1
00:00:00,399 --> 00:00:09,720
*32C3 preroll music*

2
00:00:09,720 --> 00:00:13,680
Herald: The next talk is going to be “Beyond Your Cable Modem”

3
00:00:13,680 --> 00:00:17,590
– how not to do DOCSIS networks.

4
00:00:17,590 --> 00:00:21,760
Sorry, I’m not a hardware guy. But Alexander Graf is going to

5
00:00:21,760 --> 00:00:25,790
hold the talk and he has done a lot of virtualization

6
00:00:25,790 --> 00:00:29,299
and stuff other people think is too complicated.

7
00:00:29,299 --> 00:00:32,550
Now he is going to talk about

8
00:00:32,550 --> 00:00:36,740
the outside of your apartment. Give him a warm welcome.

9
00:00:36,740 --> 00:00:43,740
*applause*

10
00:00:44,850 --> 00:00:47,250
Alexander: Hi and welcome to my talk “Beyond Your Cable Modem”.

11
00:00:47,250 --> 00:00:50,390
This is going to look at what’s beyond the stuff you usually see at home

12
00:00:50,390 --> 00:00:54,420
where you just plug in a network cable and you happen to have Internet available.

13
00:00:54,420 --> 00:00:56,000
So, who am I?

14
00:00:56,000 --> 00:00:58,600
I’m Alexander Graf – I’m usually more of a virtualization developer.

15
00:00:58,600 --> 00:01:00,690
I have nothing to do with hacking in my day work,

16
00:01:00,690 --> 00:01:04,610
I don’t usually go around and hack embedded devices.

17
00:01:04,610 --> 00:01:06,440
Usually, at least.

18
00:01:06,440 --> 00:01:09,370
But, during the last year, I had a lot of spare time at night

19
00:01:09,370 --> 00:01:11,670
because the baby was crying, so I figured:

20
00:01:11,670 --> 00:01:17,010
I could as well spend that time and do something useful.

21
00:01:17,010 --> 00:01:19,930
So, what happened? We moved to a new home.

22
00:01:19,930 --> 00:01:22,790
I was living in a home where I had DSL available,

23
00:01:22,790 --> 00:01:26,540
I had a real phone line, everything was great, things were just awesome.

24
00:01:26,540 --> 00:01:32,400
But then we moved into this new home where…

25
00:01:32,400 --> 00:01:35,389
where there was no DSL available. Well, there was DSL available but there were

26
00:01:35,389 --> 00:01:39,890
different circumstances why I couldn’t use it. So instead, I figured: You know what?

27
00:01:39,890 --> 00:01:43,940
Try this cool new technology: Internet over your cable TV.

28
00:01:43,940 --> 00:01:46,100
Ehh, cable. TV cable.

29
00:01:46,100 --> 00:01:48,870
So I got myself a cable modem from the provider,

30
00:01:48,870 --> 00:01:52,690
got myself registered and now had Internet over cable TV.

31
00:01:52,690 --> 00:01:56,650
Also, along the same lines, I figured:

32
00:01:56,650 --> 00:01:59,820
Why not go and also do your phone line over that cable provider

33
00:01:59,820 --> 00:02:04,530
with your old phone number so that people still can contact you when they want to.

34
00:02:04,530 --> 00:02:08,199
Now, the thing is, when I finally received the whole package,

35
00:02:08,199 --> 00:02:12,219
I realized: Woh! Wait! Something’s wrong here!

36
00:02:12,219 --> 00:02:18,950
That’s an analogue phone line! Are we, like, in 2015 or is it 1994?

37
00:02:18,950 --> 00:02:21,660
So, instead of the usual digital stuff that I am used to,

38
00:02:21,660 --> 00:02:25,029
I just got myself an analogue phone line.

39
00:02:25,029 --> 00:02:27,880
So I had to put myself another box in there

40
00:02:27,880 --> 00:02:30,599
that would convert the analogue phone line back to a digital phone line,

41
00:02:30,599 --> 00:02:33,249
so I could route it in my house to another line, to another machine

42
00:02:33,249 --> 00:02:36,269
that would then go and route it to my phone.

43
00:02:36,269 --> 00:02:38,349
You see the problem in there?

44
00:02:38,349 --> 00:02:41,859
Yeah, that whole stuff over there just doesn’t look right, right?

45
00:02:41,859 --> 00:02:45,089
Why would you go and convert something that is obviously digital?

46
00:02:45,089 --> 00:02:48,200
I mean, the stuff that goes into your cable is obviously digital, right?

47
00:02:48,200 --> 00:02:50,149
Kind of obvious…

48
00:02:50,149 --> 00:02:52,639
and convert it back to analogue and then back to digital

49
00:02:52,639 --> 00:02:55,209
just to be able to do a phone call.

50
00:02:55,209 --> 00:02:59,989
So I called up the technicians, Support, and said: “Hey guys, you know what?

51
00:02:59,989 --> 00:03:02,519
Isn’t there a way I can, like, directly access

52
00:03:02,519 --> 00:03:07,719
whatever you have there and go and use digital throughout?”

53
00:03:07,719 --> 00:03:10,969
And the guy said: “Well, you know what? Actually, behind the scenes,

54
00:03:10,969 --> 00:03:14,389
we’re all just running SIP. It’s just a normal SIP server.

55
00:03:14,389 --> 00:03:17,360
Just normal voice-over-IP, nothing special about it.

56
00:03:17,360 --> 00:03:22,799
So, if you know what you’re doing, just go ahead and connect to it.”

57
00:03:22,799 --> 00:03:31,689
*laughter and applause*

58
00:03:31,689 --> 00:03:34,580
Challenge accepted.

59
00:03:34,580 --> 00:03:39,529
So, what we learned from Felix earlier in his car talk:

60
00:03:39,529 --> 00:03:42,220
It was: What do you do when you don’t want to brick your own system?

61
00:03:42,220 --> 00:03:45,670
Of course, you buy a new one on eBay. They’re really cheap,

62
00:03:45,670 --> 00:03:49,700
just go and get a cable modem and then you can go away and

63
00:03:49,700 --> 00:03:53,330
treat it with the kind of love that you want a device to be treated with.

64
00:03:53,330 --> 00:03:55,980
*laughter*

65
00:03:55,980 --> 00:04:00,039
Turns out, my modem is actually just running Linux. Hooh! Nice!

66
00:04:00,039 --> 00:04:02,419
That fits me pretty well!

67
00:04:02,419 --> 00:04:05,269
And it’s just a normal ARM system.

68
00:04:05,269 --> 00:04:07,449
Well, the only special thing is: It’s Big-Endian.

69
00:04:07,449 --> 00:04:11,869
But then again, I’m kind of used to ARM by now, why not just go away

70
00:04:11,869 --> 00:04:14,659
and like go around and just look at how this thing works.

71
00:04:14,659 --> 00:04:18,340
And, well, we really just want to get this voice-over-IP stuff working,

72
00:04:18,340 --> 00:04:22,340
so take a look at how this voice-over-IP stuff works on the device!

73
00:04:22,340 --> 00:04:24,480
Turns out, there’s actually a normal SIP.

74
00:04:24,480 --> 00:04:28,540
SIP works on port 5060 usually.

75
00:04:28,540 --> 00:04:33,419
Normal SIP client running on there, but this IP looks weird.

76
00:04:33,419 --> 00:04:35,490
So, my external IP looks different.

77
00:04:35,490 --> 00:04:40,920
And my internal IP is different, so where does this IP come from?

78
00:04:40,920 --> 00:04:44,130
So I looked at the IP list of my device and figured:

79
00:04:44,130 --> 00:04:47,729
Well, something’s weird here. I have a lot of IPs in there and connections

80
00:04:47,729 --> 00:04:52,960
that I really don’t know anything about. Hm.

81
00:04:52,960 --> 00:04:56,899
So down here, is obviously my phone line.

82
00:04:56,899 --> 00:05:02,849
And up here, is something else that I have no idea what this is about.

83
00:05:02,849 --> 00:05:06,749
So I figured: Let’s go and dig a bit deeper.

84
00:05:06,749 --> 00:05:09,810
And see what’s actually happening there.

85
00:05:09,810 --> 00:05:13,810
So how does DOCSIS work? This is just a small introduction,

86
00:05:13,810 --> 00:05:16,816
like high-level introduction, on how the routing runs.

87
00:05:16,816 --> 00:05:21,699
So basically, you have the cable modem that is connected using your TV cable line

88
00:05:21,699 --> 00:05:25,970
to a CMTS, just a translation service,

89
00:05:25,970 --> 00:05:29,840
that then takes all of the DOCSIS-specific stuff and just basically gives you

90
00:05:29,840 --> 00:05:35,849
an IP routing over into something- something-something behind it.

91
00:05:35,849 --> 00:05:39,500
However, it doesn’t just give you one line. It actually gives you three.

92
00:05:39,500 --> 00:05:42,689
It gives you one line for your Internet. Makes sense, right? You want

93
00:05:42,689 --> 00:05:46,279
to get online. That’s the one you actually see when you plug into the device.

94
00:05:46,279 --> 00:05:49,299
It also gives you another line for VoIP.

95
00:05:49,299 --> 00:05:51,690
And it gives you one more line that I would call the “Admin” line.

96
00:05:51,690 --> 00:05:55,710
It’s the provisioning line.

