Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Oleg Kupreev - Telecommunication Hardware Vulne...

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for DC7499 DC7499
July 03, 2015
Research
60
0

Oleg Kupreev - Telecommunication Hardware Vulnerabilities

DEFCON Moscow 9

Avatar for DC7499

DC7499

July 03, 2015

More Decks by DC7499

See All by DC7499
Sergey Sobko - Hackashop: Hackathon + Pentest + Workshop [RU]
Avatar for DC7499 defcon
0
580
Dmitry Sklyarov - Intel ME: Security keys Genealogy, Obfuscation and other Magic
Avatar for DC7499 defcon
0
300
Anton Lopanitsyn - Initial reconnaissance of web applications.
Avatar for DC7499 defcon
0
320
Dmitry Volkov - Private messengers: without pain??
Avatar for DC7499 defcon
1
250
Andrey Skuratov and Sergey Migalin - DNS tunneling in 2018. What is that, and what to do with it?
Avatar for DC7499 defcon
2
230
Sergey Belov - Another side of Bug Bounty programs
Avatar for DC7499 defcon
0
320
Dmitry Sklyarov - Intel ME: Flash file system explained
Avatar for DC7499 defcon
0
570
Maxim Goryachiy & Mark Ermolov - Inside Intel Management Engine
Avatar for DC7499 defcon
0
670
Sergey Golovanov - Indecent Response 2018
Avatar for DC7499 defcon
0
580

Other Decks in Research

See All in Research
Collective Predictive Coding and World Models in LLMs: A System 0/1/2/3 Perspective on Hierarchical Physical AI (IEEE SII 2026 Plenary Talk)
Avatar for Tadahiro Taniguchi tanichu
1
390
台湾モデルに学ぶ詐欺広告対策:市民参加の必要性
Avatar for DD2030 dd2030
0
320
衛星×エッジAI勉強会 衛星上におけるAI処理制約とそ取組について
Avatar for SatAI.challenge satai
4
490
量子コンピュータの紹介
Avatar for OQTOPUS oqtopus
0
300
「なんとなく」の顧客理解から脱却する ──顧客の解像度を武器にするインサイトマネジメント
Avatar for 田島佳穂 tajima_kaho
10
7.5k
LINEヤフー データサイエンス Meetup「三井物産コモディティ予測チャレンジ」の舞台裏-AlpacaTechパート
Avatar for tomo gamella
1
500
FUSE-RSVLM: Feature Fusion Vision-Language Model for Remote Sensing
Avatar for SatAI.challenge satai
3
720
IEEE AIxVR 2026 Keynote Talk: "Beyond Visibility: Understanding Scenes and Humans under Challenging Conditions with Diverse Sensing"
Avatar for Mariko Isogawa miso2024
0
180
SOTAのさらに先へ:厳しい推論制約下での高性能モデルのPost-Training
Avatar for Hiroshi Y (RabotniKuma) analokmaus
0
890
Unified Audio Source Separation (Defense Slides)
Avatar for Kohei Saijo kohei_1979
1
600
Φ-Sat-2のAutoEncoderによる情報圧縮系論文
Avatar for SatAI.challenge satai
4
630
東京大学工学部計数工学科、計数工学特別講義の説明資料
Avatar for KIKUCHI Shunsuke kikuzo
0
400

Featured

See All Featured
Raft: Consensus for Rubyists
Avatar for Patrick Van Stee vanstee
141
7.4k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
Avatar for Eileen M. Uchitelle eileencodes
141
35k
The #1 spot is gone: here's how to win anyway
Avatar for Tamara Novitovic tamaranovitovic
2
1k
Designing for humans not robots
Avatar for Tammie Lister tammielis
254
26k
Being A Developer After 40
Avatar for Adrian Kosmaczewski akosma
91
590k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
Avatar for Eileen M. Uchitelle eileencodes
38
2.9k
A Soul's Torment
Avatar for Nat Ma seathinner
6
2.8k
SEO in 2025: How to Prepare for the Future of Search
Avatar for Michael King ipullrank
3
3.4k
Money Talks: Using Revenue to Get Sh*t Done
Avatar for Nikki Halliwell nikkihalliwell
0
230
Facilitating Awesome Meetings
Avatar for Lara Hogan lara
57
6.9k
The Illustrated Children's Guide to Kubernetes
Avatar for Chris Short chrisshort
51
52k
Heart Work Chapter 1 - Part 1
Avatar for Lake Fama lfama
PRO
7
36k

