File:Modems, ISPs & the media.pptx

Modems, ISPs & the media
How the Comhem vulnerability could have been handled, and what happened instead
---
Who am I?
• @johanRmoller
• Penetration Tester @ Omegapoint
• Podcaster @ Säkerhetspodcasten
• Annoyer of ISPs
--
This talk is about
• How I hacked my own modem
• How Comhem handled my bug report
• How I worked with the media to force Comhem into handling it better
• How they still failed
• And finally – How it should have been done
--
Let’s go back a while
All the way back to August, 2013
--
I live in a ComHem house
Which means I get one of these:
--
It’s my gateway to the internet
I decided to see if I could hack myself. There were two obvious ways to go about it.
--
Pros & Cons
Firmware Analysis
Pros
• Can find stuff not obvious on the web interface
• Could possibly reprogram the modem
• Could find cooler vulnerabilities
Cons
• Could brick my modem
• Lots of work
• Not my area of expertise
--
Web Interface hacking
Pros
• Easy and quick
• Could find really stupid vulnerabilities
• Little to no risk of damaging the modem
Cons
• I wouldn’t be learning anything new
• Soldering is cool!
• Won’t find hidden stuff
--
The web interface
--
Fiddling around with burp
--
Finding CSRF Vuln
--
Impact of the CSRF vuln
Changing DNS
• Harvest account details
• Spread malware
• Steal Credit Card and bank details
Port Forwarding
• Expose internal network to internet
Turning on remote admin
• Changing all modem settings
• Stealing stored passwords (wifi passwords stored in cleartext)
• Downgrade security
DOS
• Brick the modem
--
Hardware hacking
--
Analyzing firmware
--
Sending the bug report
--
ComHem Responds
--
A year goes by
--
What is responsible disclosure?
--
Comhem Responds
--
Comhem responds again
• “The DNS problem only exists in Stockholm” -Comhem
--
Comhem locks down DNS
• Limiting their modems to only using Comhem’s DNS.
This still doesn’t solve the following problems:
Port Forwarding
• Expose internal network to internet
Turning on remote admin
• Changing all modem settings
• Stealing stored passwords (wifi passwords stored in cleartext)
• Downgrade security
DOS
• Brick the modem
Etc…
--
Minister proposes Law Change and PTS investigates
--
Comhem solves the problem
• On the 14th of November a firmware update finally arrives, solving the problem.
• At this point, the media attention has died down
• No one cares that the issue is resolved
• The damage to Comhem is already done, and can’t be reversed at this point
--
What did we learn
• How should they have done it?
• Can we help our clients and companies handle these issues?
• What is it like to deal with the media
• Knowing what you want to say and being able to back it up