0
00:00:00,000 --> 00:00:30,000
Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/391 Thanks!

1
00:00:09,220 --> 00:00:11,469
So just a quick show of hands,

2
00:00:11,470 --> 00:00:13,779
who here has seen the two-minute

3
00:00:13,780 --> 00:00:14,780
video?

4
00:00:16,100 --> 00:00:18,319
We've got like, yeah, that's

5
00:00:18,320 --> 00:00:20,359
a good enough percentage for now, so I'm

6
00:00:20,360 --> 00:00:21,469
just going to hit it off.

7
00:00:26,660 --> 00:00:29,299
It takes a lot to make a stew,

8
00:00:29,300 --> 00:00:31,549
a pinch of salt and laughter too,

9
00:00:31,550 --> 00:00:33,979
a scoop

10
00:00:33,980 --> 00:00:36,199
of kids to add the spice, a

11
00:00:36,200 --> 00:00:37,600
lot of love to make it nice.

12
00:00:54,130 --> 00:00:56,229
When it comes to me

13
00:00:57,800 --> 00:01:00,040
and her and the baby too.

14
00:01:21,190 --> 00:01:23,529
Too many good families

15
00:01:23,530 --> 00:01:25,829
like soup and everyone

16
00:01:27,070 --> 00:01:29,529
school makes an ounce

17
00:01:29,530 --> 00:01:31,959
of smile, so sweet,

18
00:01:31,960 --> 00:01:32,960
cool.

19
00:01:49,270 --> 00:01:51,610
All right, so

20
00:01:52,690 --> 00:01:54,759
for those of you who have

21
00:01:54,760 --> 00:01:56,949
no idea what you just saw, Too

22
00:01:56,950 --> 00:01:59,589
Many Cooks is a TV skit

23
00:01:59,590 --> 00:02:02,439
that went viral a few months ago,

24
00:02:02,440 --> 00:02:04,539
and we think you should watch it

25
00:02:04,540 --> 00:02:05,889
if you haven't.

26
00:02:05,890 --> 00:02:07,959
So if you've seen it, you can enjoy

27
00:02:07,960 --> 00:02:09,249
some references throughout this

28
00:02:09,250 --> 00:02:11,229
presentation. And if you haven't, then

29
00:02:11,230 --> 00:02:13,270
you can just laugh at the funny pictures.
30
00:02:15,820 --> 00:02:18,009
OK, so who are

31
00:02:18,010 --> 00:02:19,449
we? So we're the Malware and

32
00:02:19,450 --> 00:02:20,769
Vulnerability Research Group at

33
00:02:20,770 --> 00:02:22,869
Check Point, um,

34
00:02:22,870 --> 00:02:24,049
what do we do here?

35
00:02:24,050 --> 00:02:26,259
Uh, we have this marketing

36
00:02:26,260 --> 00:02:28,669
slogan that says we secure

37
00:02:28,670 --> 00:02:30,909
the Internet and we actually try to do

38
00:02:30,910 --> 00:02:33,249
that by finding problems, telling

39
00:02:33,250 --> 00:02:34,839
the vendors and sharing them with the

40
00:02:34,840 --> 00:02:36,189
community, which is exactly what we're

41
00:02:36,190 --> 00:02:37,190
trying to do here.

42
00:02:38,070 --> 00:02:40,169
So let's talk about what's

43
00:02:40,170 --> 00:02:41,170
in store for today.

44
00:02:43,230 --> 00:02:45,299
We'll very quickly go through what

45
00:02:45,300 --> 00:02:47,669
TR-069 is

46
00:02:47,670 --> 00:02:49,679
and explain a little of what we talked

47
00:02:49,680 --> 00:02:51,929
about last DEF CON,

48
00:02:51,930 --> 00:02:53,939
which will lead us to the motivation

49
00:02:53,940 --> 00:02:55,739
behind the research that we're presenting

50
00:02:55,740 --> 00:02:58,049
today. We'll talk about that,

51
00:02:58,050 --> 00:03:01,269
the TR-069 Census 2014.

52
00:03:01,270 --> 00:03:03,179
We'll give you the interesting bits of

53
00:03:03,180 --> 00:03:04,769
our research story and some technical

54
00:03:04,770 --> 00:03:06,179
details.

55
00:03:06,180 --> 00:03:08,129
Then we'll continue to show what can only

56
00:03:08,130 --> 00:03:10,289
be described as mass pwnage

57
00:03:10,290 --> 00:03:12,419
and then conclude

58
00:03:12,420 --> 00:03:14,519
talking about why this won't go away

59
00:03:14,520 --> 00:03:15,520
so quickly.
60
00:03:17,230 --> 00:03:19,509
So, TR-069.

61
00:03:19,510 --> 00:03:22,119
TR is actually like an RFC,

62
00:03:22,120 --> 00:03:24,279
it stands for Technical Report,

63
00:03:24,280 --> 00:03:26,500
and this is technical report number 069

64
00:03:27,730 --> 00:03:29,889
and this defines the CPE

65
00:03:29,890 --> 00:03:32,769
WAN Management Protocol, where

66
00:03:32,770 --> 00:03:34,719
CPE is consumer premises equipment,

67
00:03:34,720 --> 00:03:36,159
that would be the home routers that you

68
00:03:36,160 --> 00:03:37,209
have at home.

69
00:03:37,210 --> 00:03:39,399
And this

70
00:03:39,400 --> 00:03:41,799
was, you know, this was released in 2004

71
00:03:41,800 --> 00:03:43,959
by the Broadband Forum, which

72
00:03:43,960 --> 00:03:45,609
is a group of companies working to define

73
00:03:45,610 --> 00:03:47,349
broadband standards.

74
00:03:47,350 --> 00:03:48,759
And then there were a few amendments so

75
00:03:48,760 --> 00:03:49,659
far.

76
00:03:49,660 --> 00:03:51,789
But remember that this was released

77
00:03:51,790 --> 00:03:53,020
just 10 years ago.

78
00:03:54,280 --> 00:03:56,199
And this is what ISPs use to provision

79
00:03:56,200 --> 00:03:57,699
your device. This is what's called the

80
00:03:57,700 --> 00:03:59,949
zero-touch configuration.

81
00:03:59,950 --> 00:04:02,139
It's used to monitor your device for

82
00:04:02,140 --> 00:04:04,569
faults or malicious activity and

83
00:04:04,570 --> 00:04:06,639
configure anything they want in

84
00:04:06,640 --> 00:04:08,799
your home, including getting your

85
00:04:08,800 --> 00:04:10,779
MAC addresses and host names for anything

86
00:04:10,780 --> 00:04:12,339
on your network, creating additional

87
00:04:12,340 --> 00:04:14,439
Wi-Fi networks, and going as

88
00:04:14,440 --> 00:04:16,209
far as deploying new firmware.
89
00:04:19,149 --> 00:04:21,789
So this is how TR-069 sessions

90
00:04:21,790 --> 00:04:24,009
or provisioning sessions

91
00:04:24,010 --> 00:04:26,319
look like. So on the right side, we have

92
00:04:26,320 --> 00:04:28,659
the CPE, right, the consumer premises

93
00:04:28,660 --> 00:04:31,329
equipment, the TR-069 client.

94
00:04:31,330 --> 00:04:33,219
That would be your home router.

95
00:04:33,220 --> 00:04:34,629
On the left side, we have the TR-

96
00:04:34,630 --> 00:04:36,699
069 server, which is called

97
00:04:36,700 --> 00:04:38,949
an ACS or an auto configuration

98
00:04:38,950 --> 00:04:41,169
server, and

99
00:04:41,170 --> 00:04:43,509
they talk in basic SOAP RPC, which is

100
00:04:43,510 --> 00:04:45,279
XML over HTTP.

101
00:04:45,280 --> 00:04:46,899
And it's important to mention that the

102
00:04:46,900 --> 00:04:49,029
client always initiates

103
00:04:49,030 --> 00:04:51,159
the connection, which is a single

104
00:04:51,160 --> 00:04:53,349
TCP connection over which

105
00:04:53,350 --> 00:04:54,939
RPCs are called back and forth.

106
00:04:54,940 --> 00:04:57,269
So the client begins

107
00:04:57,270 --> 00:04:59,409
with an Inform telling the server why

108
00:04:59,410 --> 00:05:01,149
this session was initiated.

109
00:05:01,150 --> 00:05:03,579
And the ACS follows with provisioning

110
00:05:03,580 --> 00:05:05,829
functions such as GetParameter-

111
00:05:05,830 --> 00:05:08,919
Values and SetParameterValues.

112
00:05:08,920 --> 00:05:10,329
It's pretty simple when you think about

113
00:05:10,330 --> 00:05:11,330
it.

114
00:05:12,270 --> 00:05:15,029
So there is a dual authentication

115
00:05:15,030 --> 00:05:16,679
mechanism: the CPE should make sure

116
00:05:16,680 --> 00:05:18,539
that it's talking to a verified ACS and the

117
00:05:18,540 --> 00:05:20,729
ACS should only accept sessions

118
00:05:20,730 --> 00:05:23,099
from authenticated CPEs.
119
00:05:23,100 --> 00:05:25,229
And now there's a slight thing

120
00:05:25,230 --> 00:05:27,029
called the connection request that the ACS

121
00:05:27,030 --> 00:05:28,829
can issue. And we'll talk about that.

122
00:05:30,410 --> 00:05:33,319
So talking about the findings so far,

123
00:05:33,320 --> 00:05:35,989
we presented this at DEF CON 22.

124
00:05:35,990 --> 00:05:37,849
Our research uncovered implementation and

125
00:05:37,850 --> 00:05:40,939
configuration flaws in many ISPs'

126
00:05:40,940 --> 00:05:42,229
ACS deployments.

127
00:05:42,230 --> 00:05:44,569
So ACSs are a single point

128
00:05:44,570 --> 00:05:46,789
of pwnage in modern ISP

129
00:05:46,790 --> 00:05:49,039
infrastructure, and many TR-069

130
00:05:49,040 --> 00:05:50,779
implementations just aren't serious

131
00:05:50,780 --> 00:05:52,369
enough. We found vulnerabilities in

132
00:05:52,370 --> 00:05:54,589
several products, and that

133
00:05:54,590 --> 00:05:56,389
leads to ISP fleet takeover.

134
00:06:00,380 --> 00:06:02,629
So you remember that connection

135
00:06:02,630 --> 00:06:04,729
request thing, and this

136
00:06:04,730 --> 00:06:07,129
is straight from the TR-069 specification:

137
00:06:07,130 --> 00:06:09,529
the ACS may at any time

138
00:06:09,530 --> 00:06:11,719
request that the CPE initiate a

139
00:06:11,720 --> 00:06:14,119
connection to the ACS using

140
00:06:14,120 --> 00:06:16,279
the connection request notification

141
00:06:16,280 --> 00:06:18,529
mechanism. Support for this mechanism is

142
00:06:18,530 --> 00:06:21,079
required in a CPE.

143
00:06:21,080 --> 00:06:24,049
Right, straight from the specification.

