Dmitry Sklyarov
Senior Analyst @ Department for Advanced Developments
Positive Technologies
Positive Hack Days IV, May 21-22, 2014
How it looks (approximately ;)
Explore textual marks on Modem
Front side:
• “4G” logo
• operator’s logo
Under the cover (access to SIM and SD cards):
• operator’s internal model number
• IMEI
• serial number
Hmm, what are the actual manufacturer name and model number?
Back side:
• nothing
Explore packaging
Manufacturer name (ZTE) printed on the box and in booklet
ZTE MF823 4G Modem Specification
• LTE-FDD: 800/900/1800/2600MHz;
• UMTS: 900/2100MHz;
• LTE-FDD: DL/UL 100/50Mbps (Category3)
• DC-HSPA+: DL/UL 42/5.76Mbps
• Size: 90 x 28.4 x 13mm
• OS: Win7, Windows XP, Vista, Win8, Mac OS
ZTE MF823 4G Modem re-Branding
MegaFon (Russia)
O2(Germany)
Is there a modem anymore?
After plugging into PC running Windows 7:
• CWID USB SCSI CD-ROM USB Device
• ZTE MMC Storage USB Device (MicroSD Card Reader)
After performing “Eject CD Drive”:
• CD-ROM (sometimes they come back!)
• MicroSD Card Reader
• Remote NDIS* based Internet Sharing Device
*NDIS == Network Driver Interface Specification
No drivers required! (at least on Windows 7 ;)
Remote NDIS adapter properties
> ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.0.182
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
How to speak with MF823?
Results of ports scan for 192.168.0.1
HTTP server on 192.168.0.1
NB: Some brand-customized firmware contains web-interface
that relies on “GoForm” handlers
GET /index.html HTTP/1.1
Host: 192.168.0.1
HTTP/1.1 404 Site or Page Not Found
GET / HTTP/1.1
Host: 192.168.0.1
HTTP/1.0 302 Redirect
Server: GoAhead-Webs/2.5.0
Location: http://192.168.0.1/index.html
HTTP server Handlers
Defined UrlHandlers:
/goform
/cgi-bin
/mmc2
/api/xmlclient/post
/client/backup
/api/nvramul.cgi
Defined GoForm handlers:
/goform/goform_get_cmd_process
/goform/goform_set_cmd_process
/goform/goform_process
/goform/formTest
Getting diagnostics info
http://192.168.0.1/goform/goform_get_cmd_process?cmd=device_diagnostics
Returns:
productName softwareVersion modemVersion
routerVersion webUiVersion hardwareVersion
serialNumber simSerialNumber simMsisdn
deviceImei simImsi simStatus
sdCardAvailable sdCardTotalMemory sdCardUsedMemory
currentConnectedUsers maxConnectedUsers timeSinceStartup
Switching to Download (FACTORY) mode
http://192.168.0.1/goform/goform_process?goformId=MODE_SWITCH&switchCmd=FACTORY
New devices appear:
• ZTE Diagnostics Interface (COMX)
• ZTE NMEA Device (COMY)
• ZTE Proprietary USB Modem
NB: Send AT+ZCDRUN=F to COM-port associated with
“ZTE NMEA Device” to return from Download mode
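An added example, not part of the original slides: a host-side check that flags requests to the modem's management handlers listed above, including the diagnostics read and the mode switch. The log format, the function names and the severity labels are assumptions made for this illustration; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Management address and handler paths exactly as listed on the slides.
MODEM_HOST = "192.168.0.1"
URL_HANDLERS = ("/goform", "/cgi-bin", "/mmc2", "/api/xmlclient/post",
                "/client/backup", "/api/nvramul.cgi")

# Assumed log format (constructed): "<ISO time> <client> <METHOD> <URL>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)$")

# Constructed sample of a host-side HTTP log.
SAMPLE_LOG = """\
2014-05-21T10:00:01Z 192.168.0.182 GET http://192.168.0.1/index.html
2014-05-21T10:00:05Z 192.168.0.182 GET http://192.168.0.1/goform/goform_get_cmd_process?cmd=device_diagnostics
2014-05-21T10:00:09Z 192.168.0.182 GET http://192.168.0.1/goform/goform_process?goformId=MODE_SWITCH&switchCmd=FACTORY
2014-05-21T10:00:12Z 192.168.0.182 GET http://192.168.0.1//goform/%67oform_process?goformid=MODE_SWITCH&switchCmd=FACTORY
2014-05-21T10:00:15Z 192.168.0.182 GET http://example.com/goform/goform_process?goformId=MODE_SWITCH
2014-05-21T10:00:20Z 192.168.0.182 POST http://192.168.0.1/api/xmlclient/post
""".splitlines()


def normalize_path(raw_path):
    """Percent-decode the path and collapse repeated slashes before matching."""
    return re.sub(r"/{2,}", "/", unquote(raw_path))


def classify(url):
    """Return (severity, reason) for a modem management request, else None."""
    parts = urlsplit(url)
    if parts.hostname != MODEM_HOST:
        return None
    path = normalize_path(parts.path)
    # Parameter names are compared case-insensitively so the check errs on
    # the side of flagging; whether the firmware does the same is unknown.
    query = {k.lower(): v for k, v in parse_qs(parts.query).items()}
    leaf = path.rsplit("/", 1)[-1]

    if path.startswith("/goform/"):
        if leaf == "goform_process" and "MODE_SWITCH" in query.get("goformid", []):
            mode = ",".join(query.get("switchcmd", ["?"]))
            return ("high", "mode switch requested (switchCmd=%s)" % mode)
        if (leaf == "goform_get_cmd_process"
                and "device_diagnostics" in query.get("cmd", [])):
            return ("medium", "diagnostics read (IMEI, IMSI, MSISDN, serials)")
        if leaf in ("goform_set_cmd_process", "goform_process"):
            return ("medium", "goform set/process handler called")
        return ("low", "other goform handler")

    for prefix in URL_HANDLERS:
        if path == prefix or path.startswith(prefix + "/"):
            return ("low", "management handler " + prefix)
    return None


def audit(lines):
    """Scan log lines and return (time, client, severity, reason) findings."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # skip lines that do not fit the assumed format
        when, client, _method, url = match.groups()
        verdict = classify(url)
        if verdict:
            findings.append((when, client, verdict[0], verdict[1]))
    return findings


if __name__ == "__main__":
    for when, client, severity, reason in audit(SAMPLE_LOG):
        print("%s %-6s %s -> %s" % (when, severity, client, reason))
```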
telnetd on 192.168.0.1
OpenEmbedded Linux 9615-cdp
msm 20130729 9615-cdp
9615-cdp login: root
Password: zte9x15
root@9615-cdp:~# id
uid=0(root) gid=0(root) groups=0(root)
root is good!
Full-featured ARM-based Linux
• busybox apps (e.g. nc and netstat)
• iptables
• tcpdump
• gdbserver
CD image at /usr/zte_web/ZTEMODEM.ISO
HTTP server root at /usr/zte_web/web/*
• auto_apn
• copy
• zte_log
What is actually under your control?
What are the threats?
• controls all external traffic
• log all internet activity
• replicate all internet activity
• WiFi-enabled? access to local WiFi
• GPS-enabled? store/report GPS location
• under remote management
• access to local network
My favorite Modem ;)
That’s all…
Thanks for your patience ;)
Dmitry Sklyarov
DSklyarov@ptsecurity.ru
Senior Analyst @ Department for Advanced Developments
Positive Technologies
4G modem – best present ever!

presentation ICT roal in 21st century education
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 

4G modem – best present ever!

  • 1.
  • 2. Dmitry Sklyarov Senior Analyst @ Department for Advanced Developments Positive Technologies Positive Hack Days IV, May 21-22, 2014
  • 3. How it looks (approximately ;)
  • 4. Explore textual marks on Modem
      Front side:
        • “4G” logo
        • operator’s logo
      Under the cover (access to SIM and SD cards):
        • operator’s internal model number
        • IMEI
        • serial number
      Hmm, what is the actual manufacturer name and model number?
      Back side:
        • nothing
  • 5. Explore packaging Manufacturer name (ZTE) printed on the box and in booklet
  • 6. ZTE MF823 4G Modem Specification
        • LTE-FDD: 800/900/1800/2600 MHz
        • UMTS: 900/2100 MHz
        • LTE-FDD: DL/UL 100/50 Mbps (Category 3)
        • DC-HSPA+: DL/UL 42/5.76 Mbps
        • Size: 90 x 28.4 x 13 mm
        • OS: Win7, Windows XP, Vista, Win8, Mac OS
  • 7. ZTE MF823 4G Modem re-Branding: MegaFon (Russia), O2 (Germany)
  • 8. Is there Modem anymore?
      After plugging into PC running Windows 7:
        • CWID USB SCSI CD-ROM USB Device
        • ZTE MMC Storage USB Device (MicroSD Card Reader)
      After performing “Eject CD Drive”:
        • CD-ROM (sometimes they come back!)
        • MicroSD Card Reader
        • Remote NDIS* based Internet Sharing Device
      *NDIS == Network Driver Interface Specification
      No drivers required! (at least on Windows 7 ;)
  • 9. Remote NDIS adapter properties
      > ipconfig
      Windows IP Configuration
      Ethernet adapter Local Area Connection:
         Connection-specific DNS Suffix . :
         IPv4 Address. . . . . . . . . . . : 192.168.0.182
         Subnet Mask . . . . . . . . . . . : 255.255.255.0
         Default Gateway . . . . . . . . . : 192.168.0.1
  • 10. How to speak with MF823? Results of ports scan for 192.168.0.1
  • 11. HTTP server on 192.168.0.1
      NB: Some brand-customized firmware contains web-interface that relies on “GoForm” handlers
      GET /index.html HTTP/1.1
      Host: 192.168.0.1
      HTTP/1.1 404 Site or Page Not Found

      GET / HTTP/1.1
      Host: 192.168.0.1
      HTTP/1.0 302 Redirect
      Server: GoAhead-Webs/2.5.0
      Location: http://192.168.0.1/index.html
  • 12. HTTP server Handlers
      Defined UrlHandlers:
        /goform
        /cgi-bin
        /mmc2
        /api/xmlclient/post
        /client/backup
        /api/nvramul.cgi
      Defined GoForm handlers:
        /goform/goform_get_cmd_process
        /goform/goform_set_cmd_process
        /goform/goform_process
        /goform/formTest
  • 13. Getting diagnostics info
      http://192.168.0.1/goform/goform_get_cmd_process?cmd=device_diagnostics
      Returns:
        productName, softwareVersion, modemVersion, routerVersion, webUiVersion,
        hardwareVersion, serialNumber, simSerialNumber, simMsisdn, deviceImei,
        simImsi, simStatus, sdCardAvailable, sdCardTotalMemory, sdCardUsedMemory,
        currentConnectedUsers, maxConnectedUsers, timeSinceStartup
  • 14. Switching to Download (FACTORY) mode
      http://192.168.0.1/goform/goform_process?goformId=MODE_SWITCH&switchCmd=FACTORY
      New devices appear:
        • ZTE Diagnostics Interface (COMX)
        • ZTE NMEA Device (COMY)
        • ZTE Proprietary USB Modem
      NB: Send AT+ZCDRUN=F to the COM port associated with “ZTE NMEA Device” to return from Download mode
  • 15. telnetd on 192.168.0.1
      OpenEmbedded Linux 9615-cdp
      msm 20130729 9615-cdp
      9615-cdp login: root
      Password: zte9x15
      root@9615-cdp:~# id
      uid=0(root) gid=0(root) groups=0(root)
  • 16. root is good!
      Full-featured ARM-based Linux
        • busybox apps (e.g. nc and netstat)
        • iptables
        • tcpdump
        • gdbserver
      CD image at /usr/zte_web/ZTEMODEM.ISO
      HTTP server root at /usr/zte_web/web/*
        • auto_apn
        • copy
        • zte_log
  • 17. What is actually under your control?
  • 18. What is actually under your control?
  • 19. What are the threats?
        • controls all external traffic
        • log all internet activity
        • replicate all internet activity
        • WiFi-enabled? access to local WiFi
        • GPS-enabled? store/report GPS location
        • under remote management
        • access to local network
  • 21. That’s all… Thanks for your patience ;) Dmitry Sklyarov DSklyarov@ptsecurity.ru Senior Analyst @ Department for Advanced Developments Positive Technologies
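
An added example, not part of the original slides: a small detector that flags requests to the GoForm handlers from slides 12-14 in a host's HTTP request log, so that reads of device identifiers and switches to FACTORY mode stand out. The log format ("time client method url"), the label names and the sample lines are assumptions made for this example.

```python
from urllib.parse import urlsplit, parse_qs

MODEM_HOST = "192.168.0.1"  # gateway address shown on the slides

# (path, parameter, value, label): paths and parameters are the ones on the
# slides; the labels are names made up for this example.
RULES = [
    ("/goform/goform_get_cmd_process", "cmd", "device_diagnostics",
     "identifier-read"),  # response carries IMEI, IMSI, MSISDN, serials
    ("/goform/goform_process", "goformId", "MODE_SWITCH",
     "mode-switch"),      # switchCmd=FACTORY re-enumerates the USB device
]

def classify(url):
    """Return a finding label for one request URL, or None."""
    parts = urlsplit(url)
    if parts.hostname != MODEM_HOST:
        return None
    path = parts.path.rstrip("/")
    query = parse_qs(parts.query)  # decodes %XX, ignores parameter order
    for rule_path, key, value, label in RULES:
        if path == rule_path and value in query.get(key, []):
            if label == "mode-switch":
                label += ":" + ",".join(query.get("switchCmd", ["?"]))
            return label
    # Other GoForm handlers (e.g. goform_set_cmd_process) are reported generically.
    return "other-goform" if path.startswith("/goform/") else None

def scan(lines):
    """Return [(client, label)] for flagged 'time client method url' lines."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines instead of guessing
        label = classify(fields[3])
        if label:
            findings.append((fields[1], label))
    return findings

# Constructed sample log (not captured from a real device).
SAMPLE_LOG = [
    "2014-05-21T10:00:01 192.168.0.182 GET http://192.168.0.1/index.html",
    "2014-05-21T10:00:07 192.168.0.182 GET http://192.168.0.1/goform/goform_get_cmd_process?cmd=device%5Fdiagnostics",
    "2014-05-21T10:00:09 192.168.0.182 GET http://192.168.0.1/goform/goform_process?switchCmd=FACTORY&goformId=MODE_SWITCH",
    "2014-05-21T10:00:12 192.168.0.182 GET http://192.168.0.1/goform/formTest",
    "truncated line",
]

if __name__ == "__main__":
    for client, label in scan(SAMPLE_LOG):
        print(client, label)
```

The percent-encoded and reordered parameters in the sample lines show why the match is done on parsed query values and not on the raw URL string.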