Exploiting The

Vulnerabilities of LTE

Wi-Fi Sharing Devices

Presented by: Andrew David

UNITEC Research Symposium 2020 ProgrammeDay 2

07th December 2020Session 2 – 1.10pm to 2.30pm

Overview

1. Introduction 2. Our Focus 3. Analysis 4. Technical Details

5. Demonstration 6. Threats 7. Impact 8. Discussion

9. Conclusion10.

Recommendations11. Questions and

Answers

1. Introduction

2. Our Focus

USB 4G LTE modem router

instead of smartphones

Careless usage approach

towards other devices

Provide more insight into the vulnerabilities

of Huawei E8372

Physical attack and exploitationof Huawei E8372

Backdoor and rooting

of Huawei E8372

3. Analysis

Source: https://gs.statcounter.com/os-market-share/mobile/worldwide

3.1 Mobile Operating System Market Share - WOLRDWIDE

3. Analysis

Source: https://gs.statcounter.com/os-market-share/mobile/new-zealand/#monthly-201911-202011

3.2 Mobile Operating System Market Share – NEW ZEALAND

3. Analysis

Source: https://www.ericsson.com/4adc87/assets/local/mobility-report/documents/2020/november-2020-ericsson-mobility-report.pdf

3.3 Subscription and Subscribers – WORLDWIDE

7.9b

8.8b

91%

3. Analysis

Source: https://www.statista.com/statistics/653680/volume-of-detected-mobile-malware-packages/

3.4 Detected Malicious Installation Packages on Mobile Devices – WORDLWIDE

3. Analysis

Source: https://securelist.com/it-threat-evolution-q1-2020-statistics/96959/

3.5 Map of infection attempts by mobile malware – WORDLWIDE

4. Technical Details4.1 Huawei E8372 USB 4G LTE Wi-Fi Modem Routerand Skinny 4G Mobile Broadband SIM card

4. Technical Details

4.2 Extension USB cable, tweezer and mobile device screwdriver

5. Demonstration

5.1 Device is network locked to Telstra Australia

5. Demonstration

5.2 Disassemble the device from its casing

5. Demonstration

5.3 Disassemble complete

5. Demonstration

5.4 Boot pins are exposed

5. Demonstration

5.5 Unlocking bootloader via USB connection using boot shot technique

5. Demonstration

5.6 Access to bootloader port is now possible

5. Demonstration

5.7 Applying patched bootloader, bypassing bootloader security and unlocking it

5. Demonstration

5.8 Flashing custom ROMs/firmware is now possible with interface ports open

5. Demonstration

5.9 Flashing custom ROM/firmware to network unlock and root the device

5. Demonstration

5.10 Custom ROM/firmware erased all sensitive device information

5. Demonstration

5.11 Issuing AT (attention) commands to modify device’s sensitive information

5. Demonstration

5.12 Using PuTTY as client to a backdoor of the device, connecting via Telnet

5. Demonstration

5.13 Rooting is successful

5. Demonstration

5.14 Network unlocking is successful

5. Demonstration

5.14 Successful speed evaluation done via speedtest.net

Attacks

• Man in The Middle

• Rouge DHCP

• Evil Twin

• Botnet

• Denial of service

Vulnerabilities

• Backdoor

• Remote Access Tool

• Malware

• Privacy

• Impersonation

6. Threats

7. Impact

8. Discussion

Reality • Most brands and devices have some vulnerability

Advantage• Some manufacturers and network providers are

locking bootloaders

Disadvantage• Some unhappy customers

• Telnet vulnerabilities

Opportunity

• Politicized USA and Huawei trade-war

• Innovation of Harmony OS by Huawei

Comparison work of other

researchers

• Firmware acquisition and bypassing authentication

• Generate network unlock code using IMEI

9. Conclusion

10. Recommendation

Check &Don’t use custom

firmware

Don’t root mobile devices

Don’t install unknown apps

Use VPN or encryption for sensitive data transmission

Use anti-virusUse strong password

Update latest official firmware

for mobile devices

11. Questions and Answers