wimax hacking 2010
play

WiMAX Hacking 2010 Pierce, Goldy, and aSmig feat. sanitybit DEFCON - PowerPoint PPT Presentation

Feb 16, 2023 •632 likes •983 views

WiMAX Hacking 2010 Pierce, Goldy, and aSmig feat. sanitybit DEFCON 18 Updated slides, code, and discussion at https://groups.google.com/group/wimax-hacking The Technology WiMAX: a broadband wireless Internet technology 802.16, similar

  1. WiMAX Hacking 2010 Pierce, Goldy, and aSmig feat. sanitybit DEFCON 18 Updated slides, code, and discussion at https://groups.google.com/group/wimax-hacking

  2. The Technology ●WiMAX: a broadband wireless Internet technology ●802.16, similar to 802.11 (IEEE control) ●Competing with LTE ●Large network being deployed by Clearwire

  3. Network Deployment ●Clear has the most widely deployed WiMAX network in the US, as such, it is the focus of our research efforts ●Currently deployed in 79 markets across 21 states ●An additional 22 markets are expected to be deployed in the next 3 months, including: New York, NY Denver, CO Nashville, TN Los Angeles, CA Boston, MA Minneapolis, MN San Francisco, CA Miami, FL Philadelphia, PA ● Coverage planned for most major US cities by 2012 ●Operates on frequencies in the 2.5-2.6 GHz range

  4. Other Services using Clear's Network ●Time Warner Cable ○Roadrunner Mobile ●Comcast ○High-speed 2 go ●Sprint Nextel ○4G Service ○HTC EVO All of these services are placed onto the same physical network infrastructure, with small differences in provider portal pages

  5. Official Clear coverage map taken from clear.com/coverage Green = Current Market Grey = Future Market (map does not show all of them)

  6. Captive Portal Bypass Last years vulnerability: ●OpenVPN over UDP/53 Their fix: ●Block large UDP/53 packets Counter fix: ●OpenVPN over UDP/53, fragmented packets (1024 bytes) OpenVPN Options to add: tun-mtu 1500 mssfix 1024

  7. Example OpenVPN Config client dev tun proto udp remote vpn.server.com 53 tun-mtu 1500 mssfix 1024 resolv-retry infinite nobind persist-tun tls-client ca ca.crt cert vpn.server.com.crt key client.key dh dh2048.pem keepalive 20 200 cipher BF-CBC cipher AES-256-CBC tls-remote vpngate ns-cert-type server route-delay 2 redirect-gateway def1 ...............

  8. Echo Peak Hardware & Software ●WiMAX gear from Intel ●www.linuxwimax.org ●5150, 5350 are best supported ●Buy on eBay ($80) ●Get a USB-PCIe cradle ($40) ●PCIe cards might work in some thinkpads

  9. Home Device Hard Hacks CPEi25150 CPEi25750 Got root?

  10. Home Device Specs Motorola CPE 150/750 ●64MiB RAM ●32MiB flash ●Beceem 802.16 ●Texas Instruments TNETV1061 ○213 MHz ○MIPS32 4KEc ○Chip debugging via EJTAG ○Linux

  11. Logic Probe The magic wand of hardware hacking

  12. CPE 150 (CPEi25150)

  13. http://bit.ly/bqEBND

  14. aSmig's first JTAG interface

  15. B0011620: .....C..........TOOLS_USER.0.BOO B0011640: TLOADER.0x90000000,0x90020000.IM B0011660: AGE_A.0x90040000,0x90C40000.CONF B0011680: IG_A.0x90C40000,0x90C60000.CONFI B00116A0: G_B.0x90C60000,0x90C80000.IMAGE_ B00116C0: B.0x90CE0000,0x918E0000.FNE_CERT B00116E0: S.0x90C80000,0x90CA0000.DEV_CERT B0011700: S.0x90CA0000,0x90CC0000.FACTORY_ B0011720: DEF.0x90CC0000,0x90CE0000.JFFS2. B0011740: 0x918E0000,0x92000000.RESET_CAUS B0011760: E.0.PartNumber.SGDN5313AA.Produc B0011780: tID.CPEi25725.HWRevision.REV.D.S B00117A0: erialNumber.TS199X0YKY.HWA_1.00: B00117C0: 23:EE:**:**:**.GATEWAY_MAC_ADDRE B00117E0: SS.00:23:EE:**:**:**.FingerPrint B0011800: .63F7FED52*****EB2E76B7F35B***** B0011820: E1EC*****.HWA_0.00:24:A0:**:**:* B0011840: *.FactoryProvision.Complete.CONS B0011860: OLE_STATE.locked................

