31c3-talk-6166 Latest text of pad 31c3-talk-6166 Saved Jan 13, 2021

 
Hey you!
Prior to transcribing, please look at our style guide: https://wiki.c3subtitles.de/en:styleguide. If you have any questions, you can either ask us personally or write to us at https://webirc.hackint.org/#irc://hackint.org/#subtitles or https://rocket.events.ccc.de/channel/subtitles.
Please don't forget to mark your progress in the progress bar on the talk's website.
Thank you very much for your commitment!
======================================================================
 
 
So just a quick show of hands, who here has seen the two-minute video? We've got, yeah, that's a good enough percentage for now, so we're just going to kick it off.

[Too Many Cooks video plays]

All right, so for those of you who have no idea what you just saw, Too Many Cooks is a TV skit that went viral a few months ago, and we think you should watch it if you haven't. So if you've seen it, you can enjoy some references throughout this presentation, and if you haven't, then you can just laugh at the funny pictures.

OK, so who are we? We're the Malware and Vulnerability Research Group at Check Point. What do we do here? We have this marketing slogan that says we secure the Internet, and we actually try to do that by finding problems, telling the vendors and sharing them with the community, which is exactly what we're trying to do here.

So let's talk about what's in store for today. We'll very quickly go through what TR-069 is and explain a little of what we talked about at the last DEF CON, which will lead us to the motivation behind the research that we're presenting today. We'll talk about the TR-069 Census 2014. We'll give you the interesting bits of our research story and some technical details. Then we'll continue to show what can only be described as mass pwnage, and then conclude by talking about why this won't go away so quickly.

So TR-069. TR is actually like an RFC; it stands for Technical Report, and this is Technical Report number 69, and it defines the CPE WAN Management Protocol. CPE is customer premises equipment; that would be the home routers that you have at home. This was released in 2004 by the Broadband Forum, which is a group of companies working to define broadband standards, and there have been a few amendments so far. But remember that this was released just 10 years ago. This is what ISPs use to provision your device; this is what's called zero-touch configuration. It's used to monitor your device for faults or malicious activity and to configure anything they want in your home, including getting the MAC addresses and host names of anything on your network, creating additional Wi-Fi networks, and going as far as deploying new firmware.

So this is how TR-069 sessions, or provisioning sessions, look. On the right side we have the CPE, the customer premises equipment, the TR-069 client; that would be your home router. On the left side we have the TR-069 server, which is called an ACS, an auto-configuration server, and they talk basic SOAP RPC, which is XML over HTTP. It's important to mention that the client always initiates the connection, which is a single TCP connection over which RPCs are called back and forth. So the client begins with an Inform, telling the server why this session was initiated, and the ACS follows with provisioning functions such as GetParameterValues and SetParameterValues. It's pretty simple when you think about it. There is a dual authentication mechanism: the CPE should make sure that it's talking to a verified ACS, and the ACS should only accept sessions from authenticated CPEs. And then there's a slight thing called the connection request that the ACS can issue, and we'll talk about that.

So talking about the findings so far: we presented this at DEF CON 22. Our research uncovered implementation and configuration flaws in many ISPs' ACS deployments. The ACS is a single point of pwnage in modern ISP infrastructure, and many TR-069 implementations just aren't serious enough. We found vulnerabilities in several products, and that leads to ISP fleet takeover.

So you remember that connection request thing. This is straight from the TR-069 specification: the ACS can at any time request that the CPE initiate a connection to the ACS using the connection request notification mechanism. Support for this mechanism is required in a CPE. Right, straight from the specification. In fact, every TR-069 client in the world is also a connection request server. On which port, you ask? As it turns out, IANA assigned 7547 for all TR-069 uses, including the connection request port, and this is a widely used default.

Let's look at some very interesting research released last year from the ZMap guys, which is Zakir Durumeric and his friends from the University of Michigan; he's talking in a couple of hours. They actually scanned two million random addresses on every port up to almost 10,000, and they found that CWMP, or the TR-069 port, is in fact the second most popular open port in the world, with 1.12 percent of the Internet listening on that port. So again, this is for a protocol that was invented 10 years ago. Think about that. How many devices are 1.12 percent of the public Internet? This is around 45 million devices estimated to listen on 7547. From a vulnerability research perspective, no matter how hard we looked, no one is talking about this service, and there has to be something there.

