wimax hacking 2010
play

WiMAX Hacking 2010 Pierce, Goldy, and aSmig feat. sanitybit DEFCON - PowerPoint PPT Presentation

Feb 16, 2023 •632 likes •983 views

WiMAX Hacking 2010 Pierce, Goldy, and aSmig feat. sanitybit DEFCON 18 Updated slides, code, and discussion at https://groups.google.com/group/wimax-hacking The Technology WiMAX: a broadband wireless Internet technology 802.16, similar

  1. WiMAX Hacking 2010 Pierce, Goldy, and aSmig feat. sanitybit DEFCON 18 Updated slides, code, and discussion at https://groups.google.com/group/wimax-hacking

  2. The Technology ●WiMAX: a broadband wireless Internet technology ●802.16, similar to 802.11 (IEEE control) ●Competing with LTE ●Large network being deployed by Clearwire

  3. Network Deployment ●Clear has the most widely deployed WiMAX network in the US, as such, it is the focus of our research efforts ●Currently deployed in 79 markets across 21 states ●An additional 22 markets are expected to be deployed in the next 3 months, including: New York, NY Denver, CO Nashville, TN Los Angeles, CA Boston, MA Minneapolis, MN San Francisco, CA Miami, FL Philadelphia, PA ● Coverage planned for most major US cities by 2012 ●Operates on frequencies in the 2.5-2.6 GHz range

  4. Other Services using Clear's Network ●Time Warner Cable ○Roadrunner Mobile ●Comcast ○High-speed 2 go ●Sprint Nextel ○4G Service ○HTC EVO All of these services are placed onto the same physical network infrastructure, with small differences in provider portal pages

  5. Official Clear coverage map taken from clear.com/coverage Green = Current Market Grey = Future Market (map does not show all of them)

  6. Captive Portal Bypass Last years vulnerability: ●OpenVPN over UDP/53 Their fix: ●Block large UDP/53 packets Counter fix: ●OpenVPN over UDP/53, fragmented packets (1024 bytes) OpenVPN Options to add: tun-mtu 1500 mssfix 1024

  7. Example OpenVPN Config client dev tun proto udp remote vpn.server.com 53 tun-mtu 1500 mssfix 1024 resolv-retry infinite nobind persist-tun tls-client ca ca.crt cert vpn.server.com.crt key client.key dh dh2048.pem keepalive 20 200 cipher BF-CBC cipher AES-256-CBC tls-remote vpngate ns-cert-type server route-delay 2 redirect-gateway def1 ...............

  8. Echo Peak Hardware & Software ●WiMAX gear from Intel ●www.linuxwimax.org ●5150, 5350 are best supported ●Buy on eBay ($80) ●Get a USB-PCIe cradle ($40) ●PCIe cards might work in some thinkpads

  9. Home Device Hard Hacks CPEi25150 CPEi25750 Got root?

  10. Home Device Specs Motorola CPE 150/750 ●64MiB RAM ●32MiB flash ●Beceem 802.16 ●Texas Instruments TNETV1061 ○213 MHz ○MIPS32 4KEc ○Chip debugging via EJTAG ○Linux

