

Q: OK.

Herald: 8, please.

Q: Hi. I wanted to add on the part with the MAC spoofing. Because I had a modem like that, like 5 years ago, and actually I never went inside the modem, but I had some applications where I needed a new IP address in a short period of time… loud laughter And I remember that actually… the thing… if you told the modem your MAC address, a different MAC address, you got different external IP addresses back then. I don’t know if things have changed because it was 5 years ago but… yeah… after what I’ve heard from you, I’m kind of unsure that things changed.

A: No, I’m fairly sure this is actually accurate. From what I understand, I never did that myself but I heard from people who did, the MAC address check and the certificate check are actually separate. So that if you own a valid certificate from some random dude who happens to actually pay for the service, and you get that certificate, and you’re not on the same CMTS as that guy, then you can actually go and, well, basically say that you’re him even if you have a different MAC address. Which then, again, implies that if you change the MAC address, you can just be somebody else. Which then again implies that… maybe you can actually go and get somebody else’s provisioning files, yeah. slight laughter

Q: Well, yeah… not up to you.

A: Not going to try out.

Herald: Number 2, please.

Q: Yeah, you had this one with one particular provider and I happen to know that there’s a second provider using the same technology in Germany: were they somehow involved in this loop? I mean, it took Kabel Deutschland two months to fix this and…

A: No, but they better hurry up! laughter and applause

Q: Thanks! applause

A: And, quite frankly, I do not believe that this is limited to Germany at all, whatsoever. So… Yeah.
Let’s see who’s faster. Alright, end of questions, right? Or is there any…?

Herald: It looks like we’re at the end of questions. The Internet maybe…? No, the Internet doesn’t have any questions. There are 8 empty microphones. So thank you very much for your talk and thank you very much for the Q&A. applause

postroll music

Subtitles created by c3subtitles.de in 2016. Join and help us!