-
32C3 preroll music
-
Herald: The next talk is going to be
“Beyond Your Cable Modem”
-
– how not to do DOCSIS networks.
-
Sorry, I’m not a hardware guy.
But Alexander Graf is going to
-
hold the talk and he has
done a lot of virtualization
-
and stuff other people
think is too complicated.
-
Now he is going to talk about
-
the outside of your apartment.
Give him a warm welcome.
-
applause
-
Alexander: Hi and welcome to my
talk “Beyond Your Cable Modem”.
-
This is going to look at what’s beyond
the stuff you usually see at home
-
where you just plug in a network cable
and you happen to have Internet available.
-
So, who am I?
-
I’m Alexander Graf – I’m usually
more of a virtualization developer.
-
I have nothing to do with
hacking in my day work,
-
I don’t usually go around and
hack embedded devices.
-
Usually, at least.
-
But, during the last year, I had
a lot of spare time at night
-
because the baby was
crying, so I figured:
-
I could as well spend that time
and do something useful.
-
So, what happened?
We moved to a new home.
-
I was living in a home
where I had DSL available,
-
I had a real phone line, everything
was great, things were just awesome.
-
But then we moved into
this new home where…
-
where there was no DSL available. Well,
there was DSL available but there were
-
different circumstances why I couldn’t use
it. So instead, I figured: You know what?
-
Try this cool new technology:
Internet over your cable TV.
-
Ehh, cable. TV cable.
-
So I got myself a cable
modem from the provider,
-
got myself registered and
now had Internet over cable TV.
-
Also, along the same lines, I figured:
-
Why not go and also do your phone
line over that cable provider
-
with your old phone number so that people
still can contact you when they want to.
-
Now, the thing is, when I finally
received the whole package,
-
I realized: Woh! Wait!
Something’s wrong here!
-
That’s an analogue phone line!
Are we, like, in 2015 or is it 1994?
-
So, instead of the usual digital
stuff that I am used to,
-
I just got myself an analogue phone line.
-
So I had to put myself
another box in there
-
that would convert the analogue phone
line back to a digital phone line,
-
so I could route it in my house to
another line, to another machine
-
that would then go and
route it to my phone.
-
You see the problem in there?
-
Yeah, that whole stuff over there
just doesn’t look right, right?
-
Why would you go and convert
something that is obviously digital?
-
I mean, the stuff that goes into
your cable is obviously digital, right?
-
Kind of obvious…
-
and convert it back to analogue
and then back to digital
-
just to be able to do a phone call.
-
So I called up the technicians, Support,
and said: “Hey guys, you know what?
-
Isn’t there a way I can,
like, directly access
-
whatever you have there and go
and use digital throughout?”
-
And the guy said: “Well, you know what?
Actually, behind the scenes,
-
we’re all just running SIP.
It’s just a normal SIP server.
-
Just normal voice-over-IP,
nothing special about it.
-
So, if you know what you’re doing,
just go ahead and connect to it.”
-
laughter and applause
-
Challenge accepted.
-
So, what we learned from
Felix earlier in his car talk:
-
It was: What do you do when you
don’t want to brick your own system?
-
Of course, you buy a new one
on ebay. They’re really cheap,
-
just go and get a cable modem
and then you can go away and
-
treat it with the kind of love that you
want a device to be treated with.
-
laughter
-
Turns out, my modem is actually
just running Linux. Hooh! Nice!
-
That fits me pretty well!
-
And it’s just a normal ARM system.
-
Well, the only special
thing is: It’s Big-Endian.
-
But then again, I’m kind of used to
ARM by now, why not just go away
-
and like go around and just
look at how this thing works.
-
And, well, we really just want to
get this voice-over-IP stuff working,
-
so take a look at how this
voice-over-IP stuff works on the device!
-
Turns out, there’s actually a normal SIP.
-
SIP works on port 5060 usually.
-
Normal SIP client running on
there, but this IP looks weird.
-
So, my external IP looks different.
-
And my internal IP is different, so
where does this IP come from?
-
So I looked at the IP list
of my device and figured:
-
Well, something’s weird here. I have
a lot of IPs in there and connections
-
that I really don’t know
anything about. Hm.
-
So down here, is obviously my phone line.
-
And up here, is something else
that I have no idea what this is about.
-
So I figured: Let’s go
and dig a bit deeper.
-
And see what’s actually happening there.
-
So how does DOCSIS work?
This is just a small introduction,
-
like high-level introduction,
on how the routing runs.
-
So basically, you have the cable modem
that is connected using your TV cable line
-
to a CMTS, just a translation service,
-
that then takes all of the DOCSIS-specific
stuff and just basically gives you
-
an IP routing over into something-
something-something behind it.
-
However, it doesn’t just give you one
line. It actually gives you three.
-
It gives you one line for your Internet.
Makes sense, right? You want
-
to get online. That’s the one you actually
see when you plug into the device.
-
It also gives you another line for VoIP.
-
And it gives you one more line
that I would call the “Admin” line.
