For quite some time we have been seeing espionage cases reaching countries, governments and large companies.
A large number of backdoors have been found on network devices, mobile phones and other related devices; the main cases are the ones reported by the media, involving TP-Link, D-Link, Linksys, Samsung and other internationally renowned companies.
This talk will discuss a backdoor found on the modem/router rtn, equipment that has a big question mark over it: there is no vendor identification and no information about who its manufacturer is, and there are at least 7 companies linked to its production, sales and distribution in the market. Moreover, some of them never really existed.
This leads us to the question in the research title: “Who put the backdoor in my modem?”
--- Ewerson Guimaraes
Degree in Computer Science from Fumec University, Security Analyst and Researcher at Epam Systems. Certified by Offensive Security (OSCP) and eLearnSecurity (WPT) as a Pentester, Ewerson has published articles in the Brazilian Information Security/Computers magazines H4ck3r and GEEK, and has posted exploits and advisories on SecurityFocus for vulnerabilities found in big companies such as IBM, McAfee, Skype, Technicolor, Tufin, TrendMicro and others. He contributed several modules to the Metasploit Framework Project. He is the founder of BHack Conference and Area31, the first hackerspace in Minas Gerais, and is an active Kali Linux Community Contributor.
20. CONFIDENTIAL
More strange stuff...
In the device manager you can see Observa Telecom, but...
The vendor's website exists, but it is a single branded blank page, without any links to other areas such as manuals, support and firmware.
More strange stuff...
This device is distributed by GVT (Global Village Telecom).
According to GVT technical support and the GVT site, this modem/router is not supported by them.
Don’t believe it? Take a look at:
http://www.gvt.com.br/PortalGVT/Atendimento/Area-Aberta/Documentos/Lista-de-Modens
Inside the backdoor...
Taking a closer look at the device’s memory, it was possible to find some interesting information:
A redirection link to a Chinese company:
Even after a reset it was possible to retrieve the device’s previous user name:
The device saves neighbouring network names:
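The three findings above (an external redirect URL, a user name that survives a factory reset, and stored neighbour SSIDs) can be checked on your own device's memory dump with a small forensic script. The following is an added example, not code from the talk; the two dumps are constructed inline, and the NVRAM key names (http_user, http_passwd, prev_user, redirect_url, wl_ssid, neighbor_ap) are assumptions, not the real device's layout.

```python
import re

# Constructed sample dumps (not captured from the real device): a raw memory/NVRAM
# image taken before a factory reset and one taken after it. The key names are
# assumptions made for this demo; adapt the patterns to the dump you are analysing.
DUMP_BEFORE_RESET = (
    b"\x00\x00nvram\x00http_user=admin\x00http_passwd=gvt12345\x00"
    b"redirect_url=http://vendor.example/update\x00"
    b"wl_ssid=HomeNet\x00neighbor_ap=Cafe_WiFi\x00neighbor_ap=Flat12_5G\x00"
    b"\xff\xff\xff\x00prev_user=joao\x00\x00"
)
DUMP_AFTER_RESET = (
    b"\x00\x00nvram\x00http_user=admin\x00http_passwd=gvt12345\x00"
    b"redirect_url=http://vendor.example/update\x00"
    b"wl_ssid=GVT-XXXX\x00neighbor_ap=Cafe_WiFi\x00"
    b"\xff\xff\xff\x00prev_user=joao\x00\x00"
)

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")  # same idea as the `strings` tool

CATEGORIES = {
    # category -> regex applied to each decoded string
    "url":        re.compile(r"https?://\S+"),
    "credential": re.compile(r"(?i)^(http_user|http_passwd|prev_user)="),
    "ssid":       re.compile(r"(?i)^(wl_ssid|neighbor_ap)="),
}

def extract_strings(blob):
    """Return the printable ASCII runs (>= 4 chars) found in a raw dump."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]

def classify(blob):
    """Map each category to the strings in the dump that match it."""
    found = {name: [] for name in CATEGORIES}
    for s in extract_strings(blob):
        for name, pattern in CATEGORIES.items():
            if pattern.search(s):
                found[name].append(s)
    return found

def survived_reset(before, after):
    """Sensitive strings present both before and after a factory reset.
    Anything listed here was not wiped by the reset and deserves a closer look."""
    pre, post = classify(before), classify(after)
    return {name: sorted(set(pre[name]) & set(post[name])) for name in CATEGORIES}

if __name__ == "__main__":
    for name, items in survived_reset(DUMP_BEFORE_RESET, DUMP_AFTER_RESET).items():
        print(f"{name}: {items}")
```

Replace the constructed byte strings with the contents of a real dump file (`open(path, "rb").read()`) to run the same check on your own device.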
Inside the backdoor...
The factory default password is not:
admin:admin
admin:12345
admin:
You can do the factory reset!
The password is still: admin:gvt12345
How to fix
Hack the firmware: change the backdoor flag, upload the file and never reset to factory defaults.
OR / AND
Of course, disable remote access.