Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Oleg Kupreev - Telecommunication Hardware Vulne...

Avatar for DC7499 DC7499
July 03, 2015
Research
66
0

Oleg Kupreev - Telecommunication Hardware Vulnerabilities

DEFCON Moscow 9

Avatar for DC7499

DC7499

July 03, 2015

More Decks by DC7499

See All by DC7499
Sergey Sobko - Hackashop: Hackathon + Pentest + Workshop [RU]
Avatar for DC7499 defcon
0
580
Dmitry Sklyarov - Intel ME: Security keys Genealogy, Obfuscation and other Magic
Avatar for DC7499 defcon
0
310
Anton Lopanitsyn - Initial reconnaissance of web applications.
Avatar for DC7499 defcon
0
320
Dmitry Volkov - Private messengers: without pain??
Avatar for DC7499 defcon
1
250
Andrey Skuratov and Sergey Migalin - DNS tunneling in 2018. What is that, and what to do with it?
Avatar for DC7499 defcon
2
230
Sergey Belov - Another side of Bug Bounty programs
Avatar for DC7499 defcon
0
330
Dmitry Sklyarov - Intel ME: Flash file system explained
Avatar for DC7499 defcon
0
570
Maxim Goryachiy & Mark Ermolov - Inside Intel Management Engine
Avatar for DC7499 defcon
0
680
Sergey Golovanov - Indecent Response 2018
Avatar for DC7499 defcon
0
580

Other Decks in Research

See All in Research
RS-Agent: Automating Remote Sensing Tasks through Intelligent Agent
Avatar for SatAI.challenge satai
2
300
NLP colloquium: AI Safety Survey
Avatar for Masahiro Kaneko kanekomasahiro
0
650
羽田新ルート運用6年の検証
Avatar for マン点 1manken
0
160
「行ける・行けない表」による地域公共交通の性能評価
Avatar for 萬創社 bansousha
0
160
2026年1月の生成AI領域の重要リリース&トピック解説
Avatar for KAJI | 梶谷健人 kajikent
0
1k
LINEヤフー データサイエンス Meetup「三井物産コモディティ予測チャレンジ」の舞台裏-AlpacaTechパート
Avatar for tomo gamella
1
570
2026 東京科学大 情報通信系 研究室紹介 (すずかけ台)
Avatar for Tokyo Tech ICT Dept. icttitech
0
3.8k
ScoreMatchingRiesz for Automatic Debiased Machine Learning and Policy Path Estimation with an Application to Japanese Monetary Policy Evaluation
Avatar for MasaKat0 masakat0
0
290
さくらインターネット研究所テックトーク2026春、研究開発Gr.25年度成果26年度方針
Avatar for KIKUCHI Shunsuke kikuzo
0
150
Model Discovery and Graph Simulation: A Lightweight Gateway to Chaos Engineering
Avatar for Anatoly A. Krasnovsky anatolykr
0
200
Φ-Sat-2のAutoEncoderによる情報圧縮系論文
Avatar for SatAI.challenge satai
4
770
LiDAR点群の地表面分類手法の比較・検証
Avatar for vegapunk-hiroshi vegapunkhiroshi79
0
120

Featured

See All Featured
From π to Pie charts
Avatar for Rasagy Sharma rasagy
0
210
Noah Learner - AI + Me: how we built a GSC Bulk Export data pipeline
Avatar for Tech SEO Connect techseoconnect
PRO
0
200
Leveraging Curiosity to Care for An Aging Population
Avatar for Cassini Nazir cassininazir
1
270
The agentic SEO stack - context over prompts
Avatar for schlessera schlessera
0
820
Money Talks: Using Revenue to Get Sh*t Done
Avatar for Nikki Halliwell nikkihalliwell
0
250
世界の人気アプリ100個を分析して見えたペイウォール設計の心得
Avatar for Akihiro Kokubo akihiro_kokubo
PRO
71
40k
End of SEO as We Know It (SMX Advanced Version)
Avatar for Michael King ipullrank
3
4.2k
The World Runs on Bad Software
Avatar for Brandon Keepers bkeepers
PRO
72
12k
Claude Code のすすめ
Avatar for schroneko schroneko
67
230k
Performance Is Good for Brains [We Love Speed 2024]
Avatar for Tammy Everts tammyeverts
12
1.7k
The Curious Case for Waylosing
Avatar for Cassini Nazir cassininazir
1
390
Redefining SEO in the New Era of Traffic Generation
Avatar for Szymon Słowik szymonslowik
1
340