-
It’s the provisioning line.
-
Now, let’s start with the Admin line.
That sounds the most interesting, right?
-
laughter
-
What does the Admin line do?
-
Well, in the end, a modem in the DOCSIS
network is just a normal client
-
like in your Ethernet network.
-
So the first thing it does
when it gets online is:
-
it does a DHCP request.
And on the DHCP request
-
it goes and gets an IP address
and gets all the information it needs.
-
And it also, well, it’s kind of sane,
it’s just a normal DHCP request.
-
It also, however, gets something
similar to PXE booting
-
where it gets usually… in PXE booting you
would get an executable that you’d run,
-
here, you get something different.
Here, you also get a file
-
that you need to download
using TFTP just like with PXE.
-
However, in this case,
it’s a configuration file…
-
– There you go –
…configuration file…
-
…that you just receive using
PXE to your cable modem;
-
and then, the cable modem is configured.
-
Now what is inside this Provisioning
File, that’s what I call it? Well,
-
there’s interesting information like: What
is your firmware update filename called?
-
If you want to update your firmware
or if the provider wants to have you
-
update your firmware.
How much bandwidth do I have?
-
laughter
-
I hear, people have been
playing with that one…
-
laughter
-
And, well, since it’s just a normal TFTP
request you can just do it yourself, too.
-
This is my configuration. You just go, get
it, and you have your configuration file.
-
Now, the interesting thing that I realized
when I first started doing this was:
-
Sure, this is my configuration file.
But what about configuration files
-
from other people? Well, you
go and get the MAC address,
-
if you have the MAC address you
just go and get it and there you go:
-
You have the other people’s
configuration file.
-
laughter
-
Easy as that, right? That’s the
way it’s supposed to work.
-
applause
-
The actual effects of that,
we’re going to come to that later.
-
Let’s just declare TFTP,
the whole access to that,
-
as “slightly insecure” for now.
-
laughter
-
But now, if you’re an ISP, you want to
monitor what your people do, right?
-
So imagine, you’re the admin there.
-
Just imagine, you’re one
of the good guys, right?
-
And you want to see what are those
people on your modem doing.
-
Are they, like, downloading
too much content?
-
Because you obviously cannot filter
or find that out from the other side.
-
So, what do you do? Well, you obviously
send the industry standard for that:
-
An SNMP request. Using a
password that only you know.
-
laughter
-
Send it over to the cable modem
and the cable modem then goes in
-
and replies with the respective
reply saying “Oh, yeah, sure,
-
I got that piece of information,
there you go, you have it.”
-
Oh, that was too quick!
-
But how does your modem
actually verify that password?
-
Yeah, you guessed right: Using
the Provisioning File, obviously!
-
laughter
-
Once you download the Provisioning File
from any random modem in there
-
– including yours – you end up
getting an interesting password.
-
laughter
-
However, they actually
did at least one thing:
-
They limited the address range you are
allowed to access those devices on.
-
laughter
-
Yeah…
applause
-
As a hint for those who did not clap:
-
This means, everybody
who is in that network.
-
But how big is this network?
-
I figured: Why not just give it a try
and ask some people in Hannover
-
whether I could just get
their MAC addresses
-
and see how far I could get.
-
Just send an SNMP request over,
I had the password now, right?
-
And ask that modem:
-
“Please tell me everything you know!”
-
And it replied!
laughter
-
There’s a lot of interesting information,
SNMP, you wouldn’t believe it!
-
So this is obviously just stuff like
“Oh, yeah, I’m this and that modem!”
-
But there’s more in there.
There’s, for example…
-
this is my public IP address!
-
– in case you’re searching
for someone specific. Or…
-
these are my internal MAC
addresses and IP addresses.
-
In case you’re searching for some
specific notebook that someone
-
stole from you or so.
laughter
-
Or… this is my Provisioning File, in
case you just happened to port scan
-
all of the machines out there and
ask them using the same password
-
that they all share on what their
Provisioning Files could be called.
-
clears throat
-
Of course, I never did that. Right?
-
laughter
-
So, I would say, the whole SNMP story
isn’t “really” all that secure either.
-
But at a certain point in time, like when
the modem actually doesn’t work
-
like the way you would envision
it to be or if you just need to do
-
more administrative stuff, the admin wants
to have more access than just SNMP, right?
-
This is kind of isolated to a few
specific pieces of information.
-
You want some more hardcore access.
Like real go down into a real shell.
-
How do you do shells in 2015?
Audience: TELNET!
-
Alexander: Telnet. Exactly!
laughter
-
applause
-
We’ll actually get to the point why
Telnet was a good idea later, but…
-
that’s 30 slides down or so.
-
We already managed to get an SNMP
connection working to a different modem,
-
let’s just try the same with Telnet
and see how far we can get.
-
We can go in and just Telnet in and it
replies and says “please give me a login”
-
Hm. Now where do I get this login from?
-
laughter
-
Turns out, the administrator needs to
provide that password just the same
-
to the modem, which needs to verify it.