97
00:05:55,710 --> 00:05:59,549
Now, let’s start with the Admin line. That sounds the most interesting, right?

98
00:05:59,549 --> 00:06:00,920
*laughter*

99
00:06:00,920 --> 00:06:03,819
What does the Admin line do?

100
00:06:03,819 --> 00:06:09,080
Well, in the end, a modem in the DOCSIS network is just a normal client

101
00:06:09,080 --> 00:06:11,159
like in your Ethernet network.

102
00:06:11,159 --> 00:06:13,890
So the first thing it does when it gets online is:

103
00:06:13,890 --> 00:06:16,750
it does a DHCP request. And on the DHCP request

104
00:06:16,750 --> 00:06:20,229
it goes and gets an IP address and gets all the information it needs.

105
00:06:20,229 --> 00:06:25,340
And it also, well, it’s kind of sane, it’s just a normal DHCP request.

106
00:06:25,340 --> 00:06:28,949
It also, however, gets something similar to PXE booting

107
00:06:28,949 --> 00:06:32,960
where it gets usually… in PXE booting you would get an executable that you’d run,

108
00:06:32,960 --> 00:06:35,709
here, you get something different. Here, you also get a file

109
00:06:35,709 --> 00:06:39,159
that you need to download using TFTP just like with PXE.

110
00:06:39,159 --> 00:06:44,769
However, in this case, it’s a configuration file…

111
00:06:44,769 --> 00:06:46,900
– There you go – …configuration file…

112
00:06:46,900 --> 00:06:50,109
…that you just receive using PXE to your cable modem;

113
00:06:50,109 --> 00:06:52,989
and then, the cable modem is configured.

114
00:06:52,989 --> 00:06:56,680
Now what is inside this Provisioning File, that’s what I call it? Well,

115
00:06:56,680 --> 00:07:01,360
there’s interesting information like: What is your firmware update filename called?

116
00:07:01,360 --> 00:07:04,530
If you want to update your firmware or if the provider wants to have you

117
00:07:04,530 --> 00:07:09,799
update your firmware. How much bandwidth do I have?

118
00:07:09,799 --> 00:07:14,189
*laughter*

119
00:07:14,189 --> 00:07:17,370
I hear, people have been playing with that one…

120
00:07:17,370 --> 00:07:20,289
*laughter*

121
00:07:20,289 --> 00:07:23,749
And, well, since it’s just a normal TFTP request you can just do it yourself, too.

122
00:07:23,749 --> 00:07:28,499
This is my configuration. You just go, get it, and you have your configuration file.

123
00:07:28,499 --> 00:07:34,219
Now, the interesting thing that I realized when I first started doing this was:

124
00:07:34,219 --> 00:07:36,999
Sure, this is my configuration file. But what about configuration files

125
00:07:36,999 --> 00:07:42,080
from other people? Well, you go and get the MAC address,

126
00:07:42,080 --> 00:07:44,560
if you have the MAC address you just go and get it and there you go:

127
00:07:44,560 --> 00:07:47,339
You have the other people’s configuration file.

128
00:07:47,339 --> 00:07:48,460
*laughter*

129
00:07:48,460 --> 00:07:51,440
Easy as that, right? That’s the way it’s supposed to work.

130
00:07:51,440 --> 00:07:58,440
*applause*

131
00:07:59,690 --> 00:08:03,099
The actual effects of that, we’re going to come to that later.

132
00:08:03,099 --> 00:08:05,909
Let’s just declare TFTP, the whole access to that,

133
00:08:05,909 --> 00:08:08,920
as “slightly insecure” for now.

134
00:08:08,920 --> 00:08:11,840
*laughter*

135
00:08:11,840 --> 00:08:16,329
But now, if you’re an ISP, you want to monitor what your people do, right?

136
00:08:16,329 --> 00:08:18,910
So imagine, you’re the admin there.

137
00:08:18,910 --> 00:08:21,619
Just imagine, you’re one of the good guys, right?

138
00:08:21,619 --> 00:08:24,650
And you want to see what are those people on your modem doing.

139
00:08:24,650 --> 00:08:27,060
Are they, like, downloading too much content?

140
00:08:27,060 --> 00:08:32,410
Because you obviously cannot filter or find that out from the other side.

141
00:08:32,410 --> 00:08:35,890
So, what do you do? Well, you obviously send the industry standard for that:

142
00:08:35,890 --> 00:08:42,130
An SNMP request. Using a password that only you know.

143
00:08:42,130 --> 00:08:47,220
*laughter*

144
00:08:47,220 --> 00:08:50,190
Send it over to the cable modem and the cable modem then goes in

145
00:08:50,190 --> 00:08:54,010
and replies with the respective reply saying “Oh, yeah, sure,

146
00:08:54,010 --> 00:08:57,250
I got that piece of information, there you go, you have it.”

147
00:08:57,250 --> 00:09:00,580
Oh, that was too quick!

148
00:09:00,580 --> 00:09:07,580
But how does your modem actually verify that password?

149
00:09:07,940 --> 00:09:10,740
Yeah, you guessed right: Using the Provisioning File, obviously!

150
00:09:10,740 --> 00:09:12,810
*laughter*

151
00:09:12,810 --> 00:09:17,010
Once you download the Provisioning File from any random modem in there

152
00:09:17,010 --> 00:09:22,640
– including yours – you end up getting an interesting password.

153
00:09:22,640 --> 00:09:27,800
*laughter*

154
00:09:27,800 --> 00:09:30,480
However, they actually did at least one thing:

155
00:09:30,480 --> 00:09:35,150
They limited the address range you are allowed to access those devices on.

156
00:09:35,150 --> 00:09:39,540
*laughter*

157
00:09:39,540 --> 00:09:46,540
Yeah… *applause*

158
00:09:47,090 --> 00:09:50,210
As a hint for those who did not clap:

159
00:09:50,210 --> 00:09:54,740
This means, everybody who is in that network.

160
00:09:54,740 --> 00:09:57,250
But how big is this network?

161
00:09:57,250 --> 00:10:01,520
I figured: Why not just give it a try and ask some people in Hannover

162
00:10:01,520 --> 00:10:03,930
whether I could just get their MAC addresses

163
00:10:03,930 --> 00:10:06,850
and see how far I could get.

164
00:10:06,850 --> 00:10:10,920
Just send an SNMP request over, I had the password now, right?

165
00:10:10,920 --> 00:10:15,060
And ask that modem:

166
00:10:15,060 --> 00:10:18,380
“Please tell me everything you know!”

167
00:10:18,380 --> 00:10:22,770
And it replied! *laughter*

168
00:10:22,770 --> 00:10:25,130
There’s a lot of interesting information, SNMP, you wouldn’t believe it!

169
00:10:25,130 --> 00:10:28,880
So this is obviously just stuff like “Oh, yeah, I’m this and that modem!”

170
00:10:28,880 --> 00:10:31,160
But there’s more in there. There’s, for example…

171
00:10:31,160 --> 00:10:34,280
this is my public IP address!

172
00:10:34,280 --> 00:10:38,170
– in case you’re searching for someone specific. Or…

173
00:10:38,170 --> 00:10:41,250
these are my internal MAC addresses and IP addresses.

174
00:10:41,250 --> 00:10:43,790
In case you’re searching for some specific notebook that someone

175
00:10:43,790 --> 00:10:49,530
stole from you or so.
*laughter*

176
00:10:49,530 --> 00:10:53,390
Or… this is my Provisioning File, in case you just happened to port scan

177
00:10:53,390 --> 00:10:56,110
all of the machines out there and ask them using the same password

178
00:10:56,110 --> 00:11:01,040
that they all share on what their Provisioning Files could be called.

179
00:11:01,040 --> 00:11:02,410
*clears throat*

180
00:11:02,410 --> 00:11:04,596
Of course, I never did that. Right?

181
00:11:04,596 --> 00:11:08,040
*laughter*

182
00:11:08,040 --> 00:11:15,040
So, I would say, the whole SNMP story isn’t “really” all that secure either.

183
00:11:15,970 --> 00:11:19,610
But at a certain point in time, like when the modem actually doesn’t work

184
00:11:19,610 --> 00:11:22,310
like the way you would envision it to be or if you just need to do

185
00:11:22,310 --> 00:11:25,990
more administrative stuff, the admin wants to have more access than just SNMP, right?

186
00:11:25,990 --> 00:11:31,020
This is kind of isolated to a few specific pieces of information.

187
00:11:31,020 --> 00:11:36,940
You want some more hardcore access. Like real go down into a real shell.

188
00:11:36,940 --> 00:11:40,430
How do you do shells in 2015? Audience: TELNET!

189
00:11:40,430 --> 00:11:44,470
Alexander: Telnet. Exactly! *laughter*

190
00:11:44,470 --> 00:11:51,470
*applause*

191
00:11:52,650 --> 00:11:58,820
We’ll actually get to the point why Telnet was a good idea later, but…

192
00:11:58,820 --> 00:12:04,260
that’s 30 slides down or so.

193
00:12:04,260 --> 00:12:07,420
We already managed to get an SNMP connection working to a different modem,

194
00:12:07,420 --> 00:12:12,660
let’s just try the same with Telnet and see how far we can get.

195
00:12:12,660 --> 00:12:19,090
We can go in and just Telnet in and it replies and says “please give me a login”

196
00:12:19,090 --> 00:12:23,930
Hm. Now where do I get this login from?