144
00:06:24,050 --> 00:06:26,149
In fact, every TR-069

145
00:06:26,150 --> 00:06:28,399
client in the world is

146
00:06:28,400 --> 00:06:30,919
also a connection request server.
147
00:06:32,310 --> 00:06:34,589
On which port, you ask? And as it turns

148
00:06:34,590 --> 00:06:36,689
out, IANA assigned 7547

149
00:06:36,690 --> 00:06:38,879
for all TR-069

150
00:06:38,880 --> 00:06:41,309
uses, including the Connection

151
00:06:41,310 --> 00:06:43,289
Request port, and this is a widely used

152
00:06:43,290 --> 00:06:44,290
default.

153
00:06:45,200 --> 00:06:47,299
And let's talk, let's look at

154
00:06:47,300 --> 00:06:49,189
some very interesting research released

155
00:06:49,190 --> 00:06:51,379
last year from the

156
00:06:51,380 --> 00:06:53,809
ZMap guys, which is Zakir Durumeric

157
00:06:53,810 --> 00:06:55,099
and his friends from University of

158
00:06:55,100 --> 00:06:57,169
Michigan, and he's talking

159
00:06:57,170 --> 00:06:59,269
like in a couple hours, and

160
00:06:59,270 --> 00:07:01,399
they actually scanned two million

161
00:07:01,400 --> 00:07:03,559
random addresses on every port, up

162
00:07:03,560 --> 00:07:05,749
to almost 10000.

163
00:07:05,750 --> 00:07:07,849
And they found that CWMP

164
00:07:07,850 --> 00:07:10,339
or the TR-069 port

165
00:07:10,340 --> 00:07:12,529
is in fact the second most

166
00:07:12,530 --> 00:07:15,289
popular open port in the world,

167
00:07:15,290 --> 00:07:17,929
with 1.12 percent

168
00:07:17,930 --> 00:07:21,289
of the Internet listening on that port.

169
00:07:21,290 --> 00:07:22,879
So, again, this is for a protocol that

170
00:07:22,880 --> 00:07:24,319
was invented 10 years ago.

171
00:07:24,320 --> 00:07:25,320
So think about that.

172
00:07:26,510 --> 00:07:28,759
And you know, how many devices

173
00:07:28,760 --> 00:07:31,129
are 1.12 percent,

174
00:07:31,130 --> 00:07:33,469
you know, out of the public Internet?
175
00:07:33,470 --> 00:07:35,539
This is around 45 million

176
00:07:35,540 --> 00:07:37,819
devices estimated that listen

177
00:07:37,820 --> 00:07:39,469
on 7547, you know,

178
00:07:39,470 --> 00:07:41,660
from a vulnerability research perspective,

179
00:07:42,800 --> 00:07:45,109
and no matter how hard we looked, no

180
00:07:45,110 --> 00:07:47,419
one is talking about this service

181
00:07:47,420 --> 00:07:49,040
and there has to be something there.

182
00:07:51,430 --> 00:07:53,679
So let's review the top two

183
00:07:53,680 --> 00:07:55,299
open ports in the world. So previous

184
00:07:55,300 --> 00:07:57,219
research has given us this image.

185
00:07:57,220 --> 00:07:59,469
So on port 80, 70 million

186
00:07:59,470 --> 00:08:01,779
devices, about 50

187
00:08:01,780 --> 00:08:03,789
percent of which are Web servers, you

188
00:08:03,790 --> 00:08:05,889
know, regular Web servers with

189
00:08:05,890 --> 00:08:07,899
Apache leading the bunch, you got your

190
00:08:07,900 --> 00:08:10,149
nginx, your IIS, and then a small

191
00:08:10,150 --> 00:08:13,059
percentage for the rest, including

192
00:08:13,060 --> 00:08:15,219
LiteSpeed and the Google dedicated

193
00:08:15,220 --> 00:08:16,689
servers.

194
00:08:16,690 --> 00:08:19,209
And the other 50 percent

195
00:08:19,210 --> 00:08:21,279
are simply those Internet of

196
00:08:21,280 --> 00:08:22,509
Things devices, right?

197
00:08:22,510 --> 00:08:23,899
Most of them are routers.

198
00:08:23,900 --> 00:08:26,079
You got your webcams, you got your voice

199
00:08:26,080 --> 00:08:27,429
over IP phones.

200
00:08:27,430 --> 00:08:29,349
And of course, let's not forget about all

201
00:08:29,350 --> 00:08:31,269
the IPv4-enabled toasters out there.
202
00:08:34,059 --> 00:08:35,319
So, by the way, people start

203
00:08:35,320 --> 00:08:37,629
understanding that leaving these

204
00:08:37,630 --> 00:08:39,729
things open to the WAN is

205
00:08:39,730 --> 00:08:40,989
dangerous.

206
00:08:40,990 --> 00:08:42,519
And luckily, we're seeing more and

207
00:08:42,520 --> 00:08:45,729
more devices updated to have port access

208
00:08:45,730 --> 00:08:47,559
on the LAN only.

209
00:08:47,560 --> 00:08:49,659
Now, remember that not

210
00:08:49,660 --> 00:08:51,879
only is there diversity in the server

211
00:08:51,880 --> 00:08:53,919
software, it's also being used for

212
00:08:53,920 --> 00:08:55,659
different uses: serving, I mean, surfing

213
00:08:55,660 --> 00:08:57,999
websites, all sorts of cloud services

214
00:08:58,000 --> 00:08:59,589
and then management interfaces for each

215
00:08:59,590 --> 00:09:02,049
device. You know, it's a messy landscape.

216
00:09:03,500 --> 00:09:05,299
But looking at port 7547,

217
00:09:05,300 --> 00:09:07,489
you know, we have

218
00:09:07,490 --> 00:09:10,249
an estimated 45 million devices

219
00:09:10,250 --> 00:09:12,439
and these are all Internet

220
00:09:12,440 --> 00:09:14,599
of Things devices, you know, listening on

221
00:09:14,600 --> 00:09:16,459
their connection request port.

222
00:09:16,460 --> 00:09:17,629
There's nothing else there.

223
00:09:17,630 --> 00:09:20,149
It's just devices waiting

224
00:09:20,150 --> 00:09:21,649
for connection requests.

225
00:09:22,700 --> 00:09:24,379
So this landscape is much clearer.

226
00:09:24,380 --> 00:09:26,179
And remember, we're looking for

227
00:09:26,180 --> 00:09:28,339
security issues here

228
00:09:28,340 --> 00:09:29,749
and we're looking to find, you know,

229
00:09:29,750 --> 00:09:32,239
significant numbers affected.
230
00:09:32,240 --> 00:09:34,219
So as a first step, we needed

231
00:09:34,220 --> 00:09:36,559
to stop guessing

232
00:09:36,560 --> 00:09:38,059
and estimating.

233
00:09:38,060 --> 00:09:40,669
So we conducted the

234
00:09:40,670 --> 00:09:43,969
TR-069 Census 2014.

235
00:09:43,970 --> 00:09:46,159
And, you know, we scanned

236
00:09:46,160 --> 00:09:48,379
7547 on the entire

237
00:09:48,380 --> 00:09:50,119
IPv4 address space.

238
00:09:50,120 --> 00:09:52,369
And we did this last month,

239
00:09:52,370 --> 00:09:53,989
a few times actually, with the

240
00:09:53,990 --> 00:09:55,939
gracious help of some good friends over

241
00:09:55,940 --> 00:09:57,979
at Rapid7 and University of

242
00:09:57,980 --> 00:09:59,779
Michigan who contributed to

243
00:09:59,780 --> 00:10:01,279
this research. So thanks, guys.

244
00:10:02,780 --> 00:10:05,209
And the results are:

245
00:10:05,210 --> 00:10:07,279
1.18 percent of the

246
00:10:07,280 --> 00:10:09,199
public Internet responds on

247
00:10:09,200 --> 00:10:10,399
7547.

248
00:10:10,400 --> 00:10:12,799
So we actually communicated with

249
00:10:12,800 --> 00:10:14,959
46,093,733

250
00:10:14,960 --> 00:10:17,569
devices

251
00:10:17,570 --> 00:10:20,089
who answered our benign requests

252
00:10:20,090 --> 00:10:21,780
for GET /.

253
00:10:23,510 --> 00:10:25,459
So these are all over the world.

254
00:10:25,460 --> 00:10:27,949
And it's not just one country

255
00:10:27,950 --> 00:10:30,349
who accidentally left this port open.

256
00:10:30,350 --> 00:10:33,439
It's 189 countries,

257
00:10:33,440 --> 00:10:34,819
which makes sense when you remember, you

258
00:10:34,820 --> 00:10:37,399
know, it's a protocol requirement

259
00:10:37,400 --> 00:10:39,529
to leave this port open

260
00:10:39,530 --> 00:10:40,949
for the ACS.
261
00:10:40,950 --> 00:10:43,549
Um, and just a small note,

262
00:10:43,550 --> 00:10:45,679
the 0.06 percent

263
00:10:45,680 --> 00:10:48,139
increase from last year is actually

264
00:10:48,140 --> 00:10:49,999
2.2 million devices added in a

265
00:10:50,000 --> 00:10:52,249
year, which is showing

266
00:10:52,250 --> 00:10:53,839
us a nice trend. And numbers are still on

267
00:10:53,840 --> 00:10:54,840
the rise.

268
00:10:57,680 --> 00:10:59,929
So we're set on finding an issue

269
00:10:59,930 --> 00:11:02,029
with TR-069 client-side

270
00:11:02,030 --> 00:11:04,219
implementations, and

271
00:11:04,220 --> 00:11:06,049
the natural thing to do at this point is

272
00:11:06,050 --> 00:11:08,389
look at what implementations we're seeing

273
00:11:08,390 --> 00:11:09,390
out there.

274
00:11:11,540 --> 00:11:14,329
So we categorize the responses

275
00:11:14,330 --> 00:11:16,669
and sum up the numbers and we get this.

276
00:11:20,860 --> 00:11:23,079
So we have five main connection request

277
00:11:23,080 --> 00:11:25,209
servers out there, but it's very

278
00:11:25,210 --> 00:11:27,549
clear that this thing called

279
00:11:27,550 --> 00:11:29,679
RomPager, you know, is leading

280
00:11:29,680 --> 00:11:31,959
the pack, and I

281
00:11:31,960 --> 00:11:34,059
think that means that we got

282
00:11:34,060 --> 00:11:35,060
ourselves a target.

283
00:11:38,610 --> 00:11:40,889
So what is RomPager?

284
00:11:40,890 --> 00:11:43,109
It's an embedded HTTP server by

285
00:11:43,110 --> 00:11:46,049
Allegro Software, it's a Massachusetts-

286
00:11:46,050 --> 00:11:48,359
based company, that's optimized

287
00:11:48,360 --> 00:11:50,129
for minimal environments.

288
00:11:50,130 --> 00:11:51,839
It's a small binary, small memory

289
00:11:51,840 --> 00:11:53,369
requirements.

290
00:11:53,370 --> 00:11:55,500
It was first introduced in 1996.
291
00:11:57,270 --> 00:11:59,129
And, you know, there have been many versions

292
00:11:59,130 --> 00:12:01,220
since. The current version is 5.4.

293
00:12:02,610 --> 00:12:04,169
But then, you know, now that we've

294
00:12:04,170 --> 00:12:05,819
decided that we're going after this Rom-

295
00:12:05,820 --> 00:12:08,489
Pager, we need to see what versions

296
00:12:08,490 --> 00:12:09,749
are out there.