-
Based on configuration. Which it gets
from the Provisioning File. That…
-
I think you see the point.
-
So in the same Provisioning File that you
can obviously again download for every
-
single user in the network
you also have the password.
-
In plaintext.
-
That’s the part that actually took
me the longest in this whole thing.
-
I spent weeks trying to
figure out what hash this is.
-
raging laughter
-
big applause
-
So if we try to log in to the server
using those credentials we got,
-
we get greeted with a nice
command line interface
-
for poor Mr. Admin at our provider’s side.
-
But I don’t really like those,
like, boiled-down interfaces.
-
I want a real shell.
I want to load kernel modules.
-
I want to filter all my network traffic.
-
I want to reroute everything that
modem does to a different machine.
-
I want to rewrite the VoIP
client to instead do… either way!
-
So I want to do something real.
Let’s do the help command
-
and it tells us that there’s a
cool command called “shell”.
-
laughter
-
Ah yeah, there you go, got a shell!
-
By now, at that point, I can actually
go and do anything I want to that modem.
-
I got full root access. By the way,
all the modems run every single
-
piece of software running on there,
including your web server and your
-
SIP server and anything as UID 0.
Which is a good idea, right?
-
So, I now got shell access so
I can do anything I want.
-
I can re-route all your traffic,
I don’t, obviously, but
-
this is basically where we
went half a year ago.
-
Another thing to note is that
– since it’s so annoying to generate
-
different passwords for different devices…
-
Yeah, yeah, I know.
-
You just use one password
for all, right? It’s good enough.
-
So you don’t even have to read your
other person’s Provisioning File,
-
you can just use your own password
that is in your own Provisioning File
-
which you already have on your modem
because you’re provisioned yourself.
-
The only notable exception that
I found to this whole scheme
-
– I mean, you could basically go
and log in to any modem out there,
-
except for Fritz!Boxes.
applause
-
Yeah, congratulations everyone! Kudos!
-
So, apparently, AVM are the only ones
who did not follow the standard scheme
-
from my provider and instead said: “No
no no, guys! You don’t do the firmware.
-
WE do the firmware”, and they just
don’t like to enable Telnet. Apparently
-
there are people in that company that
actually know what they’re doing.
-
So, I would say the whole Telnet
access thing isn’t exactly…
-
I wouldn’t mark it “secure”
either. Naahhh… naaah…
-
But we didn’t really come here
for the Admin network, right?
-
I was just… it happened to be around.
I just looked at it and… njeeeeeh.
-
We wanted to go and do
voice-over-IP! Hah!
-
Yeah, so what does VoIP look
like? It’s kind of similar.
-
It also does a DHCP
request in the beginning.
-
DHCP is usually fine, I mark
it with a green tick here.
-
I’ll leave it to others to further
dig down into that part.
-
It does the same TFTP bit so if you just
go and – instead of downloading your
-
Provisioning File from your own modem,
from the RAN, from the admin network –
-
you just go and get it from the other MAC
address and there you go, you have it.
-
Nicely enough, all those cable providers
registered consecutive MAC addresses,
-
so if you have one,
you also have the others.
-
Just… You basically just ask a friend:
“Give me your MAC address that’s
-
written on the box” and you basically
have everything you need.
-
SNMP is the same thing.
You can access it using SNMP.
-
The really nice thing about
SNMP here is that the box also
-
tells you the other accesses it has, so
if you only have one IP address, or…
-
I also have a nice DNS service internally
that tells you what the IP address is
-
to a certain MAC address, so you just
ask the DNS for the MAC address of
-
the VoIP access, then you go and
SNMP, ask it for the IP address
-
of the admin network, and
there you go. You’re in the box.
-
However, the really interesting bit
on the voice-over-IP network is SIP.
-
Since… you want to do VoIP, right?
That’s what the whole thing is about.
-
So VoIP basically works… the way that your
modem wants to go and do a phone call.
-
So how do you do a phone call with SIP?
-
You need to provide data like credentials,
like, tell the other side, the server,
-
how you authenticate yourself.
-
Which, obviously, is written
in your Provisioning File.
-
So, you use those and tell the
server: “I want to do a phone call”
-
and there you go: You do a phone call.
-
Now if we look at this Provisioning File,
you can see that it contains your server
-
and your user name and your phone number
-
and your… well, basically everything
you’d need to log in to a SIP server.
-
Now, since I can read anybody
else’s Provisioning Files, …
-
laughter
-
So, imagine I’m this user up there. Right?
-
And I’m just doing a normal call
as this phone number up there.
-
Well, maybe there’s this
other guy in the network
-
who just goes in and downloads
your Provisioning File
-
and, well, he gets all the credentials
he would need, so he gets
-
the same phone number and
then he can just go and do a call.
-
Hm. Yeah. Maybe I should have
registered a few 0900 numbers.
-
Now the really interesting part here is –
it also works the other way!