Transcript

  1. None

  2. Telecommunication Hardware Vulnerabilities

  3. WHOAMI • HACKER REASEARCHER @ DSEC.RU • @090h, [email protected]

    ADMIN @ ISP IN THE PAST • HACKING TELECOMMUNICATIONS SINCE 2001 • HACKING HARDWARE SINCE 2012 • DREAM TO LEARN, LEARN TO DREAM

  4. TELECOM HARDWARE • MODEM • ROUTER • SWiTCH • ATS

    • HYBRiD

  5. VULNERABiLiTiES • DEFAULT CREDENTiALS (admin:admin, admin:1234, cisco:cisco) • PLAiNTEXT PASSWORDS

    (/var/passwd) • BACKDOORS/ISP ACCOUNTS • AUTH BYPASS • USER iNPUT MiSVALiDATiON (COMMAND/SQL/HTML/XML injection) • iNFORMATiON DiSCLOSURE • CSRF • XXE • BOF (stack, heap, of-by-one) • WPS*

  6. VENDORS & VULNS @ EXPLOiT DB • Cisco 144 •

    D-link 81 • Linksys 49 • Netgear 36 • TP-Link 18 • Zyxel 15 • Huawei 13

  7. MODEMZ

  8. 3G/4G modems. Made in China by Huawei.

  9. Zero CD

  10. Zero CD-RW

  11. EViL C0NF

  12. OUC.EXE = OUCH LPE

  13. 3G/4G MODEM -> CYBERWEAPON

  14. CR0SSPLATF0RM 3G/4G M0D3M R00TKiT

  15. ROUTERZ

  16. SDLC BUBEN DANCiNG

  17. None

  18. BACKUP=FCUKUP

  19. GET HTTP REQUEST

  20. 20 AUTH BYPASS + CSRF = CONFiG UPLOAD 8) •

    Firewall/AV bypass • Botnet via Habrahabr <IMG SRC =“PWN”…

  21. 21 habrahabr.ru CSRF Evil FTP server Config CSRF

  22. • Network configuration • PPPOE account • SIP account CONFiGURATiON

  23. OLD DAYS…

  24. 24 2-12-85-06 2-12-85-06 2-12-85-06 2-12-85-06 2-12-85-06 2-12-85-06 XXI century

  25. AUTH BYPASS + CSRF + COMMAND INJECTION = w00t w00t

    rem0t3 reb00t… Back to 90’s….. Do you remember +++ATH.jpg trick? WARNINNG!!! WARNINNG!!! WARNINNG!!!

  26. Huawei HG8245 Jtagulator Huawei 8245 hacking

  27. PLACE 4 FUTURE ViRUSES

  28. PASSWORDS….

  29. How to rob the train in XXI century? Easy!

  30. WARNINNG!!! WARNINNG!!! WARNINNG!!! • WITH GREAT POWER COMES GREAT RESPONSIBILITY

    • ВАС ПРИСТРЕЛЯТ ПО УТРУ – НЕ РАБОТАЙТЕ ПО РУ • 272, 273, 274

  31. STAGE 0x00 • Search for train with WiFi • Buy

    train ticket • Don’t miss the train

  32. STAGE 0x01 admin

  33. STAGE 0x02

  34. STAGE 0x03

  35. STAGE 0x04

  36. SIP hacking? • Port 5060 + SHODAN • Auth needed?

    • Web interface?

  37. CALL TO UID 0

  38. but check! Trust,

  39. Any questions? INFO: @090h [email protected] Links https://github.com/0x90/routerz https://github.com/0x90/modemz