297
00:12:09,750 --> 00:12:13,139
And this will help us focus our efforts.

298
00:12:13,140 --> 00:12:14,909
So we run the short script again.

299
00:12:14,910 --> 00:12:17,189
And, you know, we actually see

300
00:12:17,190 --> 00:12:19,589
just four different RomPager

301
00:12:19,590 --> 00:12:21,779
versions out there,

302
00:12:21,780 --> 00:12:23,339
you know, and you'd expect this sort of

303
00:12:23,340 --> 00:12:25,919
normal distribution of these versions

304
00:12:25,920 --> 00:12:27,059
in the wild.

305
00:12:27,060 --> 00:12:29,220
And instead we get this.

306
00:12:30,420 --> 00:12:32,489
So, 98.04

307
00:12:32,490 --> 00:12:34,829
percent

308
00:12:34,830 --> 00:12:36,929
of the identified devices

309
00:12:36,930 --> 00:12:40,229
are version 4.07,

310
00:12:40,230 --> 00:12:41,669
which is a pretty old version, too.

311
00:12:41,670 --> 00:12:43,859
So, you know, this

312
00:12:43,860 --> 00:12:44,999
is where I grew suspicious.

313
00:12:45,000 --> 00:12:46,290
Right. I mean,

314
00:12:47,400 --> 00:12:49,409
what can explain this incredible

315
00:12:49,410 --> 00:12:52,289
popularity of a single version?

316
00:12:52,290 --> 00:12:53,969
And how could it be, like a batch of old

317
00:12:53,970 --> 00:12:56,219
devices at a single ISP or something?

318
00:12:56,220 --> 00:12:58,809
Which is, we don't know it yet.

319
00:12:58,810 --> 00:13:00,359
And this really piques our interest.

320
00:13:00,360 --> 00:13:01,370
So we have to find out.
321
00:13:03,940 --> 00:13:06,009
So we went ahead and we bought

322
00:13:06,010 --> 00:13:08,439
a new TP-Link router,

323
00:13:08,440 --> 00:13:10,539
and we unbox it, we plug it in,

324
00:13:10,540 --> 00:13:12,849
we connect it to our network, you know,

325
00:13:12,850 --> 00:13:15,099
and it's running RomPager

326
00:13:15,100 --> 00:13:16,100
4.07.

327
00:13:17,860 --> 00:13:19,599
So we thought, you know, maybe this is an

328
00:13:19,600 --> 00:13:20,829
old version of the device.

329
00:13:20,830 --> 00:13:22,809
You know, it has, like, an old

330
00:13:22,810 --> 00:13:24,459
version of RomPager or so.

331
00:13:24,460 --> 00:13:26,619
We downloaded the latest firmware

332
00:13:26,620 --> 00:13:27,879
from the TP-Link website.

333
00:13:27,880 --> 00:13:30,159
You know, we flash it, we reboot, and

334
00:13:30,160 --> 00:13:32,530
it's still RomPager 4.07.

335
00:13:34,260 --> 00:13:35,340
So, I mean,

336
00:13:36,570 --> 00:13:38,669
what, um, you know, at

337
00:13:38,670 --> 00:13:41,909
this point, we start understanding

338
00:13:41,910 --> 00:13:44,339
the popularity of the four point...

339
00:13:44,340 --> 00:13:46,229
I mean, the 4.07 version. I mean, we

340
00:13:46,230 --> 00:13:48,869
have no idea why it's there

341
00:13:48,870 --> 00:13:51,299
yet. But if it's somehow embedded

342
00:13:51,300 --> 00:13:53,699
into brand new devices off the shelf,

343
00:13:53,700 --> 00:13:56,249
you know, with the most recent firmware,

344
00:13:56,250 --> 00:13:58,409
then that could certainly explain, you

345
00:13:58,410 --> 00:14:00,059
know, why we're seeing so many of them.

346
00:14:02,100 --> 00:14:04,169
But let's try something here.

347
00:14:04,170 --> 00:14:05,999
Does anyone in the audience happen to

348
00:14:06,000 --> 00:14:09,239
have an unopened brand new router

349
00:14:09,240 --> 00:14:10,240
anyway?

350
00:14:10,560 --> 00:14:12,839
Oh, what a coincidence.
351
00:14:12,840 --> 00:14:13,769
What a coincidence.

352
00:14:13,770 --> 00:14:14,939
Thank you.

353
00:14:14,940 --> 00:14:16,049
Thank you.

354
00:14:16,050 --> 00:14:17,429
Thank you very much.

355
00:14:17,430 --> 00:14:18,659
Oh, wow.

356
00:14:18,660 --> 00:14:19,859
I thank you,

357
00:14:19,860 --> 00:14:20,860
kind stranger.

358
00:14:22,840 --> 00:14:24,369
You're very nice.

359
00:14:24,370 --> 00:14:27,259
You don't work for me at all, so

360
00:14:27,260 --> 00:14:29,529
I'm going to do something

361
00:14:29,530 --> 00:14:30,530
with that later.

362
00:14:35,470 --> 00:14:37,569
OK, so, you know, we dove

363
00:14:37,570 --> 00:14:40,239
into this RomPager 4.07

364
00:14:40,240 --> 00:14:42,669
and this was released in 2002,

365
00:14:44,560 --> 00:14:46,479
so, you know, it seems to run a whole

366
00:14:46,480 --> 00:14:48,759
bunch of devices and,

367
00:14:48,760 --> 00:14:50,769
you know, we return to our scan data and

368
00:14:50,770 --> 00:14:52,689
we start counting.

369
00:14:52,690 --> 00:14:54,969
And so we have

370
00:14:54,970 --> 00:14:57,069
2.2 million devices

371
00:14:57,070 --> 00:14:59,379
serving RomPager 4.07

372
00:14:59,380 --> 00:15:01,629
on port 80 and

373
00:15:01,630 --> 00:15:03,879
11.3 million devices

374
00:15:03,880 --> 00:15:05,769
on 7547.

375
00:15:07,190 --> 00:15:09,140
And, you know, suddenly we're like,

376
00:15:10,230 --> 00:15:12,699
wait, there are 12 million

377
00:15:12,700 --> 00:15:14,949
devices out there with this

378
00:15:14,950 --> 00:15:17,409
very specific version,

379
00:15:17,410 --> 00:15:19,359
you know, of a Web server that was

380
00:15:19,360 --> 00:15:21,609
released in 2002,

381
00:15:21,610 --> 00:15:23,949
listening on the WAN.
382
00:15:23,950 --> 00:15:25,999
Yes, I mean, yes, this is like, this is

383
00:15:26,000 --> 00:15:27,939
the perfect vulnerability research

384
00:15:27,940 --> 00:15:28,940
candidate

385
00:15:30,910 --> 00:15:33,190
and, you know, zooming out for a moment,

386
00:15:34,330 --> 00:15:36,009
this is, to the best of our knowledge,

387
00:15:36,010 --> 00:15:38,349
the most popular specific version

388
00:15:38,350 --> 00:15:40,899
of any network application service

389
00:15:40,900 --> 00:15:43,209
currently available online on the public

390
00:15:43,210 --> 00:15:44,210
Internet.

391
00:15:45,220 --> 00:15:46,539
You know, this specific version is

392
00:15:46,540 --> 00:15:49,809
deployed on 200 different devices

393
00:15:49,810 --> 00:15:51,699
from 50 different brands.

394
00:15:53,440 --> 00:15:55,749
We are going to do whatever

395
00:15:55,750 --> 00:15:58,359
it takes to pwn RomPager

396
00:15:58,360 --> 00:15:59,360
4.07.

397
00:16:02,350 --> 00:16:04,359
Let me hand it over to Lior.

398
00:16:07,310 --> 00:16:09,569
OK, oh, so

399
00:16:09,570 --> 00:16:11,989
hi, my name is Lior, and

400
00:16:11,990 --> 00:16:14,269
I will walk you through the process of

401
00:16:14,270 --> 00:16:16,549
how I analyzed the RomPager

402
00:16:16,550 --> 00:16:18,889
firmware and some interesting

403
00:16:18,890 --> 00:16:20,190
results I found on the way.

404
00:16:21,320 --> 00:16:23,389
So at the beginning, I only have the

405
00:16:23,390 --> 00:16:25,609
firmware file itself, which was

406
00:16:25,610 --> 00:16:27,649
downloaded from the vendor website.

407
00:16:27,650 --> 00:16:29,809
In our case, it was TP-Link.

408
00:16:29,810 --> 00:16:31,949
On first glance, the firmware

409
00:16:31,950 --> 00:16:34,339
file is looking like a big blob of

410
00:16:34,340 --> 00:16:35,509
compressed data.
411
00:16:35,510 --> 00:16:37,639
And as any rookie firmware analyst

412
00:16:37,640 --> 00:16:39,799
knows, the first thing you need

413
00:16:39,800 --> 00:16:41,719
to do is to binwalk.

414
00:16:41,720 --> 00:16:43,069
Binwalk is your friend. OK.

415
00:16:43,070 --> 00:16:45,109
It's this great tool developed by

416
00:16:45,110 --> 00:16:47,389
devttys0, which recognizes

417
00:16:47,390 --> 00:16:49,519
and unpacks most of the

418
00:16:49,520 --> 00:16:50,869
common firmware files.

419
00:16:50,870 --> 00:16:53,329
So luckily for us, it easily

420
00:16:53,330 --> 00:16:56,000
recognized and extracted four files.

421
00:16:57,050 --> 00:16:59,209
So we have the bootloader, we

422
00:16:59,210 --> 00:17:02,089
have the vendor logo in the GIF images

423
00:17:02,090 --> 00:17:03,730
and the main binary.

424
00:17:06,470 --> 00:17:08,389
So after I got the first firmware, I

425
00:17:08,390 --> 00:17:10,338
decided I needed some more firmware which

426
00:17:10,339 --> 00:17:12,559
contained RomPager 4.0-

427
00:17:12,560 --> 00:17:14,868
7. So I downloaded some more

428
00:17:14,869 --> 00:17:17,118
and some more and some more.

429
00:17:17,119 --> 00:17:19,338
And I see that each and every one of them

430
00:17:19,339 --> 00:17:21,078
had the same ZynOS

431
00:17:21,079 --> 00:17:23,149
and also the same architecture,

432
00:17:23,150 --> 00:17:24,679
which was MIPS.

433
00:17:24,680 --> 00:17:27,709
So why this RomPager 4.07

434
00:17:27,710 --> 00:17:29,869
looks so similar, at this point

435
00:17:29,870 --> 00:17:32,659
I have no idea whatsoever,

436
00:17:32,660 --> 00:17:34,909
eh? So one

437
00:17:34,910 --> 00:17:36,979
may ask himself, what is

438
00:17:36,980 --> 00:17:38,449
this ZynOS

439
00:17:38,450 --> 00:17:39,709
we are seeing in all the firmwares?
440
00:17:39,710 --> 00:17:41,929
So ZynOS is an

441
00:17:41,930 --> 00:17:44,059
embedded OS created by ZyXEL,

442
00:17:44,060 --> 00:17:46,909
which is a major Taiwanese DSL vendor.

