The next talk is going to be "Beyond your cable modem: how not to do DOCSIS networks". Sorry, I'm not a hardware guy, but Alexander Graf is going to hold a talk, and he's done a lot on virtualization and stuff other people think is too complicated, and now he's going to talk about the outside of your apartment. Give him a warm welcome.

Hi, and welcome to my talk "Beyond your cable modem". This is going to look at what's beyond the stuff you usually see at home, where you just plug in a network cable and, well, you happen to have internet available.

So who am I? I'm Alexander Graf. I'm usually more of a virtualization developer. I have nothing to do with hacking in my day work. I don't usually go around and hack embedded devices, usually at least. But during the last year I had a lot of spare time at night because the baby was crying, so I figured I could as well spend that time and do something useful.

So what happened? We moved to a new home. I was living in a home where I had DSL available, I had a real phone line, everything was great, things were just awesome. But then we moved into this new home where there was no DSL available. Well, there was DSL available, but there were different circumstances why I couldn't use it. So instead I figured, you know what, try this cool new technology: internet over your cable TV cable. So I got myself a cable modem from the provider, got myself registered, and now had internet over cable TV. Also at the same time, or along the same lines, I figured why not go and also do your phone line over that cable provider with your old phone numbers, so that people still can contact you when they want to.

Now the thing is, when I finally received the whole package, I realized: whoa, wait, something's wrong here. That's an analog phone line. Are we in 2015 or is it 1994?
So instead of the usual digital stuff that I'm used to, I just got myself an analog phone line. So I had to put another box in there that would convert the analog phone line back to a digital phone line, so I could route it in my house to another line, to another machine, that would then go and route it to my phone. You see the problem in there? Yeah, that whole stuff over there just doesn't look right. Why would you go and convert something that's obviously digital (I mean, the stuff that goes into your cable is obviously digital, right, kind of obvious) and convert it back to analog and then back to digital just to be able to do a phone call?

So I called up the technical support and said: hey guys, you know what, isn't there a way I can directly access whatever you have there and go and use digital throughout? And the guy said: well, you know what, actually behind the scenes we're all just running SIP. It's just a normal SIP server. It's just normal voice over IP, there's nothing special about it. So if you know what you're doing, just go ahead and connect to it. Challenge accepted.

So what we learned from Felix earlier in the car talk was: what do you do when you don't want to break your own system? Of course you buy a new one on eBay. They're really cheap. Just go and get a cable modem, and then you can go away and, well, treat it with the kind of love that you want the device to be treated with. Turns out my modem is actually just running Linux. Oh nice, it fits me pretty well. And it's just a normal ARM system. Well, the only special thing is that it's big-endian. But then again, I'm kind of used to ARM by now. Why not just go around and look at how this thing works?
And well, we really just want to get this voice over IP stuff working. So take a look at how this VoIP stuff works on the device. Turns out there's actually a normal SIP client running on there; SIP works on port 5060 usually. But this IP looks weird. So my external IP looks different and my internal IPs all look different, so where does this IP come from? So I looked at the IP list of my device and figured: well, wait, something's weird. I have a lot of IPs in there and connections that I really don't know anything about. Hmm. So down here is obviously my phone line, and up here is something else that I have no idea about. So I figured, you know, let's go and dig a bit deeper and see what's actually happening there.

So how does DOCSIS work? This is just a small, high-level introduction on how the routing works. So basically you have your cable modem that is connected using your TV cable line to a CMTS, just a translation service that then takes all of the DOCSIS-specific stuff and basically gives you IP routing over into something behind it. However, it doesn't just give you one line. It actually gives you three. It gives you one line for your internet. Makes sense, right? You want to get online? That's the one you actually see when you plug into the device. It also gives you another line for voice over IP, and it gives you one more line that I would call the admin line. It's the provisioning line.

Now let's start with the admin line; that sounds the most interesting, right? But what does the admin line do? Well, in the end the modem in the DOCSIS network is just a normal client, like in your Ethernet network. So the first thing it does when it gets online is, what does it do? A DHCP request. With the DHCP request it goes and gets an IP address and gets all the information it needs. And it also, well, it's kind of the same.
It's just a normal DHCP request. However, it also gets something similar to PXE booting, where usually in PXE booting you would get an executable that you would run. Here you get something different. Here you also get a file that you need to download using TFTP, just like with PXE. However, in this case it's a configuration file, a configuration file that you just received PXE-style on your cable modem, and then the cable modem is configured.