197
00:12:23,930 --> 00:12:26,160
*laughter*

198
00:12:26,160 --> 00:12:29,900
Turns out, the administrator needs to provide that password just the same

199
00:12:29,900 --> 00:12:33,100
to the modem, which needs to verify it.

200
00:12:33,100 --> 00:12:37,550
Based on configuration. Which it gets from the Provisioning File. That…

201
00:12:37,550 --> 00:12:41,490
I think you see the point.

202
00:12:41,490 --> 00:12:44,680
So in the same Provisioning File that you can obviously again download for every

203
00:12:44,680 --> 00:12:49,880
single user in the network you also have the password.

204
00:12:49,880 --> 00:12:52,980
In plaintext.

205
00:12:52,980 --> 00:12:56,250
That’s the part that actually took me the longest in this whole thing.

206
00:12:56,250 --> 00:12:59,980
I spent weeks trying to figure out what hash this is.

207
00:12:59,980 --> 00:13:05,210
*raging laughter*

208
00:13:05,210 --> 00:13:11,550
*big applause*

209
00:13:11,550 --> 00:13:15,880
So if we try to log in to the server using those credentials we got,

210
00:13:15,880 --> 00:13:18,200
we get greeted with a nice command line interface

211
00:13:18,200 --> 00:13:22,180
for poor Mr. Admin at our provider’s side.

212
00:13:22,180 --> 00:13:26,540
But I don’t really like those, like, boiled-down interfaces.

213
00:13:26,540 --> 00:13:29,210
I want a real shell. I want to load kernel modules.

214
00:13:29,210 --> 00:13:31,730
I want to filter all my network traffic.

215
00:13:31,730 --> 00:13:35,730
I want to reroute everything that modem does to a different machine.

216
00:13:35,730 --> 00:13:41,110
I want to rewrite the VoIP client to instead do… either way!

217
00:13:41,110 --> 00:13:44,520
So I want to do something real. Let’s do the help command

218
00:13:44,520 --> 00:13:47,480
and it tells us that there’s a cool command called “shell”.

219
00:13:47,480 --> 00:13:49,550
*laughter*

220
00:13:49,550 --> 00:13:52,890
Ah yeah, there you go, got a shell!

221
00:13:52,890 --> 00:13:57,070
By now, at that point, I can actually go and do anything I want to that modem.

222
00:13:57,070 --> 00:14:01,760
I got full root access. By the way, all the modems run every single

223
00:14:01,760 --> 00:14:05,390
piece of software running on there, including your web server and your

224
00:14:05,390 --> 00:14:11,280
SIP server and anything as UID 0. Which is a good idea, right?

225
00:14:11,280 --> 00:14:14,680
So, I now got shell access so I can do anything I want.

226
00:14:14,680 --> 00:14:18,510
I can re-route all your traffic, I don’t, obviously, but

227
00:14:18,510 --> 00:14:21,980
this is basically where we went half a year ago.

228
00:14:21,980 --> 00:14:25,390
Another thing to note is that – since it’s so annoying to generate

229
00:14:25,390 --> 00:14:29,660
different passwords for different devices…

230
00:14:29,660 --> 00:14:31,780
Yeah, yeah, I know.

231
00:14:31,780 --> 00:14:36,080
You just use one password for all, right? It’s good enough.

232
00:14:36,080 --> 00:14:42,620
So you don’t even have to read your other person’s Provisioning File,

233
00:14:42,620 --> 00:14:45,040
you can just use your own password that is in your own Provisioning File

234
00:14:45,040 --> 00:14:50,330
which you already have on your modem because you’re provisioned yourself.

235
00:14:50,330 --> 00:14:54,300
The only notable exception that I found to this whole scheme

236
00:14:54,300 --> 00:14:57,690
– I mean, you could basically go and log in to any modem out there,

237
00:14:57,690 --> 00:15:02,140
except for Fritz!Boxes. *applause*

238
00:15:02,140 --> 00:15:07,920
Yeah, congratulations everyone! Kudos!

239
00:15:07,920 --> 00:15:11,570
So, apparently, AVM are the only ones who did not follow the standard scheme

240
00:15:11,570 --> 00:15:15,480
from my provider and instead said: “No no no, guys! You don’t do the firmware.

241
00:15:15,480 --> 00:15:20,170
WE do the firmware”, and they just don’t like to enable Telnet.
Apparently

242
00:15:20,170 --> 00:15:25,430
there are people in that company that actually know what they’re doing.

243
00:15:25,430 --> 00:15:31,010
So, I would say the whole Telnet access thing isn’t exactly…

244
00:15:31,010 --> 00:15:36,660
I wouldn’t mark it “secure” either. Naahhh… naaah…

245
00:15:36,660 --> 00:15:39,240
But we didn’t really come here for the Admin network, right?

246
00:15:39,240 --> 00:15:45,020
I was just… it happened to be around. I just looked at it and… njeeeeeh.

247
00:15:45,020 --> 00:15:48,420
We wanted to go and do voice-over-IP! Hah!

248
00:15:48,420 --> 00:15:52,030
Yeah, so how does VoIP look like? It’s kind of similar.

249
00:15:52,030 --> 00:15:54,130
It also does a DHCP request in the beginning.

250
00:15:54,130 --> 00:15:59,600
DHCP is usually fine, I mark it with a green tick here.

251
00:15:59,600 --> 00:16:04,770
I’ll leave it to others to further dig down into that part.

252
00:16:04,770 --> 00:16:09,690
It does the same TFTP bit so if you just go and – instead of downloading your

253
00:16:09,690 --> 00:16:16,660
Provisioning File from your own modem, from the RAN, from the admin network –

254
00:16:16,660 --> 00:16:23,200
you just go and get it from the other MAC address and there you go, you have it.

255
00:16:23,200 --> 00:16:29,250
Nicely enough, all those cable providers registered consecutive MAC addresses,

256
00:16:29,250 --> 00:16:35,770
so if you have one, you also have the others.

257
00:16:35,770 --> 00:16:40,070
Just… You basically just ask a friend: “Give me your MAC address that’s

258
00:16:40,070 --> 00:16:44,090
written on the box” and you basically have everything you need.

259
00:16:44,090 --> 00:16:46,760
SNMP is the same thing. You can access it using SNMP.

260
00:16:46,760 --> 00:16:49,280
The really nice thing about SNMP here is that the box also

261
00:16:49,280 --> 00:16:53,980
tells you the other accesses it has, so if you only have one IP address, or…

262
00:16:53,980 --> 00:16:57,950
I also have a nice DNS service internally that tells you what the IP address is

263
00:16:57,950 --> 00:17:01,210
to a certain MAC address, so you just ask the DNS for the MAC address of

264
00:17:01,210 --> 00:17:09,409
the VoIP access, then you go and SNMP, ask it for the IP address

265
00:17:09,409 --> 00:17:14,169
of the admin network, and there you go. You’re in the box.

266
00:17:14,169 --> 00:17:17,940
However, the really interesting bit on the voice-over-IP network is SIP.

267
00:17:17,940 --> 00:17:22,330
Since… you want to do VoIP, right? That’s what the whole thing is about.

268
00:17:22,330 --> 00:17:28,330
So VoIP basically works… the way that your modem wants to go and do a phone call.

269
00:17:28,330 --> 00:17:30,730
So how do you do a phone call with SIP?

270
00:17:30,730 --> 00:17:38,690
You need to provide data like credentials, like, tell the other side, the server,

271
00:17:38,690 --> 00:17:40,470
how you authenticate yourself.

272
00:17:40,470 --> 00:17:43,890
Which, obviously, is written in your Provisioning File.

273
00:17:43,890 --> 00:17:47,640
So, you use those and tell the server: “I want to do a phone call”

274
00:17:47,640 --> 00:17:49,580
and there you go: You do a phone call.

275
00:17:49,580 --> 00:17:54,000
Now if we look at this Provisioning File, you can see that it contains your server

276
00:17:54,000 --> 00:17:57,560
and your user name and your phone number

277
00:17:57,560 --> 00:18:03,870
and your… well, basically everything you’d need to log in into an SIP server.

278
00:18:03,870 --> 00:18:10,310
Now, since I can read, anybody else’s Provisioning Files, …

279
00:18:10,310 --> 00:18:11,590
*laughter*

280
00:18:11,590 --> 00:18:16,440
So, imagine I’m this user up there. Right?

281
00:18:16,440 --> 00:18:21,400
And I’m just doing a normal call as this phone number up there.

282
00:18:21,400 --> 00:18:24,330
Well, maybe there’s this other guy in the network

283
00:18:24,330 --> 00:18:27,700
who just goes in and downloads your Provisioning File

284
00:18:27,700 --> 00:18:31,070
and, well, he gets all the credentials he would need, so he gets

285
00:18:31,070 --> 00:18:35,870
the same phone number and then he can just go and do a call.

286
00:18:35,870 --> 00:18:46,800
Hm. Yeah. Maybe I should have registered a few 0900 numbers.

287
00:18:46,800 --> 00:18:50,500
Now the really interesting part here is – it also works the other way!

288
00:18:50,500 --> 00:18:53,900
You register for it and if you’re the fastest one registering it,

289
00:18:53,900 --> 00:18:58,580
the other modem doesn’t get the chance to receive calls which means

290
00:18:58,580 --> 00:19:02,360
now you receive the calls and then you can just tell the other modem that there was

291
00:19:02,360 --> 00:19:06,910
a call, just that, by now, you actually route all the traffic through your modem

292
00:19:06,910 --> 00:19:13,000
and you can listen to all the voice data that there is on the line. Yay!

