WEBVTT
00:00:00.399 --> 00:00:09.720
32C3 preroll music
00:00:09.720 --> 00:00:13.680
Herald: The next talk is going to be
“Beyond Your Cable Modem”
00:00:13.680 --> 00:00:17.590
– how not to do DOCSIS networks.
00:00:17.590 --> 00:00:21.760
Sorry, I’m not a hardware guy.
But Alexander Graf is going to
00:00:21.760 --> 00:00:25.790
hold the talk and he has
done a lot of virtualization
00:00:25.790 --> 00:00:29.299
and stuff other people
think is too complicated.
00:00:29.299 --> 00:00:32.550
Now he is going to talk about
00:00:32.550 --> 00:00:36.740
the outside of your apartment.
Give him a warm welcome.
00:00:36.740 --> 00:00:43.740
applause
00:00:44.850 --> 00:00:47.250
Alexander: Hi and welcome to my
talk “Beyond Your Cable Modem”.
00:00:47.250 --> 00:00:50.390
This is going to look at what’s beyond
the stuff you usually see at home
00:00:50.390 --> 00:00:54.420
where you just plug in a network cable
and you happen to have Internet available.
00:00:54.420 --> 00:00:56.000
So, who am I?
00:00:56.000 --> 00:00:58.600
I’m Alexander Graf – I’m usually
more of a virtualization developer.
00:00:58.600 --> 00:01:00.690
I have nothing to do with
hacking in my day work,
00:01:00.690 --> 00:01:04.610
I don’t usually go around and
hack embedded devices.
00:01:04.610 --> 00:01:06.440
Usually, at least.
00:01:06.440 --> 00:01:09.370
But, during the last year, I had
a lot of spare time at night
00:01:09.370 --> 00:01:11.670
because the baby was
crying, so I figured:
00:01:11.670 --> 00:01:17.010
I could as well spend that time
and do something useful.
00:01:17.010 --> 00:01:19.930
So, what happened?
We moved to a new home.
00:01:19.930 --> 00:01:22.790
I was living in a home
where I had DSL available,
00:01:22.790 --> 00:01:26.540
I had a real phone line, everything
was great, things were just awesome.
00:01:26.540 --> 00:01:32.400
But then we moved into
this new home where…
00:01:32.400 --> 00:01:35.389
where there was no DSL available. Well,
there was DSL available but there were
00:01:35.389 --> 00:01:39.890
different circumstances why I couldn’t use
it. So instead, I figured: You know what?
00:01:39.890 --> 00:01:43.940
Try this cool new technology:
Internet over your cable TV.
00:01:43.940 --> 00:01:46.100
Ehh, cable. TV cable.
00:01:46.100 --> 00:01:48.870
So I got myself a cable
modem from the provider,
00:01:48.870 --> 00:01:52.690
got myself registered and
now had Internet over cable TV.
00:01:52.690 --> 00:01:56.650
Also, along the same lines, I figured:
00:01:56.650 --> 00:01:59.820
Why not go and also do your phone
line over that cable provider
00:01:59.820 --> 00:02:04.530
with your old phone number so that people
still can contact you when they want to.
00:02:04.530 --> 00:02:08.199
Now, the thing is, when I finally
received the whole package,
00:02:08.199 --> 00:02:12.219
I realized: Woh! Wait!
Something’s wrong here!
00:02:12.219 --> 00:02:18.950
That’s an analogue phone line!
Are we, like, in 2015 or is it 1994?
00:02:18.950 --> 00:02:21.660
So, instead of the usual digital
stuff that I am used to,
00:02:21.660 --> 00:02:25.029
I just got myself an analogue phone line.
00:02:25.029 --> 00:02:27.880
So I had to put myself
another box in there
00:02:27.880 --> 00:02:30.599
that would convert the analogue phone
line back to a digital phone line,
00:02:30.599 --> 00:02:33.249
so I could route it in my house to
another line, to another machine
00:02:33.249 --> 00:02:36.269
that would then go and
route it to my phone.
00:02:36.269 --> 00:02:38.349
You see the problem in there?
00:02:38.349 --> 00:02:41.859
Yeah, that whole stuff over there
just doesn’t look right, right?
00:02:41.859 --> 00:02:45.089
Why would you go and convert
something that is obviously digital?
00:02:45.089 --> 00:02:48.200
I mean, the stuff that goes into
your cable is obviously digital, right?
00:02:48.200 --> 00:02:50.149
Kind of obvious…
00:02:50.149 --> 00:02:52.639
and convert it back to analogue
and then back to digital
00:02:52.639 --> 00:02:55.209
just to be able to do a phone call.
00:02:55.209 --> 00:02:59.989
So I called up the technicians, Support,
and said: “Hey guys, you know what?
00:02:59.989 --> 00:03:02.519
Isn’t there a way I can,
like, directly access
00:03:02.519 --> 00:03:07.719
whatever you have there and go
and use digital throughout?”
00:03:07.719 --> 00:03:10.969
And the guy said: “Well, you know what?
Actually, behind the scenes,
00:03:10.969 --> 00:03:14.389
we’re all just running SIP.
It’s just a normal SIP server.
00:03:14.389 --> 00:03:17.360
Just normal voice-over-IP,
nothing special about it.
00:03:17.360 --> 00:03:22.799
So, if you know what you’re doing,
just go ahead and connect to it.”
00:03:22.799 --> 00:03:31.689
laughter and applause
00:03:31.689 --> 00:03:34.580
Challenge accepted.
00:03:34.580 --> 00:03:39.529
So, what we learned from
Felix earlier in his car talk:
00:03:39.529 --> 00:03:42.220
It was: What do you do when you
don’t want to brick your own system?
00:03:42.220 --> 00:03:45.670
Of course, you buy a new one
on ebay. They’re really cheap,
00:03:45.670 --> 00:03:49.700
just go and get a cable modem
and then you can go away and
00:03:49.700 --> 00:03:53.330
treat it with the kind of love that you
want a device to be treated with.
00:03:53.330 --> 00:03:55.980
laughter
00:03:55.980 --> 00:04:00.039
Turns out, my modem is actually
just running Linux. Hooh! Nice!
00:04:00.039 --> 00:04:02.419
That fits me pretty well!
00:04:02.419 --> 00:04:05.269
And it’s just a normal ARM system.
00:04:05.269 --> 00:04:07.449
Well, the only special
thing is: It’s Big-Endian.
00:04:07.449 --> 00:04:11.869
But then again, I’m kind of used to
ARM by now, why not just go away
00:04:11.869 --> 00:04:14.659
and like go around and just
look at how this thing works.
00:04:14.659 --> 00:04:18.340
And, well, we really just want to
get this voice-over-IP stuff working,
00:04:18.340 --> 00:04:22.340
so take a look at how this
voice-over-IP stuff works on the device!
00:04:22.340 --> 00:04:24.480
Turns out, there’s actually a normal SIP.
00:04:24.480 --> 00:04:28.540
SIP works on port 5060 usually.
00:04:28.540 --> 00:04:33.419
Normal SIP client running on
there, but this IP looks weird.
00:04:33.419 --> 00:04:35.490
So, my external IP looks different.
00:04:35.490 --> 00:04:40.920
And my internal IP is different, so
where does this IP come from?
00:04:40.920 --> 00:04:44.130
So I looked at the IP list
of my device and figured:
00:04:44.130 --> 00:04:47.729
Well, something’s weird here. I have
a lot of IPs in there and connections
00:04:47.729 --> 00:04:52.960
that I really don’t know
anything about. Hm.
00:04:52.960 --> 00:04:56.899
So down here, is obviously my phone line.
00:04:56.899 --> 00:05:02.849
And up here, is something else
that I have no idea what this is about.
00:05:02.849 --> 00:05:06.749
So I figured: Let’s go
and dig a bit deeper.
00:05:06.749 --> 00:05:09.810
And see what’s actually happening there.
00:05:09.810 --> 00:05:13.810
So how does DOCSIS work?
This is just a small introduction,
00:05:13.810 --> 00:05:16.816
like high-level introduction,
on how the routing runs.
00:05:16.816 --> 00:05:21.699
So basically, you have the cable modem
that is connected using your TV cable line
00:05:21.699 --> 00:05:25.970
to a CMTS, just a translation service,
00:05:25.970 --> 00:05:29.840
that then takes all of the DOCSIS-specific
stuff and just basically gives you
00:05:29.840 --> 00:05:35.849
an IP routing over into something-
something-something behind it.
00:05:35.849 --> 00:05:39.500
However, it doesn’t just give you one
line. It actually gives you three.
00:05:39.500 --> 00:05:42.689
It gives you one line for your Internet.
Makes sense, right? You want
00:05:42.689 --> 00:05:46.279
to get online. That’s the one you actually
see when you plug into the device.
00:05:46.279 --> 00:05:49.299
It also gives you another line for VoIP.
00:05:49.299 --> 00:05:51.690
And it gives you one more line
that I would call the “Admin” line.
00:05:51.690 --> 00:05:55.710
It’s the provisioning line.
