SlideShare una empresa de Scribd logo

4G modem – best present ever!

Descargar como PPTX, PDF
Positive Hack Days
Positive Hack Days
Tecnología
1 de 22
Dmitry Sklyarov Senior Analyst @ Department for Advanced Developments Positive Technologies Positive Hack Days IV, May 21-22, 2014
How it looks (approximately ;)
Explore textual marks on Modem Front side: • “4G” logo • operator’s logo Under the cover (access to SIM and SD cards): • operator’s internal model number • IMEI • serial number Hmm, what the actual manufacturer name and model number? Back side: • nothing
Explore packaging Manufacturer name (ZTE) printed on the box and in booklet
ZTE MF823 4G Modem Specification • LTE-FDD: 800/900/1800/2600MHz; • UMTS: 900/2100MHz; • LTE-FDD: DL/UL 100/50Mbps (Category3) • DC-HSPA+: DL/UL 42/5.76Mbps • Size: 90 x 28.4 x 13mm • OS: Win7, Windows XP,Vista, Win8, Mac OS
ZTE MF823 4G Modem re-Branding MegaFon (Russia) O2(Germany)
Is there Modem anymore? After plugging into PC running Windows 7: • CWID USB SCSI CD-ROM USB Device • ZTE MMC Storage USB Device (MicroSD Card Reader) After performing “Eject CD Drive”: • CD-ROM (sometimes they come back!) • MicroSD Card Reader • Remote NDIS* based Internet Sharing Device *NDIS == Network Driver Interface Specification No drivers required! (at least on Windows 7 ;)
Remote NDIS adapter properties > ipconfig Windows IP Configuration Ethernet adapter Local Area Connection: Connection-specific DNS Suffix . : IPv4 Address. . . . . . . . . . . : 192.168.0.182 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 192.168.0.1
How to speak with MF823? Results of ports scan for 192.168.0.1
HTTP server on 192.168.0.1 NB: Some brand-customized firmware contains web-interface that relies on “GoForm” handlers GET /index.html HTTP/1.1 Host: 192.168.0.1 HTTP/1.1 404 Site or Page Not Found GET / HTTP/1.1 Host: 192.168.0.1 HTTP/1.0 302 Redirect Server: GoAhead-Webs/2.5.0 Location: http://192.168.0.1/index.html
HTTP server Handlers Defined UrlHandlers: /goform /cgi-bin /mmc2 /api/xmlclient/post /client/backup /api/nvramul.cgi Defined GoForm handlers: /goform/goform_get_cmd_process /goform/goform_set_cmd_process /goform/goform_process /goform/formTest
Getting diagnostics info http://192.168.0.1/goform/ goform_get_cmd_process? cmd=device_diagnostics Returns: productName softwareVersion modemVersion routerVersion webUiVersion hardwareVersion serialNumber simSerialNumber simMsisdn deviceImei simImsi simStatus sdCardAvailable sdCardTotalMemory sdCardUsedMemory currentConnectedUsers maxConnectedUsers timeSinceStartup
Switching to Download (FACTORY) mode http://192.168.0.1/goform/goform_process? goformId=MODE_SWITCH&switchCmd=FACTORY New devices appears: • ZTE Diagnostics Interface (COMX) • ZTE NMEA Device (COMY) • ZTE Proprietary USB Modem NB: Send AT+ZCDRUN=F to COM-port associated with “ZTE NMEA Device” to return from Download mode
telnetd on 192.168.0.1 OpenEmbedded Linux 9615-cdp msm 20130729 9615-cdp 9615-cdp login: root Password: zte9x15 root@9615-cdp:~# id uid=0(root) gid=0(root) groups=0(root)
root is good! Full-featured ARM-based Linux • busybox apps (e.g. nc and netstat) • iptables • tcpdump • gdbserver CD image at /usr/zte_web/ZTEMODEM.ISO HTTP server root at /usr/zte_web/web/* • auto_apn • copy • zte_log
What is actually under your control?
What is actually under your control?
What are the treats? controls all external traffic log all internet activity replicate all internet activity WiFi-enabled? access to local WiFi GPS-enabled? store/report GPS location under remote management access to local network
My favorite Modem ;)
That’s all… Thanks for your patience ;) Dmitry Sklyarov DSklyarov@ptsecurity.ru Senior Analyst @ Department for Advanced Developments Positive Technologies
4G modem – best present ever!