443
00:17:46,910 --> 00:17:48,949
You know, this is an RTOS, a

444
00:17:48,950 --> 00:17:51,349
real-time OS, which means it's

445
00:17:51,350 --> 00:17:53,749
a very basic operating system without

446
00:17:53,750 --> 00:17:56,449
any filesystem or permissions mechanism.

447
00:17:56,450 --> 00:17:58,639
Just one big binary file responsible

448
00:17:58,640 --> 00:17:59,640
for everything.

449
00:18:00,620 --> 00:18:02,509
When you Google ZynOS, you also see

450
00:18:02,510 --> 00:18:04,579
that ZynOS has a very interesting

451
00:18:04,580 --> 00:18:06,889
rom-0 vulnerability

452
00:18:06,890 --> 00:18:08,989
discovered last year, which allows an

453
00:18:08,990 --> 00:18:11,689
attacker to get the router credentials

454
00:18:11,690 --> 00:18:14,329
by downloading the entire,

455
00:18:14,330 --> 00:18:16,759
the entire, sorry,

456
00:18:16,760 --> 00:18:18,619
by downloading the entire configuration

457
00:18:18,620 --> 00:18:21,139
file from the router without

458
00:18:21,140 --> 00:18:22,759
any authorization.

459
00:18:22,760 --> 00:18:24,929
All it takes is for the web port to be open,

460
00:18:24,930 --> 00:18:27,439
port 80, and the

461
00:18:27,440 --> 00:18:29,499
attacker just simply gets the password

462
00:18:29,500 --> 00:18:30,679
and the username.

463
00:18:30,680 --> 00:18:32,929
And 1.2 million devices

464
00:18:32,930 --> 00:18:35,659
were affected by this vulnerability.

465
00:18:35,660 --> 00:18:36,660
This is a lot.

466
00:18:38,160 --> 00:18:39,849
So before we start analyzing the firmware

467
00:18:39,850 --> 00:18:42,119
itself, let's see what our attack surface

468
00:18:42,120 --> 00:18:43,120
looks like.
469
00:18:43,810 --> 00:18:45,909
So on port 80 we are

470
00:18:45,910 --> 00:18:48,049
getting an Unauthorized response, which

471
00:18:48,050 --> 00:18:50,289
just asks for the credentials, and since

472
00:18:50,290 --> 00:18:51,879
we don't know them, we are getting this

473
00:18:51,880 --> 00:18:54,349
instead. On port

474
00:18:54,350 --> 00:18:56,439
7547, we

475
00:18:56,440 --> 00:18:58,299
are getting a 404 Not Found for any

476
00:18:58,300 --> 00:19:00,879
path except for the correct connection

477
00:19:00,880 --> 00:19:02,079
request path.

478
00:19:02,080 --> 00:19:04,209
For now, we assume that we do not

479
00:19:04,210 --> 00:19:05,619
know the correct path.

480
00:19:07,190 --> 00:19:10,309
So before I actually dove into the code,

481
00:19:10,310 --> 00:19:12,289
I did some basic fuzzing over the

482
00:19:12,290 --> 00:19:14,659
headers. Suddenly I managed

483
00:19:14,660 --> 00:19:16,809
to crash the router by sending

484
00:19:16,810 --> 00:19:18,949
a digest username, by overflowing

485
00:19:18,950 --> 00:19:21,169
the user name header, which

486
00:19:21,170 --> 00:19:22,609
led me to the first vulnerability.

487
00:19:24,260 --> 00:19:26,599
So to understand why this is happening,

488
00:19:26,600 --> 00:19:29,089
let's explore some of the code.

489
00:19:29,090 --> 00:19:31,219
What you see here is

490
00:19:31,220 --> 00:19:33,769
a function responsible for initializing

491
00:19:33,770 --> 00:19:35,779
the handler structure.

492
00:19:35,780 --> 00:19:37,939
Each entry consists of the HTTP header

493
00:19:37,940 --> 00:19:39,619
name, as you can see here, and the

494
00:19:39,620 --> 00:19:41,809
relevant handler function to parse this

495
00:19:41,810 --> 00:19:43,219
header.

496
00:19:43,220 --> 00:19:45,749
So let's take a look at the function that

497
00:19:45,750 --> 00:19:47,209
handles the digest username.
498
00:19:47,210 --> 00:19:49,249
So can you see what caused the

499
00:19:49,250 --> 00:19:50,929
vulnerability?

500
00:19:50,930 --> 00:19:52,009
Yes.

501
00:19:52,010 --> 00:19:54,259
And protect the status, if you like.

502
00:19:54,260 --> 00:19:56,389
But what actually caused it to

503
00:19:56,390 --> 00:19:57,559
crash?

504
00:19:57,560 --> 00:19:59,629
Because we have no symbols and no

505
00:19:59,630 --> 00:20:02,449
dynamic analysis capability whatsoever,

506
00:20:02,450 --> 00:20:03,739
it's very difficult to know.

507
00:20:05,770 --> 00:20:07,869
So because we had

508
00:20:07,870 --> 00:20:10,339
no dynamic analysis capabilities,

509
00:20:10,340 --> 00:20:12,399
I opened up the router and started

510
00:20:12,400 --> 00:20:13,659
looking for JTAG.

511
00:20:13,660 --> 00:20:15,399
So for those of you who don't know, this

512
00:20:15,400 --> 00:20:17,499
is an interface designed to

513
00:20:17,500 --> 00:20:19,779
do hardware verification and

514
00:20:19,780 --> 00:20:21,929
debugging for embedded devices.

515
00:20:21,930 --> 00:20:24,249
So I opened up the router, but I couldn't

516
00:20:24,250 --> 00:20:26,709
find any connectors.

517
00:20:26,710 --> 00:20:28,269
But I did find something that looked

518
00:20:28,270 --> 00:20:30,789
like a serial UART port.

519
00:20:30,790 --> 00:20:33,039
So I did some soldering and

520
00:20:33,040 --> 00:20:35,199
connected to

521
00:20:35,200 --> 00:20:37,589
the router itself and used

522
00:20:37,590 --> 00:20:39,789
a Bus Pirate, which is a USB

523
00:20:39,790 --> 00:20:41,919
to serial UART

524
00:20:41,920 --> 00:20:44,439
adapter, to connect it to my computer.

525
00:20:44,440 --> 00:20:46,449
And when I booted up the

526
00:20:46,450 --> 00:20:48,189
router, I could see some very nice

527
00:20:48,190 --> 00:20:49,419
debugging info.