00:05:55.710 --> 00:05:59.549
Now, let’s start with the Admin line.
That sounds the most interesting, right?
00:05:59.549 --> 00:06:00.920
laughter
00:06:00.920 --> 00:06:03.819
What does the Admin line do?
00:06:03.819 --> 00:06:09.080
Well, in the end, a modem in the DOCSIS
network is just a normal client
00:06:09.080 --> 00:06:11.159
like in your Ethernet network.
00:06:11.159 --> 00:06:13.890
So the first thing it does
when it gets online is:
00:06:13.890 --> 00:06:16.750
it does a DHCP request.
And on the DHCP request
00:06:16.750 --> 00:06:20.229
it goes and gets an IP address
and gets all the information it needs.
00:06:20.229 --> 00:06:25.340
And it also, well, it’s kind of sane,
it’s just a normal DHCP request.
00:06:25.340 --> 00:06:28.949
It also, however, gets something
similar to PXE booting
00:06:28.949 --> 00:06:32.960
where it gets usually… in PXE booting you
would get an executable that you’d run,
00:06:32.960 --> 00:06:35.709
here, you get something different.
Here, you also get a file
00:06:35.709 --> 00:06:39.159
that you need to download
using TFTP just like with PXE.
00:06:39.159 --> 00:06:44.769
However, in this case,
it’s a configuration file…
00:06:44.769 --> 00:06:46.900
– There you go –
…configuration file…
00:06:46.900 --> 00:06:50.109
…that you just receive using
PXE to your cable modem;
00:06:50.109 --> 00:06:52.989
and then, the cable modem is configured.
00:06:52.989 --> 00:06:56.680
Now what is inside this Provisioning
File, that’s what I call it? Well,
00:06:56.680 --> 00:07:01.360
there’s interesting information like: What
is your firmware update filename called?
00:07:01.360 --> 00:07:04.530
If you want to update your firmware
or if the provider wants to have you
00:07:04.530 --> 00:07:09.799
update your firmware.
How much bandwidth do I have?
00:07:09.799 --> 00:07:14.189
laughter
00:07:14.189 --> 00:07:17.370
I hear, people have been
playing with that one…
00:07:17.370 --> 00:07:20.289
laughter
00:07:20.289 --> 00:07:23.749
And, well, since it’s just a normal TFTP
request you can just do it yourself, too.
00:07:23.749 --> 00:07:28.499
This is my configuration. You just go, get
it, and you have your configuration file.
00:07:28.499 --> 00:07:34.219
Now, the interesting thing that I realized
when I first started doing this was:
00:07:34.219 --> 00:07:36.999
Sure, this is my configuration file.
But what about configuration files
00:07:36.999 --> 00:07:42.080
from other people? Well, you
go and get the MAC address,
00:07:42.080 --> 00:07:44.560
if you have the MAC address you
just go and get it and there you go:
00:07:44.560 --> 00:07:47.339
You have the other people’s
configuration file.
00:07:47.339 --> 00:07:48.460
laughter
00:07:48.460 --> 00:07:51.440
Easy as that, right? That’s the
way it’s supposed to work.
00:07:51.440 --> 00:07:58.440
applause
00:07:59.690 --> 00:08:03.099
The actual effects of that,
we’re going to come to that later.
00:08:03.099 --> 00:08:05.909
Let’s just declare TFTP,
the whole access to that,
00:08:05.909 --> 00:08:08.920
as “slightly insecure” for now.
00:08:08.920 --> 00:08:11.840
laughter
00:08:11.840 --> 00:08:16.329
But now, if you’re an ISP, you want to
monitor what your people do, right?
00:08:16.329 --> 00:08:18.910
So imagine, you’re the admin there.
00:08:18.910 --> 00:08:21.619
Just imagine, you’re one
of the good guys, right?
00:08:21.619 --> 00:08:24.650
And you want to see what are those
people on your modem doing.
00:08:24.650 --> 00:08:27.060
Are they, like, downloading
too much content?
00:08:27.060 --> 00:08:32.410
Because you obviously cannot filter
or find that out from the other side.
00:08:32.410 --> 00:08:35.890
So, what do you do? Well, you obviously
send the industry standard for that:
00:08:35.890 --> 00:08:42.130
An SNMP request. Using a
password that only you know.
00:08:42.130 --> 00:08:47.220
laughter
00:08:47.220 --> 00:08:50.190
Send it over to the cable modem
and the cable modem then goes in
00:08:50.190 --> 00:08:54.010
and replies with the respective
reply saying “Oh, yeah, sure,
00:08:54.010 --> 00:08:57.250
I got that piece of information,
there you go, you have it.”
00:08:57.250 --> 00:09:00.580
Oh, that was too quick!
00:09:00.580 --> 00:09:07.580
But how does your modem
actually verify that password?
00:09:07.940 --> 00:09:10.740
Yeah, you guessed right: Using
the Provisioning File, obviously!
00:09:10.740 --> 00:09:12.810
laughter
00:09:12.810 --> 00:09:17.010
Once you download the Provisioning File
from any random modem in there
00:09:17.010 --> 00:09:22.640
– including yours – you end up
getting an interesting password.
00:09:22.640 --> 00:09:27.800
laughter
00:09:27.800 --> 00:09:30.480
However, they actually
did at least one thing:
00:09:30.480 --> 00:09:35.150
They limited the address range you are
allowed to access those devices on.
00:09:35.150 --> 00:09:39.540
laughter
00:09:39.540 --> 00:09:46.540
Yeah…
applause
00:09:47.090 --> 00:09:50.210
As a hint for those who did not clap:
00:09:50.210 --> 00:09:54.740
This means, everybody
who is in that network.
00:09:54.740 --> 00:09:57.250
But how big is this network?
00:09:57.250 --> 00:10:01.520
I figured: Why not just give it a try
and ask some people in Hannover
00:10:01.520 --> 00:10:03.930
whether I could just get
their MAC addresses
00:10:03.930 --> 00:10:06.850
and see how far I could get.
00:10:06.850 --> 00:10:10.920
Just send an SNMP request over,
I had the password now, right?
00:10:10.920 --> 00:10:15.060
And ask that modem:
00:10:15.060 --> 00:10:18.380
“Please tell me everything you know!”
00:10:18.380 --> 00:10:22.770
And it replied!
laughter
00:10:22.770 --> 00:10:25.130
There’s a lot of interesting information,
SNMP, you wouldn’t believe it!
00:10:25.130 --> 00:10:28.880
So this is obviously just stuff like
“Oh, yeah, I’m this and that modem!”
00:10:28.880 --> 00:10:31.160
But there’s more in there.
There’s, for example…
00:10:31.160 --> 00:10:34.280
this is my public IP address!
00:10:34.280 --> 00:10:38.170
– in case you’re searching
for someone specific. Or…
00:10:38.170 --> 00:10:41.250
these are my internal MAC
addresses and IP addresses.
00:10:41.250 --> 00:10:43.790
In case you’re searching for some
specific notebook that someone
00:10:43.790 --> 00:10:49.530
stole from you or so.
laughter
00:10:49.530 --> 00:10:53.390
Or… this is my Provisioning File, in
case you just happened to port scan
00:10:53.390 --> 00:10:56.110
all of the machines out there and
ask them using the same password
00:10:56.110 --> 00:11:01.040
that they all share on what their
Provisioning Files could be called.
00:11:01.040 --> 00:11:02.410
clears throat
00:11:02.410 --> 00:11:04.596
Of course, I never did that. Right?
00:11:04.596 --> 00:11:08.040
laughter
00:11:08.040 --> 00:11:15.040
So, I would say, the whole SNMP story
isn’t “really” all that secure either.
00:11:15.970 --> 00:11:19.610
But at a certain point in time, like when
the modem actually doesn’t work
00:11:19.610 --> 00:11:22.310
like the way you would envision
it to be or if you just need to do
00:11:22.310 --> 00:11:25.990
more administrative stuff, the admin wants
to have more access than just SNMP, right?
00:11:25.990 --> 00:11:31.020
This is kind of isolated to a few
specific pieces of information.
00:11:31.020 --> 00:11:36.940
You want some more hardcore access.
Like real go down into a real shell.
00:11:36.940 --> 00:11:40.430
How do you do shells in 2015?
Audience: TELNET!
00:11:40.430 --> 00:11:44.470
Alexander: Telnet. Exactly!
laughter
00:11:44.470 --> 00:11:51.470
applause
00:11:52.650 --> 00:11:58.820
We’ll actually get to the point why
Telnet was a good idea later, but…
00:11:58.820 --> 00:12:04.260
that’s 30 slides down or so.
00:12:04.260 --> 00:12:07.420
We already managed to get an SNMP
connection working to a different modem,
00:12:07.420 --> 00:12:12.660
let’s just try the same with Telnet
and see how far we can get.
00:12:12.660 --> 00:12:19.090
We can go in and just Telnet in and it
replies and says “please give me a login”
00:12:19.090 --> 00:12:23.930
Hm. Now where do I get this login from?