-
You register for it and if you’re
the fastest one registering it,
-
the other modem doesn’t get the
chance to receive calls which means
-
now you receive the calls and then you can
just tell the other modem that there was
-
a call, just that, by now, you actually
route all the traffic through your modem
-
and you can listen to all the voice data
that there is on the line. Yay!
-
Yeah…
laughter
-
Not sure it’d be a good idea to
talk to your lawyer around…
-
Using this line for secure stuff
is probably not the best.
-
I wouldn’t mark SIP as secure
on this thing, either.
-
But at this point, so on the Telnet
access and on all the other parts,
-
I was, like, sure,
I can fix it for myself.
-
I’m an egoist, right?
I can fix it for myself.
-
I don’t care about the rest of mankind…
-
I do, but I can claim that!
-
I can just as well ignore all the
others and say: I fix it for myself.
-
But for voice-over-IP, I can’t.
Because I’m completely out of the loop.
-
This other guy, he could just go and
steal my credentials, because he can…
-
and there’s nothing I can do about it.
-
So at that point, I was kind of scared
that someone would be able to hack me.
-
So I started to think about
how to fix this thing.
-
Now, the first thing that comes to
mind is obviously: You as a user
-
go and pick up the phone and call
the service line from your provider.
-
laughter
-
Yeah, I don’t think, that’s a good idea.
laughter
-
Nah, no I didn’t want to go down that
road, nah… So, instead, I figured,
-
I’m going to call someone else.
I’m going to call a couple friends.
-
laughter and applause
-
applause
-
Gonna call a couple of friends from
Heise, thanks to my Linux work, I knew
-
a few of those, and they also tend to
do security, which kind of falls into
-
this whole thing and used them as a proxy.
-
So that nobody could actually go and
sue me until things were public.
-
So, imagine what the provider
would do when he hears
-
that I hacked into their Telnet account.
-
Sure, you’d do the obvious thing:
You’d replace Telnet with SSH, right?
-
It’s what everybody would do. It’s the
first thing. You look at this and think,
-
like, “Oh my god, this is 2015,
why would you be doing Telnet?”
-
Well, the answer is pretty simple. Emm…
laughter
-
Take a look again. It’s not as simple
as you think. Take a look at it again,
-
there’s this Provisioning File. SSH
actually gets different credentials!
-
So, the SSH credentials
are actually down here.
-
And the password is different
from the one on the top.
-
I don’t know what the password is.
-
But I can tell you that the
password hash is really cool!
-
So, the password hash is something
that comes from VxWorks, so I’m pretty
-
sure that there are more devices out there
that might be interesting to look at.
-
The VxWorks hash actually
works in a really simple way:
-
It creates a checksum of your input that
lies somewhere between those 2 numbers
-
and then creates a fancy String out
of them based on some heuristics.
-
But essentially, the whole password down
there boils down to just a single number
-
that is basically, in a realistic case,
the upper limit is 40 characters,
-
so you’re not going to see
a password that long,
-
realistically you basically check around
100 passwords and any hash out there,
-
any password that’s available, you
already cracked it. Which means,
-
there are so many collisions in this
hash, which I wouldn’t even call a hash,
-
that I don’t know what the original
password is like… I don’t know.
-
But this one works pretty well!
-
laughter and applause
-
applause
-
So we go ahead and we log into this
machine and we type in our collision
-
and… there you go! We got
the same thing as before!
-
So we told them again: “Guys,
look, it’s not as easy as that.
-
You should probably take a bit
deeper breath and take a look
-
at how things actually are broken.”
-
Which, turns out, they did!
So what happened next?
-
We had this whole huge mess with
lots of services that are all attackable
-
and everything’s just wholly broken.
-
That was two months ago.
-
There were some circumstances
why we just couldn’t tell them earlier.
-
And we basically told them: “Guys, you
know, in 2 months’ time we’re going to do
-
a talk here and everything’s going to
be public so you might want to fix
-
your network until then.”
laughter
-
So the first thing that they did is: They
added a check to their TFTP server
-
to verify whether you’re actually eligible
to download this Provisioning File.
-
applause
-
So now, you can only download your
own Provisioning File. Which is great…
-
finally! I mean, this is the obvious
thing to do. So that one’s fixed.
-
Then, they went ahead and said: Well,
there’s no real reason why one modem
-
should do SNMP traffic with another.
So they just added a firewall, saying,
-
we’re blocking SNMP traffic
between different machines
-
– problem solved!
-
applause
-
The same for SSH – they went ahead and
said: There’s no reason why you should
-
be doing TCP between
one modem and another.
-
Problem solved!
-
applause
-
And because the VoIP access credentials
-
are actually part of your Provisioning
File which you can now
-
no longer download from somebody
else, that one is fixed too.
-
Awesome! shy applause
Go ahead, go ahead, clap! It’s awesome!
-
applause
-
Thank you, ISPs. So after two months,
you actually managed to limit me
-
into the borders that I was supposed
to be in, in the beginning.
-
It’s cool!
So what do we have…
-
Please guard your networks even if you
believe that somebody couldn’t go in
-
– they probably will.