  11. Logic Probe The magic wand of hardware hacking

  12. CPE 150 (CPEi25150)

  13. http://bit.ly/bqEBND

  14. aSmig's first JTAG interface

  15. B0011620: .....C..........TOOLS_USER.0.BOO B0011640: TLOADER.0x90000000,0x90020000.IM B0011660: AGE_A.0x90040000,0x90C40000.CONF B0011680: IG_A.0x90C40000,0x90C60000.CONFI B00116A0: G_B.0x90C60000,0x90C80000.IMAGE_ B00116C0: B.0x90CE0000,0x918E0000.FNE_CERT B00116E0: S.0x90C80000,0x90CA0000.DEV_CERT B0011700: S.0x90CA0000,0x90CC0000.FACTORY_ B0011720: DEF.0x90CC0000,0x90CE0000.JFFS2. B0011740: 0x918E0000,0x92000000.RESET_CAUS B0011760: E.0.PartNumber.SGDN5313AA.Produc B0011780: tID.CPEi25725.HWRevision.REV.D.S B00117A0: erialNumber.TS199X0YKY.HWA_1.00: B00117C0: 23:EE:**:**:**.GATEWAY_MAC_ADDRE B00117E0: SS.00:23:EE:**:**:**.FingerPrint B0011800: .63F7FED52*****EB2E76B7F35B***** B0011820: E1EC*****.HWA_0.00:24:A0:**:**:* B0011840: *.FactoryProvision.Complete.CONS B0011860: OLE_STATE.locked................

  16. Double-Take B0011840: 5.FactoryProvision.Complete.CONS B0011860: OLE_STATE.locked................

  17. Road map - Thanks bootloader! BOOTLOADER 0x90000000 0x90020000 BootLoader Config 0x90020000 0x90040000 IMAGE_A 0x90040000 0x90C40000 CONFIG_A 0x90C40000 0x90C60000 CONFIG_B 0x90C60000 0x90C80000 FNE_CERTS 0x90C80000 0x90CA0000 DEV_CERTS 0x90CA0000 0x90CC0000 FACTORY_DEF 0x90CC0000 0x90CE0000 IMAGE_B 0x90CE0000 0x918E0000 JFFS2 0x918E0000 0x92000000

  18. So what about the root? Yeah, yeah.

  19. /usr/bin/bd_chk $ strings usr/bin/bd_chk /lib/ld-uClibc.so.0 ... _end /pstore/dbg_tools/bd_open2 CONSOLE_STATE unlocked Lock Serial Console echo "unsetpermenv CONSOLE_STATE" > /proc/ticfg/env; echo "setpermenv CONSOLE_STATE locked" > /proc/ticfg/env CONSOLE_STATE not found

  20. /pstore/dbg_tools/bd_open2 Magical debug tools file! ●CONSOLE_STATE is left alone ●file is executed on every boot! ○change your passwords ○re-crypt your keys ○adjust your firewall ○kill SNMPd

  21. Shell Fun # ssh Admin@192.168.15.1 (Pass: Tools) dbgcli> shell BusyBox v0.61.pre (2009.09.14-12:29+0000) Built-in shell (ash) Enter 'help' for a list of built-in commands. # export PATH=/bin:/sbin:/usr/bin:/usr/sbin Now you can use tab complete for a list of system binaries. There is too much information to cover here, but some highlights include access to iptables and the dbg/cpe cli tools.

  22. Home Device Auth Bypass There is a hidden administrative account on the home CPE device. We can use it to bypass the login on the web interface if the user changed the default. ->

  23. Clear Mobile ●Mobile 4g ●Mobile 3g/4g ○sprint ●Clearspot ○password is last three bytes in mac address

  24. Clear Mobile Hard Hacks Clear Spot ●16MiB RAM ●4MiB flash ●Mini PCI w/ Atheros WiFi card ●Ubicom IP3023 - MASI 250MHz ○M ultithreaded A rchitecture for S oftware I /O ○Chip debugging via proprietary SPI (not JTAG) ○Proprietary instruction set ○NOT Linux

  25. Clear Spot CradlePoint PHS300

  26. It's only a 48 pin TSOP

  27. SB5120 is good for something after all ●MIPS32 ●EJTAG ●TTL UART

  28. Clear "Stick" (USB Modem) Mod and photo by Loki

  29. HTC EVO ●sequans ●getprop/setprop ●Diagnostic apks ●WiMAX tether ●deactivated evo ●2.1 (fresh or damage control) ●2.2 cyanogen (toastcfh and maejrep)

  30. Location Based Services Service Types: ●Client/Server (AJAX) - "Where am I?" ○http://developer.clear.com/ClearLocationDemo.html ●Server/Server (Parlay X) - "Where are they?" ○x.509 cert & key required Interfaces ●AJAX ○Web browser friendly, uses Google Maps ●Parlay X ○Uses SOAP specification, POSTed in XML format ○Query by IP, MAC ( phone number or e-mail )