So let's review the top two open ports in the world. Previous research has given us this image. Port 80: 70 million devices, about 50 percent of which are web servers, regular web servers, with Apache leading the bunch; you've got your nginx, your IIS, and then a small percentage for the rest, including LiteSpeed and the Google dedicated servers. And the other 50 percent are simply those Internet of Things devices, right? Most of them are routers; you've got your webcams, you've got your voice-over-IP phones, and of course let's not forget about all the IPv4-enabled toasters out there. By the way, people are starting to understand that leaving these things open to the WAN is dangerous, and luckily we're seeing more and more devices updated to have port 80 accessible on the LAN only. Now remember that not only is there diversity in the server software, it's also being used for different purposes: serving websites, all sorts of cloud services, and then management interfaces for each device. It's a messy landscape.

But looking at port 7547, we have an estimated 45 million devices, and these are all Internet of Things devices listening on their connection request port. There's nothing else there; it's just devices waiting for connection requests. So this landscape is much clearer. And remember, we're looking for security issues here, and we're looking to find significant numbers affected.

So as a first step, we needed to stop guessing and estimating, so we conducted the TR-069 Census 2014. We scanned 7547 on the entire IPv4 address space, and we did this last month a few times, actually, with the gracious help of some good friends over at Rapid7 and the University of Michigan who contributed to this research. So thanks, guys. And the results are: 1.18 percent of the public Internet responds on port 7547. We actually communicated with 46,093,733 devices that answered our benign GET requests. These are all over the world, and it's not just one country that accidentally left this port open; it's 189 countries, which makes sense when you remember it's a protocol requirement to leave this port open for the ACS. And just a small note, not to the point: the 0.06 percent increase from last year is actually 2.2 million devices added in a year, which is showing us a nice trend, and the numbers are still on the rise.

So we're set on finding an issue with TR-069 client-side implementations, and the natural thing to do at this point is to look at what implementations we're seeing out there. So we categorize the responses and sum up the numbers, and we get this. We have five main connection request servers out there, but it's very clear that this thing called RomPager is leading the pack, and I think that means we've got ourselves a target.

So what is RomPager? It's an embedded HTTP server by Allegro Software, a Massachusetts-based company, that's optimized for minimal environments: a small binary, small memory requirements. It was first introduced in 1996, and there have been many versions since; the current version is 5.4. But now that we've decided that we're going after RomPager, we need to see what versions are out there, and this will help us focus our efforts. So we ran the sort script again, and we actually see just four different RomPager versions out there. You'd expect some sort of normal distribution of these versions in the wild, and instead we get this: 98.04 percent of the identified devices are version 4.07, which is a pretty old version too. So this is where I grew suspicious. I mean, what can explain this incredible popularity of a single version? Could it be like a batch of old devices at a single ISP or something? We didn't know it yet, and this really piqued our interest, so we had to find out.

So we went ahead and bought a new TP-Link router. We unbox it, we plug it in, we connect it to our network, and it's running RomPager 4.07. So we thought maybe this is an old version of the device, and it has an old version of RomPager. So we downloaded the latest firmware from the TP-Link website, we flash it, we reboot, and it's still RomPager 4.07. So at this point we start understanding the popularity of the 4.07 version. I mean, we have no idea why it's there yet, but if it's somehow embedded into brand new devices off the shelf, with the most recent firmware, then that could certainly explain why we're seeing so many of them.

But let's try something here. Does anyone in the audience happen to have an unopened, brand new router? Oh, what a coincidence! Thank you, thank you very much. Thank you, kind stranger, you're very nice. You don't work for me at all. So I'm going to do something with that later.

OK, so we dove into this RomPager 4.07, and this was released in 2002. It seems to run a whole bunch of devices, and we return to our scan data and start counting. We have 2.2 million devices serving RomPager 4.07 on port 80 and 11.3 million devices on port 7547. And suddenly we're like: in a week, there are 12 million devices out there with this very specific version of a web server that was released in 2002, listening on the WAN. Yes, this is the perfect vulnerability research candidate. Zooming out for a moment, this is, to the best of our knowledge, the most popular specific version of any network application service currently available online on the public Internet. This specific version is deployed on 200 different devices from 50 different brands. We are going to do whatever it takes to pwn RomPager 4.07. Let me hand it over to Lior.

