CONFIDENTIAL

Who put the backdoor in my router?

Ewerson Guimarães (Crash) / 2016

CONFIDENTIAL

Research Information

This talk was born in Área31 hackerspace.

All information contained here is public.

No one was hacked(cof cof)

CONFIDENTIAL

About Ewerson(Crash):

CONFIDENTIAL

Background...

CONFIDENTIAL

Background...

CONFIDENTIAL

Background...

CONFIDENTIAL

Background...

CONFIDENTIAL

Let’s start...

CONFIDENTIAL

We won't talk about the backdoor itself, so…

CONFIDENTIAL

Here is the backdoor...

CONFIDENTIAL

Usernames are equal but one is a backdoor account

CONFIDENTIAL

Transforming a single user in a backdoor...

CONFIDENTIAL

Let's analyze the hardware

CONFIDENTIAL

The Strange Device

Strange ID TAG!

CONFIDENTIAL

The strange Device

The device is approved by ANATEL (Brazilian National Telecomunication Agency)

CONFIDENTIAL

The strange Device

The device is approved by ANATEL (Brazilian National Telecomunication Agency)

CONFIDENTIAL

More strange stuff...

BayTech:

CONFIDENTIAL

BayTech:

18

CONFIDENTIAL

More strange stuff...

If you look for S&T Technology Shen Zhen .Co LTD:

CONFIDENTIAL

More strange stuff...

In the device manger you can see Observa Telecom but....

The vendor's website exists but it's a single branded blank page, without any other links to other areas such as manuals, support and firmware.

CONFIDENTIAL

More strange stuff...

Of course, he didn't reply (11)emails...

CONFIDENTIAL

More strange stuff..

This device is distributed by GVT (Global Village Telecom). According to GVT technical support and site, this modem/router is not supported by them.

Don’t belive? Take a look at:http://www.gvt.com.br/PortalGVT/Atendimento/Area-Aberta/Documentos/Lista-de-Modens

CONFIDENTIAL

More strange stuff..

Opening its firmware in hex viewer... Wow wait, it’s made by TPLINK??????

CONFIDENTIAL

More strange stuff..

The backdoor password: MAC Address last two octets  + airocon string

CONFIDENTIAL

More strange stuff..

What is Airocon?

25

CONFIDENTIAL

More strange stuff..

What is Airocon?

CONFIDENTIAL

More strange stuff..

The last avaliable site (Mar. 2005)

CONFIDENTIAL

More strange stuff..

Do you remember the tag ID and Anatel seal?

28

Bingo! 41C3

CONFIDENTIAL

...and to finish this strange part...

Hadware vendor: Realtek

CONFIDENTIAL

Inside of backdoor...

Login with normal admin user ( admin:gtv12345)

The commands “sh” and "login show" are disabled.

CONFIDENTIAL

Inside of backdoor...When logged in with a backdoor account:

CONFIDENTIAL

Inside of backdoor...

The “login show” command shows the backdoor account (which is hidden on the web interface)

CONFIDENTIAL

Inside of backdoor...

Taking a closer look at the device’s memory it was possible to find some interesting information:

Redirection link to Chinese company:

Even after reset it was possible to retrieve the device’s previous user name:

The device saves neighbour network names:

CONFIDENTIAL

Inside of backdoor...

Sensitive data about GVT credential services:

CONFIDENTIAL

Inside of backdoor...

Furthermore, the admin page for the backdoor user is completely different from the common admin page.

CONFIDENTIAL

Inside of backdoor...

The factory default password is not admin:admin admin:12345 admin:

You can make the factory reset!The password stills: admin:gvt12345

CONFIDENTIAL

Outside of backdoor...

Shodan is your friend,or not...

Divice exposed in internet: Almost 5600

CONFIDENTIAL

Small shell script:

root@anubis:~# ./gvtfucker.shGVT RTN04 F*cker

Testing:177.206.29.204Backdoor password: airocon2533Testing:179.179.72.251Testing:189.113.134.199Backdoor password: airocon0E6BTesting:186.213.233.192Testing:186.215.19.197Testing:189.113.136.93Backdoor password: airoconCE4ATesting:189.113.138.111Testing:189.113.137.203Testing:189.26.50.164Testing:189.58.16.44Testing:191.248.83.225Testing:177.132.241.119Backdoor password: airocon02CCTesting:177.156.255.85Testing:177.156.36.116Backdoor password: airoconFA1ETesting:177.157.166.210Testing:187.59.45.9Testing:189.113.131.161Testing:189.113.131.197Testing:189.113.134.226Testing:189.113.137.32Testing:189.113.138.111Backdoor password: airoconDA32

CONFIDENTIAL

Outside of backdoor...

CONFIDENTIAL

Outside of backdoor...

CONFIDENTIAL

Inside again

CONFIDENTIAL

Updates....

After around 1 year later, the Observa site was updated.

CONFIDENTIAL

Updates....

After around 1 year later, the Observa site was updated.

CONFIDENTIAL

Updates....

I tryed another contact...

CONFIDENTIAL

How to fix

Change the backdoor flag,upload the file and neverreset to factory defaults.

OR / AND

Of course, disable the remote access.Hack the firmaware

CONFIDENTIAL

Considerations

AUDIT YOUR DECIVES!

BURN YOUR DEVICES!

FUZZ and F*CK YOUR DEVICES!

CONFIDENTIAL

And the golden question:

Who put the backdoor in my router?

CONFIDENTIAL

Questions?

Please, say your full name before to ask*.

* I have a Death Note.

CONFIDENTIAL

THANKS

49