How I Met Your Modem presented at HITBSecConf Amsterdam 2013

by Peter ‘blasty’ Geissler, Steven Ketelaar

Summary: The importance of software security and integrity of common embedded devices is still often overlooked by many. Compromising an important part of a network (modems, routers/switches, etc.) yields a unique and powerful vector for both eavesdropping and injection of packets. This talk will cover the main aspects of a typical DSL modem and the risks that emerge from the ways ISPs are trying to manage and support their customers.
Expect an in-depth explanation of vulnerabilities we found and were able to exploit successfully and reliably from both the local and remote sides without requiring any user interaction.
The talk can be broken down into the following big parts:
* Introduction to DSL modems and why we should care about them
* Identifying local and remote vulnerabilities
* Responsible disclosure of these vulnerabilities
* Debugging on (hostile) embedded devices
* Reliably exploiting remote pre-auth vulnerabilities
* Building an advanced trojan for MIPS/Linux
This talk will start by covering a quick explanation of what a DSL modem is capable of and why we should care about them. Subsequently, there will be an introduction to various methods of managing these DSL modems locally (for end users) and remotely (for ISPs).
Next up, there will be a description of the process we followed to identify a basic local command injection vulnerability in order to pop a shell on the device.
After warming up a bit with this basic command injection vulnerability, there will be an explanation of how a remote (WAN) vulnerability was identified and successfully and reliably exploited. This includes detailed explanations on exploiting memory corruption bugs and doing return oriented programming on MIPS. To take a break from all the technical stuff, we’ll briefly cover responsible disclosure and our experience with disclosing these vulnerabilities to the biggest Dutch Telco/ISP in order to mitigate a lot of (potential) damage and not end up in jail.
To make things more interesting beyond popping a simple shell, we will explain how we developed a somewhat advanced trojan/RAT for these limited devices that is capable of:
* Eavesdropping on VoIP calls
* HTTP iframe/exploitkit injection
* General packet eavesdropping (POP3, IMAP, etc.)
* SSLStrip capabilities
* Some fun stuff (upside-down-ternet, anyone?)
Last but not least, we will end this talk with a nice exclusive demo of the trojan and exploits and try to leave some time for Q&A.