Now what is inside this provisioning file? That's what they call it. Well, that's interesting information, like: what is your firmware update file name called, if you want to update your firmware or if the provider wants to have you update your firmware? How much bandwidth do I have? I hear people have been playing with that one. And well, since it's just a normal TFTP request, you can just do it yourself, too. This is my configuration. You just go get it and you have your configuration file.

Now the interesting thing that I realized when I first started doing this was: well, sure, this is my configuration file, but what about configuration files from other people? Well, you go and get the MAC address; if you have the MAC address, you just go and get it, and there you go, you have the other people's configuration file. Easy as that, right? That's the way it's supposed to work. The actual effects of that, we're going to come to that later. So let's just declare TFTP, the whole access to that, as slightly insecure for now.

But now, if you're an ISP, you want to monitor what your people do, right? So imagine you're the admin there, just imagine you're one of the good guys, right? And you want to see: what are those people on your modem doing? Are they downloading too much content? Because you obviously cannot filter or find that out from the other side. So what do you do?
Well, you obviously send the industry standard for that, an SNMP request, using a password that only you know, send it over to the cable modem, and the cable modem then goes in and replies with the respective reply saying: oh yeah, sure, I got this piece of information, there you go, you have it. Oh, that was too quick. But how does your modem actually verify that password? Yeah, you guessed right: using the provisioning file, obviously. So once you know the provisioning file from any random modem in there, including yours, you end up getting an interesting password.

All right. However, what they actually did, at least one thing: they limited the address range you're allowed to access those devices from. Yeah. As a hint for those who did not clap: this means everybody who's in that network. But how big is this network? So I figured, you know, why not just give it a try and ask some people in Hanover whether I could just get their MAC addresses, and see how far I could get. Just send an SNMP request over, I had the password now, right, and ask that modem: please tell me everything you know. And it did reply.

There's a lot of interesting information in SNMP, you wouldn't believe it. So this is obviously just general stuff, like oh yeah, this and that modem, but there's more in there. That's for example: this is my public IP address, in case you're searching for someone specific. Or: these are my internal MAC addresses, IP addresses, in case you're searching for some specific notebook that someone stole from you. Also: this is my provisioning file, in case you just happen to port scan all of the machines out there and ask them, using the same password that they all share, what their provisioning files could be called. Hmm, of course, I never did that, right?
So, well, I would say the whole SNMP story isn't really all that secure either. Yeah. But at a certain point in time, like when the modem actually doesn't work the way you would envision it to, or if you just need to do more administrative stuff, the admin wants to have more access than just SNMP, right? It's just kind of isolated to a few specific pieces of information. Yeah, you want some more hardcore access, like going down into a real shell. How do you do shells in 2015? Telnet, exactly. We'll actually get to the point where telnet was a good idea later, but that's 30 slides down or so.

So well, we already managed to get an SNMP connection working to a different modem. Let's just try the same with telnet and see how far we can get. Well, we can go in and just telnet in, and it replies and says: please give me a login. Hmm, now where do I get this login from? Turns out the administrator needs to provide that password just the same to the modem, which needs to verify it based on configuration, which it gets from the provisioning file. I think you see the point. So in the same provisioning file, that you can obviously again download for every single user in the network, you also have the password in plaintext. That's the part that actually took me the longest in this whole thing: I spent weeks trying to figure out what hash this is.

So if we try to log into the server using those credentials we got, yeah, we get greeted with a nice command interface for poor Mr. Admin at our provider's site. But I don't really like those boiled-down interfaces. I want a real shell. I want to load kernel modules, I want to filter all my network traffic, I want to reroute everything that modem does to a different machine, I want to rewrite the voice over IP client on there instead, whatever. So I want to do something real, right? So let's do the help command, and it tells us that there's a cool command called shell. Oh yeah, there we go.
Got a shell. So by now, at that point, I can actually go and do anything I want with that modem. I've got full root access. By the way, all the modems run every single piece of software running on there, including your web server and your SIP server and anything, as UID zero. It's a good idea, right? So I now got shell access, so I can do anything I want. I can reroute all your traffic. I can, well, I don't, obviously, but this was basically where we were at half a year ago.

