security assessment
play

security assessment Alexey Osipov Timur Yunusov http://scadasl.org - PowerPoint PPT Presentation

Mar 18, 2024 •314 likes •1.19k views

#root via SMS: 4G access level security assessment Alexey Osipov Timur Yunusov http://scadasl.org who we are SCADAStrangeLove Timur @a66at Yunusov Sergey @scadasl Gordeychik Alex @arbitrarycode Zaitsev Alexey @GiftsUngiven Osipov Kirill

  1. #root via SMS: 4G access level security assessment Alexey Osipov Timur Yunusov http://scadasl.org

  2. who we are SCADAStrangeLove Timur @a66at Yunusov Sergey @scadasl Gordeychik Alex @arbitrarycode Zaitsev Alexey @GiftsUngiven Osipov Kirill @k_v_Nesterov Nesterov Gleb @repdet Gritsai Dmitry @_Dmit Sklyarov Dmitry Kurbatov Sergey Puzankov Pavel Novikov http://scadasl.org

  3. 3G/4G network

  4. the Evil

  5. 4G access level  Branded mobile equipment  3G/4G USB Modems  Routers / Wireless Access Point  Smartphones /Femtocell/Branded applications  (U)SIM cards  Radio/IP access network  Radio access network  IP access (GGSN, Routers, GRX)

  6. why?  we use it every day  Internet  social networks  to hack stuff  IT use it everyday  ATM  IoT  SCADA

  7. radio access network • Well researched by community – http://security.osmocom.org/trac/ • Special thanks to – Sylvain Munaut/Alexander Chemeris/Karsten Nohl/et al. http://security.osmocom.org/trac/

  8. the NET

  9. the NET

  10. thanks John http://www.shodanhq.com/

  11. by devices

  12. GPRS Tunnelling Protocol  GTP-C UDP/2123  GTP-U UDP/2152  GTP' TCP/UDP/3386

  13. Meanwhile in the real world http://blog.ptsecurity.com/2015/02/the-research-mobile-internet-traffic.html

  14. Attacks  GGSN PWN  GRX  GPRS attacks  DoS  Information leakage  Fraud  APN guessing http://blog.ptsecurity.com/2013/09/inside-mobile-internet-security.html http://bit.ly/195ZYMR

  15. Example: GTP “ Synflood ” http://blog.ptsecurity.com/2013/09/inside-mobile-internet-security.html http://bit.ly/195ZYMR

  16. We’re inside, what’s next?  All old IP stuff  traces 1.1.1.1/10.1.1.1  IP source routing  Management ports  All new IP stuff  IPv6  MPTCP  Telco specific (GTP, SCTP M3UA, DIAMETER etc) http://ubm.io/11K3yLT https://www.thc.org/thc-ipv6/

  17. Here There Be Tygers

  18. 1990th  Your balance is insufficient  Connect to your favorite UDP VPN

  19. Resume  For telcos  Please scan all your Internets!  Your subscribers network is not your internal network  For auditors  Check all states  online/blocked/roaming  Check all subscribers  APN’s, subscribers plans  Don’t hack other subscribers http://www.slideshare.net/phdays/how-to-hack-a-telecommunication-company-and-stay-alive-gordeychik/32

  20. The Device

  21. Who is mister USB-modem? Rebranded hardware platform  Linux/Android/BusyBox onboard  Multifunctional   Storage  CWID USB SCSI CD-ROM USB Device  MMC Storage USB Device (MicroSD Card Reader)  Local management  COM-Port (UI, AT commands)  Network  Remote NDIS based Internet Sharing Device  WiFi

  22. Ooooold story  Well researched  «Unlock»  «Firmware customization»  «Dashboard customization»  Some security researches http://threatpost.com/using-usb-modems-to-phish-and-send-malicious-sms-messages  http://www.slideshare.net/RahulSasi2/fuzzing-usb-modems-rahusasi  http://2014.phdays.com/program/business/37688/  http://www.evilsocket.net/2015/02/01/huawei-usb-modems-authentication-bypass/  http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-360246.htm 