OK, so hi, my name is Lior, and I will walk you through the process of how I analyzed the RomPager firmware and some interesting results I found on the way. So at the beginning, I only had the firmware file itself, which was downloaded from the vendor's website; in our case it was TP-Link. At first glance, the firmware looks like a big blob of compressed data, and as any rookie firmware analyst knows, the first thing you need to do is binwalk. Binwalk is this great tool developed by devttys0 which recognizes and extracts most of the common firmware file formats. So luckily for us, binwalk easily recognized and extracted four files: we have the bootloader, we have the vendor logo in GIF images, and the main binary.

So after I got the first firmware, I decided I needed some more firmware which contained RomPager 4.07. So I downloaded some more, and some more, and some more, and I saw that each and every one of them had the same ZynOS and also the same architecture, which was MIPS. So while this RomPager 4.07 looked so similar, at this point I had no idea whatsoever why. So one may ask himself, what is this ZynOS we are seeing in all the firmware? ZynOS is an embedded OS created by ZyXEL, which is a major Taiwanese DSL vendor. It's a real-time OS, which means it's a very basic operating system without any filesystem or permissions mechanism; just one big binary file responsible for everything. When you Google ZynOS, you also see that ZynOS has a very interesting vulnerability, rom-0, discovered last year, which allows an attacker to get the router credentials by downloading the entire configuration file from the router without any authorization. All it takes is for the web port, port 80, to be open on the WAN, and the attacker simply gets the password and the username. 1.2 million devices were affected by this vulnerability. This is a lot.

So before we start analyzing the firmware itself, let's see what our attack surface looks like. On port 80 we are getting an unauthorized response, which just asks for the credentials, and since we don't know them, we are getting this instead. On port 7547 we are getting 404 Not Found for any path except for the correct connection request path. For now, we assume that we do not know the correct path.

So before I actually dove into the code, I did some basic fuzzing over the headers, and suddenly I managed to crash the router by sending a digest username, by overflowing the username header, which led me to the first vulnerability. To understand why this is happening, let's explore some of the code. What you see here is a function responsible for initializing the handler structure. Each entry consists of the HTTP header name and, as you can see here, the relevant handler function to parse this header. So let's take a look at the function that handles the username. Can you see what caused the vulnerability? Yes, and protect the status, if you like. But what actually caused it to crash? Because we have no symbols and no dynamic analysis capability whatsoever, it's very difficult to know.

So because we had no dynamic analysis capabilities, I opened up the router and started looking for JTAG. For those of you who don't know, JTAG is an interface designed to do hardware verification and debugging for embedded devices. So I opened up the router, but I couldn't find any JTAG connectors, but I did find something that looked like a serial UART port. So I did some soldering and connected it to the router itself, and used a Bus Pirate, which is a USB-to-serial adapter, to connect it to my computer. And when I booted up the router, I could see some very nice debugging info. So it was very cool. But what happens when I try to crash the router? This is what I got: a very nice looking dump with, as you can see here, the MIPS registers and the stack dump. And also on the top you can see this one; this is the EPC, which is the MIPS instruction pointer. As you can see here, it was overwritten with my input. This means that we are actually in control of the instruction pointer.

So some further analysis of the crash then allowed me to fully understand the vulnerability. The overflow causes us to overwrite a function pointer which conveniently lies 584 bytes after the username. So this is pretty simple: just send a long username, override the function pointer with a pointer to your code, and you can run remote code; you have remote code execution. So it sounds way too easy. Any problems? Yep, we have a slight problem. All of the vulnerable firmware is ZynOS based, but each one looks a bit different in terms of memory layout, and it even changes between different firmware versions of the same model. This means we cannot know the correct position of our shellcode in memory, and therefore we don't know which value we need to overwrite the function pointer with. Of course, if you knew the exact memory layout of your victim, you could easily run code on the router without any problem. It's also important to know that an attacker has only one chance to attack a router, because if it causes a crash, then the router reboots. So a potential solution for this whole problem would be just to find some info-leak vulnerability that would disclose the memory layout. But it seems like way too much work for now, so let's keep looking for something else.