Another thing to note is that since it's so annoying to generate different passwords for different devices, yeah, yeah, I know, you just use one password for all, right? It's good enough. So you don't even have to read the other person's configuration file, the provisioning file. You can just use your own password that is in your own provisioning file, which you already have on your modem because you provisioned yourself.

The only notable exception that I found with this whole scheme, so I mean you could basically go and log into any modem out there, except for Fritz!Boxes. Yeah. Congratulations on that one. So apparently AVM are the only ones who did not follow the standard scheme from my provider and instead said: no no no, guys, you don't do the firmware, we do the firmware. And they just don't like to enable telnet. Apparently there are people in that company that actually know what they're doing. So, well, I would say the whole telnet access thing isn't exactly, I wouldn't mark it secure either.

But we didn't really come here for the admin network, right? It just happened to be around. I just looked at it. We wanted to go and do voice over IP. Yeah, so how does voice over IP look like? Well, it's kind of similar. It also does a DHCP request in the beginning. DHCP is usually fine, I mark it with a green tick here.
It's, yeah, I'll leave it to others to further dig down into that part. It does the same TFTP bit. So if you just go and, instead of downloading your provisioning file from your own modem, from a modem in the admin network, you just go and get it from the other part, from the other MAC address, and there you go, you have it. Nicely enough, all those cable providers registered consecutive MAC addresses. So if you have one, you also have the others. Yeah. You basically just ask a friend: give me your MAC address that's written on the box, and you basically have everything you need.

SNMP is the same thing. You can access it using SNMP. The really nice thing about SNMP here is that the box also tells you the other accesses it has. So if you only have one IP address, or, they also have a nice DNS service internally that tells you what the whole IP address is for a certain MAC address. So you just ask the DNS for the MAC address of the modem on the voice over IP access, then you go and SNMP-ask it for the IP address of the admin network, and there you go, you're in the box.

However, the really interesting bit on the voice over IP network is SIP, since we're doing voice over IP, right? That's what the whole thing is about. So voice over IP basically works the way that your modem wants to go and do a phone call. So how do you do a phone call with SIP? You need to provide data, like credentials, like tell the other side, the server, how you authenticate yourself, which obviously is written in your provisioning file. So you use those, you tell the server.
I want to do a phone call, and there you go, you do a phone call. Now, if we look at this provisioning file, you can see that it contains your server and your user name and your phone number and basically everything you would need to log in to the SIP server. Now, since I can read anybody else's provisioning files... hmm. So imagine I'm this user up there, right, and I'm just doing a normal call as this phone number up there. Well, maybe there's this other guy in the network who just goes in and downloads your provisioning file, and oh, he gets all the credentials he would need. So he gets the same phone number, and then he can just go and do a call. Hmm. Yeah, maybe I should have registered a few 0900 numbers.

Now the really interesting part there is that it also works the other way. You register for it, and if you're the fastest one registering it, the other modem, well, doesn't get the chance to receive calls. Which means now you receive the calls, and then you can just tell the other modem that there was a call. Just that by now you actually route all the traffic through your modem, and you can listen to all the voice data that there is on the line. Hey. Yeah. Not sure it would be a good idea to talk to your lawyer over that either, by the way. Using this line for secure stuff is probably not the best. I wouldn't mark SIP as secure on this thing either.

But at this point, so on the telnet access and on all the other parts, I was like: sure, I can fix it for myself. I'm an egoist, right? I can fix it for myself, I don't care about the rest of mankind. I do, but I can claim that. So I can just as well ignore all the others and say I fix it for myself. But for voice over IP I can't, because I'm completely out of the loop. This other guy, he could just go and steal my credentials because he can, and there's nothing I can do about it.
So at that point I was kind of scared that someone would be able to hack me. So I started to think about how to fix this thing. Now the first thing that comes to mind is obviously: you, as a user, go and pick up the phone and call the service line from your provider. Yeah, I don't think that's a good idea. No, no, I didn't want to go down that road. Nah. So instead I figured I'm going to call someone else, I'm going to call a couple of friends from heise. Thanks to my Linux work I knew a few of those, and they also tend to do security, which kind of falls into this whole thing, and use them as a proxy, so that nobody could actually go and sue me until things were public. Hmm.