  23. Where’re you from?  Huawei  Quanta  ZTE  GEMTEK

  24. Developers ‘security’ path  Device «Hardening»  Disabling of local interfaces (COM)  Web-dashboards

  25. How it works (RNDIS) Broadband connection New Ethernet adapter DHCP client DHCP server DNS Web dashboard Routing/NAT

  26. Scan it

  27. S ometimes you get lucky…

  28. …other times you don’t

  29. all I need is RCE Love !  telnet/snmp?  Internal interface only  Blocked by browsers  http/UPNP?  Attack via browser (almost 0% found CSRF tokens)  broadband  Osmocomm for poor reverse engineers  still researching

  31. Basic impact  Info disclosure  Change settings  DNS (intercept traffic)  SMS Center (intercept SMS)  Manipulate (Set/Get)  SMS  Contacts  USSD  WiFi networks

  32. Advanced impact  Self-service portal access  XSS (SMS) to “ pwn ” browser  CSRF to send “password reset” USSD  XSS to transfer password to attacker  “Brick”  PIN/PUK “ bruteforce ”  Wrong IP settings  Spy device

  33. DEMO

  34. “hidden” firmware uploads

  35. Cute, but…  You need to have firmware  Sometimes you get lucky…  …other times you don’t  Integrity control  At least should be…  CRC16  Crypto Functions (ok, then we just delete checksum.sh)

  36. dig deeper…  Direct shell calls  awk to calculate Content-Length  Other trivial RCE

  37. Getting the shell

  38. 6month’s homework: NSA at home  You can rent the modem for 1 week  You can use RCE and CSRF for local remote infection of the system  Return it to the store  You can spy with opensource products (http://opencellid.org/ etc) via CellID and WiFi  You can intercept HTTP/HTTPS via DNS spoofing  Maybe more?  Do not hack other subscribers!

  39. I’m watching you…

  40. Stat (1 week of detecting) Modem Vulnerabilities Total A 1411 RCE CSRF XSS WiFi Access B 1250 RCE CSRF XSS C 1409 RCE CSRF D 946 ”Not vulnerable”  1 step to 4000+ infected modems

  41. Cute, but…  Get firmware?  Yes it nice.  Find more bugs?  We have enough…  Get SMS, send USSD?  Can be done via CSRF/XSS…  PWN the subscriber?

  42. RCE+CD-ROM Interface=Host infection  Maybe we’ll wrote our own “diagnostic tool for YOUR modem xxx”

  43. It still in USB!

  44. It still in (bad) USB! https://srlabs.de/blog/wp-content/uploads/2014/07/SRLabs-BadUSB-BlackHat-v1.pdf

  45. USB gadgets & Linux • drivers/usb/gadget/* • Composite framework – allows multifunctional gadgets – implemented in composite.c

  46. Android gadget driver • Implemented in android.c • Composite driver wrapper with some UI • /sys/class/android_usb/android0 – enabled – functions – Class/Protocol/SubClass etc. – List of supported functions • Your favorite phone can become audio_source instead of mass storage

  47. What about HID device? • Patch kernel, compile, flash new kernel => BORING!!!

  48. What about HID device? • Android gadget driver works with supported_functions • We can patch it in runtime! – Add new hid function in supported_functions array – Restart device – … – PROFIT

  49. Sad Linux • By default kernel doesn’t have g_hid support • Hard to build universal HID driver for different versions – vermagic – Function prototypes/structures changes over time – Different CPU • Vendors have a hobby – rewrite kernel at unexpected places • Fingerprint device before hack it!

  50. DEMO

  51. Some Huawei ― Hisilicon hi6920 ― ARM ― Linux box ― Stack overflow ― Remote firmware upload

  52. Unexpected VxWorks ― dmesg ― [000003144ms] his_modem_load_vxworks:164: >>loading:vxworks.....

  53. Baseband reversing ― Network stack protocol • ASN1 hell • Lots 3GPP ― RTOS ― Debug can be hard

  54. VxWorks on baseband ― Loaded by Linux ― Packed on flash ― dmesg => load vxworks ok, entey 0x50d10000 ― CShell • OS communication • Builtin debuger ― Nearly all names of objects/functions ― POSIX + documentation