Because I had no way of debugging, I had to use some very primitive debugging capabilities that were built into the bootloader, through the serial port, which allowed me to patch the firmware before it was loaded. It was very handy, but a very tedious process. So after way too many resets, I found that there is a hidden telnet command in ZynOS which lets you patch the router's memory online. This led to the creation of Zahedan, a ZynOS remote debugger over telnet. The result: you can set breakpoints, view and edit memory, and also read and write register values online. This made dynamic analysis way more convenient. So using my brand new debugger, I was able to understand much better the nuts and bolts of RomPager, which eventually led me to the second vulnerability. You see, RomPager has no dynamic memory allocation capabilities, so each request is handled in a pre-allocated structure, with up to three requests handled at the same time. So if you send three consecutive requests, you can override the header structure which we saw earlier. This is also caused by an unprotected string copy. So again, we can get control over the EPC. So can it be exploited? Well, theoretically you can blindly do a memory read of memory addresses by changing the pointer of some HTTP header name. But in the end I decided to leave this vulnerability, because it only works on port 80 and we already have rom-0 for that.

So moving on to vulnerability number three. RomPager, let's talk about cookies. Because RomPager, as you remember, does not have any dynamic allocation, it has an internal cookies array for each request, with 10 cookies, an array of up to 40 bytes each. The cookie names are constant: C0, C1, C2 and so on up to C9. This is an example of a client sending one of these cookies; you can see here, this is the C0 cookie. So let's take a look at the cookie handler to see how RomPager actually stores the cookies. You can see on the top that RomPager checks the cookie name for a C at the beginning; if so, then it will convert the rest of the cookie name into an integer and use this integer as an index for the cookie array. OK, so here it will multiply $s3, which is the index, by 40 and then use it as the destination for the copy. Yep. So here you can see it more easily. Basically this gives me an arbitrary memory write from a relative position in the RomPager internal structure, which means we can pretty much control everything RomPager does. A very nice bonus is that we can overflow the 32-bit integer to get to a negative offset in the structure.

So let's take a look at that. Some non-harmful cookie: instead of C0, C1, we are sending this, with the index pointing exactly at the request path field. We can see that we can now set this path to anything we like, and in this case we'll get this. So we were able to override the request path with our own input. But this actually has far worse consequences. I need to mention this technique will work on any model, on any brand that we have legal access to. You see, with a few magic cookies added to your request, you can bypass authentication and browse the configuration interface as admin from any port. So to prove this insane claim, let's go straight to the demo.

Sorry, no, wait a sec, I'll fix it. Yes, we are ready, I think. Next, yes. OK, so we actually have a video recorded and then we're going to try the live demo. We prayed to the demo gods earlier, so hopefully things will work there as well. But first, let's look at the demo that will really, I think, explain the issue here. So we enter the router; it shows us username, password, login. We can also try to see what's available on 7547; of course, we get the object not found. Then we use our Chrome plugin. Let's actually try this live and really hope that it works. Let's see now. All right, so we get the authentication required. Oh, you're not seeing it. Here you go. Well, it's a bit small, but still, so we're getting the authentication required. We're going to go to the Misfortune Cookie auto-pwner and try that again, see if it works. Hopefully it works. It doesn't. Oh, wait a sec, wait a sec, we're going to try that again. Now, it's like an internal thing, don't worry about it. Oh, it doesn't matter what port we are on. Will this work? Yeah. This is what we got at the store. This is brand new. This is a device that was manufactured in 2014. This is very interesting.

OK, so back to our presentation. We set up this nice website and it explains the core issue here, and then we tried to see which countries were affected by this. Again, this vulnerability affects devices in 189 countries all over the world, and in some countries this is incredibly popular, affecting up to 50 percent of the IP addresses in use in that country. I'm not joking: that's one out of every two IP addresses in that country vulnerable to this. That's a few countries, and certainly some big names in the country list that you didn't expect to see there. Yeah, smartphones are happy about that as well. I know what you're thinking: I have to turn this off on my device right now. I should not have 7547 listening on my public IP address. And as soon as you get home, you'll enter your configuration interface and you'll find the setting, and you'll deactivate it and hit save, and it doesn't do anything, because 7547 is still open. That's right, there is no legitimate way for you to turn this off, even as admin. I don't know whether to laugh or to cry. So what can you do? You can cancel your Internet subscription. Of course, the technical users, hopefully that's you guys, can flash alternative firmware. You have DD-WRT and OpenWrt, which just don't have RomPager. You can take your chances on whatever they have there, but it's not the old version of RomPager. And don't buy these models until they're fixed; the suspected vulnerable models are on the website, and we occasionally update that.