293
00:19:14,450 --> 00:19:18,260
Yeah… *laughter*

294
00:19:18,260 --> 00:19:22,160
Not sure it’d be a good idea to talk to your lawyer around…

295
00:19:22,160 --> 00:19:27,030
Using this line for secure stuff is probably not the best.

296
00:19:27,030 --> 00:19:33,080
I wouldn’t mark SIP as secure on this thing, either.

297
00:19:33,080 --> 00:19:38,240
But at this point, so on the Telnet access and on all the other parts,

298
00:19:38,240 --> 00:19:40,870
I was, like, sure, I can fix it for myself.

299
00:19:40,870 --> 00:19:44,230
I’m an egoist, right? I can fix it for myself.

300
00:19:44,230 --> 00:19:46,650
I don’t care about the rest of mankind…

301
00:19:46,650 --> 00:19:51,270
I do, but I can claim that!

302
00:19:51,270 --> 00:19:54,490
I can just as well ignore all the others and say: I fix it for myself.

303
00:19:54,490 --> 00:19:58,420
But for voice-over-IP, I can’t. Because I’m completely out of the loop.

304
00:19:58,420 --> 00:20:05,090
This other guy, he could just go and steal my credentials, because he can…

305
00:20:05,090 --> 00:20:07,050
and there’s nothing I can do about it.

306
00:20:07,050 --> 00:20:12,080
So at that point, I was kind of scared that someone would be able to hack me.

307
00:20:12,080 --> 00:20:17,120
So I started to think about how to fix this thing.

308
00:20:17,120 --> 00:20:22,540
Now, the first thing that comes to mind is obviously: You as a user

309
00:20:22,540 --> 00:20:28,910
go and pick up the phone and call the service line from your provider.

310
00:20:28,910 --> 00:20:31,540
*laughter*

311
00:20:31,540 --> 00:20:34,410
Yeah, I don’t think, that’s a good idea. *laughter*

312
00:20:34,410 --> 00:20:38,590
Nah, no I didn’t want to go down that road, nah… So, instead, I figured,

313
00:20:38,590 --> 00:20:41,730
I’m going to call someone else. I’m going to call a couple friends.

314
00:20:41,730 --> 00:20:44,250
*laughter and applause*

315
00:20:44,250 --> 00:20:50,960
*applause*

316
00:20:50,960 --> 00:20:54,430
Gonna call a couple of friends from Heise, thanks to my Linux work, I knew

317
00:20:54,430 --> 00:20:59,640
a few of those, and they also tend to do security, which kind of falls into

318
00:20:59,640 --> 00:21:02,160
this whole thing and used them as a proxy.

319
00:21:02,160 --> 00:21:09,160
So that nobody could actually go and sue me until things were public.

320
00:21:11,690 --> 00:21:15,100
So, imagine what the provider would do when he hears

321
00:21:15,100 --> 00:21:19,229
that I hacked into their Telnet account.

322
00:21:19,229 --> 00:21:23,670
Sure, you’d do the obvious thing: You’d replace Telnet with SSH, right?

323
00:21:23,670 --> 00:21:26,350
It’s what everybody would do. It’s the first thing.
You look at this and think,

324
00:21:26,350 --> 00:21:29,610
like, “Oh my god, this is 2015, why would you be doing Telnet?”

325
00:21:29,610 --> 00:21:35,720
Well, the answer is pretty simple. Emm… *laughter*

326
00:21:35,720 --> 00:21:38,989
Take a look again. It’s not as simple as you think. Take a look at it again,

327
00:21:38,989 --> 00:21:43,060
there’s this Provisioning File. SSH actually gets different credentials!

328
00:21:43,060 --> 00:21:46,790
So, the SSH credentials are actually down here.

329
00:21:46,790 --> 00:21:49,530
And the password is different from the one on the top.

330
00:21:49,530 --> 00:21:51,410
I don’t know what the password is.

331
00:21:51,410 --> 00:21:56,310
But I can tell you that the password hash is really cool!

332
00:21:56,310 --> 00:21:59,890
So, the password hash is something that comes from VxWorks, so I’m pretty

333
00:21:59,890 --> 00:22:04,390
sure that there are more devices out there that might be interesting to look at.

334
00:22:04,390 --> 00:22:06,970
The VxWorks hash actually works in a really simple way:

335
00:22:06,970 --> 00:22:12,850
It creates a checksum of your input that lies somewhere between those 2 numbers

336
00:22:12,850 --> 00:22:16,940
and then creates a fancy String out of them based on some heuristics.

337
00:22:16,940 --> 00:22:21,860
But essentially, the whole password down there boils down to just a single number

338
00:22:21,860 --> 00:22:26,740
that is basically, in a realistic case, the upper limit is 40 characters,

339
00:22:26,740 --> 00:22:28,980
so you’re not going to see a password that long,

340
00:22:28,980 --> 00:22:33,280
realistically you basically check around 100 passwords and any hash out there,

341
00:22:33,280 --> 00:22:37,460
any password that’s available, you already cracked it.
Which means,

342
00:22:37,460 --> 00:22:41,580
there are so many collisions in this hash, which I wouldn’t even call a hash,

343
00:22:41,580 --> 00:22:44,390
that I don’t know what the original password is like… I don’t know.

344
00:22:44,390 --> 00:22:47,380
But this one works pretty well!

345
00:22:47,380 --> 00:22:50,730
*laughter and applause*

346
00:22:50,730 --> 00:22:56,940
*applause*

347
00:22:56,940 --> 00:23:00,750
So we go ahead and we log into this machine and we type in our collision

348
00:23:00,750 --> 00:23:04,080
and… there you go! We got the same thing as before!

349
00:23:04,080 --> 00:23:07,900
So we told them again: “Guys, look, it’s not as easy as that.

350
00:23:07,900 --> 00:23:10,860
You should probably take a bit deeper breath and take a look

351
00:23:10,860 --> 00:23:14,390
at how things actually are broken.”

352
00:23:14,390 --> 00:23:18,030
Which, turns out, they did! So what happened next?

353
00:23:18,030 --> 00:23:24,010
We had this whole huge mess with lots of services that are all attackable

354
00:23:24,010 --> 00:23:27,210
and everything’s just wholly broken.

355
00:23:27,210 --> 00:23:31,960
That was two months ago.

356
00:23:31,960 --> 00:23:35,530
There were some circumstances why we just couldn’t tell them earlier.

357
00:23:35,530 --> 00:23:39,780
And we basically told them: “Guys, you know, in 2 months’ time we’re going to do

358
00:23:39,780 --> 00:23:43,050
a talk here and everything’s going to be public so you might want to fix

359
00:23:43,050 --> 00:23:46,840
your network until then.” *laughter*

360
00:23:46,840 --> 00:23:51,660
So the first thing that they did is: They added a check to their TFTP server

361
00:23:51,660 --> 00:23:56,630
to verify whether you’re actually eligible to download this Provisioning File.

362
00:23:56,630 --> 00:24:01,770
*applause*

363
00:24:01,770 --> 00:24:04,720
So now, you can only download your own Provisioning File. Which is great…