  56. Resume  For telcos  Do not try to reinvent the wheel webserver  All your 3/4G modems/routers are 5/\>< belong to us  For everybody  Please don’t plug computers into your USB  Even if it’s your harmless network printer 4G modem

  57. The Chip

  58. What is SIM: for hacker ― Microcontroller • Own OS • Own file system • Application platform and API ― Used in different phones (even after upgrade) ― OS in independent, but can kill all security • Baseband access • OS sandbox bypass

  59. What has Karsten taught us?  There are applications on SIM card  Operator can access you SIM card by means of binary SMS  Identifier for accessing such applications is TAR (Toolkit Application Reference)

  60. What has Karsten taught us?  Not all TARs are equally secure  If you are lucky enough you could find something to bruteforce  If you are even more lucky you can crack some keys  Or some TARs would accept commands without any crypto at all https://srlabs.de/rooting-sim-cards/

  61. Getting the keys  Either using rainbow tables or by plain old DES cracking  We've chosen the way of brute force  Existing solutions were too slow for us  So why not to build something new?

  62. Getting the keys  So why not to build something new?  Bitcoin mining business made another twist  Which resulted in a number of affordable FPGAs on the market  So…

  63. The rig  Here’s what we’ve done – proto #1

  64. The rig  Here’s what we’ve done – proto #2

  65. The rig  Here’s what we’ve done – “final” edition

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security Assessment Technique for SDN greenkim@konkuk.ac.kr Contents 1.

Security Assessment Technique for SDN greenkim@konkuk.ac.kr Contents 1.

Security Assessment Technique for SDN greenkim@konkuk.ac.kr Contents 1. Introduction 2. Security Analyses of SDN 3. Security Assessment Technique for SDN 3.1 Taxonomy of issues 3.2 Assessment technique 4. Case study of IMECA

223 views • 19 slides
ACF food security assessment in Hodeida and Hajjah governorates Presentation at the Food Security

ACF food security assessment in Hodeida and Hajjah governorates Presentation at the Food Security

ACF food security assessment in Hodeida and Hajjah governorates Presentation at the Food Security &amp; Agriculture Cluster 15 th Jan 2013 Assessment location 15 Jan 2013 1 Assessment tools District # Households Market Key informant Focus

515 views • 6 slides
Southwest Virginias Community Food Security Assessment: An Appalachian Foodshed Project

Southwest Virginias Community Food Security Assessment: An Appalachian Foodshed Project

Southwest Virginias Community Food Security Assessment: An Appalachian Foodshed Project Initiative Phil DAdamo-Damery Kim Niewolny Kelli Scott Jerry Moles Why do a community food security assessment? To develop strategic plans for

364 views • 11 slides
Steroids For Your App Security Assessment Marco Grassi Mobile Security Researcher ~ whoami

Steroids For Your App Security Assessment Marco Grassi Mobile Security Researcher ~ whoami

Steroids For Your App Security Assessment Marco Grassi Mobile Security Researcher ~ whoami R&amp;D Team Member @ viaForensics I work mainly on Android/iOS The Problem We want to trace the code in mobile applications that we

632 views • 48 slides
Security assessment on a VXLAN-based network Guido Pineda Reyes MSc. Systems and Networking

Security assessment on a VXLAN-based network Guido Pineda Reyes MSc. Systems and Networking

Introduction VXLAN prototype Security assessment Q&amp;A Security assessment on a VXLAN-based network Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam February 5, 2014 Guido Pineda Reyes Security

430 views • 32 slides
HOWDY! DSA IT Liaisons Communications Committee 6/2/2020 Agenda Annual Security Assessment

HOWDY! DSA IT Liaisons Communications Committee 6/2/2020 Agenda Annual Security Assessment

HOWDY! DSA IT Liaisons Communications Committee 6/2/2020 Agenda Annual Security Assessment Update Annual Microsoft License Enrollment DSA Pilot Group Update This month in DoIT Q&amp;A Annual IT Security Risk Assessment

446 views • 18 slides
A Briefing on the Outcome of the 2019 Post Gu Seasonal Food Security and Nutrition Assessment A

A Briefing on the Outcome of the 2019 Post Gu Seasonal Food Security and Nutrition Assessment A