Recomendados

Datasheet for Hystou Mini Industrial PC model P12-i5-4200U and i7-4500U
Datasheet for Hystou Mini Industrial PC model P12-i5-4200U and i7-4500UDatasheet for Hystou Mini Industrial PC model P12-i5-4200U and i7-4500U
Datasheet for Hystou Mini Industrial PC model P12-i5-4200U and i7-4500UKelly Shaw
 
Datasheet for Hystou Mini PC model P05B-i7-5500u-2c
Datasheet for Hystou Mini PC model P05B-i7-5500u-2cDatasheet for Hystou Mini PC model P05B-i7-5500u-2c
Datasheet for Hystou Mini PC model P05B-i7-5500u-2cKelly Shaw
 
Denis Baranov: Root via XSS
Denis Baranov: Root via XSSDenis Baranov: Root via XSS
Denis Baranov: Root via XSSqqlan
 
DEF CON 27 - XIAOHUIHUI - all the 4g modules could be hacked
DEF CON 27 - XIAOHUIHUI - all the 4g modules could be hackedDEF CON 27 - XIAOHUIHUI - all the 4g modules could be hacked
DEF CON 27 - XIAOHUIHUI - all the 4g modules could be hackedFelipe Prado
 
Mvi56 mcm datasheet
Mvi56 mcm datasheetMvi56 mcm datasheet
Mvi56 mcm datasheetFranz07
 
Fuzzing usb modems rahu_sasi
Fuzzing usb modems rahu_sasiFuzzing usb modems rahu_sasi
Fuzzing usb modems rahu_sasiRahul Sasi
 
Mozilla chirimen firefox os dwika v5
Mozilla chirimen firefox os dwika v5Mozilla chirimen firefox os dwika v5
Mozilla chirimen firefox os dwika v5Dwika Sudrajat
 
Wifi obd auto checker using step
Wifi obd auto checker using stepWifi obd auto checker using step
Wifi obd auto checker using stepBill Zhao
 

Recomendados

Datasheet for Hystou Mini Industrial PC model P12-i5-4200U and i7-4500U
Datasheet for Hystou Mini Industrial PC model P12-i5-4200U and i7-4500UDatasheet for Hystou Mini Industrial PC model P12-i5-4200U and i7-4500U
Datasheet for Hystou Mini Industrial PC model P12-i5-4200U and i7-4500UKelly Shaw
 
Datasheet for Hystou Mini PC model P05B-i7-5500u-2c
Datasheet for Hystou Mini PC model P05B-i7-5500u-2cDatasheet for Hystou Mini PC model P05B-i7-5500u-2c
Datasheet for Hystou Mini PC model P05B-i7-5500u-2cKelly Shaw
 
Denis Baranov: Root via XSS
Denis Baranov: Root via XSSDenis Baranov: Root via XSS
Denis Baranov: Root via XSSqqlan
 
DEF CON 27 - XIAOHUIHUI - all the 4g modules could be hacked
DEF CON 27 - XIAOHUIHUI - all the 4g modules could be hackedDEF CON 27 - XIAOHUIHUI - all the 4g modules could be hacked
DEF CON 27 - XIAOHUIHUI - all the 4g modules could be hackedFelipe Prado
 
Mvi56 mcm datasheet
Mvi56 mcm datasheetMvi56 mcm datasheet
Mvi56 mcm datasheetFranz07
 
Fuzzing usb modems rahu_sasi
Fuzzing usb modems rahu_sasiFuzzing usb modems rahu_sasi
Fuzzing usb modems rahu_sasiRahul Sasi
 
Mozilla chirimen firefox os dwika v5
Mozilla chirimen firefox os dwika v5Mozilla chirimen firefox os dwika v5
Mozilla chirimen firefox os dwika v5Dwika Sudrajat
 
Wifi obd auto checker using step
Wifi obd auto checker using stepWifi obd auto checker using step
Wifi obd auto checker using stepBill Zhao
 
Android Industrial Mobility - Droidcon Italy - Turin 9-10 April 2015
Android Industrial Mobility - Droidcon Italy - Turin 9-10 April 2015Android Industrial Mobility - Droidcon Italy - Turin 9-10 April 2015
Android Industrial Mobility - Droidcon Italy - Turin 9-10 April 2015Pietro F. Maggi
 
3 g modem_tutorial
3 g modem_tutorial3 g modem_tutorial
3 g modem_tutorialaljarous
 
