BlackHat资料us-14-Lindh-Attacking-Mobile-Broadband-Modems-Like-A-Criminal-Would.pdfVIP

Attacking Mobile Broadband Modems Like A Criminal Would Andreas Lindh, @addelindh, Black Hat USA 2014 About Me •  Security Analyst @ I Secure Sweden •  Defender by profession •  Web browser security as a hobby •  @addelindh on Twitter Agenda •  Introduction •  Target overview •  Attack scenarios •  Demos •  Conclusion Introduction What’s it about? •  It’s about attacking USB modems for profit and... Profit. •  It’s NOT about popping a shell or calc.exe •  It’s about taking the path of least resistance Hacking like a criminal Source: Objectives 1.  Make money 2.  Steal information 3.  Gain persistence Target overview Previous research •  Nikita Tarakanov Oleg Kupreev –  From China With Love (Black Hat EU 2013) •  Rahul Sasi –  SMS to Meterpreter – Fuzzing USB Modems (Nullcon Goa 2013) •  Focus on modems with dialer software Scope •  One 3G/4G device each from the two biggest vendors* –  Huawei E3276 (also E3236, possibly E3256) –  ZTE MF821D •  Combined market share of more than 80% in 2011* *Source: Network topology WWW Public IP 192.168.x.0/24 192.168.x.1 192.168.x.x Web interface •  Configuration –  Limited for the user, not for us •  Features •  No authentication! –  Prone to CSRF •  Sticky configuration parameters Update model Attack scenarios or “What would Robert Hackerman do? Out of scope (but possible) •  Disconnect the device •  Lock out PIN and PUK •  Permanently break the application •  Permanently brick the device Attack: DNS changer Attack: DNS changer •  Set DnsIsStatic to ‘1’