A Briefing on the Outcome of the 2019 Post Gu Seasonal Food Security and Nutrition Assessment A Presentation by FSNAU/FEWS NET to All Stakeholders 2 September 2019, Mogadishu 2019 Post- Gu Assessment, Analysis and Vetting Process Assessment,

543 views • 21 slides
SPF, DKIM and DMARC SPF stands for Sender Policy Framework, a record on the DNS which

SPF, DKIM and DMARC SPF stands for Sender Policy Framework, a record on the DNS which

4/30/2019 (515) 229-5674 kkothari@sgcsecure.com Cheap Solutions to Cybersecurity Kaushal Kothari Audit Secure Guard Consulting Internal Security Assessment (515) 229-5674 External Security Assessment and External Penetration Testing

62 views • 3 slides
OSSAMS Open Source Security Assessment Management System

OSSAMS Open Source Security Assessment Management System

OSSAMS Open Source Security Assessment Management System System Overview Purpose To provide a framework for security assessors to correlate and

438 views • 12 slides
Cyber Security Assessment Tool Overview FEDERAL DEPOSIT INSURANCE CORPORATION 1 Objectives

Cyber Security Assessment Tool Overview FEDERAL DEPOSIT INSURANCE CORPORATION 1 Objectives

Cyber Security Assessment Tool Overview FEDERAL DEPOSIT INSURANCE CORPORATION 1 Objectives Cybersecurity Discuss the Evolution of Data Security Define Cybersecurity Review Threat Environment Discuss Information Security

557 views • 40 slides
Assessment, and Implementation Plan May 11, 2018 The Homeland Security Systems Engineering and

Assessment, and Implementation Plan May 11, 2018 The Homeland Security Systems Engineering and

Cyber Risk Metrics Survey, Assessment, and Implementation Plan May 11, 2018 The Homeland Security Systems Engineering and Development Institute (HSSEDI) is a trademark of the U.S. Department of Homeland Security (DHS). The HSSEDI FFRDC is

151 views • 13 slides
ON THE EQUIVALENCE BETWEEN GRAPHICAL AND TABULAR REPRESENTATIONS FOR SECURITY RISK ASSESSMENT

ON THE EQUIVALENCE BETWEEN GRAPHICAL AND TABULAR REPRESENTATIONS FOR SECURITY RISK ASSESSMENT

REFSQ17, Essen, Germany March 2nd, 2017 ON THE EQUIVALENCE BETWEEN GRAPHICAL AND TABULAR REPRESENTATIONS FOR SECURITY RISK ASSESSMENT Katsiaryna Labunets 1 , Fabio Massacci 1 , Federica Paci 2 1 University of Trento, Italy

482 views • 13 slides
Modelling Security of Critical Infrastructures: A Survivability Assessment guez , Jos e

Modelling Security of Critical Infrastructures: A Survivability Assessment guez , Jos e

Modelling Security of Critical Infrastructures: A Survivability Assessment guez , Jos e Merseguer , Simona Bernardi Ricardo J. Rodr { rjrodriguez, jmerse, simonab } @unizar.es All wrongs reversed Dpto. de Inform

983 views • 39 slides
Security Assessment of Authentication and Authorization Mechanisms in Ethereum, Quorum,

Security Assessment of Authentication and Authorization Mechanisms in Ethereum, Quorum,

Security Assessment of Authentication and Authorization Mechanisms in Ethereum, Quorum, Hyperledger Fabric and Corda Marie-Jeanne Lagarde, Master's thesis 2018-2019 Agenda Introduction Motivation 1. Scope 2. Research Questions 3.

467 views • 35 slides
Key Findings from the 2013-14 Post Deyr Seasonal Food Security and Nutrition Assessment in

Key Findings from the 2013-14 Post Deyr Seasonal Food Security and Nutrition Assessment in

Information for Better Livelihoods Key Findings from the 2013-14 Post Deyr Seasonal Food Security and Nutrition Assessment in Somalia 3 February 2014, Nairobi FSNAU Post Deyr 2013/14 Seasonal Assessment Timeline : November-December (for Field

438 views • 33 slides
DIGITAL PLANETS SECURITY SOLUTION INTRODUCTION OUR OFFERED SERVICES Vulnerability Security