528
00:20:49,420 --> 00:20:51,009
So it was very cool.
529 00:20:51,010 --> 00:20:52,809 But what happens when I try to crash 530 00:20:52,810 --> 00:20:55,029 the router? So this 531 00:20:55,030 --> 00:20:57,279 is what I got: a very nice looking 532 00:20:57,280 --> 00:20:58,329 dump with, 533 00:20:58,330 --> 00:21:00,489 as you see here, the MIPS registers 534 00:21:00,490 --> 00:21:01,929 and the stack dump. 535 00:21:01,930 --> 00:21:04,509 And also on the top, you can see 536 00:21:04,510 --> 00:21:06,849 this one. This is the EPC, which is the 537 00:21:06,850 --> 00:21:08,559 MIPS instruction pointer. 538 00:21:08,560 --> 00:21:10,869 As you can see here, it was overwritten 539 00:21:10,870 --> 00:21:13,089 with my input. 540 00:21:13,090 --> 00:21:15,249 This means that we are actually in 541 00:21:15,250 --> 00:21:16,839 control of the instruction pointer. 542 00:21:18,100 --> 00:21:20,259 Yeah, so, uh, 543 00:21:20,260 --> 00:21:22,509 some further analysis of the crash then 544 00:21:22,510 --> 00:21:24,189 allowed me to fully understand the 545 00:21:24,190 --> 00:21:25,449 vulnerability. 546 00:21:25,450 --> 00:21:27,519 So the overflow causes us to 547 00:21:27,520 --> 00:21:29,889 overwrite a function pointer, 548 00:21:29,890 --> 00:21:32,169 which conveniently lies five hundred 549 00:21:32,170 --> 00:21:34,419 eighty four bytes after the user 550 00:21:34,420 --> 00:21:36,519 name. So this 551 00:21:36,520 --> 00:21:38,619 is pretty simple. Just send a long user 552 00:21:38,620 --> 00:21:41,139 name, overwrite the function pointer 553 00:21:41,140 --> 00:21:43,449 with a pointer to your code, 554 00:21:43,450 --> 00:21:45,519 and you can run remote code and you 555 00:21:45,520 --> 00:21:47,379 have remote code execution. 556 00:21:47,380 --> 00:21:49,729 So it sounds way too easy. 557 00:21:49,730 --> 00:21:50,730 Any problems?
558 00:21:52,150 --> 00:21:54,519 So, yep, we have a slight problem. 559 00:21:54,520 --> 00:21:56,589 All the vulnerable firmware, 560 00:21:56,590 --> 00:21:58,359 firmwares out in the wild, 561 00:21:58,360 --> 00:21:59,979 each one is looking a bit different in 562 00:21:59,980 --> 00:22:02,319 terms of memory layout, and 563 00:22:02,320 --> 00:22:04,089 it even changes between different 564 00:22:04,090 --> 00:22:06,459 firmware versions of the same model. 565 00:22:06,460 --> 00:22:08,709 This means we cannot, we cannot 566 00:22:08,710 --> 00:22:10,209 know the correct position of our shellcode 567 00:22:10,210 --> 00:22:12,369 in the memory, and therefore we don't know 568 00:22:12,370 --> 00:22:14,619 with which value we need to overwrite 569 00:22:14,620 --> 00:22:15,620 the function pointer. 570 00:22:18,150 --> 00:22:20,229 Of course, if you knew the answer, 571 00:22:20,230 --> 00:22:21,709 of course, if you knew the exact memory 572 00:22:21,710 --> 00:22:23,859 layout of your victim, you can easily 573 00:22:23,860 --> 00:22:25,959 run code on the router 574 00:22:25,960 --> 00:22:27,859 without any problem. 575 00:22:27,860 --> 00:22:29,919 It's also important to know that 576 00:22:29,920 --> 00:22:32,139 an attacker, 577 00:22:32,140 --> 00:22:34,389 an attacker has only one chance to 578 00:22:34,390 --> 00:22:36,339 attack the router, because if it causes a 579 00:22:36,340 --> 00:22:38,439 crash, then the router reboots 580 00:22:38,440 --> 00:22:40,869 automatically. 581 00:22:40,870 --> 00:22:42,999 So a potential solution for 582 00:22:43,000 --> 00:22:45,249 this whole problem would be just to 583 00:22:45,250 --> 00:22:47,529 find some info leak vulnerability that 584 00:22:47,530 --> 00:22:49,509 would disclose the memory layout. 585 00:22:49,510 --> 00:22:51,729 But it seems like way too much work 586 00:22:51,730 --> 00:22:54,009 for now.
So let's keep looking 587 00:22:54,010 --> 00:22:55,010 for something else. 588 00:22:55,870 --> 00:22:58,089 So because I had no way of debugging, 589 00:22:58,090 --> 00:23:00,099 I had to use some very primitive 590 00:23:00,100 --> 00:23:02,319 debugging capabilities that were built 591 00:23:02,320 --> 00:23:05,049 into the boot 592 00:23:05,050 --> 00:23:07,329 loader, through the serial port, 593 00:23:07,330 --> 00:23:09,549 which allowed me to patch the firmware 594 00:23:09,550 --> 00:23:11,199 before it was being loaded. 595 00:23:11,200 --> 00:23:13,659 So it was very handy, but a very tedious 596 00:23:13,660 --> 00:23:14,859 process. 597 00:23:14,860 --> 00:23:17,079 So after way too many resets, 598 00:23:17,080 --> 00:23:18,639 I found that there is a hidden telnet 599 00:23:18,640 --> 00:23:21,159 command in ZynOS which lets you 600 00:23:21,160 --> 00:23:23,979 patch the router memory online. 601 00:23:23,980 --> 00:23:26,379 So this led to the creation of 602 00:23:26,380 --> 00:23:28,479 a ZynOS remote debugger 603 00:23:28,480 --> 00:23:29,739 over telnet. 604 00:23:29,740 --> 00:23:31,929 And with it you can set 605 00:23:31,930 --> 00:23:34,209 breakpoints, view and edit memory, and 606 00:23:34,210 --> 00:23:35,889 also read and write register values 607 00:23:35,890 --> 00:23:38,439 online. This made the dynamic analysis 608 00:23:38,440 --> 00:23:40,200 way more convenient. 609 00:23:41,350 --> 00:23:43,479 So using my brand new debugger, I was able 610 00:23:43,480 --> 00:23:45,159 to understand much better the nuts and 611 00:23:45,160 --> 00:23:47,469 bolts of RomPager, which eventually, 612 00:23:47,470 --> 00:23:48,819 eventually led me to the second 613 00:23:48,820 --> 00:23:50,049 vulnerability.
614 00:23:50,050 --> 00:23:52,179 You see, RomPager has no dynamic 615 00:23:52,180 --> 00:23:54,909 memory allocation capabilities, so each 616 00:23:54,910 --> 00:23:57,099 request is handled in a pre-allocated 617 00:23:57,100 --> 00:23:59,499 structure, 618 00:23:59,500 --> 00:24:01,749 with up 619 00:24:01,750 --> 00:24:03,339 to three requests handled at the same 620 00:24:03,340 --> 00:24:05,559 time. So if you send 621 00:24:05,560 --> 00:24:07,749 three consecutive requests, you 622 00:24:07,750 --> 00:24:09,819 can overwrite the header structure, which 623 00:24:09,820 --> 00:24:10,749 we saw earlier. 624 00:24:10,750 --> 00:24:12,849 This is also caused by an unprotected 625 00:24:12,850 --> 00:24:13,850 strcpy. 626 00:24:14,860 --> 00:24:17,079 So again, we have control 627 00:24:17,080 --> 00:24:18,390 over the EPC. 628 00:24:19,540 --> 00:24:21,099 So can it be exploited? 629 00:24:21,100 --> 00:24:23,439 Well, theoretically you can blindly 630 00:24:23,440 --> 00:24:25,599 do a memory read of 631 00:24:26,650 --> 00:24:28,509 memory addresses by changing the 632 00:24:28,510 --> 00:24:30,939 pointer of some HTTP header name. 633 00:24:30,940 --> 00:24:33,009 But at the end 634 00:24:33,010 --> 00:24:35,079 I decided to leave this vulnerability, 635 00:24:35,080 --> 00:24:37,209 because it only works on port 80 636 00:24:37,210 --> 00:24:39,369 and we already have the first one for 637 00:24:39,370 --> 00:24:40,269 that. 638 00:24:40,270 --> 00:24:42,279 So moving on to vulnerability number 639 00:24:42,280 --> 00:24:43,280 three.
640 00:24:45,760 --> 00:24:48,549 So, RomPager and cookies. 641 00:24:48,550 --> 00:24:51,069 Because RomPager, as you remember, 642 00:24:51,070 --> 00:24:53,309 does not have any dynamic 643 00:24:53,310 --> 00:24:55,479 allocation, it has an internal 644 00:24:55,480 --> 00:24:57,849 cookies array for each request 645 00:24:57,850 --> 00:25:00,159 with up to 10 cookies 646 00:25:00,160 --> 00:25:02,409 and up to 40 bytes for 647 00:25:02,410 --> 00:25:04,579 each, each cookie. 648 00:25:04,580 --> 00:25:06,069 The cookie names are constant. 649 00:25:06,070 --> 00:25:08,139 So it's C0, 650 00:25:08,140 --> 00:25:10,869 C1, C2 and so on up to 651 00:25:10,870 --> 00:25:13,299 C9. 652 00:25:13,300 --> 00:25:15,099 This is an example of a client sending 653 00:25:15,100 --> 00:25:16,329 one of these cookies. You can see here, 654 00:25:16,330 --> 00:25:18,069 this is the C0 cookie. 655 00:25:18,070 --> 00:25:20,229 So let's take a look 656 00:25:20,230 --> 00:25:22,139 at the cookie handler to see how 657 00:25:22,140 --> 00:25:24,429 RomPager actually stores the cookies. 658 00:25:25,890 --> 00:25:28,079 So you can see on the top, RomPager 659 00:25:28,080 --> 00:25:30,209 checks the cookie, the cookie name, 660 00:25:30,210 --> 00:25:32,369 for whether it has a C at the beginning. 661 00:25:32,370 --> 00:25:34,619 If so, then it will convert 662 00:25:34,620 --> 00:25:36,419 the rest of the cookie name into an 663 00:25:36,420 --> 00:25:38,549 integer and use this 664 00:25:38,550 --> 00:25:40,649 integer as an index for the 665 00:25:40,650 --> 00:25:41,999 cookie array. 666 00:25:42,000 --> 00:25:44,639 OK, so, 667 00:25:44,640 --> 00:25:46,859 yeah, it will, it will show 668 00:25:46,860 --> 00:25:49,469 that it will multiply 669 00:25:49,470 --> 00:25:51,689 S3, which is the index, by 40, and 670 00:25:51,690 --> 00:25:53,849 then use it as the destination 671 00:25:53,850 --> 00:25:54,930 for the strncpy.
672 00:25:56,520 --> 00:25:57,520 Yep. 673 00:25:58,500 --> 00:26:00,899 So here you can see it more easily. 674 00:26:00,900 --> 00:26:03,209 So basically this gives me 675 00:26:03,210 --> 00:26:04,439 an arbitrary memory 676 00:26:04,440 --> 00:26:06,779 write, a write from a relative 677 00:26:06,780 --> 00:26:08,339 position in the RomPager internal 678 00:26:08,340 --> 00:26:10,499 structure, which means we 679 00:26:10,500 --> 00:26:12,929 can pretty much control everything 680 00:26:12,930 --> 00:26:14,639 RomPager does. 681 00:26:14,640 --> 00:26:16,619 So a very nice bonus is that we can 682 00:26:16,620 --> 00:26:19,319 overflow the thirty two bit integer 683 00:26:19,320 --> 00:26:21,449 to get to a negative offset in 684 00:26:21,450 --> 00:26:22,589 the structure. 685 00:26:22,590 --> 00:26:24,719 So let's take a look at that, 686 00:26:24,720 --> 00:26:27,089 at some non-harmful 687 00:26:27,090 --> 00:26:29,189 cookie. Instead of C0 688 00:26:29,190 --> 00:26:31,259 or C1, we are sending this, 689 00:26:32,310 --> 00:26:35,129 with the index pointing exactly 690 00:26:35,130 --> 00:26:37,219 at the request, the request path 691 00:26:37,220 --> 00:26:38,309 field. 692 00:26:38,310 --> 00:26:40,529 We can see that we can now set this 693 00:26:40,530 --> 00:26:42,869 path to anything we like, and 694 00:26:42,870 --> 00:26:45,089 in this case, we'll get this. 695 00:26:45,090 --> 00:26:47,579 So we were able to override the 696 00:26:47,580 --> 00:26:51,099 request with our own input. 697 00:26:51,100 --> 00:26:53,429 Uh, but this actually has far 698 00:26:53,430 --> 00:26:55,229 worse consequences. 699 00:26:55,230 --> 00:26:57,389 So I will need to mention 700 00:26:57,390 --> 00:26:59,999 this technique will work on any model, 701 00:27:00,000 --> 00:27:02,189 of any brand, that we have legal 702 00:27:02,190 --> 00:27:03,190 access to.