  16. Double-Take B0011840: 5.FactoryProvision.Complete.CONS B0011860: OLE_STATE.locked................

  17. Road map - Thanks bootloader! BOOTLOADER 0x90000000 0x90020000 BootLoader Config 0x90020000 0x90040000 IMAGE_A 0x90040000 0x90C40000 CONFIG_A 0x90C40000 0x90C60000 CONFIG_B 0x90C60000 0x90C80000 FNE_CERTS 0x90C80000 0x90CA0000 DEV_CERTS 0x90CA0000 0x90CC0000 FACTORY_DEF 0x90CC0000 0x90CE0000 IMAGE_B 0x90CE0000 0x918E0000 JFFS2 0x918E0000 0x92000000

  18. So what about the root? Yeah, yeah.

  19. /usr/bin/bd_chk $ strings usr/bin/bd_chk /lib/ld-uClibc.so.0 ... _end /pstore/dbg_tools/bd_open2 CONSOLE_STATE unlocked Lock Serial Console echo "unsetpermenv CONSOLE_STATE" > /proc/ticfg/env; echo "setpermenv CONSOLE_STATE locked" > /proc/ticfg/env CONSOLE_STATE not found

  20. /pstore/dbg_tools/bd_open2 Magical debug tools file! ●CONSOLE_STATE is left alone ●file is executed on every boot! ○change your passwords ○re-crypt your keys ○adjust your firewall ○kill SNMPd

  21. Shell Fun # ssh Admin@192.168.15.1 (Pass: Tools) dbgcli> shell BusyBox v0.61.pre (2009.09.14-12:29+0000) Built-in shell (ash) Enter 'help' for a list of built-in commands. # export PATH=/bin:/sbin:/usr/bin:/usr/sbin Now you can use tab complete for a list of system binaries. There is too much information to cover here, but some highlights include access to iptables and the dbg/cpe cli tools.

  22. Home Device Auth Bypass There is a hidden administrative account on the home CPE device. We can use it to bypass the login on the web interface if the user changed the default. ->

  23. Clear Mobile ●Mobile 4g ●Mobile 3g/4g ○sprint ●Clearspot ○password is last three bytes in mac address

  24. Clear Mobile Hard Hacks Clear Spot ●16MiB RAM ●4MiB flash ●Mini PCI w/ Atheros WiFi card ●Ubicom IP3023 - MASI 250MHz ○M ultithreaded A rchitecture for S oftware I /O ○Chip debugging via proprietary SPI (not JTAG) ○Proprietary instruction set ○NOT Linux

  25. Clear Spot CradlePoint PHS300

  26. It's only a 48 pin TSOP

  27. SB5120 is good for something after all ●MIPS32 ●EJTAG ●TTL UART

  28. Clear "Stick" (USB Modem) Mod and photo by Loki

  29. HTC EVO ●sequans ●getprop/setprop ●Diagnostic apks ●WiMAX tether ●deactivated evo ●2.1 (fresh or damage control) ●2.2 cyanogen (toastcfh and maejrep)

  30. Location Based Services Service Types: ●Client/Server (AJAX) - "Where am I?" ○http://developer.clear.com/ClearLocationDemo.html ●Server/Server (Parlay X) - "Where are they?" ○x.509 cert & key required Interfaces ●AJAX ○Web browser friendly, uses Google Maps ●Parlay X ○Uses SOAP specification, POSTed in XML format ○Query by IP, MAC ( phone number or e-mail )

