BlackHat资料us-14-Lindh-Attacking-Mobile-Broadband-Modems-Like-A-Criminal-Would-WP.pdfVIP

Attacking Mobile Broadband Modems Like A Criminal Would Andreas Lindh 2014-06-18, addelindh@, @addelindh Introduction 2 Background 2 Previous research 2 Disclaimers 2 Design and implementation 3 Hostless modems 3 Network topology 3 Features and functionality 3 Thinking like a criminal 4 Getting into the mindset 4 Attacks and outcomes 4 DNS hijacking (Huawei E3276/E3236) 4 CSRF-to-SMS (ZTE MF821D) 6 Code injection (ZTE MF821D) 7 Gaining persistence (ZTE MF821D) 8 Building an SMS-controlled bot (ZTE MF821D) 9 A more targeted attack (Huawei E3276/E3236) 11 Conclusion 13 Old technology in new contexts 13 Wrongful assumptions by developers 13 And finally... 13 Introduction A lot of security research and (ethical) hacking is all about getting a root shell, popping calc.exe, or basically anything that proves that the target has been owned in the 1337-est possible way. Though often entertaining and educational, this approach may mean that bugs that are perceived as “not sexy” will be overlooked in favor of more complex or flashier ones. If we also take into consideration that the number of network connected devices are steadily increasing with the “internet of things” and that the bulk of these devices are not designed with security in mind, we can be fairly sure that there will be a large number of basic vulnerabilities that are not very hard to exploit. This paper will take a look at how a criminal would most likely go about attacking a target through their mobile broadband modem, skipping past the flashy exploits and going straight for the gold. I will cover easy ways to cash in, stealing sensitive information, controlling where a user browse to on the internet, and establishing a persistent hold of the users device. As the grand finale, there will be a demonstration of a targeted phishing attack using out-of-