Drop it like it's hotspot - Black Hat Briefings
Drop it like it's hotspot
Steve Lord
Agenda
What This Is About
● How to hack Linux-based embedded devices
● How to abuse mifi hotspots
● Some toys
Who Is This Guy?
No, really? Who is he?
● @stevelord
● Career Pentester
● Technical Director at Mandalorian
● @44Con co-founder
● Tiger Scheme Tech Panel Member
● Described as a “walking 4chan” by some guy at AppSec EU last year
Conclusion
Thanks for listening
● Breaking embedded systems is easy
● For some values of embedded systems
● And some values of easy
Butt
Weight?
I Was In A Hot Country
No, really
And I Saw This
What Is That?
Bandluxe PR30 Mifi Hotspot
● Based on Freescale i.MX25
● ARM926EJ-S
● HSPA+
● Built in 802.11 b/g
● Micro SD slot
● SMB Server
Other Stuff
Bandluxe PR30 Mifi Hotspot
● Exports .iso as CD
● Uses RNDIS for USB Net
● External 3G antenna port
● 2200 mAH battery (4 hours!)
● Nearly 24 hours with a spare 10000 mAH pack!
An Approach
Taking control
● Profile the device
● Analyse the firmware
● Find and exploit flaws
Profile The Device
Let's take a look
Analyse The Firmware
What's in the box?
Analyse The Firmware
Conclusions
● Firmware contains mtd 2 and 3 partitions
● Other mtd partitions referenced in software
● Could reconstruct modified firmware
● Risky but doable
Find And Exploit Flaws
Time to root
● Bandrich customised x-wrt webif
● Uses haserl to execute shell scripts
● Runs as root
● Looks pretty legit to me
Find And Exploit Flaws
Time to root
● Backup/Restore
● Uses tar
● No integrity checks
● Untars to /
– As root
– :)
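A restore routine that closes the gaps listed on this slide, as an added example (not code from the talk or from the device firmware): it authenticates the archive with an HMAC, validates every member before writing anything, and unpacks into a staging directory instead of /. The key handling, ALLOWED_PREFIXES, the size limit and all function names are assumptions; the sample archives are constructed in memory.

```python
import hashlib
import hmac
import io
import os
import tarfile
import tempfile

# Assumption: legitimate backups only carry files under these prefixes.
# The device's real backup layout is not given on the slides.
ALLOWED_PREFIXES = ("etc/config/",)
MAX_MEMBER_SIZE = 64 * 1024  # assumed upper bound for one config file


class RestoreRejected(Exception):
    """The backup failed authentication or member validation."""


def sign_backup(archive: bytes, key: bytes) -> bytes:
    """HMAC-SHA256 tag created at backup time with a per-device secret."""
    return hmac.new(key, archive, hashlib.sha256).digest()


def check_member(member: tarfile.TarInfo) -> str:
    """Return the normalised relative path of a member, or raise."""
    if not member.isreg():
        # Symlinks, hardlinks, devices, FIFOs and directory entries are refused.
        raise RestoreRejected(f"non-regular member: {member.name}")
    if member.size > MAX_MEMBER_SIZE:
        raise RestoreRejected(f"member too large: {member.name}")
    name = os.path.normpath(member.name)
    if os.path.isabs(name) or name == ".." or name.startswith("../"):
        raise RestoreRejected(f"path escapes restore root: {member.name}")
    if not name.startswith(ALLOWED_PREFIXES):
        raise RestoreRejected(f"path outside allowlist: {member.name}")
    return name


def safe_restore(archive: bytes, tag: bytes, key: bytes, dest: str) -> list:
    """Authenticate, validate every member, then unpack into staging dir dest."""
    if not hmac.compare_digest(sign_backup(archive, key), tag):
        raise RestoreRejected("backup authentication failed")
    written = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        members = tar.getmembers()
        names = [check_member(m) for m in members]  # nothing written yet
        for member, name in zip(members, names):
            target = os.path.join(dest, name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            # Write the bytes ourselves: owner and mode bits stored in the
            # archive (setuid included) are never applied.
            fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
            with os.fdopen(fd, "wb") as out:
                out.write(tar.extractfile(member).read())
            written.append(name)
    return written


def make_archive(files: dict, symlinks: dict = None) -> bytes:
    """Build a constructed sample backup in memory (test input only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o4755  # hostile setuid bit; safe_restore ignores it
            tar.addfile(info, io.BytesIO(data))
        for name, target in (symlinks or {}).items():
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)
    return buf.getvalue()


if __name__ == "__main__":
    key = b"constructed-device-key"
    good = make_archive({"etc/config/network": b"config interface lan\n"})
    bad = make_archive({"etc/config/network": b"x", "../../etc/shadow": b"y"})
    for label, blob in (("good", good), ("traversal", bad)):
        with tempfile.TemporaryDirectory() as staging:
            try:
                print(label, safe_restore(blob, sign_backup(blob, key), key, staging))
            except RestoreRejected as err:
                print(label, "rejected:", err)
```

Only after the staging directory passes validation would its contents be copied into place, by a process holding no more privilege than the configuration files require.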
And Once We're On The Box
It's showtime, people
Takeaways
Chipsy King style
● Linux devices are not as hard as they seem
● This device employs much security comedy
● Root is only half the battle...
Agenda
What This Is About
● How to hack Linux-based embedded devices
● How to abuse mifi hotspots
● Some toys
How To Abuse Hotspots
Dropping it like it's hotspot
● Ideas
● Extend cyber<war||space||marketing> into physically disconnected environments
● Autonomous meshes
● Evil mobile coffee hotspot
How To Abuse Hotspots
Attack platform
The Plan
We Pick A Target
We Take One Of These
Modified, natch
Stick It Under One Of These
And Hope No-one Notices
But Seriously, Folks
Dropping it like it's hotspot
● Considerations
● Host tools on target versus route through
● Connect to device vs device connects out
● Crack Wifi from device vs pre-pwned wifi
Before We Begin
Stage 1: Steal Underpants
● We need a cross-compile toolchain
● i.MX25 compatible compiler
● uClibc compatible
● OpenWRT Buildroot
Before We Begin
Stage 1: Steal Underpants
● i.MX25 Compatible Compiler
● http://www.landley.net/code/aboriginal/downloads/binaries/cross-compiler/cross-compiler-armv5l.tar.bz2
– Needs 32-bit Linux (I used an Ubuntu VM)
– Not quite the right compiler
– But uses uClibc...
Before We Begin
Stage 1: Steal Underpants
● OpenWRT Buildroot
● Regular Kamikaze 'awkward'
● http://www.voipac.com/downloads/imx/25/src/openwrt/
– Some parts compile better, some not so good
– Howto at http://www.voipac.com/downloads/imx/25/doc/MX-OPENWRT.txt
Before We Begin
Stage 1: Steal Underpants
● Preparing our buildroot
● Untar, patch voipac sources
● Make menuconfig
Before We Begin
Stage 1: Steal Underpants
● Suggested target options
● -O3
● -march=armv5te
● -mcpu=arm926ej-s
● -mfloat-abi=soft
● -pipe
● -mthumb
● -mthumb-interwork
● -fomit-frame-pointer
Before We Begin
Stage 1: Steal Underpants
● Update package list
● scripts/feeds update -a
● scripts/feeds install -a
● Make a sample package
● make package/axel/compile
● .ipk will be in bin/imx25/
After Before We Begin
Stage 2: ????
Gotchas
Stage 2: ????
● uClibc is not tool friendly
● Mx25 port appears incomplete
● Rob Landley's compiler doesn't like the code I throw at it
● Mainly due to the armv5l vs armv5te
● Also uclibc weirdness
● Packages need to be set in menuconfig
How It Should Work
Stage 2: ????
Start With SSH
Stage 2: ????
● Use reverse SSH to host we control
● SSH Back in
● Set option GatewayPorts 'yes' in /etc/config/dropbear
● Alternate options
● OpenVPN
● <protocol>Tunnel
Configure Wifi
Stage 2: ????
● IME ignore standard convention
● Anything that works
● Won't work (yet) on the bandrich
Deployment
Stage 3: Profit
Takeaways
Tasty, delicious, takeaways
● Weaponising hotspots is fun
● If you enjoy swearing at compilers
● Ubiquitous computing lowers the cost of attack
● We're doing this already with bigger kit
● The possibilities for handheld devices are endless
● Use your imagination!
Agenda
What This Is About
● How to hack Linux-based embedded devices
● How to abuse mifi hotspots
● Some toys
Some Toys
Give me tools, they said!
● PR39 Onanist's Toolkit Installer
● Tested on Ubuntu 8.04 LTS
● Installs and prepares the following
– Angstrom compiler
– Landley compiler
– OpenWRT build kit
– Sample tools
– Test packages
● White paper to follow
Thanks For Having Me
Don't forget your feedback forms!
This presentation brought to you by coffee, pizza, beer, Goldfrapp, many cups of tea, not much sleep and swearing at @#£!ing segfaulting code. Catch me next at DC4420 on the 24th April.
CC-NC-SA ©2011 Mandalorian.