00:12:23.930 --> 00:12:26.160
laughter
00:12:26.160 --> 00:12:29.900
Turns out, the administrator needs to
provide that password just the same
00:12:29.900 --> 00:12:33.100
to the modem, which needs to verify it.
00:12:33.100 --> 00:12:37.550
Based on configuration. Which it gets
from the Provisioning File. That…
00:12:37.550 --> 00:12:41.490
I think you see the point.
00:12:41.490 --> 00:12:44.680
So in the same Provisioning File that you
can obviously again download for every
00:12:44.680 --> 00:12:49.880
single user in the network
you also have the password.
00:12:49.880 --> 00:12:52.980
In plaintext.
00:12:52.980 --> 00:12:56.250
That’s the part that actually took
me the longest in this whole thing.
00:12:56.250 --> 00:12:59.980
I spent weeks trying to
figure out what hash this is.
00:12:59.980 --> 00:13:05.210
raging laughter
00:13:05.210 --> 00:13:11.550
big applause
00:13:11.550 --> 00:13:15.880
So if we try to log in to the server
using those credentials we got,
00:13:15.880 --> 00:13:18.200
we get greeted with a nice
command line interface
00:13:18.200 --> 00:13:22.180
for poor Mr. Admin at our provider’s side.
00:13:22.180 --> 00:13:26.540
But I don’t really like those,
like, boiled-down interfaces.
00:13:26.540 --> 00:13:29.210
I want a real shell.
I want to load kernel modules.
00:13:29.210 --> 00:13:31.730
I want to filter all my network traffic.
00:13:31.730 --> 00:13:35.730
I want to reroute everything that
modem does to a different machine.
00:13:35.730 --> 00:13:41.110
I want to rewrite the VoIP
client to instead do… either way!
00:13:41.110 --> 00:13:44.520
So I want to do something real.
Let’s do the help command
00:13:44.520 --> 00:13:47.480
and it tells us that there’s a
cool command called “shell”.
00:13:47.480 --> 00:13:49.550
laughter
00:13:49.550 --> 00:13:52.890
Ah yeah, there you go, got a shell!
00:13:52.890 --> 00:13:57.070
By now, at that point, I can actually
go and do anything I want to that modem.
00:13:57.070 --> 00:14:01.760
I got full root access. By the way,
all the modems run every single
00:14:01.760 --> 00:14:05.390
piece of software running on there,
including your web server and your
00:14:05.390 --> 00:14:11.280
SIP server and anything as UID 0.
Which is a good idea, right?
00:14:11.280 --> 00:14:14.680
So, I now got shell access so
I can do anything I want.
00:14:14.680 --> 00:14:18.510
I can re-route all your traffic,
I don’t, obviously, but
00:14:18.510 --> 00:14:21.980
this is basically where we
went half a year ago.
00:14:21.980 --> 00:14:25.390
Another thing to note is that
– since it’s so annoying to generate
00:14:25.390 --> 00:14:29.660
different passwords for different devices…
00:14:29.660 --> 00:14:31.780
Yeah, yeah, I know.
00:14:31.780 --> 00:14:36.080
You just use one password
for all, right? It’s good enough.
00:14:36.080 --> 00:14:42.620
So you don’t even have to read your
other person’s Provisioning File,
00:14:42.620 --> 00:14:45.040
you can just use your own password
that is in your own Provisioning File
00:14:45.040 --> 00:14:50.330
which you already have on your modem
because you’re provisioned yourself.
00:14:50.330 --> 00:14:54.300
The only notable exception that
I found to this whole scheme
00:14:54.300 --> 00:14:57.690
– I mean, you could basically go
and log in to any modem out there,
00:14:57.690 --> 00:15:02.140
except for Fritz!Boxes.
applause
00:15:02.140 --> 00:15:07.920
Yeah, congratulations everyone! Kudos!
00:15:07.920 --> 00:15:11.570
So, apparently, AVM are the only ones
who did not follow the standard scheme
00:15:11.570 --> 00:15:15.480
from my provider and instead said: “No
no no, guys! You don’t do the firmware.
00:15:15.480 --> 00:15:20.170
WE do the firmware”, and they just
don’t like to enable Telnet. Apparently
00:15:20.170 --> 00:15:25.430
there are people in that company that
actually know what they’re doing.
00:15:25.430 --> 00:15:31.010
So, I would say the whole Telnet
access thing isn’t exactly…
00:15:31.010 --> 00:15:36.660
I wouldn’t mark it “secure”
either. Naahhh… naaah…
00:15:36.660 --> 00:15:39.240
But we didn’t really come here
for the Admin network, right?
00:15:39.240 --> 00:15:45.020
I was just… it happened to be around.
I just looked at it and… njeeeeeh.
00:15:45.020 --> 00:15:48.420
We wanted to go and do
voice-over-IP! Hah!
00:15:48.420 --> 00:15:52.030
Yeah, so how does VoIP look
like? It’s kind of similar.
00:15:52.030 --> 00:15:54.130
It also does a DHCP
request in the beginning.
00:15:54.130 --> 00:15:59.600
DHCP is usually fine, I mark
it with a green tick here.
00:15:59.600 --> 00:16:04.770
I’ll leave it to others to further
dig down into that part.
00:16:04.770 --> 00:16:09.690
It does the same TFTP bit so if you just
go and – instead of downloading your
00:16:09.690 --> 00:16:16.660
Provisioning File from your own modem,
from the RAN, from the admin network –
00:16:16.660 --> 00:16:23.200
you just go and get it from the other MAC
address and there you go, you have it.
00:16:23.200 --> 00:16:29.250
Nicely enough, all those cable providers
registered consecutive MAC addresses,
00:16:29.250 --> 00:16:35.770
so if you have one,
you also have the others.
00:16:35.770 --> 00:16:40.070
Just… You basically just ask a friend:
“Give me your MAC address that’s
00:16:40.070 --> 00:16:44.090
written on the box” and you basically
have everything you need.
00:16:44.090 --> 00:16:46.760
SNMP is the same thing.
You can access it using SNMP.
00:16:46.760 --> 00:16:49.280
The really nice thing about
SNMP here is that the box also
00:16:49.280 --> 00:16:53.980
tells you the other accesses it has, so
if you only have one IP address, or…
00:16:53.980 --> 00:16:57.950
I also have a nice DNS service internally
that tells you what the IP address is
00:16:57.950 --> 00:17:01.210
to a certain MAC address, so you just
ask the DNS for the MAC address of
00:17:01.210 --> 00:17:09.409
the VoIP access, then you go and
SNMP, ask it for the IP address
00:17:09.409 --> 00:17:14.169
of the admin network, and
there you go. You’re in the box.
00:17:14.169 --> 00:17:17.940
However, the really interesting bit
on the voice-over-IP network is SIP.
00:17:17.940 --> 00:17:22.330
Since… you want to do VoIP, right?
That’s what the whole thing is about.
00:17:22.330 --> 00:17:28.330
So VoIP basically works… the way that your
modem wants to go and do a phone call.
00:17:28.330 --> 00:17:30.730
So how do you do a phone call with SIP?
00:17:30.730 --> 00:17:38.690
You need to provide data like credentials,
like, tell the other side, the server,
00:17:38.690 --> 00:17:40.470
how you authenticate yourself.
00:17:40.470 --> 00:17:43.890
Which, obviously, is written
in your Provisioning File.
00:17:43.890 --> 00:17:47.640
So, you use those and tell the
server: “I want to do a phone call”
00:17:47.640 --> 00:17:49.580
and there you go: You do a phone call.
00:17:49.580 --> 00:17:54.000
Now if we look at this Provisioning File,
you can see that it contains your server
00:17:54.000 --> 00:17:57.560
and your user name and your phone number
00:17:57.560 --> 00:18:03.870
and your… well, basically everything
you’d need to log in to a SIP server.
00:18:03.870 --> 00:18:10.310
Now, since I can read anybody
else’s Provisioning Files, …
00:18:10.310 --> 00:18:11.590
laughter
00:18:11.590 --> 00:18:16.440
So, imagine I’m this user up there. Right?
00:18:16.440 --> 00:18:21.400
And I’m just doing a normal call
as this phone number up there.
00:18:21.400 --> 00:18:24.330
Well, maybe there’s this
other guy in the network
00:18:24.330 --> 00:18:27.700
who just goes in and downloads
your Provisioning File
00:18:27.700 --> 00:18:31.070
and, well, he gets all the credentials
he would need, so he gets
00:18:31.070 --> 00:18:35.870
the same phone number and
then he can just go and do a call.
00:18:35.870 --> 00:18:46.800
Hm. Yeah. Maybe I should have
registered a few 0900 numbers.
00:18:46.800 --> 00:18:50.500
Now the really interesting part here is –
it also works the other way!