Transcript

  1. None

  2. Telecommunication Hardware Vulnerabilities

  3. WHOAMI • HACKER REASEARCHER @ DSEC.RU • @090h, [email protected]

    ADMIN @ ISP IN THE PAST • HACKING TELECOMMUNICATIONS SINCE 2001 • HACKING HARDWARE SINCE 2012 • DREAM TO LEARN, LEARN TO DREAM

  4. TELECOM HARDWARE • MODEM • ROUTER • SWiTCH • ATS

    • HYBRiD

  5. VULNERABiLiTiES • DEFAULT CREDENTiALS (admin:admin, admin:1234, cisco:cisco) • PLAiNTEXT PASSWORDS

    (/var/passwd) • BACKDOORS/ISP ACCOUNTS • AUTH BYPASS • USER iNPUT MiSVALiDATiON (COMMAND/SQL/HTML/XML injection) • iNFORMATiON DiSCLOSURE • CSRF • XXE • BOF (stack, heap, of-by-one) • WPS*

  6. VENDORS & VULNS @ EXPLOiT DB • Cisco 144 •

    D-link 81 • Linksys 49 • Netgear 36 • TP-Link 18 • Zyxel 15 • Huawei 13

  7. MODEMZ

  8. 3G/4G modems. Made in China by Huawei.

  9. Zero CD

  10. Zero CD-RW

  11. EViL C0NF

  12. OUC.EXE = OUCH LPE

  13. 3G/4G MODEM -> CYBERWEAPON

  14. CR0SSPLATF0RM 3G/4G M0D3M R00TKiT

  15. ROUTERZ

  16. SDLC BUBEN DANCiNG

  17. None

  18. BACKUP=FCUKUP

  19. GET HTTP REQUEST

  20. 20 AUTH BYPASS + CSRF = CONFiG UPLOAD 8) •

    Firewall/AV bypass • Botnet via Habrahabr <IMG SRC =“PWN”…

  21. 21 habrahabr.ru CSRF Evil FTP server Config CSRF

  22. • Network configuration • PPPOE account • SIP account CONFiGURATiON

  23. OLD DAYS…

  24. 24 2-12-85-06 2-12-85-06 2-12-85-06 2-12-85-06 2-12-85-06 2-12-85-06 XXI century

  25. AUTH BYPASS + CSRF + COMMAND INJECTION = w00t w00t

    rem0t3 reb00t… Back to 90’s….. Do you remember +++ATH.jpg trick? WARNINNG!!! WARNINNG!!! WARNINNG!!!

  26. Huawei HG8245 Jtagulator Huawei 8245 hacking

  27. PLACE 4 FUTURE ViRUSES

  28. PASSWORDS….

  29. How to rob the train in XXI century? Easy!

  30. WARNINNG!!! WARNINNG!!! WARNINNG!!! • WITH GREAT POWER COMES GREAT RESPONSIBILITY

    • ВАС ПРИСТРЕЛЯТ ПО УТРУ – НЕ РАБОТАЙТЕ ПО РУ • 272, 273, 274

  31. STAGE 0x00 • Search for train with WiFi • Buy

    train ticket • Don’t miss the train

  32. STAGE 0x01 admin

  33. STAGE 0x02

  34. STAGE 0x03

  35. STAGE 0x04

  36. SIP hacking? • Port 5060 + SHODAN • Auth needed?

    • Web interface?

  37. CALL TO UID 0

  38. but check! Trust,

  39. Any questions? INFO: @090h [email protected] Links https://github.com/0x90/routerz https://github.com/0x90/modemz