364
00:24:04,720 --> 00:24:09,330
finally!
I mean, this is the obvious thing to do. So that one’s fixed. 365 00:24:09,330 --> 00:24:13,180 Then, they went ahead and said: Well, there’s no real reason why one modem 366 00:24:13,180 --> 00:24:16,280 should do SNMP traffic with another. So they just added a firewall, saying, 367 00:24:16,280 --> 00:24:19,570 we’re blocking SNMP traffic between different machines 368 00:24:19,570 --> 00:24:22,610 – problem solved! 369 00:24:22,610 --> 00:24:26,780 *applause* 370 00:24:26,780 --> 00:24:30,439 The same for SSH – they went ahead and said: There’s no reason why you should 371 00:24:30,439 --> 00:24:34,120 be doing TCP between one modem and another. 372 00:24:34,120 --> 00:24:36,360 Problem solved! 373 00:24:36,360 --> 00:24:39,610 *applause* 374 00:24:39,610 --> 00:24:44,610 And because the VoIP access credentials 375 00:24:44,610 --> 00:24:47,910 are actually part of your Provisioning File which you can now 376 00:24:47,910 --> 00:24:51,140 no longer download from somebody else, that one is fixed too. 377 00:24:51,140 --> 00:24:56,689 Awesome! *shy applause* Go ahead, go ahead, clap! It’s awesome! 378 00:24:56,689 --> 00:25:00,210 *applause* 379 00:25:00,210 --> 00:25:04,809 Thank you, ISPs. So after two months, you actually managed to limit me 380 00:25:04,809 --> 00:25:07,900 into the borders that I was supposed to be in, in the beginning. 381 00:25:07,900 --> 00:25:11,800 It’s cool! So what do we have… 382 00:25:11,800 --> 00:25:16,110 Please guard your networks even if you believe that somebody couldn’t go in 383 00:25:16,110 --> 00:25:17,970 – they probably will. 384 00:25:17,970 --> 00:25:22,930 Because, as soon as a customer can access your device physically, 385 00:25:22,930 --> 00:25:26,290 which kind of happens to be the case with a modem that’s sitting 386 00:25:26,290 --> 00:25:31,920 in your apartment, 387 00:25:31,920 --> 00:25:35,020 that guy can access your network. There’s no way you can prevent it. 
388 00:25:35,020 --> 00:25:38,950 So don’t believe that the border of your network is the home. 389 00:25:38,950 --> 00:25:43,980 The border of your network is the cable going into that home. 390 00:25:43,980 --> 00:25:46,640 The same way goes the other way around: If an ISP gives you a device, 391 00:25:46,640 --> 00:25:48,590 don’t trust that thing. 392 00:25:48,590 --> 00:25:51,030 Seriously. They can do anything they like. 393 00:25:51,030 --> 00:25:55,230 And sometimes, somebody else can, too. 394 00:25:55,230 --> 00:26:02,510 In this case, according to my provider, I was able to access 3 million devices. 395 00:26:02,510 --> 00:26:05,405 *applause* That’s quite some number. 396 00:26:05,405 --> 00:26:10,590 *applause* 397 00:26:10,590 --> 00:26:16,730 Also, the press is your friend. If you are afraid of revealing something, 398 00:26:16,730 --> 00:26:18,680 tell someone who can do it for you 399 00:26:18,680 --> 00:26:25,130 and usually, things go out well. Let’s hope for the best. 400 00:26:25,130 --> 00:26:29,110 And then, this whole thing went online in the beginning of the week 401 00:26:29,110 --> 00:26:32,640 and there were a couple of questions on the forums that I read 402 00:26:32,640 --> 00:26:35,880 and I just wanted to take the time to reply to those. 403 00:26:35,880 --> 00:26:38,200 First thing that always comes up is: “Is this a conspiracy?” 404 00:26:38,200 --> 00:26:41,270 Like “Oh my god, this is the NSA backdoor!” 405 00:26:41,270 --> 00:26:44,710 No way. I mean, seriously, those guys are not that stupid. 406 00:26:44,710 --> 00:26:47,990 They have their own front doors, they don’t need backdoors. 407 00:26:47,990 --> 00:26:50,080 *laughter* 408 00:26:50,080 --> 00:26:54,549 This really is just a case of “If we don’t secure things, it’s going to be easier 409 00:26:54,549 --> 00:26:59,630 for us.” Njee, it was easier for everybody, 410 00:26:59,630 --> 00:27:03,070 including the ones who shouldn’t have access. 
411 00:27:03,070 --> 00:27:07,930 So, no, this is not a conspiracy. This is not some backdoor from some agency. 412 00:27:07,930 --> 00:27:13,110 This is really just a matter of a company not doing their homework. 413 00:27:13,110 --> 00:27:15,970 The same thing goes for other providers. 414 00:27:15,970 --> 00:27:20,360 My cable just wasn’t long enough to connect to some other country 415 00:27:20,360 --> 00:27:24,310 so I don’t know whether other DOCSIS networks are affected. 416 00:27:24,310 --> 00:27:30,540 From the best of my knowledge: Yes, they are. 417 00:27:30,540 --> 00:27:33,639 I’m not allowed to tell you to check. 418 00:27:33,639 --> 00:27:37,049 But if you happen to have that idea on your own… 419 00:27:37,049 --> 00:27:40,480 *laughter and applause* 420 00:27:40,480 --> 00:27:47,480 *applause* 421 00:27:47,480 --> 00:27:50,269 No animals were hurt during the production of this movie. 422 00:27:50,269 --> 00:27:51,320 *laughter* 423 00:27:51,320 --> 00:27:55,330 All the passwords were changed, so if you happen to know the real passwords, 424 00:27:55,330 --> 00:27:58,049 you probably had a good laugh during the presentation. 425 00:27:58,049 --> 00:28:03,660 If you don’t know the real passwords, njeeee, they are different. 426 00:28:03,660 --> 00:28:07,130 To the best of my knowledge, all of that knowledge that I just gave you is 427 00:28:07,130 --> 00:28:13,810 completely useless to you, because all the issues are fixed. 428 00:28:13,810 --> 00:28:16,630 Thank you. 429 00:28:16,630 --> 00:28:32,020 *applause* 430 00:28:32,020 --> 00:28:33,690 Herald [to Alexander]: Q&A? [Alexander nodding] 431 00:28:33,690 --> 00:28:36,009 Alexander: So now we can go for questions if you like. 432 00:28:36,009 --> 00:28:39,399 So please… or… you go ahead and announce it. 433 00:28:39,399 --> 00:28:43,650 Herald: So if you have questions, run towards a microphone and 434 00:28:43,650 --> 00:28:49,020 stand behind it visibly. The first one was on number 4. 
435 00:28:49,020 --> 00:28:54,430 Q: You were talking about taking a couple of weeks to get to know 436 00:28:54,430 --> 00:28:57,990 that the password wasn’t hashed but plaintext. 437 00:28:57,990 --> 00:29:02,500 So how long did this whole exchange in total go on? 438 00:29:02,500 --> 00:29:07,010 How much facepalming and how many hours did it take for you? 439 00:29:07,010 --> 00:29:10,070 A: So I didn’t spend full time on it, I really literally just whenever 440 00:29:10,070 --> 00:29:14,250 the baby was crying I just went up and figured “I can do something”. 441 00:29:14,250 --> 00:29:21,550 It’s not… I basically got cable access two years ago. 442 00:29:21,550 --> 00:29:25,210 I first got into the modem about one year ago, I think. 443 00:29:25,210 --> 00:29:31,610 That’s when I started looking for real. 444 00:29:31,610 --> 00:29:34,670 I basically ended up digging deeper and deeper, right? It’s not… 445 00:29:34,670 --> 00:29:38,840 VoIP, for example, I only realized the whole voice-over-IP story in August. 446 00:29:38,840 --> 00:29:42,650 Since I just didn’t look before. I was like so excited to see all the other bits. 447 00:29:42,650 --> 00:29:44,250 *shy laughter* 448 00:29:44,250 --> 00:29:46,350 Just didn’t look. 449 00:29:46,350 --> 00:29:48,900 Herald: Now number 1, please. 450 00:29:48,900 --> 00:29:54,220 Q: Are you really sure that the TFTP Provisioning File fetching is secure now? 451 00:29:54,220 --> 00:30:01,429 Because… do they do some MAC integrity tests for MAC spoofing? 452 00:30:01,429 --> 00:30:04,670 A: Yeaaaaah… 453 00:30:04,670 --> 00:30:09,259 *laughter* 454 00:30:09,259 --> 00:30:13,870 The problem is the law, right? I’m not allowed to tell you to try it yourself, 455 00:30:13,870 --> 00:30:18,580 I’m not allowed to tell you that I don’t think that anything on the physical layer 456 00:30:18,580 --> 00:30:23,089 is insecure. 