00:18:50.500 --> 00:18:53.900
You register for it and if you’re
the fastest one registering it,
00:18:53.900 --> 00:18:58.580
the other modem doesn’t get the
chance to receive calls which means
00:18:58.580 --> 00:19:02.360
now you receive the calls and then you can
just tell the other modem that there was
00:19:02.360 --> 00:19:06.910
a call, just that, by now, you actually
route all the traffic through your modem
00:19:06.910 --> 00:19:13.000
and you can listen to all the voice data
that there is on the line. Yay!
00:19:14.450 --> 00:19:18.260
Yeah…
laughter
00:19:18.260 --> 00:19:22.160
Not sure it’d be a good idea to
talk to your lawyer around…
00:19:22.160 --> 00:19:27.030
Using this line for secure stuff
is probably not the best.
00:19:27.030 --> 00:19:33.080
I wouldn’t mark SIP as secure
on this thing, either.
00:19:33.080 --> 00:19:38.240
But at this point, so on the Telnet
access and on all the other parts,
00:19:38.240 --> 00:19:40.870
I was, like, sure,
I can fix it for myself.
00:19:40.870 --> 00:19:44.230
I’m an egoist, right?
I can fix it for myself.
00:19:44.230 --> 00:19:46.650
I don’t care about the rest of mankind…
00:19:46.650 --> 00:19:51.270
I do, but I can claim that!
00:19:51.270 --> 00:19:54.490
I can just as well ignore all the
others and say: I fix it for myself.
00:19:54.490 --> 00:19:58.420
But for voice-over-IP, I can’t.
Because I’m completely out of the loop.
00:19:58.420 --> 00:20:05.090
This other guy, he could just go and
steal my credentials, because he can…
00:20:05.090 --> 00:20:07.050
and there’s nothing I can do about it.
00:20:07.050 --> 00:20:12.080
So at that point, I was kind of scared
that someone would be able to hack me.
00:20:12.080 --> 00:20:17.120
So I started to think about
how to fix this thing.
00:20:17.120 --> 00:20:22.540
Now, the first thing that comes to
mind is obviously: You as a user
00:20:22.540 --> 00:20:28.910
go and pick up the phone and call
the service line from your provider.
00:20:28.910 --> 00:20:31.540
laughter
00:20:31.540 --> 00:20:34.410
Yeah, I don’t think, that’s a good idea.
laughter
00:20:34.410 --> 00:20:38.590
Nah, no I didn’t want to go down that
road, nah… So, instead, I figured,
00:20:38.590 --> 00:20:41.730
I’m going to call someone else.
I’m going to call a couple friends.
00:20:41.730 --> 00:20:44.250
laughter and applause
00:20:44.250 --> 00:20:50.960
applause
00:20:50.960 --> 00:20:54.430
Gonna call a couple of friends from
Heise, thanks to my Linux work, I knew
00:20:54.430 --> 00:20:59.640
a few of those, and they also tend to
do security, which kind of falls into
00:20:59.640 --> 00:21:02.160
this whole thing and used them as a proxy.
00:21:02.160 --> 00:21:09.160
So that nobody could actually go and
sue me until things were public.
00:21:11.690 --> 00:21:15.100
So, imagine what the provider
would do when he hears
00:21:15.100 --> 00:21:19.229
that I hacked into their Telnet account.
00:21:19.229 --> 00:21:23.670
Sure, you’d do the obvious thing:
You’d replace Telnet with SSH, right?
00:21:23.670 --> 00:21:26.350
It’s what everybody would do. It’s the
first thing. You look at this and think,
00:21:26.350 --> 00:21:29.610
like, “Oh my god, this is 2015,
why would you be doing Telnet?”
00:21:29.610 --> 00:21:35.720
Well, the answer is pretty simple. Emm…
laughter
00:21:35.720 --> 00:21:38.989
Take a look again. It’s not as simple
as you think. Take a look at it again,
00:21:38.989 --> 00:21:43.060
there’s this Provisioning File. SSH
actually gets different credentials!
00:21:43.060 --> 00:21:46.790
So, the SSH credentials
are actually down here.
00:21:46.790 --> 00:21:49.530
And the password is different
from the one on the top.
00:21:49.530 --> 00:21:51.410
I don’t know what the password is.
00:21:51.410 --> 00:21:56.310
But I can tell you that the
password hash is really cool!
00:21:56.310 --> 00:21:59.890
So, the password hash is something
that comes from VxWorks, so I’m pretty
00:21:59.890 --> 00:22:04.390
sure that there are more devices out there
that might be interesting to look at.
00:22:04.390 --> 00:22:06.970
The VxWorks hash actually
works in a really simple way:
00:22:06.970 --> 00:22:12.850
It creates a checksum of your input that
lies somewhere between those 2 numbers
00:22:12.850 --> 00:22:16.940
and then creates a fancy String out
of them based on some heuristics.
00:22:16.940 --> 00:22:21.860
But essentially, the whole password down
there boils down to just a single number
00:22:21.860 --> 00:22:26.740
that is basically, in a realistic case,
the upper limit is 40 characters,
00:22:26.740 --> 00:22:28.980
so you’re not going to see
a password that long,
00:22:28.980 --> 00:22:33.280
realistically you basically check around
100 passwords and any hash out there,
00:22:33.280 --> 00:22:37.460
any password that’s available, you
already cracked it. Which means,
00:22:37.460 --> 00:22:41.580
there are so many collisions in this
hash, which I wouldn’t even call a hash,
00:22:41.580 --> 00:22:44.390
that I don’t know what the original
password is like… I don’t know.
00:22:44.390 --> 00:22:47.380
But this one works pretty well!
00:22:47.380 --> 00:22:50.730
laughter and applause
00:22:50.730 --> 00:22:56.940
applause
00:22:56.940 --> 00:23:00.750
So we go ahead and we log into this
machine and we type in our collision
00:23:00.750 --> 00:23:04.080
and… there you go! We got
the same thing as before!
00:23:04.080 --> 00:23:07.900
So we told them again: “Guys,
look, it’s not as easy as that.
00:23:07.900 --> 00:23:10.860
You should probably take a bit
deeper breath and take a look
00:23:10.860 --> 00:23:14.390
at how things actually are broken.”
00:23:14.390 --> 00:23:18.030
Which, turns out, they did!
So what happened next?
00:23:18.030 --> 00:23:24.010
We had this whole huge mess with
lots of services that are all attackable
00:23:24.010 --> 00:23:27.210
and everything’s just wholly broken.
00:23:27.210 --> 00:23:31.960
That was two months ago.
00:23:31.960 --> 00:23:35.530
There were some circumstances
why we just couldn’t tell them earlier.
00:23:35.530 --> 00:23:39.780
And we basically told them: “Guys, you
know, in 2 months’ time we’re going to do
00:23:39.780 --> 00:23:43.050
a talk here and everything’s going to
be public so you might want to fix
00:23:43.050 --> 00:23:46.840
your network until then.”
laughter
00:23:46.840 --> 00:23:51.660
So the first thing that they did is: They
added a check to their TFTP server
00:23:51.660 --> 00:23:56.630
to verify whether you’re actually eligible
to download this Provisioning File.
00:23:56.630 --> 00:24:01.770
applause
00:24:01.770 --> 00:24:04.720
So now, you can only download your
own Provisioning File. Which is great…
00:24:04.720 --> 00:24:09.330
finally! I mean, this is the obvious
thing to do. So that one’s fixed.
00:24:09.330 --> 00:24:13.180
Then, they went ahead and said: Well,
there’s no real reason why one modem
00:24:13.180 --> 00:24:16.280
should do SNMP traffic with another.
So they just added a firewall, saying,
00:24:16.280 --> 00:24:19.570
we’re blocking SNMP traffic
between different machines
00:24:19.570 --> 00:24:22.610
– problem solved!
00:24:22.610 --> 00:24:26.780
applause
00:24:26.780 --> 00:24:30.439
The same for SSH – they went ahead and
said: There’s no reason why you should
00:24:30.439 --> 00:24:34.120
be doing TCP between
one modem and another.
00:24:34.120 --> 00:24:36.360
Problem solved!
00:24:36.360 --> 00:24:39.610
applause
00:24:39.610 --> 00:24:44.610
And because the VoIP access credentials
00:24:44.610 --> 00:24:47.910
are actually part of your Provisioning
File which you can now
00:24:47.910 --> 00:24:51.140
no longer download from somebody
else, that one is fixed too.
00:24:51.140 --> 00:24:56.689
Awesome! shy applause
Go ahead, go ahead, clap! It’s awesome!
00:24:56.689 --> 00:25:00.210
applause
00:25:00.210 --> 00:25:04.809
Thank you, ISPs. So after two months,
you actually managed to limit me
00:25:04.809 --> 00:25:07.900
into the borders that I was supposed
to be in, in the beginning.
00:25:07.900 --> 00:25:11.800
It’s cool!
So what do we have…
00:25:11.800 --> 00:25:16.110
Please guard your networks even if you
believe that somebody couldn’t go in
00:25:16.110 --> 00:25:17.970
– they probably will.
00:25:17.970 --> 00:25:22.930
Because, as soon as a customer
can access your device physically,
00:25:22.930 --> 00:25:26.290
which kind of happens to be the
case with a modem that’s sitting
00:25:26.290 --> 00:25:31.920
in your apartment,
00:25:31.920 --> 00:25:35.020
that guy can access your network.
