DC7499
July 03, 2015
Oleg Kupreev - Telecommunication Hardware Vulnerabilities
DEFCON Moscow 9
Transcript
Telecommunication Hardware Vulnerabilities
WHOAMI
• HACKER RESEARCHER @ DSEC.RU
• @090h, [email protected]
• ADMIN @ ISP IN THE PAST
• HACKING TELECOMMUNICATIONS SINCE 2001
• HACKING HARDWARE SINCE 2012
• DREAM TO LEARN, LEARN TO DREAM
TELECOM HARDWARE
• MODEM
• ROUTER
• SWiTCH
• ATS
• HYBRiD
VULNERABiLiTiES
• DEFAULT CREDENTiALS (admin:admin, admin:1234, cisco:cisco)
• PLAiNTEXT PASSWORDS (/var/passwd)
• BACKDOORS/ISP ACCOUNTS
• AUTH BYPASS
• USER iNPUT MiSVALiDATiON (COMMAND/SQL/HTML/XML injection)
• iNFORMATiON DiSCLOSURE
• CSRF
• XXE
• BOF (stack, heap, off-by-one)
• WPS*
VENDORS & VULNS @ EXPLOiT DB
• Cisco 144
• D-link 81
• Linksys 49
• Netgear 36
• TP-Link 18
• Zyxel 15
• Huawei 13
MODEMZ
3G/4G modems. Made in China by Huawei.
Zero CD
Zero CD-RW
EViL C0NF
OUC.EXE = OUCH LPE
3G/4G MODEM -> CYBERWEAPON
CR0SSPLATF0RM 3G/4G M0D3M R00TKiT
ROUTERZ
SDLC BUBEN DANCiNG
BACKUP=FCUKUP
GET HTTP REQUEST
AUTH BYPASS + CSRF = CONFiG UPLOAD 8)
• Firewall/AV bypass
• Botnet via Habrahabr <IMG SRC =“PWN”…
[Diagram labels: habrahabr.ru, CSRF, Evil FTP server, Config, CSRF]
CONFiGURATiON
• Network configuration
• PPPOE account
• SIP account
OLD DAYS…
2-12-85-06
XXI century
AUTH BYPASS + CSRF + COMMAND INJECTION = w00t w00t
rem0t3 reb00t…
Back to 90’s…..
Do you remember +++ATH.jpg trick?
WARNING!!! WARNING!!! WARNING!!!
Huawei HG8245 Jtagulator Huawei 8245 hacking
PLACE 4 FUTURE ViRUSES
PASSWORDS….
How to rob the train in XXI century? Easy!
WARNING!!! WARNING!!! WARNING!!!
• WITH GREAT POWER COMES GREAT RESPONSIBILITY
• YOU WILL BE SHOT IN THE MORNING - DO NOT WORK AGAINST RU
• 272, 273, 274
STAGE 0x00
• Search for train with WiFi
• Buy train ticket
• Don’t miss the train
STAGE 0x01 admin
STAGE 0x02
STAGE 0x03
STAGE 0x04
SIP hacking?
• Port 5060 + SHODAN
• Auth needed?
• Web interface?
CALL TO UID 0
Trust, but check!
Any questions?
INFO: @090h, [email protected]
Links
• https://github.com/0x90/routerz
• https://github.com/0x90/modemz