I’m not allowed to tell you that… I mean there’s so many things 457 00:30:23,089 --> 00:30:29,109 I’m not allowed to tell you about this whole network… I haven’t tried. 458 00:30:29,109 --> 00:30:36,109 I really just went in and said “TFTP Fetch and see whether I can get it.” 459 00:30:36,109 --> 00:30:41,080 *laughter and applause* 460 00:30:41,080 --> 00:30:45,760 *applause* 461 00:30:45,760 --> 00:30:48,690 Herald: Number 7 up there on the balcony. 462 00:30:48,690 --> 00:30:52,309 Q: Hello. My question is, in the beginning in your config files, 463 00:30:52,309 --> 00:30:56,870 I think there was something about traffic priority or network priority as well. 464 00:30:56,870 --> 00:31:00,760 Did you play around with that one as well? Is that something about Net Neutrality, 465 00:31:00,760 --> 00:31:03,180 maybe? A: Ahh, that’s an interesting… 466 00:31:03,180 --> 00:31:05,390 OK, so, it’s not about Net Neutrality at all. 467 00:31:05,390 --> 00:31:11,240 It’s about QoS of different services, so they basically say that 468 00:31:11,240 --> 00:31:15,110 VoIP traffic gets higher priority than the other bits 469 00:31:15,110 --> 00:31:18,200 since you want to have low latency on voice-over-IP traffic, obviously. 470 00:31:18,200 --> 00:31:20,860 So that has nothing to do with Net Neutrality in this thing at all. 471 00:31:20,860 --> 00:31:28,210 I did play around with those settings, just because… 472 00:31:28,210 --> 00:31:31,410 coincidentally, right the day after the Fahrplan got released, 473 00:31:31,410 --> 00:31:35,230 my account got throttled to 80 kBit/s. 474 00:31:35,230 --> 00:31:38,130 I don’t know why. Could be related, could be not. 475 00:31:38,130 --> 00:31:43,400 But I figured, “I’m paying for 100 MBit/s” so I should probably get 100 MBit/s 476 00:31:43,400 --> 00:31:46,330 and started to look at those things. 477 00:31:46,330 --> 00:31:50,280 I did not manage to actually convince my modem to get me more. 
478 00:31:50,280 --> 00:31:52,820 Q: Did you change the bandwidth in the settings? 479 00:31:52,820 --> 00:31:55,140 Herald: No dialogues, please. 480 00:31:55,140 --> 00:31:59,670 A: Yes, I did change the bandwidth. It’s not… my guess is, 481 00:31:59,670 --> 00:32:02,359 they’re also QoS’ing on the other side. But if you want to 482 00:32:02,359 --> 00:32:05,260 verify it, I’m not telling you not to. 483 00:32:05,260 --> 00:32:07,600 *laughter* 484 00:32:07,600 --> 00:32:09,309 Herald: Number 2, please. 485 00:32:09,309 --> 00:32:12,370 Q: Yes. So at first, thank you for the nice insights. 486 00:32:12,370 --> 00:32:15,140 I’m a cable user, so I’m interested here. 487 00:32:15,140 --> 00:32:19,219 And I want to, again, make a statement on the Provisioning File. 488 00:32:19,219 --> 00:32:23,940 You should have told them that the Provisioning File fetching in this way 489 00:32:23,940 --> 00:32:26,210 isn’t a good idea anyway. 490 00:32:26,210 --> 00:32:30,460 And I personally would believe if they cannot transfer it 491 00:32:30,460 --> 00:32:36,490 via a completely different channel, it will not get really secure. 492 00:32:36,490 --> 00:32:39,869 A: They can not do it differently because it’s part of a standard. 493 00:32:39,869 --> 00:32:42,849 There’s a DOCSIS standard which all the modems have to adhere to 494 00:32:42,849 --> 00:32:46,259 and that’s part of the standard. They cannot do it differently. 495 00:32:46,259 --> 00:32:48,350 If you want to have it done differently, you have to tell 496 00:32:48,350 --> 00:32:53,310 the DOCSIS standardization committee which is in India. 497 00:32:53,310 --> 00:32:56,910 Q: Yes, so I’ll talk to them. Thanks! 498 00:32:56,910 --> 00:33:00,159 Herald: Now, we’ll have a question from the Internet. 499 00:33:00,159 --> 00:33:03,650 Q: Could two modems be programmed to talk among 500 00:33:03,650 --> 00:33:07,169 themselves directly, bypassing the ISP firewall? 501 00:33:07,169 --> 00:33:09,109 A: Say it again. 
502 00:33:09,109 --> 00:33:15,270 *Signal Angel repeats question more slowly* 503 00:33:15,270 --> 00:33:17,110 A: You mean with the new scheme or with the old scheme? 504 00:33:17,110 --> 00:33:21,150 With the old scheme, it was… you could just go and route through it. 505 00:33:21,150 --> 00:33:29,200 With the new scheme… you… not with the official modems. 506 00:33:29,200 --> 00:33:33,450 *laughter and applause* 507 00:33:33,450 --> 00:33:39,060 *applause* 508 00:33:39,060 --> 00:33:42,860 Herald: And number 8 on the balcony. 509 00:33:42,860 --> 00:33:47,199 Q: Did you find any traces of TR-069 in this thing? 510 00:33:47,199 --> 00:33:52,450 A: I did on the AVM boxes that were secure, yeah. 511 00:33:52,450 --> 00:33:55,939 So that was the only bit that actually ended up making a lot of sense. 512 00:33:55,939 --> 00:33:59,470 TR-069 is a pretty nice standard. You basically have authenticated 513 00:33:59,470 --> 00:34:03,090 – I think it was even HTTPS – traffic that basically goes and pokes the server 514 00:34:03,090 --> 00:34:07,899 to get you a firmware update. It’s a perfectly nice way of provisioning 515 00:34:07,899 --> 00:34:10,728 such a system. It’s definitely a lot different from the usual way 516 00:34:10,728 --> 00:34:15,409 so on those DOCSIS modems, the usual way to tell it to get a new “firmware” is 517 00:34:15,409 --> 00:34:19,469 either to tell it to reboot and get a new file from the provisioning server or 518 00:34:19,469 --> 00:34:24,679 to just poke directly through SNMP to tell it: “Go to this TFTP server over there 519 00:34:24,679 --> 00:34:27,879 with this file name and flash it onto your Flash.” 520 00:34:27,879 --> 00:34:29,179 *laughter* 521 00:34:29,179 --> 00:34:35,039 No, I have not tried to spoof the privileged IP address range. 522 00:34:35,039 --> 00:34:38,610 *laughter* 523 00:34:38,610 --> 00:34:41,099 Herald: Now it’s number 4 again. 
524 00:34:41,099 --> 00:34:45,328 Q: The question I have is: 525 00:34:45,328 --> 00:34:49,259 When you tried to first contact them via Heise, 526 00:34:49,259 --> 00:34:54,339 was there any way they might have tried to 527 00:34:54,339 --> 00:34:58,470 convince you to not do the talk and if so, 528 00:34:58,470 --> 00:35:02,460 would there be an itch on your head? 529 00:35:02,460 --> 00:35:07,229 A: They did not try in any way whatsoever. Zero. 530 00:35:07,229 --> 00:35:10,319 Q: Do you think that was due to the credibility or do you think 531 00:35:10,319 --> 00:35:13,580 they thought “Oh, we screwed up”? 532 00:35:13,580 --> 00:35:20,190 A: I don’t know. I don’t think they thought any other way would work at that 533 00:35:20,190 --> 00:35:24,009 point in time. Since the press was already involved, they are not gonna pull back 534 00:35:24,009 --> 00:35:28,099 their story, there’s nothing else they can do. 535 00:35:28,099 --> 00:35:29,470 Q: Thank you again. 536 00:35:29,470 --> 00:35:34,339 Herald: Before I hand the microphone, do you want to do the entire 24 537 00:35:34,339 --> 00:35:38,009 remaining minutes Q&A or do you want to put a limit? 538 00:35:38,009 --> 00:35:41,660 A: No, I think 24 minutes Q&A is fine. We can always cap it later on, right? 539 00:35:41,660 --> 00:35:44,399 Just go and ask. Ask as much as you like. 540 00:35:44,399 --> 00:35:50,749 *applause* 541 00:35:50,749 --> 00:35:53,570 Herald: The Internet, again. 542 00:35:53,570 --> 00:35:57,499 Q: How much of this would have been possible if the modem had been 543 00:35:57,499 --> 00:36:01,729 in bridge mode? A: My modem was in bridge mode. 544 00:36:01,729 --> 00:36:04,529 *laughter* 545 00:36:04,529 --> 00:36:07,060 Herald: And number 6. 546 00:36:07,060 --> 00:36:12,049 Q: Do you have an idea how long this has been that way? 
547 00:36:12,049 --> 00:36:16,180 And do you have any specific reasons to believe 548 00:36:16,180 --> 00:36:20,759 what group of people 549 00:36:20,759 --> 00:36:25,499 might have abused these problems? 550 00:36:25,499 --> 00:36:29,289 A: I don’t know. I did not see anybody else on the network but it’s really hard 551 00:36:29,289 --> 00:36:33,819 to see someone in a sea of 3 million devices. 552 00:36:33,819 --> 00:36:38,329 I am not aware of anybody exploiting this, 553 00:36:38,329 --> 00:36:41,940 so I can only state what Vodafone said. 554 00:36:41,940 --> 00:36:45,880 And they said that nobody else did exploit those problems. 555 00:36:45,880 --> 00:36:49,660 According… as far as time… and I believe that one actually… it’s… 556 00:36:49,660 --> 00:36:51,709 I don’t think that anybody did. Which is surprising 557 00:36:51,709 --> 00:36:55,169 since this whole stuff was kind of obvious 558 00:36:55,169 --> 00:36:59,209 but apparently nobody thought of digging into their modem before. 559 00:36:59,209 --> 00:37:03,149 The one thing about the timing is: 560 00:37:03,149 --> 00:37:05,489 Apparently, they already, Kabel Deutschland, 561 00:37:05,489 --> 00:37:08,649 basically already does Internet for 10 years by now 562 00:37:08,649 --> 00:37:13,690 and there’s very little reason to believe it’s been different in the beginning. 563 00:37:13,690 --> 00:37:18,740 So it was probably vulnerable for about ten years. 564 00:37:18,740 --> 00:37:22,330 That said, in the beginning, they were not even using DOCSIS 3.0, 565 00:37:22,330 --> 00:37:25,619 which did not really do real encryption, so at the end of the day you could 566 00:37:25,619 --> 00:37:29,640 just do whatever, any ways on the network. 567 00:37:29,640 --> 00:37:35,440 Back in the day. By now, it’s only halfway complicated. 568 00:37:35,440 --> 00:37:37,999 Herald: Now number 1. 569 00:37:37,999 --> 00:37:40,779 Q: Yes, thank you for the talk, too. 