DIGITAL PLANETS SECURITY SOLUTION INTRODUCTION OUR OFFERED SERVICES Vulnerability Security

DIGITAL PLANETS SECURITY SOLUTION INTRODUCTION OUR OFFERED SERVICES Vulnerability Security Information Assessment Brand Operation Consultancy &amp; Security Protection Penetration Awareness Centre Testing External Networks

474 views • 44 slides
Microwave Instrument Update Bjorn Lambrigtsen Frank Sun Steve Broberg Jet Propulsion Laboratory

Microwave Instrument Update Bjorn Lambrigtsen Frank Sun Steve Broberg Jet Propulsion Laboratory

National Aeronautics and Space Administration Jet Propulsion Laboratory California Institute of Technology Pasadena, California Microwave Instrument Update Bjorn Lambrigtsen Frank Sun Steve Broberg Jet Propulsion Laboratory California

1.09k views • 63 slides
Making Decisions via Simulation Factor Screening [Law, Ch. 10], [Handbook of Sim. Opt.], [Haas,

Making Decisions via Simulation Factor Screening [Law, Ch. 10], [Handbook of Sim. Opt.], [Haas,

Making Decisions via Simulation Overview Making Decisions via Simulation Factor Screening [Law, Ch. 10], [Handbook of Sim. Opt.], [Haas, Sec. 6.3.6] Continuous Stochastic Optimization Robbins-Monro Algorithm Derivative Estimation Peter J.

216 views • 10 slides
W3C Web Cryptography Next Steps Workshop Natasha Rooney, GSMA @thisNatasha GSMA: Telecoms

W3C Web Cryptography Next Steps Workshop Natasha Rooney, GSMA @thisNatasha GSMA: Telecoms

W3C Web Cryptography Next Steps Workshop Natasha Rooney, GSMA @thisNatasha GSMA: Telecoms Association @thisNatasha GSMA: Telecoms Association Personal Data Programme Digital Commerce Programme WebWG @thisNatasha @thisNatasha

371 views • 10 slides
Benchmarking: The Way Forward for Software Evolution Susan Elliott Sim University of

Benchmarking: The Way Forward for Software Evolution Susan Elliott Sim University of

Benchmarking: The Way Forward for Software Evolution Susan Elliott Sim University of California, Irvine ses@ics.uci.edu Background Developed a theory of benchmarking based on own experience and historical research Successful

730 views • 35 slides
Distinguisher-Dependent Simulation Dakshita Khurana Joint work with Abhishek Jain, Yael Kalai and

Distinguisher-Dependent Simulation Dakshita Khurana Joint work with Abhishek Jain, Yael Kalai and

Distinguisher-Dependent Simulation Dakshita Khurana Joint work with Abhishek Jain, Yael Kalai and Ron Rothblum Interactive Proofs for NP Interactive Proof (GMR85, Babai85) ? , P V accept Security Against Malicious

515 views • 35 slides
Simulated Annealing Simulated annealing is a probabilistic search algorithm. The

Simulated Annealing Simulated annealing is a probabilistic search algorithm. The

Simulated Annealing Simulated Annealing Simulated annealing is a probabilistic search algorithm. The terminology is borrowed from the physics literature. For the simulated annealing algorithm we need a scoring function, a move

668 views • 12 slides
Performance Portable Supernode-based Sparse Triangular Solver for Manycore Architecture Ichitaro

Performance Portable Supernode-based Sparse Triangular Solver for Manycore Architecture Ichitaro

Performance Portable Supernode-based Sparse Triangular Solver for Manycore Architecture Ichitaro Yamazaki, Sivasankaran Rajamanickam, and Nathan David Ellingwood Sandia National Laboratories, Albuquerque, New Mexico, USA International Conference

433 views • 11 slides
Temporal Consistency of Integrity-Ensuring Computations and Applications to Embedded Systems

Temporal Consistency of Integrity-Ensuring Computations and Applications to Embedded Systems

Temporal Consistency of Integrity-Ensuring Computations and Applications to Embedded Systems Security Karim Eldefrawy Xavier Carpent Norrathep (Oak) Rattanavipanon Gene Tsudik University of California, Irvine SRI International Agenda

409 views • 38 slides

More recommend