703 00:27:04,450 --> 00:27:05,450 You see, 704 00:27:06,850 --> 00:27:08,919 with a few magic cookies added 705 00:27:08,920 --> 00:27:11,229 to your request, you can bypass 706 00:27:11,230 --> 00:27:13,659 authentication and browse the 707 00:27:13,660 --> 00:27:16,029 configuration interface as admin 708 00:27:16,030 --> 00:27:18,159 from any port. 709 00:27:18,160 --> 00:27:20,649 So to prove this insane claim, 710 00:27:20,650 --> 00:27:21,970 let's go straight to the demo. 711 00:27:23,910 --> 00:27:26,279 Sorry, no, wait a sec, I'll fix 712 00:27:26,280 --> 00:27:27,280 it. 713 00:27:57,350 --> 00:27:58,699 Yes, we are ready. 714 00:27:58,700 --> 00:27:59,700 I think. 715 00:28:03,540 --> 00:28:05,789 Next, yes, 716 00:28:05,790 --> 00:28:07,979 OK, so, uh, we actually have 717 00:28:07,980 --> 00:28:10,169 a video recorded and then 718 00:28:10,170 --> 00:28:12,119 we're going to try the live demo. We 719 00:28:12,120 --> 00:28:13,889 prayed to the demo gods earlier, so 720 00:28:13,890 --> 00:28:16,109 hopefully things will work there 721 00:28:16,110 --> 00:28:16,439 as well. 722 00:28:16,440 --> 00:28:18,089 But first, let's look at the demo that 723 00:28:18,090 --> 00:28:20,339 will really, I think, 724 00:28:20,340 --> 00:28:21,340 explain 725 00:28:22,120 --> 00:28:24,010 the issue here, right? 726 00:28:25,650 --> 00:28:28,169 So we enter the router, 727 00:28:28,170 --> 00:28:30,269 it shows us, you know, username, password 728 00:28:30,270 --> 00:28:32,339 login, um, 729 00:28:32,340 --> 00:28:35,129 we can also try to 730 00:28:35,130 --> 00:28:37,119 see what's available on 731 00:28:37,120 --> 00:28:39,089 7547. Of course, we get the object 732 00:28:39,090 --> 00:28:41,429 not found. Then we use our Chrome 733 00:28:41,430 --> 00:28:42,430 plugin. 734 00:29:07,330 --> 00:29:09,549 Let's actually try this live and 735 00:29:09,550 --> 00:29:11,259 really hope that it works. 736 00:29:11,260 --> 00:29:12,260 Let's see now.
737 00:29:13,290 --> 00:29:15,149 We've got... all right, so we get the 738 00:29:15,150 --> 00:29:16,289 authentication required. 739 00:29:17,730 --> 00:29:19,450 Oh, you're not seeing it, like... 740 00:29:20,750 --> 00:29:21,750 Here you go. 741 00:29:22,460 --> 00:29:25,279 Well, it's, it's a bit small, but still, 742 00:29:25,280 --> 00:29:26,479 so we're getting the authentication 743 00:29:26,480 --> 00:29:27,919 required. 744 00:29:27,920 --> 00:29:29,630 We're going to go to the 745 00:29:30,930 --> 00:29:32,970 Misfortune Cookie plugin 746 00:29:34,860 --> 00:29:37,469 and try that again, 747 00:29:37,470 --> 00:29:38,519 see if it works. 748 00:29:38,520 --> 00:29:40,409 Hopefully it works. 749 00:29:40,410 --> 00:29:41,409 It doesn't. 750 00:29:41,410 --> 00:29:42,959 Oh, wait a sec, wait a sec. 751 00:29:42,960 --> 00:29:43,980 We're going to try that again. 752 00:29:46,830 --> 00:29:48,539 Now, it's like an internal thing, don't 753 00:29:48,540 --> 00:29:49,540 worry about it. 754 00:29:52,730 --> 00:29:54,200 Oh, it doesn't matter what port we are on. 755 00:29:58,560 --> 00:29:59,629 Will this work? 756 00:29:59,630 --> 00:30:00,630 Yeah. 757 00:30:07,070 --> 00:30:08,070 This is... 758 00:30:10,330 --> 00:30:12,489 You know, this, this is what we got 759 00:30:12,490 --> 00:30:13,989 at the store. This is brand new. 760 00:30:13,990 --> 00:30:15,759 This is a device that was manufactured in 761 00:30:15,760 --> 00:30:16,809 2014. 762 00:30:16,810 --> 00:30:19,480 This is very interesting. 763 00:30:22,210 --> 00:30:23,380 OK, so. 764 00:30:25,190 --> 00:30:26,509 Back to our presentation, 765 00:30:28,220 --> 00:30:29,989 we set up this nice website and it 766 00:30:29,990 --> 00:30:32,959 explains kind of the core issue here, 767 00:30:32,960 --> 00:30:35,119 and then we tried to see which 768 00:30:35,120 --> 00:30:37,669 countries were affected by this.
769 00:30:37,670 --> 00:30:40,009 And, you know, again, this vulnerability 770 00:30:40,010 --> 00:30:42,499 affects devices in a hundred 771 00:30:42,500 --> 00:30:43,999 and eighty nine countries all over the 772 00:30:44,000 --> 00:30:45,139 world. 773 00:30:45,140 --> 00:30:47,209 And in some countries, this 774 00:30:47,210 --> 00:30:49,339 is incredibly popular, 775 00:30:49,340 --> 00:30:51,679 affecting up to 50 776 00:30:51,680 --> 00:30:54,229 percent of the IP addresses 777 00:30:54,230 --> 00:30:56,059 in use in that country. 778 00:30:56,060 --> 00:30:57,799 I'm not joking. That's one out of every 779 00:30:57,800 --> 00:31:00,439 two IP addresses in that country 780 00:31:00,440 --> 00:31:01,789 are vulnerable to this. 781 00:31:02,930 --> 00:31:04,609 And that's, that's a few countries, and 782 00:31:04,610 --> 00:31:07,189 certainly some big names in 783 00:31:07,190 --> 00:31:09,499 the country list that you didn't expect 784 00:31:09,500 --> 00:31:10,500 to see there. 785 00:31:11,240 --> 00:31:13,429 Yeah, uh, smartphones 786 00:31:13,430 --> 00:31:14,630 happy about that as well. 787 00:31:17,690 --> 00:31:19,579 I know what you're thinking. 788 00:31:19,580 --> 00:31:21,769 I have to turn this off 789 00:31:21,770 --> 00:31:24,139 on my device right now. 790 00:31:24,140 --> 00:31:25,849 I should not have 791 00:31:25,850 --> 00:31:28,099 7547 listening on my, 792 00:31:28,100 --> 00:31:30,889 you know, on my public IP address. 793 00:31:30,890 --> 00:31:32,839 And as soon as you get home, you know, 794 00:31:32,840 --> 00:31:34,249 you'll enter your configuration 795 00:31:34,250 --> 00:31:36,799 interface and you'll find the 796 00:31:36,800 --> 00:31:38,869 settings, you know, and you'll 797 00:31:38,870 --> 00:31:41,119 deactivate it and 798 00:31:41,120 --> 00:31:43,009 you hit save.
799 00:31:43,010 --> 00:31:45,529 And it doesn't do anything, because 800 00:31:45,530 --> 00:31:47,329 7547 is still 801 00:31:47,330 --> 00:31:48,330 open. 802 00:31:48,890 --> 00:31:51,589 That's right. There is no legitimate 803 00:31:51,590 --> 00:31:53,689 way for you to turn this 804 00:31:53,690 --> 00:31:56,150 off, even as admin. 805 00:31:58,190 --> 00:31:59,839 I don't know whether to laugh or to cry, I 806 00:31:59,840 --> 00:32:01,609 don't know. So what can you do? 807 00:32:01,610 --> 00:32:02,899 You can cancel your Internet 808 00:32:02,900 --> 00:32:04,109 subscription? 809 00:32:04,110 --> 00:32:06,589 Um, of course, I mean, the technical 810 00:32:06,590 --> 00:32:08,599 users, hopefully that's you guys, 811 00:32:08,600 --> 00:32:11,059 you can flash alternative firmware. 812 00:32:11,060 --> 00:32:13,189 So you have DD-WRT and 813 00:32:13,190 --> 00:32:14,929 OpenWrt, which, which 814 00:32:14,930 --> 00:32:16,319 just don't have RomPager. 815 00:32:16,320 --> 00:32:17,609 You can take your chances on whatever 816 00:32:17,610 --> 00:32:18,499 they have there. 817 00:32:18,500 --> 00:32:20,689 Um, but it's not the, 818 00:32:20,690 --> 00:32:22,469 the, you know, the old version of 819 00:32:22,470 --> 00:32:24,709 RomPager. And, you know, don't buy 820 00:32:24,710 --> 00:32:26,899 these models until they're fixed. 821 00:32:26,900 --> 00:32:28,969 And the suspected vulnerable model list 822 00:32:28,970 --> 00:32:30,889 is on the website and we, uh, 823 00:32:30,890 --> 00:32:31,939 occasionally update that. 824 00:32:34,580 --> 00:32:36,949 All right. So, so let's understand, 825 00:32:36,950 --> 00:32:38,719 you know, let's understand the supply 826 00:32:38,720 --> 00:32:39,720 chain here.
827 00:32:40,430 --> 00:32:42,889 Um, AllegroSoft 828 00:32:42,890 --> 00:32:45,709 provided RomPager at one point 829 00:32:45,710 --> 00:32:48,499 to a certain chipset vendor, 830 00:32:48,500 --> 00:32:50,179 and this chipset vendor implemented the 831 00:32:50,180 --> 00:32:52,279 TR-069 functionality and 832 00:32:52,280 --> 00:32:54,469 bundled this into their SDK 833 00:32:54,470 --> 00:32:55,640 as a bonus feature. 834 00:32:56,930 --> 00:32:58,519 Now, this SDK was provided to 835 00:32:58,520 --> 00:33:00,709 manufacturers, who compiled 836 00:33:00,710 --> 00:33:02,899 their firmwares for each product 837 00:33:02,900 --> 00:33:04,099 series and model. 838 00:33:04,100 --> 00:33:05,479 And just to make it a bit more 839 00:33:05,480 --> 00:33:07,759 complicated, the ISPs customized 840 00:33:07,760 --> 00:33:10,069 the firmware to include brand 841 00:33:10,070 --> 00:33:12,589 logos, you know, default configurations, 842 00:33:12,590 --> 00:33:14,899 and deployed these versions to consumer 843 00:33:14,900 --> 00:33:15,900 devices. 844 00:33:16,790 --> 00:33:18,859 So you can start to 845 00:33:18,860 --> 00:33:21,109 understand this, 846 00:33:21,110 --> 00:33:23,299 this incredibly complex 847 00:33:23,300 --> 00:33:25,159 behind-the-scenes chain. 848 00:33:25,160 --> 00:33:26,719 And think about what this means for 849 00:33:26,720 --> 00:33:29,239 security updates, because 850 00:33:29,240 --> 00:33:31,339 the update propagation chain here is 851 00:33:31,340 --> 00:33:33,739 incredibly slow, if not 852 00:33:33,740 --> 00:33:35,479 nonexistent.
853 00:33:35,480 --> 00:33:37,759 AllegroSoft has to provide a fixed 854 00:33:37,760 --> 00:33:40,009 version to the chipset vendor, 855 00:33:40,010 --> 00:33:41,839 which then has to incorporate this into 856 00:33:41,840 --> 00:33:43,849 the SDK, which has to be given to 857 00:33:43,850 --> 00:33:45,769 manufacturers, who have to recompile 858 00:33:45,770 --> 00:33:47,839 firmware for every product line 859 00:33:47,840 --> 00:33:49,879 and every product model, which they have to 860 00:33:49,880 --> 00:33:51,859 give to ISPs, which have to 861 00:33:51,860 --> 00:33:53,179 recompile it, 862 00:33:53,180 --> 00:33:54,769 the, you know, to, to recompile the 863 00:33:54,770 --> 00:33:56,989 firmwares into the updated version 864 00:33:56,990 --> 00:33:59,209 using their customization. 865 00:33:59,210 --> 00:34:01,519 And now this thing has to be deployed 866 00:34:01,520 --> 00:34:02,520 on every device. 867 00:34:03,740 --> 00:34:05,419 This is a nightmare. 868 00:34:05,420 --> 00:34:07,579 And, you know, in this, 869 00:34:07,580 --> 00:34:09,738 in this case, we can truly say 870 00:34:09,739 --> 00:34:11,859 that too many cooks do spoil the broth. 871 00:34:12,889 --> 00:34:14,270 And thank you. 872 00:34:21,320 --> 00:34:23,129 You know, you know, this is the good case 873 00:34:23,130 --> 00:34:25,419 we're describing here, because, you know, 874 00:34:25,420 --> 00:34:27,629 your device is controlled by your ISP, 875 00:34:27,630 --> 00:34:28,799 because if you just bought your home 876 00:34:28,800 --> 00:34:30,869 router off the shelf, you 877 00:34:30,870 --> 00:34:32,939 know, most people never upgrade 878 00:34:32,940 --> 00:34:34,289 the router firmware. 879 00:34:34,290 --> 00:34:36,589 And, you know, anyway, 880 00:34:36,590 --> 00:34:38,428 this vulnerability will be here for 881 00:34:38,429 --> 00:34:39,718 months and years to come.