  31. Location Based Services (Parlay X) Currently ● Location / Range are determined by tower and antenna Current Accuracy: Predefined ranges (in meters) ● 160, 241, 321, 402, 482, 563, 643, 724, 804, 885, 965, 1126, 1448 Down the road ● Multiple towers used to increase accuracy of location and range ● No known ETA

  32. Privacy Problems with LBS ●Opt-IN is the DEFAULT ○ Customer's have no option to Opt-OUT online ○ Registered and Unregistered devices are traceable ● Who's Affected? ○ EVERYONE that uses WiMAX ■ Clear, Sprint, Comcast, Time Warner, etc ● How to Opt-OUT ○ Contact the Engineering Department to have it disabled ○ This prevent's both AJAX and Parlay X queries ● Random dead spots

  33. The Future ●Open source firmware ●OpenWRT on a home device ●802.16m provides 100 Mbit/s mobile & 1 Gbit/s fixed ●Better privacy?

  34. Mad Gr33tz SophSec, Janus Privacy Solutions, Aardvark, Snoop Security, Lookout, xda-developers, theorie, rumple, tokiestar, iviatticus, i0n, osirisx11, caboose, and busticati everywhere. Clearwire and Sprint Technical Development Resources http://2md.hosted.panopto.com/CourseCast/Viewer/ Default.aspx?id=1cd37bbb-d822-4637-bf18-2a254282e688 WiMAX Hacking Group https://groups.google.com/group/wimax-hacking AJAX LBS Demo http://developer.clear.com/ClearLocationDemo.html

Recommend

WiMAX and AD HOC COMMUNICATION NETWORK ECE3103-ADVANCED COMMUNICATION NETWORKS Friday, 17 March

WiMAX and AD HOC COMMUNICATION NETWORK ECE3103-ADVANCED COMMUNICATION NETWORKS Friday, 17 March

PBL-02- BASIC CONCEPTS WiMAX and AD HOC COMMUNICATION NETWORK ECE3103-ADVANCED COMMUNICATION NETWORKS Friday, 17 March 2017 1. WiMAX is short for W orldwide I nteroperability for M icrowave A ccess. 2. WiMAX is a metropolitan wireless

784 views • 34 slides
The Perspective of a Service Provider Jorge Rodrigues WiMAX Program Manager Network Evolution

The Perspective of a Service Provider Jorge Rodrigues WiMAX Program Manager Network Evolution

WiMAX Evaluation: The Perspective of a Service Provider Jorge Rodrigues WiMAX Program Manager Network Evolution Strategy Department PT Comunicaes Workshop on Mobile WiMAX - Towards Ubiquitous Internet ISCTE, LISBON 27th September 2007

224 views • 19 slides
IEEE 802.16/WiMAX IEEE 802.16/WiMAX Broadband Wireless Access Broadband Wireless Access Mitsuo

IEEE 802.16/WiMAX IEEE 802.16/WiMAX Broadband Wireless Access Broadband Wireless Access Mitsuo

I nternational Telecom m unication Union ITU-T IEEE 802.16/WiMAX IEEE 802.16/WiMAX Broadband Wireless Access Broadband Wireless Access Mitsuo Nohara KDDI Corp., IEEE802.16 Relay TG Chair I TU-T W orkshop NGN and its Transport Netw

388 views • 15 slides
ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical? Legality VS Ethics State Sanctioned hacking BLACK HAT - Stereotypical Hacker -Stealing data for personal gain -Obviously not ethical -Using

1.17k views • 10 slides
Behind Mobile WiMAX Chenxi Zhu, Ph.D. Fujitsu Labs of America College Park, MD Email:

Behind Mobile WiMAX Chenxi Zhu, Ph.D. Fujitsu Labs of America College Park, MD Email:

Behind Mobile WiMAX Chenxi Zhu, Ph.D. Fujitsu Labs of America College Park, MD Email: czhu@ieee.org What is mobile WiMAX? Mobile broadband wireless access Defined by IEEE and WiMAX Forum. IEEE 802.16e_2005: wireless MAN-OFDMA

480 views • 26 slides
Deciphering a Commercial WiMAX Deployment using COTS Equipments Kok-Kiong Yap SING Group

Deciphering a Commercial WiMAX Deployment using COTS Equipments Kok-Kiong Yap SING Group

Deciphering a Commercial WiMAX Deployment using COTS Equipments Kok-Kiong Yap SING Group Meeting : August 10, 2010 Wireless Networks Today Mobile network High latency (100 - 200 ms) Low bandwidth Good coverage WLAN/WiFi

677 views • 21 slides
Duo-Binary Circular Turbo Decoder Based on Border Metric Encoding for WiMAX for WiMAX Ji-Hoon

Duo-Binary Circular Turbo Decoder Based on Border Metric Encoding for WiMAX for WiMAX Ji-Hoon

Duo-Binary Circular Turbo Decoder Based on Border Metric Encoding for WiMAX for WiMAX Ji-Hoon Kim and In-Cheol Park Division of Electrical Engineering Division of Electrical Engineering KAIST Introduction to Turbo Codes Introduction to Turbo

280 views • 13 slides
Cooperative Multicast Scheduling with Random Network Coding in WiMAX Jin Jin, Baochun Li,

Cooperative Multicast Scheduling with Random Network Coding in WiMAX Jin Jin, Baochun Li,

Cooperative Multicast Scheduling with Random Network Coding in WiMAX Jin Jin, Baochun Li, Department of Electrical Computer Engineering University of Toronto WiMAX MBS IWQoS 2009: Cooperative Multicast Scheduling with Random Network Coding in

856 views • 53 slides
Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking AI-Corp Hacking RL 1. Information gathering 2. Scanning 3. Exploitation & privilege escalation 4. Maintaining access & covering tracks

960 views • 62 slides
Hacking Cell Phone Embedded Systems Keegan Ryan RECON 2017 The Target The Target

Hacking Cell Phone Embedded Systems Keegan Ryan RECON 2017 The Target The Target

Hacking Cell Phone Embedded Systems Keegan Ryan RECON 2017 The Target The Target brendangates The Target Meriac (2010), Churchill Legacy ICLASS Introduced in 2007 Broken in 2010 Master key on every reader Security

682 views • 44 slides
Lord of the Bing Taking Back Search Engine Hacking From Google and Bing 29 July 2010 Presented

Lord of the Bing Taking Back Search Engine Hacking From Google and Bing 29 July 2010 Presented

Lord of the Bing Taking Back Search Engine Hacking From Google and Bing 29 July 2010 Presented by: Francis Brown and Rob Ragan Stach & Liu, LLC www.stachliu.com Agenda O V E R V I E W Introduction Advanced Attacks

780 views • 53 slides
A Study of A Study of WiMax QoS Mechanisms WiMax QoS Mechanisms Masood KHOSROSHAHY

A Study of A Study of WiMax QoS Mechanisms WiMax QoS Mechanisms Masood KHOSROSHAHY

A Study of A Study of WiMax QoS Mechanisms WiMax QoS Mechanisms Masood KHOSROSHAHY Vivien NGUYEN Masood KHOSROSHAHY Vivien NGUYEN RMOB Project RMOB Project April 2006 April 2006 Project supervisor: Project

741 views • 40 slides
Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1 Disclaimer Everything you are about to see, hear, read and experience is for educational purposes only. No warranties or guarantees implied or

692 views • 47 slides
Cellular Networks and WiMAX CS 687 University of Kentucky Fall 2015 Acknowledgment: These

Cellular Networks and WiMAX CS 687 University of Kentucky Fall 2015 Acknowledgment: These