EDK_II_SW_debugger_v0.1_lj-Plugfest.pdf
EDK_II_SW_debugger_v0.1_lj-Plugfest.pdfEDK_II_SW_debugger_v0.1_lj-Plugfest.pdf
EDK_II_SW_debugger_v0.1_lj-Plugfest.pdfRajeshravi49
 
gofortution
gofortutiongofortution
gofortutiongofortution
 
mago3D Technical Workshop Material
mago3D Technical Workshop Material mago3D Technical Workshop Material
mago3D Technical Workshop Material SANGHEE SHIN
 
ARM uVisor Debug Refinement Project(debugging facility improvements)
ARM uVisor Debug Refinement Project(debugging facility improvements)ARM uVisor Debug Refinement Project(debugging facility improvements)
ARM uVisor Debug Refinement Project(debugging facility improvements)家榮 張
 
Top 10 secure boot mistakes
Top 10 secure boot mistakesTop 10 secure boot mistakes
Top 10 secure boot mistakesJustin Black
 
Security of Go Modules - SF Meetup
Security of Go Modules - SF MeetupSecurity of Go Modules - SF Meetup
Security of Go Modules - SF MeetupDeep Datta
 
Android Embedded - Smart Hubs als Schaltzentrale des IoT
Android Embedded - Smart Hubs als Schaltzentrale des IoTAndroid Embedded - Smart Hubs als Schaltzentrale des IoT
Android Embedded - Smart Hubs als Schaltzentrale des IoTinovex GmbH
 
Asterisk: dongled !
Asterisk: dongled !Asterisk: dongled !
Asterisk: dongled !Francesco Prior
 
DSI USA Agent & Retailer Presentation Final Version March 5 2015
DSI USA Agent & Retailer Presentation Final Version March 5 2015DSI USA Agent & Retailer Presentation Final Version March 5 2015
DSI USA Agent & Retailer Presentation Final Version March 5 2015Mark Davis
 
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...Felipe Prado
 
Forti Gate Virtual Appliances Sales 201010
Forti Gate Virtual Appliances Sales 201010Forti Gate Virtual Appliances Sales 201010
Forti Gate Virtual Appliances Sales 201010Alvaro Roldan Peral
 
Droid Pro Launch
Droid Pro LaunchDroid Pro Launch
Droid Pro Launchndknox
 
Security of go modules and vulnerability scanning in GoCenter
Security of go modules and vulnerability scanning in GoCenterSecurity of go modules and vulnerability scanning in GoCenter
Security of go modules and vulnerability scanning in GoCenterDeep Datta
 
Eclipse Edje: A Java API for Microcontrollers
Eclipse Edje: A Java API for MicrocontrollersEclipse Edje: A Java API for Microcontrollers
Eclipse Edje: A Java API for MicrocontrollersMicroEJ
 
QRadar_CEddfdfdsfdfdfdfdfdfdfdfdfdfdff.pdf
QRadar_CEddfdfdsfdfdfdfdfdfdfdfdfdfdff.pdfQRadar_CEddfdfdsfdfdfdfdfdfdfdfdfdfdff.pdf
QRadar_CEddfdfdsfdfdfdfdfdfdfdfdfdfdff.pdfmindhackers161
 
RedWave Smart Flyboard by RFID Global
RedWave Smart Flyboard by RFID GlobalRedWave Smart Flyboard by RFID Global
RedWave Smart Flyboard by RFID GlobalRFID Global by Softwork
 
Mozilla Firefox OS, its Technical Platform and Future - ISET 2014
Mozilla Firefox OS, its Technical Platform and Future - ISET 2014Mozilla Firefox OS, its Technical Platform and Future - ISET 2014
Mozilla Firefox OS, its Technical Platform and Future - ISET 2014Channy Yun
 
The FRAFOS ABC SBC WebRTC gateway
The FRAFOS ABC SBC WebRTC gateway The FRAFOS ABC SBC WebRTC gateway
The FRAFOS ABC SBC WebRTC gateway stefansayer
 
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesPositive Hack Days
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerPositive Hack Days
 

Más contenido relacionado

Similar a 4G modem – best present ever!

