Modems, ISPs & the media – Johan Rydberg Möller

OWASP Göteborg holds a couple of meetups a year, and they are usually really good. I stopped by their latest meetup and filmed Johan Rydberg Möller's presentation on Comhem's security problems!

Modems, ISPs & the media

How the Comhem vulnerability could have been handled, and what happened instead

Who am I?
• @johanRmoller
• Penetration Tester @ Omegapoint
• Podcaster @ Säkerhetspodcasten
• Annoyer of ISPs

This talk is about
• How I hacked my own modem
• How Comhem handled my bug report
• How I worked with the media to force Comhem into handling it better
• How they still failed
• And finally – How it should have been done

Let's go back a while
All the way back to August, 2013

I live in a ComHem house
Which means I get one of these:

It's my gateway to the internet
I decided to see if I could hack myself. There were two obvious ways to go about it.

Pros & Cons
Firmware Analysis
Pros
• Can find stuff not obvious on the web interface
• Could possibly reprogram the modem
• Could find cooler vulnerabilities
Cons
• Could brick my modem
• Lots of work
• Not my area of expertise

Web Interface hacking
Pros
• Easy and quick
• Could find really stupid vulnerabilities
• Little to no risk of damaging the modem
Cons
• I wouldn’t be learning anything new
• Soldering is cool!
• Won’t find hidden stuff

The web interface

Fiddling around with Burp

Finding CSRF Vuln

Impact of the CSRF vuln
Changing DNS
• Harvest account details
• Spread malware
• Steal Credit Card and bank details
Port Forwarding
• Expose internal network to internet
Turning on remote admin
• Changing all modem settings
• Stealing stored passwords (wifi passwords stored in cleartext)
• Downgrade security
DOS
• Brick the modem

Hardware hacking

Analyzing firmware

Sending the bug report

ComHem Responds

A year goes by

What is responsible disclosure?

Comhem Responds

Comhem responds again
• “The DNS problem only exists in Stockholm” -Comhem

Comhem locks down DNS
• Limiting their modems to only using Comhem’s DNS. This still doesn’t solve the following problems:
Port Forwarding
• Expose internal network to internet
Turning on remote admin
• Changing all modem settings
• Stealing stored passwords (wifi passwords stored in cleartext)
• Downgrade security
DOS
• Brick the modem
Etc…

Minister proposes Law Change and PTS investigates

Comhem solves the problem
• On the 14th of November a firmware update finally arrives, solving the problem.
• At this point, the media attention has died down
• No one cares that the issue is resolved
• The damage to Comhem is already done, and can’t be reversed at this point

What did we learn
• How should they have done it?
• Can we help our clients and companies handle these issues?
• What is it like to deal with the media?
• Knowing what you want to say and being able to back it up