-
Because, as soon as a customer
can access your device physically,
-
which kind of happens to be the
case with a modem that’s sitting
-
in your apartment,
-
that guy can access your network.
There’s no way you can prevent it.
-
So don’t believe that the border
of your network is the home.
-
The border of your network is
the cable going into that home.
-
The same way goes the other way
around: If an ISP gives you a device,
-
don’t trust that thing.
-
Seriously. They can do anything they like.
-
And sometimes, somebody else can, too.
-
In this case, according to my provider, I
was able to access 3 million devices.
-
applause
That’s quite some number.
-
applause
-
Also, the press is your friend. If you
are afraid of revealing something,
-
tell someone who can do it for you
-
and usually, things go out well.
Let’s hope for the best.
-
And then, this whole thing went
online in the beginning of the week
-
and there were a couple of questions
on the forums that I read
-
and I just wanted to take
the time to reply to those.
-
First thing that always comes
up is: “Is this a conspiracy?”
-
Like “Oh my god, this
is the NSA backdoor!”
-
No way. I mean, seriously,
those guys are not that stupid.
-
They have their own front doors,
they don’t need backdoors.
-
laughter
-
This really is just a case of “If we don’t
secure things, it’s going to be easier
-
for us.” Njee, it was
easier for everybody,
-
including the ones who
shouldn’t have access.
-
So, no, this is not a conspiracy. This is
not some backdoor from some agency.
-
This is really just a matter of a
company not doing their homework.
-
The same thing goes for other providers.
-
My cable just wasn’t long enough
to connect to some other country
-
so I don’t know whether other
DOCSIS networks are affected.
-
From the best of my knowledge:
Yes, they are.
-
I’m not allowed to tell you to check.
-
But if you happen to have
that idea on your own…
-
laughter and applause
-
applause
-
No animals were hurt during
the production of this movie.
-
laughter
-
All the passwords were changed, so if you
happen to know the real passwords,
-
you probably had a good laugh
during the presentation.
-
If you don’t know the real passwords,
njeeee, they are different.
-
To the best of my knowledge, all of that
knowledge that I just gave you is
-
completely useless to you,
because all the issues are fixed.
-
Thank you.
-
applause
-
Herald [to Alexander]: Q&A?
[Alexander nodding]
-
Alexander: So now we can
go for questions if you like.
-
So please… or… you go
ahead and announce it.
-
Herald: So if you have questions,
run towards a microphone and
-
stand behind it visibly.
The first one was on number 4.
-
Q: You were talking about taking
a couple of weeks to get to know
-
that the password wasn’t
hashed but plaintext.
-
So how long did this whole
exchange in total go on?
-
How much facepalming and
how many hours did it take for you?
-
A: So I didn’t spend full time on it,
I really literally just whenever
-
the baby was crying I just went up
and figured “I can do something”.
-
It’s not… I basically got
cable access two years ago.
-
I first got into the modem
about one year ago, I think.
-
That’s when I started looking for real.
-
I basically ended up digging
deeper and deeper, right? It’s not…
-
VoIP, for example, I only realized the
whole voice-over-IP story in August.
-
Since I just didn’t look before. I was
like so excited to see all the other bits.
-
shy laughter
-
Just didn’t look.
-
Herald: Now number 1, please.
-
Q: Are you really sure that the TFTP
Provisioning File fetching is secure now?
-
Because… do they do some MAC
integrity tests for MAC spoofing?
-
A: Yeaaaaah…
-
laughter
-
The problem is the law, right? I’m not
allowed to tell you to try it yourself,
-
I’m not allowed to tell you that I don’t
think that anything on the physical layer
-
is insecure. I’m not allowed to tell you
that… I mean there’s so many things
-
I’m not allowed to tell you about
this whole network… I haven’t tried.
-
I really just went in and said “TFTP
Fetch and see whether I can get it.”
-
laughter and applause
-
applause
-
Herald: Number 7 up
there on the balcony.
-
Q: Hello. My question is, in the
beginning in your config files,
-
I think there was something about traffic
priority or network priority as well.
-
Did you play around with that one as well?
Is that something about Net Neutrality,
-
maybe?
A: Ahh, that’s an interesting…
-
OK, so, it’s not about
Net Neutrality at all.
-
It’s about QoS of different services,
so they basically say that
-
VoIP traffic gets higher
priority than the other bits
-
since you want to have low latency
on voice-over-IP traffic, obviously.
-
So that has nothing to do with
Net Neutrality in this thing at all.
-
I did play around with
those settings, just because…
-
coincidentally, right the day after
the Fahrplan got released,
-
my account got throttled to 80 kBit/s.
-
I don’t know why.
Could be related, could be not.
-
But I figured, “I’m paying for 100 MBit/s”
so I should probably get 100 MBit/s
-
and started to look at those things.
-
I did not manage to actually convince
my modem to get me more.
-
Q: Did you change the
bandwidth in the settings?
-
Herald: No dialogues, please.
-
A: Yes, I did change the bandwidth.