Android Industrial Mobility - Droidcon Italy - Turin 9-10 April 2015
Android Industrial Mobility - Droidcon Italy - Turin 9-10 April 2015Android Industrial Mobility - Droidcon Italy - Turin 9-10 April 2015
Android Industrial Mobility - Droidcon Italy - Turin 9-10 April 2015Pietro F. Maggi
 
3 g modem_tutorial
3 g modem_tutorial3 g modem_tutorial
3 g modem_tutorialaljarous
 
EDK_II_SW_debugger_v0.1_lj-Plugfest.pdf
EDK_II_SW_debugger_v0.1_lj-Plugfest.pdfEDK_II_SW_debugger_v0.1_lj-Plugfest.pdf
EDK_II_SW_debugger_v0.1_lj-Plugfest.pdfRajeshravi49
 
mago3D Technical Workshop Material
mago3D Technical Workshop Material mago3D Technical Workshop Material
mago3D Technical Workshop Material SANGHEE SHIN
 
ARM uVisor Debug Refinement Project(debugging facility improvements)
ARM uVisor Debug Refinement Project(debugging facility improvements)ARM uVisor Debug Refinement Project(debugging facility improvements)
ARM uVisor Debug Refinement Project(debugging facility improvements)家榮 張
 
Top 10 secure boot mistakes
Top 10 secure boot mistakesTop 10 secure boot mistakes
Top 10 secure boot mistakesJustin Black
 
Security of Go Modules - SF Meetup
Security of Go Modules - SF MeetupSecurity of Go Modules - SF Meetup
Security of Go Modules - SF MeetupDeep Datta
 
Android Embedded - Smart Hubs als Schaltzentrale des IoT
Android Embedded - Smart Hubs als Schaltzentrale des IoTAndroid Embedded - Smart Hubs als Schaltzentrale des IoT
Android Embedded - Smart Hubs als Schaltzentrale des IoTinovex GmbH
 
DSI USA Agent & Retailer Presentation Final Version March 5 2015
DSI USA Agent & Retailer Presentation Final Version March 5 2015DSI USA Agent & Retailer Presentation Final Version March 5 2015
DSI USA Agent & Retailer Presentation Final Version March 5 2015Mark Davis
 
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...Felipe Prado
 
Forti Gate Virtual Appliances Sales 201010
Forti Gate Virtual Appliances Sales 201010Forti Gate Virtual Appliances Sales 201010
Forti Gate Virtual Appliances Sales 201010Alvaro Roldan Peral
 
Droid Pro Launch
Droid Pro LaunchDroid Pro Launch
Droid Pro Launchndknox
 
Security of go modules and vulnerability scanning in GoCenter
Security of go modules and vulnerability scanning in GoCenterSecurity of go modules and vulnerability scanning in GoCenter
Security of go modules and vulnerability scanning in GoCenterDeep Datta
 
Eclipse Edje: A Java API for Microcontrollers
Eclipse Edje: A Java API for MicrocontrollersEclipse Edje: A Java API for Microcontrollers
Eclipse Edje: A Java API for MicrocontrollersMicroEJ
 
QRadar_CEddfdfdsfdfdfdfdfdfdfdfdfdfdff.pdf
QRadar_CEddfdfdsfdfdfdfdfdfdfdfdfdfdff.pdfQRadar_CEddfdfdsfdfdfdfdfdfdfdfdfdfdff.pdf
QRadar_CEddfdfdsfdfdfdfdfdfdfdfdfdfdff.pdfmindhackers161
 
Mozilla Firefox OS, its Technical Platform and Future - ISET 2014
Mozilla Firefox OS, its Technical Platform and Future - ISET 2014Mozilla Firefox OS, its Technical Platform and Future - ISET 2014
Mozilla Firefox OS, its Technical Platform and Future - ISET 2014Channy Yun
 
The FRAFOS ABC SBC WebRTC gateway
The FRAFOS ABC SBC WebRTC gateway The FRAFOS ABC SBC WebRTC gateway
The FRAFOS ABC SBC WebRTC gateway stefansayer
 

Similar a 4G modem – best present ever! (20)

Android Industrial Mobility - Droidcon Italy - Turin 9-10 April 2015
Android Industrial Mobility - Droidcon Italy - Turin 9-10 April 2015Android Industrial Mobility - Droidcon Italy - Turin 9-10 April 2015
Android Industrial Mobility - Droidcon Italy - Turin 9-10 April 2015
 
3 g modem_tutorial
3 g modem_tutorial3 g modem_tutorial
3 g modem_tutorial
 
EDK_II_SW_debugger_v0.1_lj-Plugfest.pdf
EDK_II_SW_debugger_v0.1_lj-Plugfest.pdfEDK_II_SW_debugger_v0.1_lj-Plugfest.pdf
EDK_II_SW_debugger_v0.1_lj-Plugfest.pdf
 
gofortution
gofortutiongofortution
gofortution
 
mago3D Technical Workshop Material
mago3D Technical Workshop Material mago3D Technical Workshop Material
mago3D Technical Workshop Material
 