882 00:34:41,889 --> 00:34:43,300 So, vendor communication: 883 00:34:44,710 --> 00:34:46,839 we contacted AllegroSoft 884 00:34:46,840 --> 00:34:49,779 and all the major affected vendors, 885 00:34:49,780 --> 00:34:51,158 we provided a full description of the 886 00:34:51,159 --> 00:34:53,289 vulnerability and a non-harmful 887 00:34:53,290 --> 00:34:54,908 PoC to trigger it. 888 00:34:54,909 --> 00:34:56,859 You know, despite some broken English, 889 00:34:56,860 --> 00:34:59,409 the message did get through, 890 00:34:59,410 --> 00:35:01,299 at least most of the time. 891 00:35:01,300 --> 00:35:03,609 We have some patched firmware already 892 00:35:03,610 --> 00:35:06,459 out, at least from, from Huawei, 893 00:35:06,460 --> 00:35:08,559 who actually, they were, they were 894 00:35:08,560 --> 00:35:10,109 the best responders so far. 895 00:35:10,110 --> 00:35:11,320 Very clear communication. 896 00:35:12,850 --> 00:35:14,949 And, you know, AllegroSoft released a 897 00:35:14,950 --> 00:35:17,049 statement saying that, 898 00:35:17,050 --> 00:35:19,679 no, we can't force any vendor to upgrade 899 00:35:19,680 --> 00:35:21,369 to the latest version. 900 00:35:21,370 --> 00:35:24,159 And we actually provided a patched version 901 00:35:24,160 --> 00:35:26,259 in 2005. 902 00:35:26,260 --> 00:35:27,819 So think about this. 903 00:35:27,820 --> 00:35:30,489 If code from 2005 904 00:35:30,490 --> 00:35:32,919 still did not make it through the chain, 905 00:35:32,920 --> 00:35:34,509 and we actually know it did not make it 906 00:35:34,510 --> 00:35:35,909 even one step into the chain, 907 00:35:37,120 --> 00:35:38,349 something is wrong here. 908 00:35:40,810 --> 00:35:43,029 So just a few very frequently asked 909 00:35:43,030 --> 00:35:44,559 questions that we've been getting in the 910 00:35:44,560 --> 00:35:47,019 week that this is out, you know: 911 00:35:47,020 --> 00:35:49,749 is RomPager bad? No.
912 00:35:49,750 --> 00:35:50,829 You know, they were actually very 913 00:35:50,830 --> 00:35:52,779 responsive. They were security aware. 914 00:35:52,780 --> 00:35:54,969 They caught this bug in internal code 915 00:35:54,970 --> 00:35:56,889 review. They did. They just didn't know 916 00:35:56,890 --> 00:35:57,939 what it meant. 917 00:35:57,940 --> 00:35:59,199 When we explained it to them, 918 00:35:59,200 --> 00:36:00,099 they were... 919 00:36:00,100 --> 00:36:01,119 I know there was... 920 00:36:01,120 --> 00:36:03,039 I heard the jaws drop over the phone 921 00:36:03,040 --> 00:36:04,040 line. Um, 922 00:36:05,110 --> 00:36:06,339 and, you know, we just happened to 923 00:36:06,340 --> 00:36:07,569 research an old version of their 924 00:36:07,570 --> 00:36:08,589 software. 925 00:36:08,590 --> 00:36:11,139 I think any code written in 2002 926 00:36:11,140 --> 00:36:12,250 might have been, you know, 927 00:36:13,510 --> 00:36:14,510 secure the same. 928 00:36:15,460 --> 00:36:17,559 And, you know, we don't think 929 00:36:17,560 --> 00:36:19,659 this is an intentionally placed backdoor. 930 00:36:19,660 --> 00:36:21,459 It doesn't look like one. 931 00:36:21,460 --> 00:36:23,649 We will not be sharing the exploit. 932 00:36:23,650 --> 00:36:25,989 Uh, no, sorry about that. 933 00:36:25,990 --> 00:36:28,359 Um, you know, 934 00:36:28,360 --> 00:36:30,429 some bodies have approached 935 00:36:30,430 --> 00:36:32,739 me and, and they're asking 936 00:36:32,740 --> 00:36:34,509 about, you know, the IPs that are 937 00:36:34,510 --> 00:36:35,619 affected in their country. 938 00:36:35,620 --> 00:36:37,149 And I'm saying, you know, you have to 939 00:36:37,150 --> 00:36:38,150 scan it yourself. 940 00:36:39,340 --> 00:36:41,139 And, and listen, the numbers here are 941 00:36:41,140 --> 00:36:43,299 lying, because some ISPs actually, 942 00:36:43,300 --> 00:36:44,709 you know, don't use the default 943 00:36:44,710 --> 00:36:45,729 ports.
And I'm sure they use 944 00:36:45,730 --> 00:36:47,289 something else. I mean, at least we know 945 00:36:47,290 --> 00:36:49,029 that in Israel we use something else. 946 00:36:49,030 --> 00:36:51,249 Um, and when you 947 00:36:51,250 --> 00:36:52,809 scan these ports, you get very 948 00:36:52,810 --> 00:36:54,999 different numbers. So that's an important 949 00:36:55,000 --> 00:36:56,000 point to mention. 950 00:36:57,500 --> 00:36:59,239 Uh, short recap: 951 00:37:00,710 --> 00:37:03,529 we found a pretty serious vulnerability 952 00:37:03,530 --> 00:37:05,569 in the most popular service exposed in 953 00:37:05,570 --> 00:37:07,699 IPv4, at least as far as we 954 00:37:07,700 --> 00:37:09,949 know, do challenge us if 955 00:37:09,950 --> 00:37:11,389 you think otherwise. 956 00:37:11,390 --> 00:37:13,909 And, uh, hey, industry, 957 00:37:13,910 --> 00:37:14,910 fix this. 958 00:37:17,180 --> 00:37:18,209 Thank you very much. 959 00:37:18,210 --> 00:37:19,929 I would love to have your questions. 960 00:37:31,950 --> 00:37:34,589 Well, thank you so much. 961 00:37:34,590 --> 00:37:36,869 Actually, I had the honor 962 00:37:36,870 --> 00:37:39,119 to moderate a similar 963 00:37:39,120 --> 00:37:41,249 lecture this morning at 11:30 by 964 00:37:41,250 --> 00:37:43,349 an Irishman who showed us 965 00:37:43,350 --> 00:37:45,359 that the switches of the main energy 966 00:37:45,360 --> 00:37:47,459 providers, actually you can 967 00:37:47,460 --> 00:37:49,439 just download the image and upload it, 968 00:37:49,440 --> 00:37:51,760 when you've patched it, into the ROM. 969 00:37:52,860 --> 00:37:54,479 This is a bit more complicated, but it's 970 00:37:54,480 --> 00:37:56,939 basically the same thing. It actually scares 971 00:37:56,940 --> 00:37:57,969 the shit out of me. 972 00:37:57,970 --> 00:37:59,289 It's... you should be scared. 973 00:37:59,290 --> 00:38:01,059 OK, we'll be taking questions.
974 00:38:01,060 --> 00:38:03,179 I can blow up 975 00:38:04,260 --> 00:38:05,339 if you guys want to know. 976 00:38:05,340 --> 00:38:07,739 So we'll do one, 977 00:38:07,740 --> 00:38:08,939 two, one, two. 978 00:38:08,940 --> 00:38:09,940 Is that OK with you? 979 00:38:10,890 --> 00:38:11,819 OK, here you go. 980 00:38:11,820 --> 00:38:12,719 Number one. 981 00:38:12,720 --> 00:38:14,879 OK, so I'd 982 00:38:14,880 --> 00:38:16,459 like to know a bit more about the 983 00:38:16,460 --> 00:38:18,359 universe, because at home I have... 984 00:38:18,360 --> 00:38:20,999 Can you people please, when you leave, 985 00:38:21,000 --> 00:38:22,799 leave quietly. 986 00:38:22,800 --> 00:38:24,149 Some people still want to listen. 987 00:38:24,150 --> 00:38:24,899 I'm sorry. 988 00:38:24,900 --> 00:38:27,149 Yeah. So I have that 989 00:38:27,150 --> 00:38:29,549 device myself, because it would be, 990 00:38:29,550 --> 00:38:31,679 which is in your list, and 991 00:38:31,680 --> 00:38:33,839 it's OK to put a tweet, because it's 992 00:38:33,840 --> 00:38:36,359 quite quick, and 993 00:38:36,360 --> 00:38:38,709 it's one of the Linux ones, but it 994 00:38:38,710 --> 00:38:41,069 looks like before it went to Linux, 995 00:38:41,070 --> 00:38:43,259 it was something else which 996 00:38:43,260 --> 00:38:44,669 had a double. 997 00:38:44,670 --> 00:38:47,039 And I don't know if it matches 998 00:38:47,040 --> 00:38:49,739 the newest, if it's some kind of pre- 999 00:38:49,740 --> 00:38:51,929 Linux OS or how 1000 00:38:51,930 --> 00:38:52,919 does it work. 1001 00:38:52,920 --> 00:38:55,349 OK, so we don't know that device, 1002 00:38:55,350 --> 00:38:57,119 because we don't have access to every 1003 00:38:57,120 --> 00:38:59,429 single device that we saw on the list. 1004 00:38:59,430 --> 00:39:01,499 But we didn't, we didn't try to exploit 1005 00:39:01,500 --> 00:39:03,179 everything on the Internet.
1006 00:39:03,180 --> 00:39:05,279 Only the devices that we could have 1007 00:39:05,280 --> 00:39:07,439 legal access to. I 1008 00:39:07,440 --> 00:39:09,419 mean, we would love to talk about this 1009 00:39:09,420 --> 00:39:11,489 later. And if you can share some details 1010 00:39:11,490 --> 00:39:12,899 with us, then maybe we can look into 1011 00:39:12,900 --> 00:39:13,769 this. 1012 00:39:13,770 --> 00:39:15,539 But we don't have anything to add about 1013 00:39:15,540 --> 00:39:15,749 this. 1014 00:39:15,750 --> 00:39:17,219 And so now just, 1015 00:39:18,270 --> 00:39:20,579 it, it may be that the 1016 00:39:20,580 --> 00:39:22,829 device has something which 1017 00:39:22,830 --> 00:39:24,060 then starts Linux, 1018 00:39:25,350 --> 00:39:26,339 you know. 1019 00:39:26,340 --> 00:39:28,169 Sorry, I don't know. OK, we've got to think 1020 00:39:28,170 --> 00:39:29,929 about this, I think. 1021 00:39:29,930 --> 00:39:30,930 OK, thank you. 1022 00:39:31,980 --> 00:39:34,889 There's somebody waiting, go ahead. 1023 00:39:34,890 --> 00:39:37,379 When you originally published this issue 1024 00:39:37,380 --> 00:39:39,959 as Misfortune Cookie, 1025 00:39:39,960 --> 00:39:42,059 you recommended to home 1026 00:39:42,060 --> 00:39:44,249 users to install ZoneAlarm as 1027 00:39:44,250 --> 00:39:46,349 a protective measure on 1028 00:39:46,350 --> 00:39:47,599 computers. 1029 00:39:47,600 --> 00:39:49,679 Could you explain how installing a 1030 00:39:49,680 --> 00:39:50,789 personal firewall 1031 00:39:50,790 --> 00:39:52,379 would protect me from router 1032 00:39:52,380 --> 00:39:54,839 pwnage? So I can definitely explain 1033 00:39:54,840 --> 00:39:57,149 how this helps if your router gets pwned. 1034 00:39:57,150 --> 00:39:58,649 But it's definitely not what I want to 1035 00:39:58,650 --> 00:40:00,299 talk about. 1036 00:40:00,300 --> 00:40:02,429 And we can, we can talk about this later. 1037 00:40:02,430 --> 00:40:03,430 OK, thank you.
1038 00:40:05,330 --> 00:40:07,429 Yes, more quick, next 1039 00:40:07,430 --> 00:40:09,709 question. Mark? When you 1040 00:40:09,710 --> 00:40:11,959 mentioned the, it appears, at 1041 00:40:11,960 --> 00:40:13,699 least for country... please, can you have, 1042 00:40:13,700 --> 00:40:15,499 can we have some quiet, please? 1043 00:40:16,670 --> 00:40:19,099 You mentioned getting on the list of the 1044 00:40:19,100 --> 00:40:21,019 IP addresses for our country. 1045 00:40:21,020 --> 00:40:22,579 Just one request. Please talk to the 1046 00:40:22,580 --> 00:40:24,469 Shadowserver Foundation, because they have 1047 00:40:24,470 --> 00:40:26,539 the daily methods 1048 00:40:26,540 --> 00:40:28,909 of scanning for these kinds of issues 1049 00:40:28,910 --> 00:40:31,189 and send out the list of 1050 00:40:31,190 --> 00:40:33,109 IP addresses to all national CERTs all 1051 00:40:33,110 --> 00:40:33,989 over the world. 1052 00:40:33,990 --> 00:40:37,009 So is the foundation... 1053 00:40:37,010 --> 00:40:37,909 we can donate to them. 1054 00:40:37,910 --> 00:40:39,109 OK, so talk to you later. 1055 00:40:39,110 --> 00:40:41,989 Sure, yes. 1056 00:40:41,990 --> 00:40:44,249 OK, we'll stick to the mic. 1057 00:40:44,250 --> 00:40:45,139 No, there is nobody. 1058 00:40:45,140 --> 00:40:46,159 Is there somebody over there? 1059 00:40:47,990 --> 00:40:49,469 Oh, come up front. 1060 00:40:49,470 --> 00:40:51,799 Oh, do I look that scary? 1061 00:40:51,800 --> 00:40:52,949 Do they look that scary? 1062 00:40:52,950 --> 00:40:54,049 It's us. It's us. 1063 00:40:54,050 --> 00:40:56,399 I mean, to you folks, OK. 1064 00:40:56,400 --> 00:40:57,319 Yeah. 1065 00:40:57,320 --> 00:40:59,749 Yeah. Now, um, did 1066 00:40:59,750 --> 00:41:01,999 you... do you think you could speak 1067 00:41:02,000 --> 00:41:03,259 into the mic, please? 1068 00:41:03,260 --> 00:41:05,749 Yes.