So imagine what the provider would do when he hears that I hacked into that telnet account. Sure, you do the obvious thing: you replace telnet with SSH, right? It's what everybody would do. It's the first thing you look at this and think like: oh my god, this is 2015, why would you be doing telnet? Well, the answer is pretty simple. Take a look again. It's not as simple as you think. Take a look at it again. This is the provisioning file. SSH actually gets different credentials. So the SSH credentials are actually down here, and the password is different from the one on the top. I don't know what the password is, but I can tell you that the password hash is really cool.

So the password hash is something that comes from VxWorks. So I'm pretty sure that there are more devices out there that might be interesting to look at. The VxWorks hash basically works in a really simple way: it creates a checksum of your input that lies somewhere between those two numbers, and then creates a fancy string out of them based on some heuristics. But essentially the whole password down there boils down to just a single number. Basically, in a realistic case, the upper limit is 40 characters.
So you're not going to see a password that long. Realistically, you basically check around 100 passwords, and for any hash out there, any password that's available, you already have a collision. Which means there are so many collisions in this hash, which I wouldn't even call a hash, that I don't know what the original password is. I don't know, but this one works pretty well. So go ahead, we log into this machine, and we type in our collision, and yeah, there you go. You got the same thing as before.

So we told them again: guys, look, it's not as easy as that. You should probably take a bit deeper breath and take a look at how things actually are broken. Which, it turns out, they did. So what happened next? We had this whole huge mess with lots of services that are all available, all attackable, and everything's just horribly broken. That was two months ago. Yeah, there were some circumstances why we just couldn't tell them earlier. And in that we basically told them: guys, you know, in two months' time we're going to do a talk here and everything's going to be public, so you might want to fix your network until then.

So the first thing they did is they added a check to their TFTP server to verify whether you're actually eligible to download this provisioning file. So now you can only download your own provisioning files, which is great, finally. I mean, this is the obvious thing to do. So that one's fixed. Then they went ahead and said: well, there's no real reason why one modem should do SNMP traffic with another. So they just added a firewall saying we're blocking SNMP traffic between different machines. Problem solved. The same for SSH. They went ahead and said there's no reason why you should be doing TCP between one modem and another. Problem solved. And because the voice over IP access credentials are actually part of your provisioning file, which you can now no longer download from somebody else, that one's fixed too. Awesome. So go ahead, go ahead, clap.
It's awesome. Thank you, ISP. So after two months they actually managed to limit me into the borders that I was supposed to be in in the beginning. It's cool.

So what do we have? Please guard your networks. Even if you believe that somebody couldn't go in, they probably will, because as soon as a customer can access your device physically, which, well, kind of happens to be the case with a modem that's sitting in your apartment, that guy can access your network. There's no way you can prevent it. So don't believe that the border of your network is the home. The border of your network is the cable going into that home. The same way, it goes the other way around: if an ISP gives you a device, don't trust that thing. Seriously, they can do anything they like, and sometimes somebody else can too. So in this case, according to my provider, I was able to access three million devices. Quite some number. Also, the press is your friend. If you are afraid of revealing something, tell someone who can do it for you, and usually things go out well. Let's hope for the best.