It’s not… my guess is,
-
they’re also QoS’ing on the
other side. But if you want to
-
verify it, I’m not telling you not to.
-
laughter
-
Herald: Number 2, please.
-
Q: Yes. So at first, thank
you for the nice insights.
-
I’m a cable user, so I’m interested here.
-
And I want to, again, make a
statement on the Provisioning File.
-
You should have told them that the
Provisioning File fetching in this way
-
isn’t a good idea anyway.
-
And I personally believe that
if they cannot transfer it
-
via a completely different channel,
it will not get really secure.
-
A: They cannot do it differently
because it’s part of a standard.
-
There’s a DOCSIS standard which
all the modems have to adhere to
-
and that’s part of the standard.
They cannot do it differently.
-
If you want to have it done
differently, you have to tell
-
the DOCSIS standardization
committee which is in India.
-
Q: Yes, so I’ll talk to them. Thanks!
-
Herald: Now, we’ll have a
question from the Internet.
-
Q: Could two modems be
programmed to talk among
-
themselves directly,
bypassing the ISP firewall?
-
A: Say it again.
-
Signal Angel repeats question more slowly
-
A: You mean with the new scheme
or with the old scheme?
-
With the old scheme, it was…
you could just go and route through it.
-
With the new scheme… you…
not with the official modems.
-
laughter and applause
-
applause
-
Herald: And number 8 on the balcony.
-
Q: Did you find any traces
of TR-069 in this thing?
-
A: I did on the AVM boxes
that were secure, yeah.
-
So that was the only bit that actually
ended up making a lot of sense.
-
TR-069 is a pretty nice standard.
You basically have authenticated
-
– I think it was even HTTPS – traffic that
basically goes and pokes the server
-
to get you a firmware update. It’s a
perfectly nice way of provisioning
-
such a system. It’s definitely a
lot different from the usual way
-
so on those DOCSIS modems, the usual
way to tell it to get a new “firmware” is
-
either to tell it to reboot and get a new
file from the provisioning server or
-
to just poke directly through SNMP to tell
it: “Go to this TFTP server over there
-
with this file name and
flash it onto your Flash.”
-
laughter
-
No, I have not tried to spoof the
privileged IP address range.
-
laughter
-
Herald: Now it’s number 4 again.
-
Q: The question I have is:
-
When you tried to first
contact them via Heise,
-
was there any way they
might have tried to
-
convince you to not
do the talk and if so,
-
would there be an itch on your head?
-
A: They did not try in any
way whatsoever. Zero.
-
Q: Do you think that was due to
the credibility or do you think
-
they thought “Oh, we screwed up”?
-
A: I don’t know. I don’t think they
thought any other way would work at that
-
point in time. Since the press was already
involved, they are not gonna pull back
-
their story, there’s nothing
else they can do.
-
Q: Thank you again.
-
Herald: Before I hand the microphone,
do you want to do the entire 24
-
remaining minutes Q&A or
do you want to put a limit?
-
Alexander: No, I think 24 minutes Q&A is fine.
We can always cap it later on, right?
-
Just go and ask. Ask as much as you like.
-
applause
-
Herald: The Internet, again.
-
Q: How much of this would have been
possible if the modem had been
-
in bridge mode?
A: My modem was in bridge mode.
-
laughter
-
Herald: And number 6.
-
Q: Do you have an idea how
long this has been that way?
-
And do you have any
specific reasons to believe
-
what group of people
-
might have abused these problems?
-
A: I don’t know. I did not see anybody
else on the network but it’s really hard
-
to see someone in a
sea of 3 million devices.
-
I am not aware of anybody exploiting this,
-
so I can only state what Vodafone said.
-
And they said that nobody else
did exploit those problems.
-
According… as far as time… and
I believe that one actually… it’s…
-
I don’t think that anybody
did. Which is surprising
-
since this whole stuff was kind of obvious
-
but apparently nobody thought of
digging into their modem before.
-
The one thing about the timing is:
-
Apparently, they already,
Kabel Deutschland,
-
basically already does
Internet for 10 years by now
-
and there’s very little reason to believe
it’s been different in the beginning.
-
So it was probably vulnerable
for about ten years.
-
That said, in the beginning, they
were not even using DOCSIS 3.0,
-
which did not really do real encryption,
so at the end of the day you could
-
just do whatever, any ways on the network.
-
Back in the day. By now,
it’s only halfway complicated.
-
Herald: Now number 1.
-
Q: Yes, thank you for the talk, too.
-
So it’s completely possible that they may
have not found out that somebody else
-
accessed this before and maybe already
flashed a lot of devices with another
-
firmware which is still
listening to his commands?
-
With the new setup. Because
he changed the firmware.
-
A: They did not… okay, they did update
the firmware at that one point in time
-
when I showed that they switched to SSH.
-
They did not change the
firmware ever since. So
-
all the services that I was talking about,
they are still running on your modem.