There’s no way you can prevent it.
00:25:35.020 --> 00:25:38.950
So don’t believe that the border
of your network is the home.
00:25:38.950 --> 00:25:43.980
The border of your network is
the cable going into that home.
00:25:43.980 --> 00:25:46.640
The same way goes the other way
around: If an ISP gives you a device,
00:25:46.640 --> 00:25:48.590
don’t trust that thing.
00:25:48.590 --> 00:25:51.030
Seriously. They can do anything they like.
00:25:51.030 --> 00:25:55.230
And sometimes, somebody else can, too.
00:25:55.230 --> 00:26:02.510
In this case, according to my provider, I
was able to access 3 million devices.
00:26:02.510 --> 00:26:05.405
applause
That’s quite some number.
00:26:05.405 --> 00:26:10.590
applause
00:26:10.590 --> 00:26:16.730
Also, the press is your friend. If you
are afraid of revealing something,
00:26:16.730 --> 00:26:18.680
tell someone who can do it for you
00:26:18.680 --> 00:26:25.130
and usually, things go out well.
Let’s hope for the best.
00:26:25.130 --> 00:26:29.110
And then, this whole thing went
online in the beginning of the week
00:26:29.110 --> 00:26:32.640
and there were a couple of questions
on the forums that I read
00:26:32.640 --> 00:26:35.880
and I just wanted to take
the time to reply to those.
00:26:35.880 --> 00:26:38.200
First thing that always comes
up is: “Is this a conspiracy?”
00:26:38.200 --> 00:26:41.270
Like “Oh my god, this
is the NSA backdoor!”
00:26:41.270 --> 00:26:44.710
No way. I mean, seriously,
those guys are not that stupid.
00:26:44.710 --> 00:26:47.990
They have their own front doors,
they don’t need backdoors.
00:26:47.990 --> 00:26:50.080
laughter
00:26:50.080 --> 00:26:54.549
This really is just a case of “If we don’t
secure things, it’s going to be easier
00:26:54.549 --> 00:26:59.630
for us.” Njee, it was
easier for everybody,
00:26:59.630 --> 00:27:03.070
including the ones who
shouldn’t have access.
00:27:03.070 --> 00:27:07.930
So, no, this is not a conspiracy. This is
not some backdoor from some agency.
00:27:07.930 --> 00:27:13.110
This is really just a matter of a
company not doing their homework.
00:27:13.110 --> 00:27:15.970
The same thing goes for other providers.
00:27:15.970 --> 00:27:20.360
My cable just wasn’t long enough
to connect to some other country
00:27:20.360 --> 00:27:24.310
so I don’t know whether other
DOCSIS networks are affected.
00:27:24.310 --> 00:27:30.540
From the best of my knowledge:
Yes, they are.
00:27:30.540 --> 00:27:33.639
I’m not allowed to tell you to check.
00:27:33.639 --> 00:27:37.049
But if you happen to have
that idea on your own…
00:27:37.049 --> 00:27:40.480
laughter and applause
00:27:40.480 --> 00:27:47.480
applause
00:27:47.480 --> 00:27:50.269
No animals were hurt during
the production of this movie.
00:27:50.269 --> 00:27:51.320
laughter
00:27:51.320 --> 00:27:55.330
All the passwords were changed, so if you
happen to know the real passwords,
00:27:55.330 --> 00:27:58.049
you probably had a good laugh
during the presentation.
00:27:58.049 --> 00:28:03.660
If you don’t know the real passwords,
njeeee, they are different.
00:28:03.660 --> 00:28:07.130
To the best of my knowledge, all of that
knowledge that I just gave you is
00:28:07.130 --> 00:28:13.810
completely useless to you,
because all the issues are fixed.
00:28:13.810 --> 00:28:16.630
Thank you.
00:28:16.630 --> 00:28:32.020
applause
00:28:32.020 --> 00:28:33.690
Herald [to Alexander]: Q&A?
[Alexander nodding]
00:28:33.690 --> 00:28:36.009
Alexander: So now we can
go for questions if you like.
00:28:36.009 --> 00:28:39.399
So please… or… you go
ahead and announce it.
00:28:39.399 --> 00:28:43.650
Herald: So if you have questions,
run towards a microphone and
00:28:43.650 --> 00:28:49.020
stand behind it visibly.
The first one was on number 4.
00:28:49.020 --> 00:28:54.430
Q: You were talking about taking
a couple of weeks to get to know
00:28:54.430 --> 00:28:57.990
that the password wasn’t
hashed but plaintext.
00:28:57.990 --> 00:29:02.500
So how long did this whole
exchange in total go on?
00:29:02.500 --> 00:29:07.010
How much facepalming and
how many hours did it take for you?
00:29:07.010 --> 00:29:10.070
A: So I didn’t spend full time on it,
I really literally just whenever
00:29:10.070 --> 00:29:14.250
the baby was crying I just went up
and figured “I can do something”.
00:29:14.250 --> 00:29:21.550
It’s not… I basically got
cable access two years ago.
00:29:21.550 --> 00:29:25.210
I first got into the modem
about one year ago, I think.
00:29:25.210 --> 00:29:31.610
That’s when I started looking for real.
00:29:31.610 --> 00:29:34.670
I basically ended up digging
deeper and deeper, right? It’s not…
00:29:34.670 --> 00:29:38.840
VoIP, for example, I only realized the
whole voice-over-IP story in August.
00:29:38.840 --> 00:29:42.650
Since I just didn’t look before. I was
like so excited to see all the other bits.
00:29:42.650 --> 00:29:44.250
shy laughter
00:29:44.250 --> 00:29:46.350
Just didn’t look.
00:29:46.350 --> 00:29:48.900
Herald: Now number 1, please.
00:29:48.900 --> 00:29:54.220
Q: Are you really sure that the TFTP
Provisioning File fetching is secure now?
00:29:54.220 --> 00:30:01.429
Because… do they do some MAC
integrity tests for MAC spoofing?
00:30:01.429 --> 00:30:04.670
A: Yeaaaaah…
00:30:04.670 --> 00:30:09.259
laughter
00:30:09.259 --> 00:30:13.870
The problem is the law, right? I’m not
allowed to tell you to try it yourself,
00:30:13.870 --> 00:30:18.580
I’m not allowed to tell you that I don’t
think that anything on the physical layer
00:30:18.580 --> 00:30:23.089
is insecure. I’m not allowed to tell you
that… I mean there’s so many things
00:30:23.089 --> 00:30:29.109
I’m not allowed to tell you about
this whole network… I haven’t tried.
00:30:29.109 --> 00:30:36.109
I really just went in and said “TFTP
Fetch and see whether I can get it.”
00:30:36.109 --> 00:30:41.080
laughter and applause
00:30:41.080 --> 00:30:45.760
applause
00:30:45.760 --> 00:30:48.690
Herald: Number 7 up
there on the balcony.
00:30:48.690 --> 00:30:52.309
Q: Hello. My question is, in the
beginning in your config files,
00:30:52.309 --> 00:30:56.870
I think there was something about traffic
priority or network priority as well.
00:30:56.870 --> 00:31:00.760
Did you play around with that one as well?
Is that something about Net Neutrality,
00:31:00.760 --> 00:31:03.180
maybe?
A: Ahh, that’s an interesting…
00:31:03.180 --> 00:31:05.390
OK, so, it’s not about
Net Neutrality at all.
00:31:05.390 --> 00:31:11.240
It’s about QoS of different services,
so they basically say that
00:31:11.240 --> 00:31:15.110
VoIP traffic gets higher
priority than the other bits
00:31:15.110 --> 00:31:18.200
since you want to have low latency
on voice-over-IP traffic, obviously.
00:31:18.200 --> 00:31:20.860
So that has nothing to do with
Net Neutrality in this thing at all.
00:31:20.860 --> 00:31:28.210
I did play around with
those settings, just because…
00:31:28.210 --> 00:31:31.410
coincidentally, right the day after
the Fahrplan got released,
00:31:31.410 --> 00:31:35.230
my account got throttled to 80 kBit/s.
00:31:35.230 --> 00:31:38.130
I don’t know why.
Could be related, could be not.
00:31:38.130 --> 00:31:43.400
But I figured, “I’m paying for 100 MBit/s”
so I should probably get 100 MBit/s
00:31:43.400 --> 00:31:46.330
and started to look at those things.
00:31:46.330 --> 00:31:50.280
I did not manage to actually convince
my modem to get me more.
00:31:50.280 --> 00:31:52.820
Q: Did you change the
bandwidth in the settings?
00:31:52.820 --> 00:31:55.140
Herald: No dialogues, please.
00:31:55.140 --> 00:31:59.670
A: Yes, I did change the bandwidth.
It’s not… my guess is,
00:31:59.670 --> 00:32:02.359
they’re also QoS’ing on the
other side. But if you want to
00:32:02.359 --> 00:32:05.260
verify it, I’m not telling you not to.
