0x01: Introduction to Modems
The term DSL modem technically describes "a modem which connects to a single computer, through a USB port or is installed in a computer PCI slot". The more common DSL router, which combines the functions of a DSL modem and a home router, is a standalone device that can be connected to multiple computers through multiple Ethernet ports or an integral wireless access point. Also called a "residential gateway", a DSL router usually manages the connection and sharing of the DSL service in a home or small office network.
Most consumer DSL lines use one of several variations of Asymmetric DSL (ADSL). "Asymmetric" means that more of the line's bandwidth is dedicated to downstream (download) data than to upstream (upload) data. Download rates are therefore faster than upload rates, since most users download far larger quantities of data than they upload. Because telephone lines were never designed to carry such high-frequency signals, DSL is distance-sensitive: the farther the modem is from the switching center, the longer the telephone wires, the weaker the signal, and the lower the data rate the modem can achieve. Users in metropolitan areas, close to switching centers, may have access to higher-rate service, up to 8 Mbit/s, than the expected rate for the same service in remote areas.
Reference: en.wikipedia.org/wiki/DSL_modem
0x02: Market Share
Most modem manufacturers are based in China. Research shows that companies like ZTE and Huawei are doing very well and have gained enterprise router share in China over the past year. In China, ZTE placed third in 2013 and 2014, with a dizzying rise this year compared with the popular consortium Cisco (which happens to be more secure). This is also due to the fact that Cisco's products are very costly and difficult for home users to afford.
0x03: Backups & Backdoors
All modems include backup files, mainly because of the need to restore the modem to its original state after a reset. However, knowing the direct link to the backup file puts the modem directly in danger. All an attacker has to do is request the backup file and view it; mostly this is juicy plaintext information containing passwords and ISP configuration.
Knowing this, some vendors try to encrypt the contents of these files, so that downloading them would be useless to the attacker. But decrypting them isn't entirely impossible, as lots of vendors tend to use weak encryption mechanisms for the backup file, and research done by white hats such as Osanda Malith shows that. He, for example, provided a PoC tool to decrypt these rom-0 (backup) files from most modems, including ZTE and TP-Link.
Most Chinese vendors such as ZTE are banned from the US: one, because they are incredibly insecure, and two, because they put in malicious backdoors to snoop and eavesdrop on individuals and organizations.
Lots of trusted companies such as TP-Link, Huawei and other Chinese companies have a record of placing backdoors in their products. These backdoors are normally in the form of open ports which, on connecting, provide a reverse shell. The ports are often high-numbered to make them harder to detect.
One such example can be found here. This lets them capture sensitive files and sometimes sell them to the countries they reside in. This strategy is a great one for governments to spy on their citizens, as well as a great part of a cyber attack against a particular country. So, for example: a country could sell cheap backdoored modems to a target country, and if the modems end up being used on military and sensitive systems, they have hit the jackpot.
0x04: Default Configuration Details and Hardcoded Credentials
Apparently all, if not most, modems come with very easy-to-guess password configurations. In fact, most of them are identical, like username: admin and password: admin. Most people do not change the configuration details, and most ISPs leave this as the default.
This amazingly is good news for malicious users, because all they have to do is know the vendor, and they can easily get their hands on the credentials using sites such as http://www.routerpasswords.com/.
0x05: XSRF and XSS
These are two of the most common flaws in the history of web security. Most ZTE modems do not use anti-XSRF tokens (used to prevent CSRF attacks) on any sensitive request.
XSS is even worse, because if someone finds an XSS flaw in any modem (which is likely), they can send that link to a logged-in administrator and perform any action on behalf of the admin; this could be done by stealing the XSRF token. An XSS flaw could also allow session hijacking and other browser attacks.
XSRF flaws are more commonly found in modems than XSS, because modems use HTTP authentication most of the time, so authentication travels in request headers rather than in a session the modem controls. This makes it harder for the modem to detect forged requests or to issue anti-CSRF tokens that it could then compare against.
Because of this, or simply because of careless development, it is sometimes possible to trick admins into changing passwords, issuing commands or easing access.
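To make the point concrete, here is an added Python model (not code from the article, and not any vendor's firmware) of a modem's "change admin password" handler. The first handler authenticates only by the HTTP Basic header, which the browser re-sends on every request to the modem, so a page the admin merely visits can submit the form for them. The second handler ties the action to a session cookie, a synchronizer token that only the modem's own page knows, and an Origin check. The request format, the `Device`/`Request` classes and the management address `http://192.168.1.1` are assumptions made for the example.

```python
"""Added example: a modem password-change handler without and with CSRF
defences.  Everything here is a hypothetical stand-in; no real firmware is
modelled and the constructed requests are illustrative only."""
import base64
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP POST to /change_password (constructed)."""
    headers: dict
    form: dict


@dataclass
class Device:
    """State of the modem's web UI: admin credential and live sessions."""
    admin_user: str = "admin"
    admin_pass: str = "admin"                      # the default the article describes
    sessions: dict = field(default_factory=dict)   # session id -> csrf token
    origin: str = "http://192.168.1.1"             # assumed management URL


def _basic_auth_ok(dev, request):
    """Parse 'Authorization: Basic base64(user:pass)' and verify it."""
    hdr = request.headers.get("Authorization", "")
    if not hdr.startswith("Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(hdr[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return hmac.compare_digest(user, dev.admin_user) and hmac.compare_digest(pw, dev.admin_pass)


def vulnerable_change_password(dev, request):
    """Vulnerable form: the only check is the Basic auth header, which the
    browser attaches automatically, including to a POST forged by another
    site the admin has open.  Returns True when the password was changed."""
    if not _basic_auth_ok(dev, request):
        return False
    dev.admin_pass = request.form["new_password"]
    return True


def new_session(dev):
    """Login step of the hardened UI: mint a session id and a CSRF token."""
    sid, token = secrets.token_hex(16), secrets.token_hex(16)
    dev.sessions[sid] = token
    return sid, token


def hardened_change_password(dev, request):
    """Hardened form: session cookie + synchronizer token + Origin check.
    A cross-site POST cannot supply the token (it lives only in the admin's
    page) and carries a foreign Origin, so it is refused."""
    cookie = request.headers.get("Cookie", "")
    sid = cookie[4:] if cookie.startswith("sid=") else ""
    expected = dev.sessions.get(sid)
    if expected is None:
        return False                                # not logged in via a session
    origin = request.headers.get("Origin") or request.headers.get("Referer", "")
    if not origin.startswith(dev.origin):
        return False                                # request did not originate from our UI
    supplied = request.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, expected):
        return False                                # token missing or wrong: treat as forged
    dev.admin_pass = request.form["new_password"]
    return True


def demo():
    """Send a forged POST to each handler; returns (vulnerable, hardened, legit)."""
    creds = base64.b64encode(b"admin:admin").decode()
    # Constructed forged POST: browser-supplied Basic auth, attacker-chosen form body.
    forged = Request(headers={"Authorization": f"Basic {creds}",
                              "Origin": "http://evil.example"},
                     form={"new_password": "owned"})
    dev_a = Device()
    vuln_result = vulnerable_change_password(dev_a, forged)        # True: password changed
    dev_b = Device()
    sid, token = new_session(dev_b)
    forged_b = Request(headers={"Cookie": f"sid={sid}", "Origin": "http://evil.example"},
                       form={"new_password": "owned"})
    hardened_result = hardened_change_password(dev_b, forged_b)    # False: rejected
    # Legitimate submission from the modem's own page carries the token.
    legit = Request(headers={"Cookie": f"sid={sid}", "Origin": dev_b.origin},
                    form={"new_password": "long-unique-passphrase", "csrf_token": token})
    legit_result = hardened_change_password(dev_b, legit)          # True
    return vuln_result, hardened_result, legit_result
```

The Origin check alone is not enough (older browsers and some proxies strip it), and the token alone is undermined by the XSS case the article mentions, where script on the modem's own origin can read the page and lift the token; the two checks together, plus output encoding of anything the UI reflects, is the usual baseline.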
0x06: Social Engineering
What would you say if a blocked number called you and the caller told you that she is from your ISP and needs your credentials in order to add or maintain the new and revised 3G technology in your modem? Or she asks you to let her fix security flaws in your modem? You surely would never expect this to be a trick. I mean, why would you? And then, the next thing you know, she has snooped your configuration password. Knowing this password could mean (since lots of people reuse passwords) that she has gained access to your email password, financial accounts, etc.
0x07: Exploit Databases
Many exploit databases hold juicy info about modems, including default configurations, XSRF/XSS/LFI flaws, logical issues and backdoors. So all you need to do is find the modem version and search exploit databases such as exploit-db.com, 1337day.com, etc.
Say you found an exploit against a previous version of a modem, but not for the exact version. This doesn't necessarily mean yours isn't vulnerable to the particular exploit you found. In fact, most vendors use the same architecture to construct the web interface of their modems, so one XSS on one model could mean XSS on all the vendor's other modems.
0x08: Eavesdropping
The lack of SSL usually means bad luck for modems, especially in office/public use, because the admin is always at risk when accessing any file from the modem. The reason is that it is very easy to sniff ongoing traffic with tools like Wireshark.
The fact that modems use login protocols like HTTP authentication puts them in more danger: when any file is requested, the modem asks for the authentication header and the admin's browser responds with it (mostly in Base64 form), and an attacker can easily sniff and decode this.
Even when SSL is used (note that very few modems use it), it can still be insecure and even pose more risk. Recently, a lot of attacks have been identified against SSL protocols: Heartbleed and POODLE, to name a few.
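From the defender's side, the same property that makes Basic auth sniffable makes it easy to audit a capture for credentials crossing the wire in the clear. The following Python is an added example, not code from the article: it walks a list of captured HTTP requests, flags any plaintext request carrying a Basic auth header, and reports the username, the password length and whether the pair is a known vendor default, without copying the password itself into the report. The packet tuple shape, the addresses, the `/rom-0` request and the short default list are constructed for the example.

```python
"""Added example: passive detection of management credentials sent over
plaintext HTTP, the Wireshark scenario the article describes.  The capture
below is constructed; addresses, paths and header values are placeholders."""
import base64
import re

REQ_LINE = re.compile(r"^(GET|POST|PUT)\s+(\S+)\s+HTTP/1\.[01]\r?$", re.M)
BASIC_HDR = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*\r?$", re.I | re.M)

# Illustrative defaults: the article's admin/admin plus one constructed entry.
KNOWN_DEFAULTS = {("admin", "admin"), ("admin", "1234")}


def audit_capture(packets):
    """packets: iterable of (src_ip, dst_ip, dst_port, payload_bytes) as a
    sniffer would hand them over.  Returns one finding per plaintext HTTP
    request that carries a Basic auth header.  The password is not copied
    into the finding, only its length and whether it is a known default, so
    the audit report does not become another copy of the secret."""
    findings = []
    for src, dst, port, payload in packets:
        if port == 443:
            continue                       # TLS: a passive observer sees only ciphertext
        text = payload.decode("latin-1")   # headers are bytes; latin-1 never fails
        req, auth = REQ_LINE.search(text), BASIC_HDR.search(text)
        if not req or not auth:
            continue
        try:
            decoded = base64.b64decode(auth.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue                       # malformed header: nothing recoverable
        user, _, password = decoded.partition(":")
        findings.append({
            "src": src, "dst": dst,
            "method": req.group(1), "path": req.group(2),
            "user": user,
            "password_len": len(password),
            "vendor_default": (user.lower(), password) in KNOWN_DEFAULTS,
        })
    return findings


def sample_findings():
    """Run the audit over a constructed three-packet capture."""
    basic = base64.b64encode(b"admin:admin").decode()
    capture = [
        # 1) admin browser fetching the config backup over plaintext HTTP
        ("192.168.1.20", "192.168.1.1", 80,
         (f"GET /rom-0 HTTP/1.1\r\nHost: 192.168.1.1\r\n"
          f"Authorization: Basic {basic}\r\n\r\n").encode()),
        # 2) an unauthenticated status page request: no credential exposed
        ("192.168.1.21", "192.168.1.1", 80,
         b"GET /status.html HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n"),
        # 3) a TLS session to a hypothetical HTTPS-only modem: opaque bytes
        ("192.168.1.22", "192.168.1.1", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),
    ]
    return audit_capture(capture)
```

Only the first packet produces a finding; the third shows why the article's TLS recommendation matters even on a LAN: the same audit has nothing to read once the session is encrypted.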
0x09: Denial Of Service
Denial of Service is one of the most annoying things I can think of, next to a logout CSRF. People with bad intentions can use this type of attack to knock a modem out of delivering internet and sometimes even make the modem reset itself.
This is really crazy for people trying to do their job. The fact that this attack can easily be turned into an untraceable one can make your business day a big pain just because you chose to use a vulnerable modem.
Most modems by design don't hold more than 25MB of storage and have less than 2MB of RAM, with no DoS protection. This usually means they can handle only a limited amount of data, and take a long time to do it. All an attacker has to do is send more requests than the modem can handle, exhausting its memory and resulting in a DoS.
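The mitigation that fits a device with a couple of megabytes of RAM is a request limiter whose own memory use is bounded. The Python below is an added example (not from the article or any vendor) of a per-client token bucket that keeps tokens as integers so refill arithmetic is exact, caps the number of tracked clients so a spray of spoofed sources cannot exhaust memory through the limiter itself, and takes an injectable clock so the simulation is deterministic. The addresses, rates and request counts are constructed.

```python
"""Added example: a memory-bounded per-client rate limiter for a small device.
All figures and addresses are constructed for illustration."""
import time
from collections import OrderedDict


class BoundedRateLimiter:
    """Token bucket per client with a hard cap on the number of tracked clients."""

    def __init__(self, rate_per_sec, burst, max_clients, clock_ms=None):
        self.rate = rate_per_sec             # millitokens added per millisecond
        self.cap = burst * 1000              # bucket ceiling in millitokens
        self.max_clients = max_clients
        self.clock_ms = clock_ms or (lambda: int(time.monotonic() * 1000))
        self.buckets = OrderedDict()         # ip -> [millitokens, last_seen_ms]

    def allow(self, ip):
        """Return True if the request from `ip` may be served now."""
        now = self.clock_ms()
        bucket = self.buckets.get(ip)
        if bucket is None:
            if len(self.buckets) >= self.max_clients:
                self.buckets.popitem(last=False)   # evict least recently seen client
            bucket = self.buckets[ip] = [self.cap, now]
        else:
            self.buckets.move_to_end(ip)           # keep LRU order accurate
            bucket[0] = min(self.cap, bucket[0] + (now - bucket[1]) * self.rate)
            bucket[1] = now
        if bucket[0] >= 1000:                      # one whole token available
            bucket[0] -= 1000
            return True
        return False


def simulate():
    """One flooding source at 100 req/s for 10 s, one admin at 1 req/s, then a
    spray of 1000 spoofed sources.  Returns what each got through and how many
    clients the limiter holds in memory afterwards."""
    t = [0]
    limiter = BoundedRateLimiter(rate_per_sec=5, burst=10, max_clients=256,
                                 clock_ms=lambda: t[0])
    flood_ok = admin_ok = 0
    for i in range(1, 1001):
        t[0] = i * 10                              # 10 ms between flood requests
        if limiter.allow("10.0.0.99"):             # constructed flooding source
            flood_ok += 1
        if i % 100 == 0 and limiter.allow("192.168.1.20"):
            admin_ok += 1                          # admin request once per second
    for n in range(1000):
        limiter.allow(f"198.51.100.{n}")           # constructed spoofed sources
    return {"flood_accepted": flood_ok,
            "admin_accepted": admin_ok,
            "tracked_clients": len(limiter.buckets)}
```

With a 10-request burst and 5 tokens per second, the flood gets 59 of its 1000 requests served while the admin's 10 all pass. The spoofed spray ends with exactly 256 entries in the table; the admin's own bucket was evicted by it, which is the price of a fixed memory budget, but a fresh bucket starts full, so a returning legitimate client is still served.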
0x10: Lack Of Updates
Modem users seldom receive updates for their modems when critical vulnerabilities have been identified in the wild, and a lot of modems don't really have a mechanism for providing OTA (over-the-air) updates. A lot of the time, users have to upgrade the firmware manually, which of course is not possible for people with little or no technical knowledge.
0xA: Suggestions
- If you are an admin/user of a modem, try not to stay logged in, to make attacks like XSRF, XSS and clickjacking less effective.
- Do a little research about the modem model you are trying to buy. Google exploits for it and try to find out whether it uses a secure connection (TLS). If it is vulnerable, why should you buy it? Look for another.
- Disable remote access to decrease the attacker's chance of gaining access over the internet. Since most modem exploits require LAN access, it's a good thing to disable remote Telnet, web and even FTP access to the modem.
- Limit physical access. Because most modems have a physical hard-reset key/button, they should remain in a secured environment where only authorized people can reach them.
Source: http://www.rafayhackingarticles.net/2014/12/common-attacks-against-modems.html
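The default-credential problem from 0x04 and the suggestions above reduce to a short checklist that can be run against a modem's management settings. The Python below is an added example, not code from the article: it audits a configuration for vendor-default credentials, short passwords, management services exposed on the WAN, a plaintext web UI and never-expiring admin sessions, and shows a weak configuration beside a hardened one. The configuration keys, the two sample configs and the short default-credential list are hypothetical (real lists live on sites like the one the article names).

```python
"""Added example: audit a modem's management configuration against the
article's suggestions.  Field names and both sample configs are constructed."""

# Illustrative defaults only: the article's admin/admin plus constructed entries.
KNOWN_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("admin", "1234"),
                  ("root", "root"), ("user", "user")}

MIN_PASSWORD_LEN = 12
MAX_SESSION_S = 900

# Constructed "as shipped" configuration with the weaknesses the article lists.
WEAK_CONFIG = {
    "username": "admin",
    "password": "admin",
    "https_only": False,
    "wan_services": ["telnet", "http", "ftp"],   # management reachable from the internet
    "session_timeout_s": 0,                      # 0 = admin session never expires
}

# Constructed hardened configuration following the suggestions.
HARDENED_CONFIG = {
    "username": "netadmin",
    "password": "correct-horse-battery-staple-42",
    "https_only": True,
    "wan_services": [],                          # remote Telnet/web/FTP disabled
    "session_timeout_s": 300,
}


def audit_config(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    user = cfg.get("username", "")
    password = cfg.get("password", "")
    if (user.lower(), password) in KNOWN_DEFAULTS:
        findings.append("vendor default credentials in use")
    if len(password) < MIN_PASSWORD_LEN:
        findings.append(f"admin password shorter than {MIN_PASSWORD_LEN} characters")
    for svc in cfg.get("wan_services", []):
        findings.append(f"{svc} management reachable from the WAN")
    if not cfg.get("https_only", False):
        findings.append("web UI served over plaintext HTTP (credentials sniffable)")
    timeout = cfg.get("session_timeout_s", 0)
    if timeout <= 0 or timeout > MAX_SESSION_S:
        findings.append("admin session never expires (XSRF/XSS window stays open)")
    return findings


def compare():
    """Audit both sample configs; returns (weak_findings, hardened_findings)."""
    return audit_config(WEAK_CONFIG), audit_config(HARDENED_CONFIG)
```

The session-timeout check is the configurable counterpart of the first suggestion: a UI that logs the admin out after a few idle minutes shrinks the window in which a forged request or an injected script can act on their behalf.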