ARM uVisor Debug Refinement Project(debugging facility improvements)
ARM uVisor Debug Refinement Project(debugging facility improvements)ARM uVisor Debug Refinement Project(debugging facility improvements)
ARM uVisor Debug Refinement Project(debugging facility improvements)
 
Top 10 secure boot mistakes
Top 10 secure boot mistakesTop 10 secure boot mistakes
Top 10 secure boot mistakes
 
Security of Go Modules - SF Meetup
Security of Go Modules - SF MeetupSecurity of Go Modules - SF Meetup
Security of Go Modules - SF Meetup
 
Android Embedded - Smart Hubs als Schaltzentrale des IoT
Android Embedded - Smart Hubs als Schaltzentrale des IoTAndroid Embedded - Smart Hubs als Schaltzentrale des IoT
Android Embedded - Smart Hubs als Schaltzentrale des IoT
 
Asterisk: dongled !
Asterisk: dongled !Asterisk: dongled !
Asterisk: dongled !
 
DSI USA Agent & Retailer Presentation Final Version March 5 2015
DSI USA Agent & Retailer Presentation Final Version March 5 2015DSI USA Agent & Retailer Presentation Final Version March 5 2015
DSI USA Agent & Retailer Presentation Final Version March 5 2015
 
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
 
Forti Gate Virtual Appliances Sales 201010
Forti Gate Virtual Appliances Sales 201010Forti Gate Virtual Appliances Sales 201010
Forti Gate Virtual Appliances Sales 201010
 
Droid Pro Launch
Droid Pro LaunchDroid Pro Launch
Droid Pro Launch
 
Security of go modules and vulnerability scanning in GoCenter
Security of go modules and vulnerability scanning in GoCenterSecurity of go modules and vulnerability scanning in GoCenter
Security of go modules and vulnerability scanning in GoCenter
 
Eclipse Edje: A Java API for Microcontrollers
Eclipse Edje: A Java API for MicrocontrollersEclipse Edje: A Java API for Microcontrollers
Eclipse Edje: A Java API for Microcontrollers
 
QRadar_CEddfdfdsfdfdfdfdfdfdfdfdfdfdff.pdf
QRadar_CEddfdfdsfdfdfdfdfdfdfdfdfdfdff.pdfQRadar_CEddfdfdsfdfdfdfdfdfdfdfdfdfdff.pdf
QRadar_CEddfdfdsfdfdfdfdfdfdfdfdfdfdff.pdf
 
RedWave Smart Flyboard by RFID Global
RedWave Smart Flyboard by RFID GlobalRedWave Smart Flyboard by RFID Global
RedWave Smart Flyboard by RFID Global
 
Mozilla Firefox OS, its Technical Platform and Future - ISET 2014
Mozilla Firefox OS, its Technical Platform and Future - ISET 2014Mozilla Firefox OS, its Technical Platform and Future - ISET 2014
Mozilla Firefox OS, its Technical Platform and Future - ISET 2014
 
The FRAFOS ABC SBC WebRTC gateway
The FRAFOS ABC SBC WebRTC gateway The FRAFOS ABC SBC WebRTC gateway
The FRAFOS ABC SBC WebRTC gateway
 

Más de Positive Hack Days

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesPositive Hack Days
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerPositive Hack Days
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesPositive Hack Days
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikPositive Hack Days
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQubePositive Hack Days
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityPositive Hack Days
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Positive Hack Days
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для ApproofPositive Hack Days
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Positive Hack Days
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложенийPositive Hack Days
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложенийPositive Hack Days
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application SecurityPositive Hack Days
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летPositive Hack Days
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиPositive Hack Days
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОPositive Hack Days
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке СиPositive Hack Days
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CorePositive Hack Days
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опытPositive Hack Days
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterPositive Hack Days
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиPositive Hack Days
 

Más de Positive Hack Days (20)

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows Docker
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive Technologies
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + Qlik
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQube
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps Community
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для Approof
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложений
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложений
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application Security
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 лет
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на грабли
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПО
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке Си
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опыт
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services Center
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атаки
 

Último

The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 

Último (20)

The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 

4G modem – best present ever!