-
Q: Okay, but they can’t be sure that there
is another firmware by somebody else
-
running on routers. If somebody else
maybe thought of making a botnet,
-
before all of this came up,
in the last 5 years or 10 years,
-
and already controls some devices
-
and they can’t be sure that their firmware
is not running on those devices.
-
There can be still devices somewhere
controlled by somebody else.
-
A: Sure. You have to, obviously, fake
all the information they receive
-
from the modem pretty well,
otherwise they get you onto the
-
security block that I am on.
But if you do that correctly,
-
you can probably just replace
all the pieces of firmware,
-
just ignore all the updates and try to
behave the same way as they’d expect
-
and then hope that nobody finds out.
-
It’s entirely possible –
I don’t think it’s very likely
-
but it is definitely entirely possible.
-
Q: Let’s hope there are no more
networks like this out there.
-
Herald: Usually, there
are no 2nd questions,
-
so… we still got comfortable time
-
but try to limit yourself to one question.
-
Now it’s number 2.
-
Q: Have you tried to change your
MAC address on the DOCSIS level
-
or also for the DHCP request
-
or how do they do authentication
of the modem over the network?
-
A: So, the authentication
works using certificates.
-
I’m actually not sure, I haven’t
read the standard on that side
-
whether the MAC address is part
of the certificate. I don’t know.
-
If it’s not, you can easily just
change it. I haven’t tried.
-
But then again, the modems
are – what? – 8 Euros?
-
Herald: Number 7.
-
Q: What other recommendations
do you have
-
– if someone were to have a
suspicion about a vulnerability –
-
for the research part and
for the disclosure part?
-
A: What do you have to do… I can’t give
you any legal or any advice on that one.
-
I can tell you that getting
somebody involved
-
that has done this before
is a really smart idea.
-
Because they’ve gone
through a lot of pain points.
-
The press is even better because
they have a really, really big lever.
-
Nobody wants to be in the press
for 2 months or whatever
-
just on negative news that there was
somebody who was legitimately trying
-
to tell them to improve their
network and they sued them.
-
So there’s a really good chance that
going via the press is going to keep
-
problems away from you,
but there’s no guarantee.
-
I cannot give you real – I mean legal
or any coherent – advice on that one.
-
I would… I mean, if I would find such
a thing again, I would definitely go
-
the same route. I would just call
up Heise and tell them and…
-
That went pretty smoothly.
-
And if… I mean, the really cool thing
is, they actually listen to the press.
-
If I had gone to the service,
they would have just said
-
“Sorry, wrong number,
I can’t help you.”
-
Herald: Now the Internet.
-
Q: How did you obtain the
original data? Did you use JTAG
-
or dump the device’s firmware
and run it virtualized?
-
A: Ahhhhh. Not sure how much of
that I should actually tell everybody.
-
Let’s say, I replaced…
-
You can actually see
this on the slide, wait.
-
makes “Tchtchtchtchtch” sound
-
Oh my god, this is going to take forever.
-
Okay, dududum, where’s my
mouse cursor? There it is.
-
Okay… So, I got a
picture of the modem…
-
…here. There you go. So…
-
…what you can see here, down there,
the white and the yellow cables,
-
those are the serial port.
-
And the IDE cable up there
that’s where the flash chip was
-
before I started fiddling with the modem.
laughter
-
Now, the flash chip is actually
in that socket up there.
-
Which means I could swap the
flash chip between a device I own
-
– BeagleBone Black, for example,
that’s a really nice SPI interface
-
that you could just use to write those
-
– and then plug it back into the modem.
-
So I could replace the firmware
and get myself an initial shell.
-
As I mentioned earlier, I really
do not like to lose Internet access.
-
So this is not the modem that
I was actually using at home.
-
Instead, I just used that modem
to fetch a firmware image
-
so I could then look and see
whether there might be other bugs
-
that you could use.
-
Herald: Now number 8.
-
Q: Earlier, you’ve said that
– who was it… –
-
Fritz!Box was more secure and they
didn’t have the same vulnerabilities.
-
Do you think they simply didn’t use
hardcoded passwords and stuff?
-
So do you think they’ll be vulnerable
to similar attacks and that someone
-
probably, like you wouldn’t tell them,
but maybe they should look into it
-
or do you think that it isn’t possible
and someone should, like, prove you wrong.
-
A: From all I can tell, but this is…
I mean, just a gut feeling that I get
-
from looking at different firmware files,
-
the usual way, at least
the Linux based firmware
-
works on those systems is
that there’s TI creating a BSP
-
then they give it out to Motorola.
Then Motorola gives it out to CBN.
-
Then CBN gives it out
to Kabel Deutschland.
-
And then, each party of those
adds a few pieces of stuff.
-
That’s the usual way it
works in those devices.
-
Whereas in the AVM boxes,
things looked vastly different.
-
There was one firmware image
that even contained information
-
for some Austrian provider.
-
So instead of giving full
control to the cable provider,
-
AVM kept control on their own and actually
audited the stuff they were doing.
-
That’s the major difference.
-
applause
-
Herald: One more question
from the Internet.