00:32:05.260 --> 00:32:07.600
laughter
00:32:07.600 --> 00:32:09.309
Herald: Number 2, please.
00:32:09.309 --> 00:32:12.370
Q: Yes. So at first, thank
you for the nice insights.
00:32:12.370 --> 00:32:15.140
I’m a cable user, so I’m interested here.
00:32:15.140 --> 00:32:19.219
And I want to, again, make a
statement on the Provisioning File.
00:32:19.219 --> 00:32:23.940
You should have told them that the
Provisioning File fetching in this way
00:32:23.940 --> 00:32:26.210
isn’t a good idea anyway.
00:32:26.210 --> 00:32:30.460
And I personally would believe
if they cannot transfer it
00:32:30.460 --> 00:32:36.490
via a completely different channel,
it will not get really secure.
00:32:36.490 --> 00:32:39.869
A: They cannot do it differently
because it’s part of a standard.
00:32:39.869 --> 00:32:42.849
There’s a DOCSIS standard which
all the modems have to adhere to
00:32:42.849 --> 00:32:46.259
and that’s part of the standard.
They cannot do it differently.
00:32:46.259 --> 00:32:48.350
If you want to have it done
differently, you have to tell
00:32:48.350 --> 00:32:53.310
the DOCSIS standardization
committee which is in India.
00:32:53.310 --> 00:32:56.910
Q: Yes, so I’ll talk to them. Thanks!
00:32:56.910 --> 00:33:00.159
Herald: Now, we’ll have a
question from the Internet.
00:33:00.159 --> 00:33:03.650
Q: Could two modems be
programmed to talk among
00:33:03.650 --> 00:33:07.169
themselves directly,
bypassing the ISP firewall?
00:33:07.169 --> 00:33:09.109
A: Say it again.
00:33:09.109 --> 00:33:15.270
Signal Angel repeats question more slowly
00:33:15.270 --> 00:33:17.110
A: You mean with the new scheme
or with the old scheme?
00:33:17.110 --> 00:33:21.150
With the old scheme, it was…
you could just go and route through it.
00:33:21.150 --> 00:33:29.200
With the new scheme… you…
not with the official modems.
00:33:29.200 --> 00:33:33.450
laughter and applause
00:33:33.450 --> 00:33:39.060
applause
00:33:39.060 --> 00:33:42.860
Herald: And number 8 on the balcony.
00:33:42.860 --> 00:33:47.199
Q: Did you find any traces
of TR-069 in this thing?
00:33:47.199 --> 00:33:52.450
A: I did on the AVM boxes
that were secure, yeah.
00:33:52.450 --> 00:33:55.939
So that was the only bit that actually
ended up making a lot of sense.
00:33:55.939 --> 00:33:59.470
TR-069 is a pretty nice standard.
You basically have authenticated
00:33:59.470 --> 00:34:03.090
– I think it was even HTTPS – traffic that
basically goes and pokes the server
00:34:03.090 --> 00:34:07.899
to get you a firmware update. It’s a
perfectly nice way of provisioning
00:34:07.899 --> 00:34:10.728
such a system. It’s definitely a
lot different from the usual way
00:34:10.728 --> 00:34:15.409
so on those DOCSIS modems, the usual
way to tell it to get a new “firmware” is
00:34:15.409 --> 00:34:19.469
either to tell it to reboot and get a new
file from the provisioning server or
00:34:19.469 --> 00:34:24.679
to just poke directly through SNMP to tell
it: “Go to this TFTP server over there
00:34:24.679 --> 00:34:27.879
with this file name and
flash it onto your Flash.”
00:34:27.879 --> 00:34:29.179
laughter
00:34:29.179 --> 00:34:35.039
No, I have not tried to spoof the
privileged IP address range.
00:34:35.039 --> 00:34:38.610
laughter
00:34:38.610 --> 00:34:41.099
Herald: Now it’s number 4 again.
00:34:41.099 --> 00:34:45.328
Q: The question I have is:
00:34:45.328 --> 00:34:49.259
When you tried to first
contact them via Heise,
00:34:49.259 --> 00:34:54.339
was there any way they
might have tried to
00:34:54.339 --> 00:34:58.470
convince you to not
do the talk and if so,
00:34:58.470 --> 00:35:02.460
would there be an itch on your head?
00:35:02.460 --> 00:35:07.229
A: They did not try in any
way whatsoever. Zero.
00:35:07.229 --> 00:35:10.319
Q: Do you think that was due to
the credibility or do you think
00:35:10.319 --> 00:35:13.580
they thought “Oh, we screwed up”?
00:35:13.580 --> 00:35:20.190
A: I don’t know. I don’t think they
thought any other way would work at that
00:35:20.190 --> 00:35:24.009
point in time. Since the press was already
involved, they are not gonna pull back
00:35:24.009 --> 00:35:28.099
their story, there’s nothing
else they can do.
00:35:28.099 --> 00:35:29.470
Q: Thank you again.
00:35:29.470 --> 00:35:34.339
Herald: Before I hand the microphone,
do you want to do the entire 24
00:35:34.339 --> 00:35:38.009
remaining minutes Q&A or
do you want to put a limit?
00:35:38.009 --> 00:35:41.660
Alexander: No, I think 24 minutes Q&A is fine.
We can always cap it later on, right?
00:35:41.660 --> 00:35:44.399
Just go and ask. Ask as much as you like.
00:35:44.399 --> 00:35:50.749
applause
00:35:50.749 --> 00:35:53.570
Herald: The Internet, again.
00:35:53.570 --> 00:35:57.499
Q: How much of this would have been
possible if the modem had been
00:35:57.499 --> 00:36:01.729
in bridge mode?
A: My modem was in bridge mode.
00:36:01.729 --> 00:36:04.529
laughter
00:36:04.529 --> 00:36:07.060
Herald: And number 6.
00:36:07.060 --> 00:36:12.049
Q: Do you have an idea how
long this has been that way?
00:36:12.049 --> 00:36:16.180
And do you have any
specific reasons to believe
00:36:16.180 --> 00:36:20.759
what group of people
00:36:20.759 --> 00:36:25.499
might have abused these problems?
00:36:25.499 --> 00:36:29.289
A: I don’t know. I did not see anybody
else on the network but it’s really hard
00:36:29.289 --> 00:36:33.819
to see someone in a
sea of 3 million devices.
00:36:33.819 --> 00:36:38.329
I am not aware of anybody exploiting this,
00:36:38.329 --> 00:36:41.940
so I can only state what Vodafone said.
00:36:41.940 --> 00:36:45.880
And they said that nobody else
did exploit those problems.
00:36:45.880 --> 00:36:49.660
According… as far as time… and
I believe that one actually… it’s…
00:36:49.660 --> 00:36:51.709
I don’t think that anybody
did. Which is surprising
00:36:51.709 --> 00:36:55.169
since this whole stuff was kind of obvious
00:36:55.169 --> 00:36:59.209
but apparently nobody thought of
digging into their modem before.
00:36:59.209 --> 00:37:03.149
The one thing about the timing is:
00:37:03.149 --> 00:37:05.489
Apparently, they already,
Kabel Deutschland,
00:37:05.489 --> 00:37:08.649
basically already does
Internet for 10 years by now
00:37:08.649 --> 00:37:13.690
and there’s very little reason to believe
it’s been different in the beginning.
00:37:13.690 --> 00:37:18.740
So it was probably vulnerable
for about ten years.
00:37:18.740 --> 00:37:22.330
That said, in the beginning, they
were not even using DOCSIS 3.0,
00:37:22.330 --> 00:37:25.619
which did not really do real encryption,
so at the end of the day you could
00:37:25.619 --> 00:37:29.640
just do whatever, anyway, on the network.
00:37:29.640 --> 00:37:35.440
Back in the day. By now,
it’s only halfway complicated.
00:37:35.440 --> 00:37:37.999
Herald: Now number 1.
00:37:37.999 --> 00:37:40.779
Q: Yes, thank you for the talk, too.
00:37:40.779 --> 00:37:47.040
So it’s completely possible that they may
have not found out that somebody else
00:37:47.040 --> 00:37:52.189
accessed this before and maybe already
flashed a lot of devices with another
00:37:52.189 --> 00:37:55.760
firmware which is still
listening to his commands?
00:37:55.760 --> 00:37:59.270
With the new setup. Because
he changed the firmware.
00:37:59.270 --> 00:38:03.769
A: They did not… okay, they did update
the firmware at that one point in time
00:38:03.769 --> 00:38:06.210
when I showed that they switched to SSH.
00:38:06.210 --> 00:38:08.949
They did not change the
firmware ever since. So
00:38:08.949 --> 00:38:13.679
all the services that I was talking about,
they are still running on your modem.
00:38:13.679 --> 00:38:17.789
Q: Okay, but they can’t be sure that there
is another firmware by somebody else
00:38:17.789 --> 00:38:23.190
on routers running. If somebody else
maybe thought of making a bot net,
00:38:23.190 --> 00:38:26.239
before all of this came up,
in the last 5 years or 10 years,
00:38:26.239 --> 00:38:28.459
and already controls some devices
00:38:28.459 --> 00:38:32.170
and they can’t be sure that their firmware
is not running on those devices.