Cellular Networks and WiMAX CS 687 University of Kentucky Fall 2015 Acknowledgment: These slides have used resources (presentations, documents, pictures) available on the web. Special thanks are given to Dr. Liang Cheng and Dr. Shalinee Kishore

503 views • 27 slides
Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June 15, 2017 Outline Drone Architectures RF Basics Information Gathering RF Hacking Tools Exploits & Demos Q&A Why? Wrights Law

486 views • 27 slides
Security in Mobile Devices Hacking Mobiles for Fun and Profit Tobias Mueller Universit at

Security in Mobile Devices Hacking Mobiles for Fun and Profit Tobias Mueller Universit at

Intro Hardware Security Platform Security Hacking Q&A Security in Mobile Devices Hacking Mobiles for Fun and Profit Tobias Mueller Universit at Hamburg & Dublin City University 2010-12-16 1 / 54 Intro Hardware Security

974 views • 79 slides
Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by benign purposes Hacktivism Counterhacking Case Studies Site defacement Network exploration / Port scanning / SQL injection / . . .

522 views • 18 slides
Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in)

Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in)

ECF gratefully acknowledges financial support from the European Commission. Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in) the city of Copenhagen using bicycles. Bicycle-as-a-Sensor 1.

278 views • 11 slides
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers Objectives After reading this chapter and completing the exercises, you will be able to: Describe Web applications Explain Web application

530 views • 9 slides
Services in 4G WiMAX Networks Amitabha Ghosh IBM India Research Laboratory Department of

Services in 4G WiMAX Networks Amitabha Ghosh IBM India Research Laboratory Department of

IBM Research QoE Characterization for Video-On-Demand Services in 4G WiMAX Networks Amitabha Ghosh IBM India Research Laboratory Department of Electrical Engineering University of Southern California, Los Angeles http://anrg.usc.edu/~amitabhg

538 views • 20 slides
Building Tools for Hacking Deeply Embedded Systems Travis Goodspeed Recon, Montral -- 11 July,

Building Tools for Hacking Deeply Embedded Systems Travis Goodspeed Recon, Montral -- 11 July,

Building Tools for Hacking Deeply Embedded Systems Travis Goodspeed Recon, Montral -- 11 July, 2010 Sunday, July 25, 2010 Brief Introduction 8, 16-bit Embedded Systems No operating system, no symbol table, etc. Very different

902 views • 74 slides
Pulp Google Hacking The Next Generation Search Engine Hacking Arsenal 3 August 2011 Black Hat

Pulp Google Hacking The Next Generation Search Engine Hacking Arsenal 3 August 2011 Black Hat

Pulp Google Hacking The Next Generation Search Engine Hacking Arsenal 3 August 2011 Black Hat 2011 Las Vegas, NV Presen sented ed b by: Francis Brown Rob Ragan Stach & Liu, LLC www.stachliu.com Agenda O V E R V I E W

1.07k views • 72 slides
IEEE 802.16 WiMax Security Dr. Kitti Wongthavarawat Thai Computer Emergency Response Team

IEEE 802.16 WiMax Security Dr. Kitti Wongthavarawat Thai Computer Emergency Response Team

IEEE 802.16 WiMax Security Dr. Kitti Wongthavarawat Thai Computer Emergency Response Team (ThaiCERT) National Electronics and Computer Technology Center Thailand Presented at 17 th Annual FIRST Conference, Singapore July 1, 2005 Agenda

289 views • 13 slides
Automated Target Testing with TTCN-3: Experiences from WiMAX Call Processing Features By

Automated Target Testing with TTCN-3: Experiences from WiMAX Call Processing Features By

Automated Target Testing with TTCN-3: Experiences from WiMAX Call Processing Features By Bhaskar Rao G Srinath Y Sridhar Y Jitesh M Motorola India Pvt Ltd, Hyderabad bhaskarraog@motorola.com 23 November 2009 T3UC-2009 1 Agenda

623 views • 20 slides

More recommend