  31. Location Based Services (Parlay X) Currently ● Location / Range are determined by tower and antenna Current Accuracy: Predefined ranges (in meters) ● 160, 241, 321, 402, 482, 563, 643, 724, 804, 885, 965, 1126, 1448 Down the road ● Multiple towers used to increase accuracy of location and range ● No known ETA

  32. Privacy Problems with LBS ●Opt-IN is the DEFAULT ○ Customer's have no option to Opt-OUT online ○ Registered and Unregistered devices are traceable ● Who's Affected? ○ EVERYONE that uses WiMAX ■ Clear, Sprint, Comcast, Time Warner, etc ● How to Opt-OUT ○ Contact the Engineering Department to have it disabled ○ This prevent's both AJAX and Parlay X queries ● Random dead spots

  33. The Future ●Open source firmware ●OpenWRT on a home device ●802.16m provides 100 Mbit/s mobile & 1 Gbit/s fixed ●Better privacy?

  34. Mad Gr33tz SophSec, Janus Privacy Solutions, Aardvark, Snoop Security, Lookout, xda-developers, theorie, rumple, tokiestar, iviatticus, i0n, osirisx11, caboose, and busticati everywhere. Clearwire and Sprint Technical Development Resources http://2md.hosted.panopto.com/CourseCast/Viewer/ Default.aspx?id=1cd37bbb-d822-4637-bf18-2a254282e688 WiMAX Hacking Group https://groups.google.com/group/wimax-hacking AJAX LBS Demo http://developer.clear.com/ClearLocationDemo.html

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

WiMAX and AD HOC COMMUNICATION NETWORK ECE3103-ADVANCED COMMUNICATION NETWORKS Friday, 17 March

WiMAX and AD HOC COMMUNICATION NETWORK ECE3103-ADVANCED COMMUNICATION NETWORKS Friday, 17 March

PBL-02- BASIC CONCEPTS WiMAX and AD HOC COMMUNICATION NETWORK ECE3103-ADVANCED COMMUNICATION NETWORKS Friday, 17 March 2017 1. WiMAX is short for W orldwide I nteroperability for M icrowave A ccess. 2. WiMAX is a metropolitan wireless

784 views • 34 slides
The Perspective of a Service Provider Jorge Rodrigues WiMAX Program Manager Network Evolution

The Perspective of a Service Provider Jorge Rodrigues WiMAX Program Manager Network Evolution

WiMAX Evaluation: The Perspective of a Service Provider Jorge Rodrigues WiMAX Program Manager Network Evolution Strategy Department PT Comunicaes Workshop on Mobile WiMAX - Towards Ubiquitous Internet ISCTE, LISBON 27th September 2007

224 views • 19 slides
IEEE 802.16/WiMAX IEEE 802.16/WiMAX Broadband Wireless Access Broadband Wireless Access Mitsuo

IEEE 802.16/WiMAX IEEE 802.16/WiMAX Broadband Wireless Access Broadband Wireless Access Mitsuo

I nternational Telecom m unication Union ITU-T IEEE 802.16/WiMAX IEEE 802.16/WiMAX Broadband Wireless Access Broadband Wireless Access Mitsuo Nohara KDDI Corp., IEEE802.16 Relay TG Chair I TU-T W orkshop NGN and its Transport Netw

388 views • 15 slides
ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical? Legality VS Ethics State Sanctioned hacking BLACK HAT - Stereotypical Hacker -Stealing data for personal gain -Obviously not ethical -Using

1.17k views • 10 slides
Behind Mobile WiMAX Chenxi Zhu, Ph.D. Fujitsu Labs of America College Park, MD Email:

Behind Mobile WiMAX Chenxi Zhu, Ph.D. Fujitsu Labs of America College Park, MD Email:

Behind Mobile WiMAX Chenxi Zhu, Ph.D. Fujitsu Labs of America College Park, MD Email: czhu@ieee.org What is mobile WiMAX? Mobile broadband wireless access Defined by IEEE and WiMAX Forum. IEEE 802.16e_2005: wireless MAN-OFDMA