00:38:32.170 --> 00:38:35.739
There can be still devices somewhere
controlled by somebody else.
00:38:35.739 --> 00:38:38.439
A: Sure. You have to, obviously, fake
all the information they receive
00:38:38.439 --> 00:38:40.999
from the modem pretty well,
otherwise they get you onto the
00:38:40.999 --> 00:38:46.450
security block that I am on.
But if you do that correctly,
00:38:46.450 --> 00:38:49.089
you can probably just replace
all the pieces of firmware,
00:38:49.089 --> 00:38:53.459
just ignore all the updates and try to
behave the same way as they’d expect
00:38:53.459 --> 00:38:55.570
and then hope that nobody finds out.
00:38:55.570 --> 00:38:58.360
It’s entirely possible –
I don’t think it’s very likely
00:38:58.360 --> 00:38:59.869
but it is definitely entirely possible.
00:38:59.869 --> 00:39:03.269
Q: Let’s hope there are no more
networks like this out there.
00:39:03.269 --> 00:39:07.099
Herald: Usually, there
are no 2nd questions,
00:39:07.099 --> 00:39:11.139
so… we still got comfortable time
00:39:11.139 --> 00:39:15.089
but try to limit yourself to one question.
00:39:15.089 --> 00:39:17.179
Now it’s number 2.
00:39:17.179 --> 00:39:21.029
Q: Have you tried to change your
MAC address on the DOCSIS level
00:39:21.029 --> 00:39:22.710
or also for the DHCP request
00:39:22.710 --> 00:39:25.999
or how do they do authentication
of the modem over the network?
00:39:25.999 --> 00:39:30.279
A: So, the authentication
works using certificates.
00:39:30.279 --> 00:39:34.389
I’m actually not sure, I haven’t
read the standard on that side
00:39:34.389 --> 00:39:38.039
whether the MAC address is part
of the certificate. I don’t know.
00:39:38.039 --> 00:39:42.539
If it’s not, you can easily just
change it. I haven’t tried.
00:39:42.539 --> 00:39:49.289
But then again, the modems
are – what? – 8 Euros?
00:39:49.289 --> 00:39:51.219
Herald: Number 7.
00:39:51.219 --> 00:39:55.529
Q: What other recommendations
do you have
00:39:55.529 --> 00:40:00.309
– if someone were to have a
suspicion about a vulnerability –
00:40:00.309 --> 00:40:05.729
for the research part and
for the disclosure part?
00:40:05.729 --> 00:40:09.669
A: What do you have to do… I can’t give
you any legal or any advice on that one.
00:40:09.669 --> 00:40:13.089
I can tell you that getting
somebody involved
00:40:13.089 --> 00:40:16.129
that has done this before
is a really smart idea.
00:40:16.129 --> 00:40:18.909
Because they’ve gone
through a lot of pain points.
00:40:18.909 --> 00:40:22.430
The press is even better because
they have a really, really big lever
00:40:22.430 --> 00:40:25.780
nobody wants to be in the press
for 2 months or whatever
00:40:25.780 --> 00:40:31.169
just on negative news that there was
somebody who was legitimately trying
00:40:31.169 --> 00:40:35.360
to tell them to improve their
network and they sued them.
00:40:35.360 --> 00:40:39.729
So there’s a really good chance that
going via the press is going to keep
00:40:39.729 --> 00:40:43.959
problems away from you,
but there’s no guarantee.
00:40:43.959 --> 00:40:50.049
I cannot give you real – I mean legal
or any coherent – advice on that one.
00:40:50.049 --> 00:40:53.589
I would… I mean, if I would find such
a thing again, I would definitely go
00:40:53.589 --> 00:40:57.139
the same route. I would just call
up Heise and tell them and…
00:40:57.139 --> 00:41:00.259
That went pretty smoothly.
00:41:00.259 --> 00:41:03.609
And if… I mean, the really cool thing
is, they actually listen to the press.
00:41:03.609 --> 00:41:05.630
If I had gone to the service,
they would have just said
00:41:05.630 --> 00:41:10.800
“Sorry, wrong number,
I can’t help you.”
00:41:10.800 --> 00:41:13.519
Herald: Now the Internet.
00:41:13.519 --> 00:41:17.199
Q: How did you obtain the
original data? Did you use JTAG
00:41:17.199 --> 00:41:22.470
or dump the device’s firmware
and run it virtualized?
00:41:22.470 --> 00:41:27.779
A: Ahhhhh. Not sure how much of
that I should actually tell everybody.
00:41:27.779 --> 00:41:30.909
Let’s say, I replaced…
00:41:30.909 --> 00:41:34.150
You can actually see
this on the slide, wait.
00:41:34.150 --> 00:41:39.049
makes “Tchtchtchtchtch” sound
00:41:39.049 --> 00:41:42.250
Oh my god, this is going to take forever.
00:41:42.250 --> 00:41:46.980
Okay, dududum, where’s my
mouse cursor? There it is.
00:41:46.980 --> 00:41:50.960
Okay… So, I got a
picture of the modem…
00:41:50.960 --> 00:41:55.820
…here. There you go. So…
00:41:55.820 --> 00:41:59.799
…what you can see here, down there,
the white and the yellow cables,
00:41:59.799 --> 00:42:02.250
those are the serial port.
00:42:02.250 --> 00:42:06.130
And the IDE cable up there
that’s where the flash chip was
00:42:06.130 --> 00:42:09.499
before I started fiddling with the modem.
laughter
00:42:09.499 --> 00:42:12.039
Now, the flash chip is actually
in that socket up there.
00:42:12.039 --> 00:42:15.569
Which means I could swap the
flash chip between a device I own
00:42:15.569 --> 00:42:18.050
– BeagleBone Black, for example,
that’s a really nice spy interface
00:42:18.050 --> 00:42:20.479
that you could just use to write those
00:42:20.479 --> 00:42:22.170
– and then plug it back into the modem.
00:42:22.170 --> 00:42:28.049
So I could replace the firmware
and get myself an initial shell.
00:42:28.049 --> 00:42:32.989
As I mentioned earlier, I really
do not like to lose Internet access.
00:42:32.989 --> 00:42:37.790
So this is not the modem that
I was actually using at home.
00:42:37.790 --> 00:42:40.769
Instead, I just used that modem
to fetch a firmware image
00:42:40.769 --> 00:42:44.719
so I could then look and see
whether there might be other bugs
00:42:44.719 --> 00:42:48.829
that you could use.
00:42:48.829 --> 00:42:51.520
Herald: Now number 8.
00:42:51.520 --> 00:42:54.789
Q: Earlier, you’ve said that
– who was it… –
00:42:54.789 --> 00:42:59.469
Fritz!Box was more secure and they
didn’t have the same vulnerabilities.
00:42:59.469 --> 00:43:03.079
Do you think they simply didn’t use
hardcoded passwords and stuff?
00:43:03.079 --> 00:43:07.099
So do you think they’ll be vulnerable
to similar attacks and that someone
00:43:07.099 --> 00:43:10.670
probably, like you wouldn’t tell them,
but maybe they should look into it
00:43:10.670 --> 00:43:14.499
or do you think that it isn’t possible
and someone should, like, prove you wrong.
00:43:14.499 --> 00:43:17.999
A: From all I can tell, but this is…
I mean, just a gut feeling that I get
00:43:17.999 --> 00:43:20.469
from looking at different firmware files,
00:43:20.469 --> 00:43:22.789
the usual way, at least
the Linux based firmware
00:43:22.789 --> 00:43:28.629
works on those systems is
that there’s TI creating a BSP
00:43:28.629 --> 00:43:31.920
then they give it out to Motorola.
Then Motorola gives it out to CBN.
00:43:31.920 --> 00:43:35.729
Then CBN gives it out
to Kabel Deutschland.
00:43:35.729 --> 00:43:40.829
And then, each party of those
adds a few pieces of stuff.
00:43:40.829 --> 00:43:44.519
That’s the usual way it
works in those devices.
00:43:44.519 --> 00:43:47.559
Whereas in the AVM boxes,
things looked vastly different.
00:43:47.559 --> 00:43:49.559
There was one firmware image
that even contained information
00:43:49.559 --> 00:43:51.970
for some Austrian provider.
00:43:51.970 --> 00:43:58.040
So instead of giving full
control to the cable provider,
00:43:58.040 --> 00:44:04.860
AVM kept control on their own and actually
audited the stuff they were doing.
00:44:04.860 --> 00:44:07.639
That’s the major difference.
00:44:07.639 --> 00:44:13.420
applause
00:44:13.420 --> 00:44:16.620
Herald: One more question
from the Internet.
00:44:16.620 --> 00:44:20.499
Q: Do you know if they
still use unencrypted SIP?