570 00:37:40,779 --> 00:37:47,040 So it’s completely possible that they may have not found out that somebody else 571 00:37:47,040 --> 00:37:52,189 accessed this before and maybe already flashed a lot of devices with another 572 00:37:52,189 --> 00:37:55,760 firmware which is still listening to his commands? 573 00:37:55,760 --> 00:37:59,270 With the new setup. Because he changed the firmware. 574 00:37:59,270 --> 00:38:03,769 A: They did not… okay, they did update the firmware at that one point in time 575 00:38:03,769 --> 00:38:06,210 when I showed that they switched to SSH. 576 00:38:06,210 --> 00:38:08,949 They did not change the firmware ever since. So 577 00:38:08,949 --> 00:38:13,679 all the services that I was talking about, they are still running on your modem. 578 00:38:13,679 --> 00:38:17,789 Q: Okay, but they can’t be sure that there is another firmware by somebody else 579 00:38:17,789 --> 00:38:23,190 on routers running. If somebody else maybe thought of making a bot net, 580 00:38:23,190 --> 00:38:26,239 before all of this came up, in the last 5 years or 10 years, 581 00:38:26,239 --> 00:38:28,459 and already controls some devices 582 00:38:28,459 --> 00:38:32,170 and they can’t be sure that their firmware is not running on those devices. 583 00:38:32,170 --> 00:38:35,739 There can be still devices somewhere controlled by somebody else. 584 00:38:35,739 --> 00:38:38,439 A: Sure. You have to, obviously, fake all the information they receive 585 00:38:38,439 --> 00:38:40,999 from the modem pretty well, otherwise they get you onto the 586 00:38:40,999 --> 00:38:46,450 security block that I am on. But if you do that correctly, 587 00:38:46,450 --> 00:38:49,089 you can probably just replace all the pieces of firmware, 588 00:38:49,089 --> 00:38:53,459 just ignore all the updates and try to behave the same way as they’d expect 589 00:38:53,459 --> 00:38:55,570 and then hope that nobody finds out. 
590 00:38:55,570 --> 00:38:58,360 It’s entirely possible – I don’t think it’s very likely 591 00:38:58,360 --> 00:38:59,869 but it is definitely entirely possible. 592 00:38:59,869 --> 00:39:03,269 Q: Let’s hope there are no more networks like this out there. 593 00:39:03,269 --> 00:39:07,099 Herald: Usually, there are no 2nd questions, 594 00:39:07,099 --> 00:39:11,139 so… we still got comfortable time 595 00:39:11,139 --> 00:39:15,089 but try to limit yourself to one question. 596 00:39:15,089 --> 00:39:17,179 Now it’s number 2. 597 00:39:17,179 --> 00:39:21,029 Q: Have you tried to change your MAC address on the DOCSIS level 598 00:39:21,029 --> 00:39:22,710 or also for the DHCP request 599 00:39:22,710 --> 00:39:25,999 or how do they do authentication of the modem over the network? 600 00:39:25,999 --> 00:39:30,279 A: So, the authentication works using certificates. 601 00:39:30,279 --> 00:39:34,389 I’m actually not sure, I haven’t read the standard on that side 602 00:39:34,389 --> 00:39:38,039 whether the MAC address is part of the certificate. I don’t know. 603 00:39:38,039 --> 00:39:42,539 If it’s not, you can easily just change it. I haven’t tried. 604 00:39:42,539 --> 00:39:49,289 But then again, the modems are – what? – 8 Euros? 605 00:39:49,289 --> 00:39:51,219 Herald: Number 7. 606 00:39:51,219 --> 00:39:55,529 Q: What other recommendations do you have 607 00:39:55,529 --> 00:40:00,309 – if someone were to have a suspicion about a vulnerability – 608 00:40:00,309 --> 00:40:05,729 for the research part and for the disclosure part? 609 00:40:05,729 --> 00:40:09,669 A: What do you have to do… I can’t give you any legal or any advice on that one. 610 00:40:09,669 --> 00:40:13,089 I can tell you that getting somebody involved 611 00:40:13,089 --> 00:40:16,129 that has done this before is a really smart idea. 612 00:40:16,129 --> 00:40:18,909 Because they’ve gone through a lot of pain points. 
613 00:40:18,909 --> 00:40:22,430 The press is even better because they have a really, really big lever 614 00:40:22,430 --> 00:40:25,780 nobody wants to be in the press for 2 months or whatever 615 00:40:25,780 --> 00:40:31,169 just on negative news that there was somebody who was legitimately trying 616 00:40:31,169 --> 00:40:35,360 to tell them to improve their network and they sued them. 617 00:40:35,360 --> 00:40:39,729 So there’s a really good chance that going via the press is going to keep 618 00:40:39,729 --> 00:40:43,959 problems away from you, but there’s no guarantee. 619 00:40:43,959 --> 00:40:50,049 I cannot give you real – I mean legal or any coherent – advice on that one. 620 00:40:50,049 --> 00:40:53,589 I would… I mean, if I would find such a thing again, I would definitely go 621 00:40:53,589 --> 00:40:57,139 the same route. I would just call up Heise and tell them and… 622 00:40:57,139 --> 00:41:00,259 That went pretty smoothly. 623 00:41:00,259 --> 00:41:03,609 And if… I mean, the really cool thing is, they actually listen to the press. 624 00:41:03,609 --> 00:41:05,630 If I had gone to the service, they would have just said 625 00:41:05,630 --> 00:41:10,800 “Sorry, wrong number, I can’t help you.” 626 00:41:10,800 --> 00:41:13,519 Herald: Now the Internet. 627 00:41:13,519 --> 00:41:17,199 Q: How did you obtain the original data? Did you use JTAG 628 00:41:17,199 --> 00:41:22,470 or dump the device’s firmware and run it virtualized? 629 00:41:22,470 --> 00:41:27,779 A: Ahhhhh. Not sure how much of that I should actually tell everybody. 630 00:41:27,779 --> 00:41:30,909 Let’s say, I replaced… 631 00:41:30,909 --> 00:41:34,150 You can actually see this on the slide, wait. 632 00:41:34,150 --> 00:41:39,049 *makes “Tchtchtchtchtch” sound* 633 00:41:39,049 --> 00:41:42,250 Oh my god, this is going to take forever. 634 00:41:42,250 --> 00:41:46,980 Okay, dududum, where’s my mouse cursor? There it is. 
635 00:41:46,980 --> 00:41:50,960 Okay… So, I got a picture of the modem… 636 00:41:50,960 --> 00:41:55,820 …here. There you go. So… 637 00:41:55,820 --> 00:41:59,799 …what you can see here, down there, the white and the yellow cables, 638 00:41:59,799 --> 00:42:02,250 those are the serial port. 639 00:42:02,250 --> 00:42:06,130 And the IDE cable up there that’s where the flash chip was 640 00:42:06,130 --> 00:42:09,499 before I started fiddling with the modem. *laughter* 641 00:42:09,499 --> 00:42:12,039 Now, the flash chip is actually in that socket up there. 642 00:42:12,039 --> 00:42:15,569 Which means I could swap the flash chip between a device I own 643 00:42:15,569 --> 00:42:18,050 – BeagleBone Black, for example, that’s a really nice spy interface 644 00:42:18,050 --> 00:42:20,479 that you could just use to write those 645 00:42:20,479 --> 00:42:22,170 – and then plug it back into the modem. 646 00:42:22,170 --> 00:42:28,049 So I could replace the firmware and get myself an initial shell. 647 00:42:28,049 --> 00:42:32,989 As I mentioned earlier, I really do not like to lose Internet access. 648 00:42:32,989 --> 00:42:37,790 So this is not the modem that I was actually using at home. 649 00:42:37,790 --> 00:42:40,769 Instead, I just used that modem to fetch a firmware image 650 00:42:40,769 --> 00:42:44,719 so I could then look and see whether there might be other bugs 651 00:42:44,719 --> 00:42:48,829 that you could use. 652 00:42:48,829 --> 00:42:51,520 Herald: Now number 8. 653 00:42:51,520 --> 00:42:54,789 Q: Earlier, you’ve said that – who was it… – 654 00:42:54,789 --> 00:42:59,469 Fritz!Box was more secure and they didn’t have the same vulnerabilities. 655 00:42:59,469 --> 00:43:03,079 Do you think they simply didn’t use hardcoded passwords and stuff. 
656 00:43:03,079 --> 00:43:07,099 So do you think they’ll be vulnerable to similar attacks and that someone 657 00:43:07,099 --> 00:43:10,670 probably, like you wouldn’t tell them, but maybe they should look into it 658 00:43:10,670 --> 00:43:14,499 or do you think that it isn’t possible and someone should, like, prove you wrong? 659 00:43:14,499 --> 00:43:17,999 A: From all I can tell, but this is… I mean, just a gut feeling that I get 660 00:43:17,999 --> 00:43:20,469 from looking at different firmware files, 661 00:43:20,469 --> 00:43:22,789 the usual way, at least the Linux based firmware 662 00:43:22,789 --> 00:43:28,629 works on those systems is that there’s TI creating a BSP 663 00:43:28,629 --> 00:43:31,920 then they give it out to Motorola. Then Motorola gives it out to CBN. 664 00:43:31,920 --> 00:43:35,729 Then CBN gives it out to Kabel Deutschland. 665 00:43:35,729 --> 00:43:40,829 And then, each party of those adds a few pieces of stuff. 666 00:43:40,829 --> 00:43:44,519 That’s the usual way it works in those devices. 667 00:43:44,519 --> 00:43:47,559 Whereas in the AVM boxes, things looked vastly different. 668 00:43:47,559 --> 00:43:49,559 There was one firmware image that even contained information 669 00:43:49,559 --> 00:43:51,970 for some Austrian provider. 670 00:43:51,970 --> 00:43:58,040 So instead of giving full control to the cable provider, 671 00:43:58,040 --> 00:44:04,860 AVM kept control on their own and actually audited the stuff they were doing. 672 00:44:04,860 --> 00:44:07,639 That’s the major difference. 673 00:44:07,639 --> 00:44:13,420 *applause* 674 00:44:13,420 --> 00:44:16,620 Herald: One more question from the Internet. 675 00:44:16,620 --> 00:44:20,499 Q: Do you know if they still use unencrypted SIP? 676 00:44:20,499 --> 00:44:24,119 A: Oh yeah. *chuckles* *slight laughter* 677 00:44:24,119 --> 00:44:27,320 A: Oh yeah. *loud laughter* 678 00:44:27,320 --> 00:44:29,519 A: Nothing in the protocols changed at all, whatsoever. 