  • 1.
  • 2. Dmitry Sklyarov Senior Analyst @ Department for Advanced Developments Positive Technologies Positive Hack Days IV, May 21-22, 2014
  • 3. How it looks (approximately ;)
  • 4. Explore textual marks on Modem Front side: • “4G” logo • operator’s logo Under the cover (access to SIM and SD cards): • operator’s internal model number • IMEI • serial number Hmm, what the actual manufacturer name and model number? Back side: • nothing
  • 5. Explore packaging Manufacturer name (ZTE) printed on the box and in booklet
  • 6. ZTE MF823 4G Modem Specification • LTE-FDD: 800/900/1800/2600MHz; • UMTS: 900/2100MHz; • LTE-FDD: DL/UL 100/50Mbps (Category3) • DC-HSPA+: DL/UL 42/5.76Mbps • Size: 90 x 28.4 x 13mm • OS: Win7, Windows XP,Vista, Win8, Mac OS
  • 7. ZTE MF823 4G Modem re-Branding MegaFon (Russia) O2(Germany)
  • 8. Is there Modem anymore? After plugging into PC running Windows 7: • CWID USB SCSI CD-ROM USB Device • ZTE MMC Storage USB Device (MicroSD Card Reader) After performing “Eject CD Drive”: • CD-ROM (sometimes they come back!) • MicroSD Card Reader • Remote NDIS* based Internet Sharing Device *NDIS == Network Driver Interface Specification No drivers required! (at least on Windows 7 ;)
  • 9. Remote NDIS adapter properties > ipconfig Windows IP Configuration Ethernet adapter Local Area Connection: Connection-specific DNS Suffix . : IPv4 Address. . . . . . . . . . . : 192.168.0.182 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 192.168.0.1
  • 10. How to speak with MF823? Results of ports scan for 192.168.0.1
  • 11. HTTP server on 192.168.0.1 NB: Some brand-customized firmware contains web-interface that relies on “GoForm” handlers GET /index.html HTTP/1.1 Host: 192.168.0.1 HTTP/1.1 404 Site or Page Not Found GET / HTTP/1.1 Host: 192.168.0.1 HTTP/1.0 302 Redirect Server: GoAhead-Webs/2.5.0 Location: http://192.168.0.1/index.html
  • 12. HTTP server Handlers Defined UrlHandlers: /goform /cgi-bin /mmc2 /api/xmlclient/post /client/backup /api/nvramul.cgi Defined GoForm handlers: /goform/goform_get_cmd_process /goform/goform_set_cmd_process /goform/goform_process /goform/formTest
  • 13. Getting diagnostics info http://192.168.0.1/goform/ goform_get_cmd_process? cmd=device_diagnostics Returns: productName softwareVersion modemVersion routerVersion webUiVersion hardwareVersion serialNumber simSerialNumber simMsisdn deviceImei simImsi simStatus sdCardAvailable sdCardTotalMemory sdCardUsedMemory currentConnectedUsers maxConnectedUsers timeSinceStartup
  • 14. Switching to Download (FACTORY) mode http://192.168.0.1/goform/goform_process? goformId=MODE_SWITCH&switchCmd=FACTORY New devices appears: • ZTE Diagnostics Interface (COMX) • ZTE NMEA Device (COMY) • ZTE Proprietary USB Modem NB: Send AT+ZCDRUN=F to COM-port associated with “ZTE NMEA Device” to return from Download mode
  • 15. telnetd on 192.168.0.1 OpenEmbedded Linux 9615-cdp msm 20130729 9615-cdp 9615-cdp login: root Password: zte9x15 root@9615-cdp:~# id uid=0(root) gid=0(root) groups=0(root)
  • 16. root is good! Full-featured ARM-based Linux • busybox apps (e.g. nc and netstat) • iptables • tcpdump • gdbserver CD image at /usr/zte_web/ZTEMODEM.ISO HTTP server root at /usr/zte_web/web/* • auto_apn • copy • zte_log
  • 17. What is actually under your control?
  • 18. What is actually under your control?
  • 19. What are the treats? controls all external traffic log all internet activity replicate all internet activity WiFi-enabled? access to local WiFi GPS-enabled? store/report GPS location under remote management access to local network
  • 21. That’s all… Thanks for your patience ;) Dmitry Sklyarov DSklyarov@ptsecurity.ru Senior Analyst @ Department for Advanced Developments Positive Technologies