And then this whole thing went online beginning of the week, and there were a couple of questions in the forums that I read, and I just wanted to take the time to reply to those. So the first thing that always comes up is: is this a conspiracy? Like, oh my god, this is the NSA backdoor. No way. I mean, seriously, those guys are not as stupid. They have their own front doors. They don't need the back doors. This really is just a case of "if we don't secure things, it's going to be easier for us". Yeah, it was easier for everybody, including the ones who shouldn't have access. So no, this is not a conspiracy. This is not some backdoor from some agency. This is really just a matter of a company not doing their homework. The same thing goes for other providers. My cable just wasn't long enough to connect to some other country, so I don't know.
I don't know whether other DOCSIS networks are affected. To the best of my knowledge, yes, they are. I'm not allowed to tell you to check, but if you happen to have that idea on your own... No animals were hurt during the production of this movie. All the passwords were changed. So if you happen to know the real passwords, you probably had a good laugh during the presentation. If you don't know the real passwords: they're different. To the best of my knowledge, all of that knowledge that I just gave you is completely useless to you, because all the issues are fixed. Thank you.

So now we can go for questions, if you like, so please, or you go ahead and announce it.

So if you have questions, run towards a microphone and stand behind it visibly. The first one was on number four.

Yeah, you were talking about taking a couple of weeks to get to know that the password wasn't hashed but plaintext. So how long did this whole exchange in total go on? How much facepalming and how many hours did it take for you?

So I didn't spend full time on it. I really literally just, whenever the baby was crying, I just went up and figured I can do something. I basically got cable access two years ago. I first got into the modem about one year ago, I think; that's when I started looking for real. And well, I basically ended up digging deeper and deeper, right? It's not like voice over IP, for example: I only realized the whole voice over IP story in, say, August or so, since I just didn't look before. I was so excited to see all the other bits, I just didn't look.

Now number one, please.

Are you really sure that the TFTP provisioning file fetching is secure now? Because do they do some MAC integrity tests, or MAC spoofing and...

The problem is the law, right? I'm not allowed to tell you to try it yourself. I'm not allowed to tell you that I don't think that anything on the physical layer is insecure. I'm not allowed to tell you that. I mean, there are so many things.
I'm not allowed to tell you about this whole network. I haven't tried. I really just went in and said TFTP fetch and see whether I can get it.

Number seven, up there on the balcony.

Hello, my question is: in the beginning, in your config files, I think there was something about traffic priority or network priority as well. Did you play around with that one as well? Is that something about net neutrality, maybe?

That's an interesting... Okay, so it's not about net neutrality at all. It's about QoS of different services. So they basically say that voice over IP traffic gets higher priority than the other bits, since you want to have low latency on voice over IP traffic, obviously. So there's nothing with net neutrality in this thing at all. I did play around with those settings, just because, coincidentally, right the day after the Fahrplan got released, my account got throttled to 80 kilobits. I don't know why. It could be related, could maybe not, but I figured I'm paying for a hundred megabits, so I should probably get a hundred megabits, and started to look at those things. I did not manage to actually convince my modem to get me more.

Did you change the bandwidth in the settings?

Yeah, no dialogues, please.

I did change the bandwidth. It's not... My guess is they're also QoS'ing on the other side, but if you want to verify it, I'm not telling you not to.

Number two, please.

Yes. So at first, thank you for the nice insights.
I am a cable user, so I'm interested here, and I want to again make a statement on the provisioning file. You should have told them that provisioning file fetching in this way isn't a good idea anyway. And I personally would believe, if they do not transfer it via a completely different channel, it will not get really secure.

They cannot do it differently, because it's part of the standard. There's a DOCSIS standard which all the modems have to adhere to, and that's part of the standard. They cannot do it differently. If you want to have it done differently, you have to tell the DOCSIS standardization committee, which is in India.

Now we'll have a question from the internet.

Could two modems be programmed to talk among themselves directly, bypassing the ISP firewall?

Say it again.

Could two modems be programmed to talk among themselves directly, bypassing the ISP firewall?

You mean with the new scheme or with the old scheme? With the old scheme it was just available; you could just go and route through it. With the new scheme, not with the official modems.

Number eight on the balcony.

Did you find any traces of TR-069 in this thing?

I did, on the AVM boxes that were secure. Yeah, so that was the only bit that actually ended up making a lot of sense. TR-069 is a pretty nice standard. You basically have authenticated, I think it was even HTTPS, traffic that basically goes and pokes the server to get you a firmware update. It's a perfectly nice way of provisioning such a system.
It's definitely a lot different from the usual way. So on those other modems, the usual way to tell it to get a new firmware is either to tell it to reboot and get a new file from the provisioning server, or to just poke it directly via SNMP: tell it, go to this TFTP server over there with this file name and flash it onto your flash. No, I have not tried to spoof the privileged IP address range.