[00:41:05 --> 00:42:04] Um, did you check cable modems? Because at least in Germany we are forced to use the modems we get from our providers, and especially models like the Technicolor are very well known for horrible exploits, like you can force them to reboot with a broken HTTP packet, which is kind of scary. Yeah. So we didn't try to categorize according to, you know, cable or DSL or whatever it is. If it's on the suspected vulnerable model, then we saw it as, you know, as vulnerable, as containing RomPager 4.07. That's a very simple check. OK, because I'm just asking because I have no possibility to switch as long as I stick to this ISP. So I understand that it's definitely a problem that we're seeing in other places worldwide. And, you know, this is a part of why we're doing this, a part of why we're doing this publication.
[00:42:04 --> 00:43:03] We think that this puts a very positive pressure on many, many vendors out there to try to fix this as fast as possible. I know we are seeing that this process is being expedited. So definitely in cases like this, if this is vulnerable, please go and talk to your providers and tell them this is a very, very serious security issue and you have to deal with this now. OK, thank you. Thank you. OK, hang on a minute. Um, we have a question from the Internet, because we've been streaming. So can we have a question from the Internet, please? Yes, there's a question. I have to try to open this up. If not, I... are going to... we. So, no, we did not try it. It's definitely a research direction. Anyone can take it up. We recommend that you do. So, uh, not... do not... do not. Well, we'll have one more question from the Internet and then go back to mic one.
[00:43:03 --> 00:44:01] And, uh, wouldn't it be possible to, uh, to use the exploit to exploit the router and then update them... sorry, to exploit the router and then update them using the exploit... exploit the router and then upload. Yeah, OK. And then upload new firmware. Definitely. OK, mic one I think. Was it? Yeah. Yep. Either. Uh, yeah. Very good. Thanks a lot. Thank you. So obviously the vendors are going to take a very long time to fix this, but is there any really legitimate use of this port, 7547, and from... Yeah, yeah, surely within the ISP's network, but over the network, is there any real use for this? Is there something the ISPs could filter at their border, for example? Uh, they use it all the time to do all sorts of monitoring and configuration issues.
[00:44:01 --> 00:44:59] So if you block your 7547, if you magically block it somehow, right, because a lot of the times you don't even have this option, but if you do block it, then they won't be able to help you with anything. They won't be able to see if anything's wrong with your device. But is this something the ISPs can fix and stop the entire IP space from? Yeah, I mean, we released a protection white paper that's intended for providers, you know, with some good advice on how to solve this. For example, just a real, you know, a small piece of it: you could use an internal IP range to, you know, to have this 7547 on. And then you don't really have to put it on the public web. So that's, I mean, we're seeing some providers definitely do that. And that's a very good direction. OK, great. Thanks. OK, thank you.
[00:45:01 --> 00:45:56] Um, mic number two, yes, go. Can we please have some peace? If you want to chat, OK, go outside. If I can just respond to the previous question: I'm working for an ISP and what you can actually do is just an access list on those modems, so only the legitimate IPs, uh, can reach those modems. That's the simplest thing you can do as an ISP. Yeah, well, I think we also mentioned that in the protection white paper, and thank you for that. Um, second question is, are you aware of the research that was presented at Hack in the Box Amsterdam 2013 in April? Because I think they hacked your modem. Yes. Yeah, because I think they actually hit the same buffer overflow... No, it was a different version of a... ZyXEL. And I think it's a, it's a very, yeah... We are kind of the same, a very different vulnerability. OK, you checked. OK, just wanted to know.
[00:45:56 --> 00:46:54] Thanks. OK, thank you. Move over to mic one. Mic one, kind of like... I have to record you for the stream. So have you looked into the impact of what would happen if someone changed the DNS settings to affect DNS, or changed one site, or this genuinely Tovo of people's letters? Well, definitely. That's kind of what we're seeing in the past few years attackers doing in large, you know, high-profile router attacks. They changed the DNS settings and it's pretty much game over from there. So definitely that's also an opening for that. You know, we really hope that attackers, you know, don't get a hold of this, but it's definitely, I think it will happen eventually. Thanks. OK, thank you. So, again, I have several questions. So first question, about the support in Israel. So if I were on holiday, maybe it's interesting.
[00:46:54 --> 00:47:49] And, uh, so what's your support on this one? I'm sorry? Again, the parts for this thing, and it's the fourth in Israel. We could talk about that later. I don't want to give you no good detail. OK, and then the second thing is, uh, I have, for example, an ISP who gives me a box, and the problem is that I cannot, uh, switch, I cannot get my access data and I cannot, um, own this thing, because I would need to have a high-speed modem to go to the left side where it's connected to the fiber optic, um, thing that generates the cable, this stuff. We are maybe 20 meters. And so I needed to do a sniffing device that goes there. It's a real problem. Yeah, we can understand that. It's definitely one of the things that make this issue so serious.
[00:47:50 --> 00:48:44] It's also how, how do I build a sniffing device? So it's maybe a device that I can exploit and say, OK, I buy these old modems and... sniffing, and so maybe a double modem device. Yeah, I can. But then it's kind of, you know, it's not going to be for the mass market. So I want to hack my flat box and then I know it and then it's better for me that I can use something else. I guess there are a few people here at 31C3 that can help you build that thing. OK, and then with cable modems, if you don't have a cable modem, it would be much more fun, because cable is flat. So even if I don't have to subscribe to a cable, uh, device, I can just go into my flat, have a cable outlet, go to a flea market, buy a cable modem, and scan the Internet for some cable modem in the city and dump the memory, put the access data of this person into my cable modem and I can have it for free.
[00:48:46 --> 00:49:46] This is how they'd catch me. It's flat. It's just passive networks, like tapping. I mean, that's what we're seeing, a lot of these, uh, you know, a lot of these home router threats. And it's definitely one, uh, one that we're also looking into, um, and the cable modem very now. So hopefully for next year. OK, OK. But we'll keep trying. OK. Yes, mic number one. Is it correct that via TR-069 the providers can also change this default port so that they can send you a new configuration? Yeah. And so they could, on the very first provisioning of the box, when I just... couldn't take it out and connect it to my DSL, that I get immediately from the... Yes. A new port which is not the default port anymore. Very possible and actually being done. OK, so then I would be vulnerable of course on the new port, but... Right.
[00:49:46 --> 00:50:46] So I mean, but we also recommended that some ISPs do that, because at least you're going to get away from the opportunistic hackers that just scan the entire Internet. OK, I don't know who would do such a thing, but... Maybe regarding your statistics, Germany was quite light colored. Is it because you've scanned only that part, or did you... can we only scan 7547? It's important to mention all of our numbers are based on 7547. If you, you know, go into the depth of each country, of each ISP, you can potentially find a lot more vulnerable devices. OK, thank you very much. OK. And if anyone does this, please do share it with us, because, you know, we might make this public and help your provider fix this. OK, now you all know that if you want to go back and look at this talk, you'll find it in our stream archive. Just before you get... panic... Number two, please.
[00:50:46 --> 00:51:45] OK, I didn't quite get how the protocol actually works. Is the listening device, or listening service on the clients, actually required? Because you said every communication is initiated by the client, and why? Yeah, well, first of all, you understand that this vulnerability has almost nothing to do with TR-069; it doesn't have anything to do with the protocol. It's just a web server that's listening on this port because of that. And so, just mentioning again what I said at the beginning, this is a connection request port that the ACS can send connection requests to, which the client immediately follows by, you know, making a new connection and doing a real provisioning session. OK, that's OK. Yeah. And this is, you know, similar Rajdeep. So this needs to be sort of... OK, before they shut down the Internet, there is this question. Yes, from the Internet. Yes. What is with the new versions?
[00:51:45 --> 00:52:49] Are they really fixed? The new versions have been fixed. We, um, some vendors have provided us with beta versions of firmware, of fixed firmware, and they actually fixed that, right. I mean, at least as we see it, they're checking it correctly and they fixed the buffer overflows and, you know, just patched it, actually, on RomPager 4.07. They just patched these vulnerabilities. So there might be more things there. Um, and also just the interesting point here that would make it a bit difficult to understand if a device is now still vulnerable, because the server header is still going to be 4.07. And then you'd have to find like a different way of figuring out if this is vulnerable. It's OK. Some more? No child left behind. We answer all questions. There are more personal... Oh, how about IPv4 over IPv6 devices using Dual-Stack Lite?
[00:52:50 --> 00:53:17] I'm sorry, I didn't get the question. How about, how about IPv4 over IPv6 devices using Dual-Stack Lite? Dual stack. Oh, we did not look into that at all. OK, was there all that... Was it anybody else? A question? You guys want to ask a question, though? OK, well, then let's have one big final...