All right, so let's understand the supply chain here. Allegro Soft provided RomPager at one point to a certain chipset vendor, and this chipset vendor implemented the TR-069 functionality and bundled this into their SDK as a bonus feature. Now, this SDK was provided to manufacturers who compiled their firmware for each product series and model. And just to make it a bit more complicated, the ISPs customized the firmware to include brand logos and default configurations, and deployed these versions to consumer devices. So you can start to understand this incredibly complex behind-the-scenes chain, and think about what this means for security updates, because the update propagation chain here is incredibly slow, if not nonexistent. Allegro Soft has to provide a fixed version to the chipset vendor, which then has to incorporate this into the SDK, which has to be given to manufacturers, who have to recompile firmware for every product line and every product model, which have to give it to the ISPs, which have to recompile the firmware into the updated version using their customizations. And now this thing has to be deployed on every device. This is a nightmare. In this case, we can truly say that too many cooks do spoil the broth. Thank you. And this is the good case we're describing here, where your device is controlled by your ISP, because if you just bought your home router off the shelf, most people never upgrade the router firmware. Anyway, this vulnerability will be here for months and years to come.

So, vendor communication: we contacted Allegro Soft and all the major affected vendors. We provided a full description of the vulnerability and a non-harmful proof of concept to trigger it. Despite some broken English, the message did get through, at least most of the time. We have some patched firmware already out, at least from Huawei, who actually were the best responders so far: very clear communication. And Allegro Soft released a statement saying that, no, we can't force any vendor to upgrade to the latest version, and we actually provided a patched version in 2005. So think about this: if code from 2005 still did not make it through the chain, and we actually know it did not make it even one step into the chain, something is wrong here.

So just a few very frequently asked questions that we've been getting in the week that this has been out. Is RomPager bad? No. They were actually very responsive, they were security aware, they caught this bug in internal code review. They did; they just didn't know what it meant. When we explained it to them, I heard the jaws drop over the phone line. And we just happened to research an old version of their software. I think any code written in 2002 might have been, you know, secured the same. And we don't think this is an intentionally placed backdoor; it doesn't look like one. We will not be sharing the exploit. No, sorry about that. Some bodies have approached me, and they're asking about the IPs that are affected in their country, and I'm saying you have to scan it yourself. And listen, the numbers here are lying, because some ISPs actually don't use the default port, and I'm sure they use something else; at least we know that in Israel we use something else. When you scan on those ports, you get very different numbers. So that's an important point to mention.

Short recap: we found a pretty serious vulnerability in the most popular service exposed on IPv4, at least as far as we know; do challenge us if you think otherwise. And hey, industry, fix this. Thank you very much. I would love to have your questions.

Well, thank you so much. Actually, I had the honor to moderate a similar lecture this morning at 11:30 by an Irishman who showed us that the switches of the main energy providers, actually you can just download the image and upload it when you've patched it, into the room. This is a bit more complicated, but it's basically the same thing. It actually scares the shit out of me. You should be scared. OK, we'll be taking questions. I can blow up if you guys want to know. So we'll do one, two, one, two. Is that OK with you? OK, here you go. Number one.

OK, so I'd like to know a bit more about the universe, because at home I have... Can people please, when you leave, leave quietly. Some people still want to listen. I'm sorry. Yeah. So I have that device myself, which is in your list, and it's OK to put it here because it's quite quick, and it's one of the Linux ones, but it looks like before it went to Linux, it was something else which had a double. And I don't know if it matches the newest, if it's some kind of pre-Linux OS, or how does it work?

OK, so we don't know that device, because we don't have access to every single device that we saw on the list. We didn't try to exploit everything on the Internet, only devices that we could have legal access to. We would love to talk about this later, and if you can share some details with us, then maybe we can look into this, but we don't have anything to add about this. It may be that the device runs this OS, which then starts Linux. Sorry, I don't know. OK, thank you. There's somebody waiting; go ahead.

When you originally published this issue as Misfortune Cookie, you recommended that home users install ZoneAlarm as a protective measure on their computers. Could you explain how installing a personal firewall would protect me from router pwnage?

So I can definitely explain how this helps if your router gets pwned, but it's definitely not what I want to talk about, and we can talk about this later. OK, thank you.

