Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Oleg Kupreev - Telecommunication Hardware Vulne...
Search
DC7499
July 03, 2015
Research
0
54
Oleg Kupreev - Telecommunication Hardware Vulnerabilities
DEFCON Moscow 9
DC7499
July 03, 2015
Tweet
Share
More Decks by DC7499
See All by DC7499
Sergey Sobko - Hackashop: Hackathon + Pentest + Workshop [RU]
defcon
0
540
Dmitry Sklyarov - Intel ME: Security keys Genealogy, Obfuscation and other Magic
defcon
0
270
Anton Lopanitsyn - Initial reconnaissance of web applications.
defcon
0
290
Dmitry Volkov - Private messengers: without pain??
defcon
1
240
Andrey Skuratov and Sergey Migalin - DNS tunneling in 2018. What is that, and what to do with it?
defcon
2
210
Sergey Belov - Another side of Bug Bounty programs
defcon
0
300
Dmitry Sklyarov - Intel ME: Flash file system explained
defcon
0
520
Maxim Goryachiy & Mark Ermolov - Inside Intel Management Engine
defcon
0
610
Sergey Golovanov - Indecent Response 2018
defcon
0
530
Other Decks in Research
See All in Research
Creation and environmental applications of 15-year daily inundation and vegetation maps for Siberia by integrating satellite and meteorological datasets
satai
3
280
Type Theory as a Formal Basis of Natural Language Semantics
daikimatsuoka
1
290
数理最適化に基づく制御
mickey_kubo
6
730
Galileo: Learning Global & Local Features of Many Remote Sensing Modalities
satai
3
240
AIによる画像認識技術の進化 -25年の技術変遷を振り返る-
hf149
7
4k
Time to Cash: The Full Stack Breakdown of Modern ATM Attacks
ratatata
0
130
電力システム最適化入門
mickey_kubo
1
920
「どう育てるか」より「どう働きたいか」〜スクラムマスターの最初の一歩〜
hirakawa51
0
860
能動適応的実験計画
masakat0
2
810
利用シーンを意識した推薦システム〜SpotifyとAmazonの事例から〜
kuri8ive
1
250
国際論文を出そう!ICRA / IROS / RA-L への論文投稿の心構えとノウハウ / RSJ2025 Luncheon Seminar
koide3
6
4.7k
論文読み会 SNLP2025 Learning Dynamics of LLM Finetuning. In: ICLR 2025
s_mizuki_nlp
0
210
Featured
See All Featured
Faster Mobile Websites
deanohume
309
31k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
48
9.7k
GitHub's CSS Performance
jonrohan
1032
460k
Building a Modern Day E-commerce SEO Strategy
aleyda
43
7.6k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
36
2.5k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
127
53k
The Straight Up "How To Draw Better" Workshop
denniskardys
236
140k
Writing Fast Ruby
sferik
628
62k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
52
5.6k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
26
3k
Navigating Team Friction
lara
189
15k
The Power of CSS Pseudo Elements
geoffreycrofte
77
6k
Transcript
None
Telecommunication Hardware Vulnerabilities
WHOAMI • HACKER REASEARCHER @ DSEC.RU • @090h,
[email protected]
•
ADMIN @ ISP IN THE PAST • HACKING TELECOMMUNICATIONS SINCE 2001 • HACKING HARDWARE SINCE 2012 • DREAM TO LEARN, LEARN TO DREAM
TELECOM HARDWARE • MODEM • ROUTER • SWiTCH • ATS
• HYBRiD
VULNERABiLiTiES • DEFAULT CREDENTiALS (admin:admin, admin:1234, cisco:cisco) • PLAiNTEXT PASSWORDS
(/var/passwd) • BACKDOORS/ISP ACCOUNTS • AUTH BYPASS • USER iNPUT MiSVALiDATiON (COMMAND/SQL/HTML/XML injection) • iNFORMATiON DiSCLOSURE • CSRF • XXE • BOF (stack, heap, of-by-one) • WPS*
VENDORS & VULNS @ EXPLOiT DB • Cisco 144 •
D-link 81 • Linksys 49 • Netgear 36 • TP-Link 18 • Zyxel 15 • Huawei 13
MODEMZ
3G/4G modems. Made in China by Huawei.
Zero CD
Zero CD-RW
EViL C0NF
OUC.EXE = OUCH LPE
3G/4G MODEM -> CYBERWEAPON
CR0SSPLATF0RM 3G/4G M0D3M R00TKiT
ROUTERZ
SDLC BUBEN DANCiNG
None
BACKUP=FCUKUP
GET HTTP REQUEST
20 AUTH BYPASS + CSRF = CONFiG UPLOAD 8) •
Firewall/AV bypass • Botnet via Habrahabr <IMG SRC =“PWN”…
21 habrahabr.ru CSRF Evil FTP server Config CSRF
• Network configuration • PPPOE account • SIP account CONFiGURATiON
OLD DAYS…
24 2-12-85-06 2-12-85-06 2-12-85-06 2-12-85-06 2-12-85-06 2-12-85-06 XXI century
AUTH BYPASS + CSRF + COMMAND INJECTION = w00t w00t
rem0t3 reb00t… Back to 90’s….. Do you remember +++ATH.jpg trick? WARNINNG!!! WARNINNG!!! WARNINNG!!!
Huawei HG8245 Jtagulator Huawei 8245 hacking
PLACE 4 FUTURE ViRUSES
PASSWORDS….
How to rob the train in XXI century? Easy!
WARNINNG!!! WARNINNG!!! WARNINNG!!! • WITH GREAT POWER COMES GREAT RESPONSIBILITY
• ВАС ПРИСТРЕЛЯТ ПО УТРУ – НЕ РАБОТАЙТЕ ПО РУ • 272, 273, 274
STAGE 0x00 • Search for train with WiFi • Buy
train ticket • Don’t miss the train
STAGE 0x01 admin
STAGE 0x02
STAGE 0x03
STAGE 0x04
SIP hacking? • Port 5060 + SHODAN • Auth needed?
• Web interface?
CALL TO UID 0
but check! Trust,
Any questions? INFO: @090h
[email protected]
Links https://github.com/0x90/routerz https://github.com/0x90/modemz