480 views • 26 slides
Deciphering a Commercial WiMAX Deployment using COTS Equipments Kok-Kiong Yap SING Group

Deciphering a Commercial WiMAX Deployment using COTS Equipments Kok-Kiong Yap SING Group

Deciphering a Commercial WiMAX Deployment using COTS Equipments Kok-Kiong Yap SING Group Meeting : August 10, 2010 Wireless Networks Today Mobile network High latency (100 - 200 ms) Low bandwidth Good coverage WLAN/WiFi

677 views • 21 slides
Duo-Binary Circular Turbo Decoder Based on Border Metric Encoding for WiMAX for WiMAX Ji-Hoon

Duo-Binary Circular Turbo Decoder Based on Border Metric Encoding for WiMAX for WiMAX Ji-Hoon

Duo-Binary Circular Turbo Decoder Based on Border Metric Encoding for WiMAX for WiMAX Ji-Hoon Kim and In-Cheol Park Division of Electrical Engineering Division of Electrical Engineering KAIST Introduction to Turbo Codes Introduction to Turbo

279 views • 13 slides
Cooperative Multicast Scheduling with Random Network Coding in WiMAX Jin Jin, Baochun Li,

Cooperative Multicast Scheduling with Random Network Coding in WiMAX Jin Jin, Baochun Li,

Cooperative Multicast Scheduling with Random Network Coding in WiMAX Jin Jin, Baochun Li, Department of Electrical Computer Engineering University of Toronto WiMAX MBS IWQoS 2009: Cooperative Multicast Scheduling with Random Network Coding in

856 views • 53 slides
Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking AI-Corp Hacking RL 1. Information gathering 2. Scanning 3. Exploitation & privilege escalation 4. Maintaining access & covering tracks

960 views • 62 slides
Hacking Cell Phone Embedded Systems Keegan Ryan RECON 2017 The Target The Target

Hacking Cell Phone Embedded Systems Keegan Ryan RECON 2017 The Target The Target

Hacking Cell Phone Embedded Systems Keegan Ryan RECON 2017 The Target The Target brendangates The Target Meriac (2010), Churchill Legacy ICLASS Introduced in 2007 Broken in 2010 Master key on every reader Security

682 views • 44 slides
Lord of the Bing Taking Back Search Engine Hacking From Google and Bing 29 July 2010 Presented

Lord of the Bing Taking Back Search Engine Hacking From Google and Bing 29 July 2010 Presented

Lord of the Bing Taking Back Search Engine Hacking From Google and Bing 29 July 2010 Presented by: Francis Brown and Rob Ragan Stach & Liu, LLC www.stachliu.com Agenda O V E R V I E W Introduction Advanced Attacks

780 views • 53 slides
A Study of A Study of WiMax QoS Mechanisms WiMax QoS Mechanisms Masood KHOSROSHAHY

A Study of A Study of WiMax QoS Mechanisms WiMax QoS Mechanisms Masood KHOSROSHAHY

A Study of A Study of WiMax QoS Mechanisms WiMax QoS Mechanisms Masood KHOSROSHAHY Vivien NGUYEN Masood KHOSROSHAHY Vivien NGUYEN RMOB Project RMOB Project April 2006 April 2006 Project supervisor: Project

741 views • 40 slides
Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1 Disclaimer Everything you are about to see, hear, read and experience is for educational purposes only. No warranties or guarantees implied or

692 views • 47 slides
Cellular Networks and WiMAX CS 687 University of Kentucky Fall 2015 Acknowledgment: These

Cellular Networks and WiMAX CS 687 University of Kentucky Fall 2015 Acknowledgment: These

Cellular Networks and WiMAX CS 687 University of Kentucky Fall 2015 Acknowledgment: These slides have used resources (presentations, documents, pictures) available on the web. Special thanks are given to Dr. Liang Cheng and Dr. Shalinee Kishore