Yes, one quick next question, mic one. When you mentioned the IP addresses for each country... Can we have some quiet, please? You mentioned getting the list of the IP addresses for our country. Just one request: please talk to the Shadowserver Foundation, because they have daily methods of scanning for these kinds of issues and they send out the lists of IP addresses to all national CERTs all over the world. So it's a foundation, we can donate to them. OK, so talk to you later. Sure, yes.

OK, we'll stick to the mic. No, there is nobody. Is there somebody over there? Oh, come up front. Oh, do I look that scary? Do they look that scary? It's us. I mean, it's you folks. OK. Yeah. Now, could you speak into the mic, please? Yes. Did you check cable modems? Because at least in Germany we are forced to use the modems we get from our providers, and especially models like the Technicolor are very well known for horrible exploits; like, you can force them to reboot with a broken HTTP packet, which is kind of scary.

Yeah. So we didn't try to categorize according to cable or DSL or whatever it is. If it's on the suspected vulnerable model list, then we saw it as vulnerable, as containing RomPager 4.07. That's a very simple check.

OK, because I'm just asking because I have no possibility to switch as long as I stick to this ISP.

So I understand that. It's definitely a problem that we're seeing in other places worldwide, and this is part of why we're doing this publication. We think that this puts very positive pressure on many, many vendors out there to try to fix this as fast as possible. I know we are seeing that this process is being expedited. So definitely in cases like this, if this is vulnerable, please go and talk to your providers and tell them this is a very, very serious security issue and you have to deal with this now. OK, thank you.

Thank you. OK, hang on a minute. We have a question from the Internet, because we've been streaming. So can we have a question from the Internet, please? Yes, there's a question: did you try to open this up, and if not, are you going to?

So, no, we did not try it. It's definitely a research direction. Anyone can take it up; we recommend that you do.

Well, we have one more question from the Internet and then go back to mic one. Wouldn't it be possible to use the exploit to exploit the router and then update them using the exploit, exploit the router and then upload new firmware?

Definitely.

OK, mic one, I think. Yeah. Yep. Very good. Thanks a lot. Thank you. So obviously the vendors are going to take a very long time to fix this, but is there any really legitimate use of this port, 7547, from the outside? Yeah, surely within the ISP's network, but over the Internet, is there any real use for this? Is there something the ISPs could filter at their border, for example?

They use it all the time to do all sorts of monitoring and configuration. So if you block 7547, if you magically block it somehow, because a lot of the time you don't even have this option, but if you do block it, then they won't be able to help you with anything; they won't be able to see if anything's wrong with your device.

But is this something the ISPs can fix and stop the entire IP space from...?