-
Q: Do you know if they
still use unencrypted SIP?
-
A: Oh yeah. chuckles
slight laughter
-
A: Oh yeah.
loud laughter
-
A: Nothing in the protocols
changed at all, whatsoever.
-
They really just added a few firewalls.
-
So once you are on the physical layer,
you can read everything you like, yes.
-
Well, and you break through
the DOCSIS encryption, obviously.
-
Herald: Now the newly adjusted number 2.
-
Q: Thank you. Mine is
not so much a question
-
as I’d like to add some insight
and perspective to this.
-
I, myself, worked for several ISPs
-
and the… we… actually
I worked for an ISP
-
that did not have this particular
issue, but a similar issue.
-
The way that it was fixed and
-
– you can look me up, I’ve worked
for several ISPs, you won’t know
-
which one had this problem –
-
but what was actually the fix
was a simple IP check.
-
So once you downloaded
from the TFTP server,
-
it was just checked if you did it
from the IP that was suspected.
-
So this issue may actually be
reproducible if you can somehow
-
get hold of an IP [address]
you weren’t supposed to have.
-
Like, say, spoof MAC address
or something like that.
-
That being said, I’d like to attach
a comment to the whole SIP thing, too.
-
You indicated that it’d be possible
to silently intercept the conversations
-
which is not necessarily the issue
because many SIP servers
-
can be configured
to allow multiple endpoints
-
so as the
– what’d you call it? –
-
the bad guy would be able
to pick up your calls,
-
you would also hear your
phone calling yourself.
-
A: Right, and if your phone picks
up within 0.01 microseconds,
-
then, yeah, there’s nothing
you can do about it.
-
It just rings again.
That’s the point about it.
-
Also, the other bit that
you have on the SIP server
-
is that that particular server actually
only allowed one endpoint
-
to be registered at a time.
At least from what I could tell.
-
It was some Huawei
box. I don’t know.
-
Herald: Number 3, please.
-
Q: Yeah, I attended this talk today
-
because I know that at the beginning,
when DOCSIS was introduced,
-
the modems were asking
for the configuration file
-
also over the Ethernet
port which is great.
-
And my question is:
-
Is there a way within the DOCSIS standard
so that the ISP can verify their hardware?
-
I mean, you… I have seen
the type and the vendor name
-
and the SNMP but you can
obviously spoof that.
-
Of course, firmware
binaries won’t run on the
-
wrong hardware, but…
-
A: I’m not quite sure
I’m getting what you’re…
-
Q: The question is: Is there
a way to control for the ISP
-
which hardware there is they’re using?
-
A: So I come from a
virtualization background.
-
And in my world, there is
no such thing. It doesn’t exist.
-
slight laughter
-
Sorry. If you can somehow
abstract it, you can abstract it.
-
Q: OK.
Herald: 8, please.
-
Q: Hi. I wanted to add on the
part with the MAC spoofing.
-
Because I had a modem
like that, like 5 years ago,
-
and actually I never went
inside the modem,
-
but I had some applications where
I needed a new IP address
-
in a short period of time…
-
loud laughter
-
And I remember that actually… the thing…
-
if you told the modem your MAC
address, a different MAC address,
-
you got different external
IP addresses back then.
-
I don’t know if things have changed
because it was 5 years ago
-
but… yeah… after what
I’ve heard from you,
-
I’m kind of unsure that things changed.
-
A: No, I’m fairly sure this is actually
accurate. From what I understand,
-
I never did that myself but I
heard from people who did,
-
the MAC address check and the
certificate check are actually separate.
-
So that if you own a valid certificate
from some random dude who happens to
-
actually pay for the service,
and you get that certificate,
-
and you’re not on the
same CMTS as that guy,
-
then you can actually go and, well,
-
basically say that you’re him even if
you have a different MAC address.
-
Which then, again, implies that if you
change the MAC address, you can just
-
be somebody else. Which
then again implies that…
-
maybe you can actually go and get
somebody else’s provisioning files, yeah.
-
slight laughter
-
Q: Well, yeah… not up to you.
-
A: Not going to try out.
-
Herald: Number 2, please.
-
Q: Yeah, you had this one
with one particular provider
-
and I happen to know that
there’s a second provider
-
using the same technology in Germany:
were they somehow involved in this loop?
-
I mean, it took Kabel Deutschland
two months to fix this and…
-
A: No, but they better hurry up!
-
laughter and applause
-
Q: Thanks!
applause
-
A: And, quite frankly, I do not believe
-
that this is limited to Germany
at all, whatsoever.
-
So… Yeah. Let’s see who’s faster.
-
Alright, end of questions, right?
Or is there any…?
-
Herald: It looks like we’re
at the end of questions.
-
The Internet maybe…?
-
No, the Internet doesn’t
have any questions.
-
There are 8 empty microphones.
-
So thank you very much for your talk
and thank you very much for the Q&A.
-
applause
-
postroll music
-
Subtitles created by c3subtitles.de
in 2016. Join and help us!