00:44:20.499 --> 00:44:24.119
A: Oh yeah. chuckles
slight laughter
00:44:24.119 --> 00:44:27.320
A: Oh yeah.
loud laughter
00:44:27.320 --> 00:44:29.519
A: Nothing in the protocols
changed at all, whatsoever.
00:44:29.519 --> 00:44:32.329
They really just added a few firewalls.
00:44:32.329 --> 00:44:37.759
So once you are on the physical layer,
you can read everything you like, yes.
00:44:37.759 --> 00:44:42.189
Well, and you break through
the DOCSIS encryption, obviously.
00:44:42.189 --> 00:44:45.019
Herald: Now the newly adjusted number 2.
00:44:45.019 --> 00:44:47.889
Q: Thank you. Mine is
not so much a question
00:44:47.889 --> 00:44:51.149
as I’d like to add some insight
and perspective to this.
00:44:51.149 --> 00:44:54.549
I, myself, worked for several ISPs
00:44:54.549 --> 00:44:57.500
and the… we… actually
I worked for an ISP
00:44:57.500 --> 00:45:01.350
that had not this particular
issue, but a similar issue.
00:45:01.350 --> 00:45:04.159
The way that it was fixed and
00:45:04.159 --> 00:45:07.030
– you can look me up, I’ve worked
for several ISPs, you won’t know
00:45:07.030 --> 00:45:08.679
which one had this problem –
00:45:08.679 --> 00:45:13.709
but what was actually the fix
was a simple IP check.
00:45:13.709 --> 00:45:17.820
So once you downloaded
from the TFTP server,
00:45:17.820 --> 00:45:21.519
it was just checked if you did it
from the IP that was suspected.
00:45:21.519 --> 00:45:26.910
So this issue may actually be
reproducible if you can somehow
00:45:26.910 --> 00:45:30.429
get hold of an IP [address]
you weren’t supposed to have.
00:45:30.429 --> 00:45:34.580
Like, say, spoof MAC address
or something like that.
00:45:34.580 --> 00:45:39.860
That being said, I’d like to attach
a comment to the whole SIP thing, too.
00:45:39.860 --> 00:45:45.439
You indicated that it’d be possible
to silently intercept the conversations
00:45:45.439 --> 00:45:50.039
which is not necessarily the issue
because many SIP servers
00:45:50.039 --> 00:45:52.860
can be configured
to allow multiple endpoints
00:45:52.860 --> 00:45:55.879
so as the
– what’d you call it? –
00:45:55.879 --> 00:45:58.419
the bad guy would be able
to pick up your calls,
00:45:58.419 --> 00:46:01.209
you would also hear your
phone calling yourself.
00:46:01.209 --> 00:46:04.500
A: Right, and if your phone picks
up within 0.01 microseconds,
00:46:04.500 --> 00:46:06.970
then, yeah, there’s nothing
you can do about it.
00:46:06.970 --> 00:46:10.070
It just rings again.
That’s the point about it.
00:46:10.070 --> 00:46:13.609
Also, the other bit that
you have on the SIP server
00:46:13.609 --> 00:46:17.309
is that that particular server actually
only allowed one endpoint
00:46:17.309 --> 00:46:20.690
to be registered at a time.
At least from what I could tell.
00:46:20.690 --> 00:46:25.170
It was some Huawei
box. I don’t know.
00:46:25.170 --> 00:46:28.630
Herald: Number 3, please.
00:46:28.630 --> 00:46:30.669
Q: Yeah, I attended this talk today
00:46:30.669 --> 00:46:36.720
because I know that at the beginning,
when DOCSIS was introduced,
00:46:36.720 --> 00:46:39.960
the modems were asking
for the configuration file
00:46:39.960 --> 00:46:44.899
also over the Ethernet
port which is great.
00:46:44.899 --> 00:46:48.339
And my question is:
00:46:48.339 --> 00:46:54.479
Is there a way within the DOCSIS standard
so that the ISP can verify their hardware?
00:46:54.479 --> 00:47:00.209
I mean, you… I have seen
the type and the vendor name
00:47:00.209 --> 00:47:06.349
and the SNMP but you can
obviously spoof that.
00:47:06.349 --> 00:47:11.490
Of course, firmware
binaries won’t run on the
00:47:11.490 --> 00:47:15.360
wrong hardware, but…
00:47:15.360 --> 00:47:17.349
A: I’m not quite sure
I’m getting what you’re…
00:47:17.349 --> 00:47:21.889
Q: The question is: Is there
a way to control for the ISP
00:47:21.889 --> 00:47:25.639
which hardware there is they’re using?
00:47:25.639 --> 00:47:27.929
A: So I come from a
virtualization background.
00:47:27.929 --> 00:47:31.629
And in my world, there is
no such thing. It doesn’t exist.
00:47:31.629 --> 00:47:33.159
slight laughter
00:47:33.159 --> 00:47:38.940
Sorry. If you can somehow
abstract it, you can abstract it.
00:47:38.940 --> 00:47:42.839
Q: OK.
Herald: 8, please.
00:47:42.839 --> 00:47:48.189
Q: Hi. I wanted to add on the
part with the MAC spoofing.
00:47:48.189 --> 00:47:52.129
Because I had a modem
like that, like 5 years ago,
00:47:52.129 --> 00:47:55.709
and actually I never went
inside the modem,
00:47:55.709 --> 00:47:59.959
but I had some applications where
I needed a new IP address
00:47:59.959 --> 00:48:02.639
in a short period of time…
00:48:02.639 --> 00:48:06.779
loud laughter
00:48:06.779 --> 00:48:10.339
And I remember that actually… the thing…
00:48:10.339 --> 00:48:16.830
if you told the modem your MAC
address, a different MAC address,
00:48:16.830 --> 00:48:20.979
you got different external
IP addresses back then.
00:48:20.979 --> 00:48:24.359
I don’t know if things have changed
because it was 5 years ago
00:48:24.359 --> 00:48:28.180
but… yeah… after what
I’ve heard from you,
00:48:28.180 --> 00:48:30.619
I’m kind of unsure that things changed.
00:48:30.619 --> 00:48:33.579
A: No, I’m fairly sure this is actually
accurate. From what I understand,
00:48:33.579 --> 00:48:37.670
I never did that myself but I
heard from people who did,
00:48:37.670 --> 00:48:42.789
the MAC address check and the
certificate check are actually separate.
00:48:42.789 --> 00:48:47.910
So that if you own a valid certificate
from some random dude who happens to
00:48:47.910 --> 00:48:52.529
actually pay for the service,
and you get that certificate,
00:48:52.529 --> 00:48:55.609
and you’re not on the
same CMTS as that guy,
00:48:55.609 --> 00:48:59.219
then you can actually go and, well,
00:48:59.219 --> 00:49:03.269
basically say that you’re him even if
you have a different MAC address.
00:49:03.269 --> 00:49:06.260
Which then, again, implies that if you
change the MAC address, you can just
00:49:06.260 --> 00:49:09.060
be somebody else. Which
then again implies that…
00:49:09.060 --> 00:49:13.609
maybe you can actually go and get
somebody else’s Provisioning Files, yeah.
00:49:13.609 --> 00:49:15.449
slight laughter
00:49:15.449 --> 00:49:18.409
Q: Well, yeah… not up to you.
00:49:18.409 --> 00:49:20.459
A: Not going to try out.
00:49:20.459 --> 00:49:22.319
Herald: Number 2, please.
00:49:22.319 --> 00:49:28.009
Q: Yeah, you had this one
with one particular provider
00:49:28.009 --> 00:49:30.389
and I happen to know that
there’s a second provider
00:49:30.389 --> 00:49:36.019
using the same technology in Germany:
were they somehow involved in this loop?
00:49:36.019 --> 00:49:40.260
I mean, it took Kabel Deutschland
two months to fix this and…
00:49:40.260 --> 00:49:42.109
A: No, but they better hurry up!
00:49:42.109 --> 00:49:45.870
laughter and applause
00:49:45.870 --> 00:49:48.130
Q: Thanks!
applause
00:49:48.130 --> 00:49:53.689
A: And, quite frankly, I do not believe
00:49:53.689 --> 00:49:58.489
that this is limited to Germany
at all, whatsoever.
00:49:58.489 --> 00:50:06.949
So… Yeah. Let’s see who’s faster.
00:50:06.949 --> 00:50:08.950
Alright, end of questions, right?
Or is there any…?
00:50:08.950 --> 00:50:11.359
Herald: It looks like we’re
at the end of questions.
00:50:11.359 --> 00:50:13.279
The Internet maybe…?
00:50:13.279 --> 00:50:15.520
No, the Internet doesn’t
have any questions.
00:50:15.520 --> 00:50:17.730
There are 8 empty microphones.
00:50:17.730 --> 00:50:24.800
So thank you very much for your talk
and thank you very much for the Q&A.
00:50:24.800 --> 00:50:30.954
applause
00:50:30.954 --> 00:50:34.904
postroll music
00:50:34.904 --> 00:50:41.841
Subtitles created by c3subtitles.de
in 2016. Join and help us!