Yeah, I mean, we released a protection white paper that's
 intended for providers, you know, with some some good advice on how to solve this. For example, just a real, you know, a small piece of it. You could use an internal IP range to to, you know, to have this the seven, five or seven on. And then you don't really have to put it on the public web. So that's I mean, we're seeing some providers definitely do that. And that's a very good direction. OK, great. Thanks. OK, thank you. Um, my number two years ago. Can we please have some peace, you want to chat, OK, go outside. If I can just respond to the previous question. I'm working for an ISP and what you can actually do is just an access list on those modems. So only the legitimate I, uh, access can reach those modems. That's the simplest thing you can do as an ISP. Yeah, well, I think we also mentioned that in the production of Google and thank you for that. Um, second question is, are you aware of the research that was presented at Hack in the Box, Amsterdam 2013 in April? Because I think they hacked your modem. Yes. Yeah, because I think they actually hit the same buffer overflow floater in Buffalo. No, it was a different version of a during their zeisel. And I think it's a it's a very yeah. We are kind of the same, a very different vulnerability. OK, you checked. OK, just wanted to know. Thanks. OK, thank you. Move over to Mike, one of my kind of like I have to record you for the stream. So have you looked into the impact of what would happen if someone changed the DNA settings to a affect DNS or changed one side that or this genuinely Tovo of people's letters? Well, definitely. That's kind of what we're seeing in the past few years. Attacker is doing in large, you know, high profile router attacks. They they changed the DNS settings and it's pretty much game over from there. So definitely that's also an opening for that. You know, we really hope that attackers, you know, don't get a hold of this. But it's definitely I think it will happen eventually. Thanks. OK, tha
nk you. So, again, I have several questions. So first question, but to support in Israel. So if I were on holiday, maybe it's interesting. And, uh, so what's your support on this one? I'm sorry. Again, the parts for this thing and it's the fourth in Israel. We could talk about that later. I don't want to give you no good detail. OK, and then the second thing is, uh, I have, for example, have either ISP who is gives me a box. And the problem is that I cannot, uh, switch I cannot get my access data and I cannot, um, own this thing because I would need to have a high speed modem to to go to the left side where it's connected to the fiber fiber optic, um, thing that generates to cable this stuff. We are maybe 20 meters. And so I needed to do a sniffing device that goes there. It's a real problem. I we can understand that. It's definitely one of the things that make this issue so serious. It's also how how do our bit of sniffing device so it's a maybe a device that I can exploit and say, OK, I buy these old modem and Bertus petrol sniffing and so maybe a double double modem device. Yeah, I can. But then it's kind of, you know, it's not going to be for the mass market. So I want to hack my flat box and then I know it and then it's better for me that I can use something else. I guess there are a few people here are thirty one three that can help you build that thing. OK, and then with cable modems, if you don't have cable modem, it would be much more fun because cable is flat. So even if I don't have to subscribe, subscribe to a cable, uh, device, I can just go into my flat, have a cable outlet, go to a flea market, buy a cable modem, as can I, scan the Internet for some cable modem in the city and dump the memory put put the excess data of this person into my cable modem and I can have it for free. This is how they catch me. It's it's flat. It's just passive networks like like typing. I mean, that's what we're seeing a lot of these, uh, you know, a lot of these home real 
threats. And it's definitely one, uh, one that we're also looking into, um, and the cable modem very now. So hopefully for next year. OK, OK. But we'll keep trying. OK. Yes. Mac No. One, is it correct that via tr sixty nine of the providers can also change this default port so that they can send you a new configuration. Yeah. And so they could on the very first provisioning of the box when I just couldn't take it out and connect it to my DSL that I get immediately from the. Yes. A new port which is not the default port anymore. Very possible and actually being done. OK, so then I would be vulnerable of course on the word but. Right. So I mean but we also recommended that some ISPs do that because at least you're going to get away from the opportunistic hackers that just scan the entire Internet. OK, I don't know who would do such a thing, but maybe regarding your statistics, Germany was quite light colored. Is it because you've spent only that part or did you can we only scan seven, five, four, seven? It's important to mention all of our numbers are based on seven, five or seven. If you know, you go into the depth of each country, of each ISP, you can potentially find a lot more vulnerable devices. OK, thank you much. OK. And if anyone does this, please do share it with us because you know, we might make this public and and help your provider fix this. OK, now you all people know that if you want to go back and look at this talk, you'll find out it in our Stream archive just before you get panic. Number two, please. OK, I didn't quite get how the protocol actually works. Is the listening device or listening service on the clients that actually require it, because you said every communication is initiated by the client and why? Yeah, well, first of all, you understand that this vulnerability has almost nothing to do with your Sixty-nine doesn't have anything to do with the protocol. It's just a Web server that's listening on this port because of that. And so just men
tioning again, what I said at the beginning that this is a connection request for that asks can send connection requests to which the client immediately follows by, you know, making a new connection and do a real provisioning session. OK, that's OK. Yeah. And this is, you know, similar Rajdeep. So this needs to be sort of OK before they shut down the Internet. There is this question. Yes. From the Internet. Yes. What is with the new versions? Are they really fixed? The new versions are have been fixed. We, um, some some vendors have provided us with beta versions of firmware of Fix Fermor, and they actually fixed that. Right. I mean, at least as we see it, they're checking it correctly and they fixed it before overflows and, you know, just patched it actually on a rampage of four 07. They just patched these vulnerabilities. So there might be more things there. Um, and also just the interesting point here that would make it a bit difficult to understand if a device is now still vulnerable because the server header is still going to be four point eighty seven. And then you'd have to find like a different way of figuring out if this is vulnerable. It's OK. Some more No Child Left Back. We answer all questions. There are more personal. Oh, how about IP 462 IP for devices using dual stack light? I'm sorry, I didn't get the question. How about how about IP for six devices using dual stack light. Dual stack. Oh we did not look into that at all. OK, was there all that. Was it anybody else. A question. You guys want to ask a question, though? OK, well, then let's have one big final.