503 views • 27 slides
Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June 15, 2017 Outline Drone Architectures RF Basics Information Gathering RF Hacking Tools Exploits & Demos Q&A Why? Wrights Law

485 views • 27 slides
Security in Mobile Devices Hacking Mobiles for Fun and Profit Tobias Mueller Universit at

Security in Mobile Devices Hacking Mobiles for Fun and Profit Tobias Mueller Universit at

Intro Hardware Security Platform Security Hacking Q&A Security in Mobile Devices Hacking Mobiles for Fun and Profit Tobias Mueller Universit at Hamburg & Dublin City University 2010-12-16 1 / 54 Intro Hardware Security

974 views • 79 slides
OpenPrinting OpenPrinting By: Glen W. P By: Glen W. Petr trie Senior Softw Senior Software A

OpenPrinting OpenPrinting By: Glen W. P By: Glen W. Petr trie Senior Softw Senior Software A

OpenPrinting OpenPrinting By: Glen W. P By: Glen W. Petr trie Senior Softw Senior Software A re Architect chitect EPSON EPSON 1 15-17 November 2004 Free Standard Group: OpenPrinting Agenda Introduction Working Group Reviews

1.24k views • 105 slides
The End of Software Security (and some Cryptography) Spring 2016 Ada (Adam) Lerner

The End of Software Security (and some Cryptography) Spring 2016 Ada (Adam) Lerner

CSE 484 / CSE M 584: Computer Security and Privacy The End of Software Security (and some Cryptography) Spring 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John

870 views • 76 slides
Downloading and preparing survey data using the Qualtrics API in the Stata ecosystem Danial

Downloading and preparing survey data using the Qualtrics API in the Stata ecosystem Danial

Downloading and preparing survey data using the Qualtrics API in the Stata ecosystem Danial Hoepfner Gibson Consulting Group dhoepfner@gibsonconsult.com danial.hoepfner@gmail.com July 31, 2020 Outline Motivation qualtrics.ado

479 views • 16 slides
Using itsunix.albany.edu for Windows: 1) Download PuTTY at

Using itsunix.albany.edu for Windows: 1) Download PuTTY at

Using itsunix.albany.edu for Mac: 1) Open the Terminal. Searching terminal on Spotlight can open the terminal. This will allow you to use the command line on the Mac. 2) To connect to itsunix.albany.edu type the following command: ssh X

162 views • 4 slides
Preview question In the Unix access control model, subjects are primarily identified by their:

Preview question In the Unix access control model, subjects are primarily identified by their:

Preview question In the Unix access control model, subjects are primarily identified by their: CSci 5271 A. email address Introduction to Computer Security Day 9: OS security basics B. username Stephen McCamant C. executable inode

462 views • 6 slides
ECE 7970 Advanced Cryptography Applications in Emerging Wireless Networks Chapter 0:

ECE 7970 Advanced Cryptography Applications in Emerging Wireless Networks Chapter 0:

ECE 7970 Advanced Cryptography Applications in Emerging Wireless Networks Chapter 0: Important information Dr. Mohamed Mahmoud http://iweb.tntech.edu/mmahmoud/ mmahmoud@tntech.edu 1 - Course I nform ation I nstructor : Dr. Mohamed M. E.

426 views • 13 slides
+ Cyber Security CS301 Fundamentals of Computer Science United States Military Academy + An

+ Cyber Security CS301 Fundamentals of Computer Science United States Military Academy + An

+ Cyber Security CS301 Fundamentals of Computer Science United States Military Academy + An Exercise in Cyber Security n Your identity is a valuable thing that is worth stealing. n Previous courses: how to protect yourself n This

324 views • 15 slides
Identity in the Browser 2011 Michael Hanson, Dan Mills, Ben Adida A quick history - current and

Identity in the Browser 2011 Michael Hanson, Dan Mills, Ben Adida A quick history - current and

Identity in the Browser 2011 Michael Hanson, Dan Mills, Ben Adida A quick history - current and proposed browser identity features Password store & sync Account Manager authentication and session metaprotocol Contacts API

483 views • 10 slides

More recommend