679 00:44:29,519 --> 00:44:32,329 They really just added a few firewalls. 680 00:44:32,329 --> 00:44:37,759 So once you are on the physical layer, you can read everything you like, yes. 681 00:44:37,759 --> 00:44:42,189 Well, and you break through the DOCSIS encryption, obviously. 682 00:44:42,189 --> 00:44:45,019 Herald: Now the newly adjusted number 2. 683 00:44:45,019 --> 00:44:47,889 Q: Thank you. Mine is not so much a question 684 00:44:47,889 --> 00:44:51,149 as I’d like to add some insight and perspective to this. 685 00:44:51,149 --> 00:44:54,549 I, myself, worked for several ISPs 686 00:44:54,549 --> 00:44:57,500 and the… we… actually I worked for an ISP 687 00:44:57,500 --> 00:45:01,350 that had not this particular issue, but a similar issue. 688 00:45:01,350 --> 00:45:04,159 The way that it was fixed and 689 00:45:04,159 --> 00:45:07,030 – you can look me up, I’ve worked for several ISPs, you won’t know 690 00:45:07,030 --> 00:45:08,679 which one had this problem – 691 00:45:08,679 --> 00:45:13,709 but what was actually the fix was a simple IP check. 692 00:45:13,709 --> 00:45:17,820 So once you downloaded from the TFTP server, 693 00:45:17,820 --> 00:45:21,519 it was just checked if you did it from the IP that was suspected. 694 00:45:21,519 --> 00:45:26,910 So this issue may actually be reproducible if you can somehow 695 00:45:26,910 --> 00:45:30,429 get hold of an IP [address] you weren’t supposed to have. 696 00:45:30,429 --> 00:45:34,580 Like, say, spoof MAC address or something like that. 697 00:45:34,580 --> 00:45:39,860 That being said, I’d like to attach a comment to the whole SIP thing, too. 698 00:45:39,860 --> 00:45:45,439 You indicated that it’d be possible to silently intercept the conversations 699 00:45:45,439 --> 00:45:50,039 which is not necessarily the issue because many SIP servers 700 00:45:50,039 --> 00:45:52,860 can be configured to allow multiple endpoints 701 00:45:52,860 --> 00:45:55,879 so as the – what’d you call it? 
– 702 00:45:55,879 --> 00:45:58,419 the bad guy would be able to pick up your calls, 703 00:45:58,419 --> 00:46:01,209 you would also hear your phone calling yourself. 704 00:46:01,209 --> 00:46:04,500 A: Right, and if your phone picks up within 0.01 microseconds, 705 00:46:04,500 --> 00:46:06,970 then, yeah, there’s nothing you can do about it. 706 00:46:06,970 --> 00:46:10,070 It just rings again. That’s the point about it. 707 00:46:10,070 --> 00:46:13,609 Also, the other bit that you have on the SIP server 708 00:46:13,609 --> 00:46:17,309 is that that particular server actually only allowed one endpoint 709 00:46:17,309 --> 00:46:20,690 to be registered at a time. At least from what I could tell. 710 00:46:20,690 --> 00:46:25,170 It was some Huawei box. I don’t know. 711 00:46:25,170 --> 00:46:28,630 Herald: Number 3, please. 712 00:46:28,630 --> 00:46:30,669 Q: Yeah, I attended this talk today 713 00:46:30,669 --> 00:46:36,720 because I know that at the beginning, when DOCSIS was introduced, 714 00:46:36,720 --> 00:46:39,960 the modems were asking for the configuration file 715 00:46:39,960 --> 00:46:44,899 also over the Ethernet port which is great. 716 00:46:44,899 --> 00:46:48,339 And my question is: 717 00:46:48,339 --> 00:46:54,479 Is there a way within the DOCSIS standard so that the ISP can verify their hardware? 718 00:46:54,479 --> 00:47:00,209 I mean, you… I have seen the type and the vendor name 719 00:47:00,209 --> 00:47:06,349 and the SNMP but you can obviously spoof that. 720 00:47:06,349 --> 00:47:11,490 Of course, firmware binaries won’t run on the 721 00:47:11,490 --> 00:47:15,360 wrong hardware, but… 722 00:47:15,360 --> 00:47:17,349 A: I’m not quite sure I’m getting what you’re… 723 00:47:17,349 --> 00:47:21,889 Q: The question is: Is there a way to control for the ISP 724 00:47:21,889 --> 00:47:25,639 which hardware there is they’re using? 725 00:47:25,639 --> 00:47:27,929 A: So I come from a virtualization background. 
726 00:47:27,929 --> 00:47:31,629 And in my world, there is no such thing. It doesn’t exist. 727 00:47:31,629 --> 00:47:33,159 *slight laughter* 728 00:47:33,159 --> 00:47:38,940 Sorry. If you can somehow abstract it, you can abstract it. 729 00:47:38,940 --> 00:47:42,839 Q: OK. Herald: 8, please. 730 00:47:42,839 --> 00:47:48,189 Q: Hi. I wanted to add on the part with the MAC spoofing. 731 00:47:48,189 --> 00:47:52,129 Because I had a modem like that, like 5 years ago, 732 00:47:52,129 --> 00:47:55,709 and actually I never went inside the modem, 733 00:47:55,709 --> 00:47:59,959 but I had some applications where I needed a new IP address 734 00:47:59,959 --> 00:48:02,639 in a short period of time… 735 00:48:02,639 --> 00:48:06,779 *loud laughter* 736 00:48:06,779 --> 00:48:10,339 And I remember that actually… the thing… 737 00:48:10,339 --> 00:48:16,830 if you told the modem your MAC address, a different MAC address, 738 00:48:16,830 --> 00:48:20,979 you got different external IP addresses back then. 739 00:48:20,979 --> 00:48:24,359 I don’t know if things have changed because it was 5 years ago 740 00:48:24,359 --> 00:48:28,180 but… yeah… after what I’ve heard from you, 741 00:48:28,180 --> 00:48:30,619 I’m kind of unsure that things changed. 742 00:48:30,619 --> 00:48:33,579 A: No, I’m fairly sure this is actually accurate. From what I understand, 743 00:48:33,579 --> 00:48:37,670 I never did that myself but I heard from people who did, 744 00:48:37,670 --> 00:48:42,789 the MAC address check and the certificate check are actually separate. 
745 00:48:42,789 --> 00:48:47,910 So that if you own a valid certificate from some random dude who happens to 746 00:48:47,910 --> 00:48:52,529 actually pay for the service, and you get that certificate, 747 00:48:52,529 --> 00:48:55,609 and you’re not on the same CMTS as that guy, 748 00:48:55,609 --> 00:48:59,219 then you can actually go and, well, 749 00:48:59,219 --> 00:49:03,269 basically say that you’re him even if you have a different MAC address. 750 00:49:03,269 --> 00:49:06,260 Which then, again, implies that if you change the MAC address, you can just 751 00:49:06,260 --> 00:49:09,060 be somebody else. Which then again implies that… 752 00:49:09,060 --> 00:49:13,609 maybe you can actually go and get somebody else’s Provisioning Files, yeah. 753 00:49:13,609 --> 00:49:15,449 *slight laughter* 754 00:49:15,449 --> 00:49:18,409 Q: Well, yeah… not up to you. 755 00:49:18,409 --> 00:49:20,459 A: Not going to try out. 756 00:49:20,459 --> 00:49:22,319 Herald: Number 2, please. 757 00:49:22,319 --> 00:49:28,009 Q: Yeah, you had this one with one particular provider 758 00:49:28,009 --> 00:49:30,389 and I happen to know that there’s a second provider 759 00:49:30,389 --> 00:49:36,019 using the same technology in Germany: were they somehow involved in this loop? 760 00:49:36,019 --> 00:49:40,260 I mean, it took Kabel Deutschland two months to fix this and… 761 00:49:40,260 --> 00:49:42,109 A: No, but they better hurry up! 762 00:49:42,109 --> 00:49:45,870 *laughter and applause* 763 00:49:45,870 --> 00:49:48,130 Q: Thanks! *applause* 764 00:49:48,130 --> 00:49:53,689 A: And, quite frankly, I do not believe 765 00:49:53,689 --> 00:49:58,489 that this is limited to Germany at all, whatsoever. 766 00:49:58,489 --> 00:50:06,949 So… Yeah. Let’s see who’s faster. 767 00:50:06,949 --> 00:50:08,950 Alright, end of questions, right? Or is there any…? 768 00:50:08,950 --> 00:50:11,359 Herald: It looks like we’re at the end of questions. 
769 00:50:11,359 --> 00:50:13,279 The Internet maybe…? 770 00:50:13,279 --> 00:50:15,520 No, the Internet doesn’t have any questions. 771 00:50:15,520 --> 00:50:17,730 There are 8 empty microphones. 772 00:50:17,730 --> 00:50:24,800 So thank you very much for your talk and thank you very much for the Q&A. 773 00:50:24,800 --> 00:50:30,954 *applause* 774 00:50:30,954 --> 00:50:34,904 *postroll music* 775 00:50:34,904 --> 00:50:41,841 Subtitles created by c3subtitles.de in 2016. Join and help us!