Now it's number four again.

The question I have is: when you first contacted them via heise, was there any way they might have tried to convince you not to do the talk, and if so, would there be a price on your head?

They did not try in any way whatsoever. Zero.

Do you think that was due to the credibility, or do you think they thought "we screwed up"?

I don't know. I don't think they thought any other way would work at that point in time, since the press was already involved. They're not going to pull back their story. There's nothing else they can do.

Thank you again. Before I hand over the microphone: do you want to do the entire 24 remaining minutes of Q&A, or do you want to put a limit to it?

No, I think 24 minutes of Q&A is fine. We can always cap it later on, right?

It's the internet again. How much of this would have been possible if the modem had been in bridge mode?

My modem was in bridge mode.

And number six.

Do you have an idea how long this has been that way, and do you have any specific reasons to believe what proportion of what group of people might have abused these problems?

So I don't know, since I did not see anybody else on the network. But it's really hard to see somebody in a sea of three million devices.
I am not aware of anybody exploiting this. So I can only state what Vodafone said, and they said that nobody else did exploit those problems, as far as they can tell, and I believe them on that one actually. I don't think anybody did, which is surprising, since this whole stuff was kind of obvious. But apparently nobody thought of digging into their modem before. The one thing about the timing is: apparently Kabel Deutschland basically already does internet for 10 years by now, and there's very little reason to believe it's been different in the beginning. So it was probably vulnerable for about 10 years. That said, in the beginning they were not even using DOCSIS 3, which did not really do real encryption, so at the end of the day you could just do whatever anyways on the network back in the day. Right now it's only halfway complicated.

Now in number one.

Yeah, thank you for the talk. So it's completely possible that they may have not found out that somebody else accessed this before and maybe already flashed a lot of devices with another firmware, which is still listening to his commands in the new setup, because he changed the firmware.

They did not, okay, they did update the firmware at that one point in time when I showed that. They switched to SSH. They did not change the firmware ever since. So all the services that I was talking about, they are still running on your modem.

Okay, but they can't be sure that there is another firmware by somebody else on routers running now, if somebody else maybe, for sort of making a botnet, before all this came up in the last five years or ten years, already controlled some devices. And they can't be sure that their current firmware is now running on those devices. There can be still devices somewhere controlled by somebody else.

Sure. I mean, you have to obviously fake all the information they receive from the modem pretty well.
Otherwise, they get you onto the security block that I'm on. But if you do that correctly, you can probably just replace all the pieces of firmware, just ignore all the updates and try to behave the same way as they would expect, and hope that nobody finds out. It's entirely possible. I don't think it's very likely, but it's definitely entirely possible. Let's hope there are no more networks like this one.

Usually there are no second questions, so... We still got comfortable time, but try to limit yourself to one question. Now it's number two.

Have you tried to change your MAC address on the DOCSIS level, also for the DHCP request? Or how do they do authentication of the modem in the network?

So the authentication works using certificates. I'm actually not sure, I haven't read the standard on that side, whether the MAC address is part of the certificate. I don't know. If it's not, you can easily just change it. I haven't tried. But then again, the modems are, what, eight euros?

Number seven.

What other recommendations do you have if someone were to have a suspicion about a vulnerability, for the research part and for the disclosure part? What do you have to do?

Well, I can't give you any legal or any advice on that one. I can tell you that getting somebody involved that has done this before is a really smart idea, because they've gone through a lot of pain points. The press is even better, because they have a really, really big lever. Nobody wants to be in the press for two months or whatever just on negative news that there was somebody who was legitimately trying to tell them to improve the network and they sued them. So there's a really good chance that going via the press is going to keep problems away from you. But there's no guarantee. I cannot give you real,
I mean legal or any coherent advice on that one I would I mean if I would find such a thing again, I would definitely go the same route I would just call up hyzer and tell them and It went pretty smoothly And I mean though the really cool thing is they actually listen to the press if I had gone to the service They would have just said sorry. I wrong number. I can't help you know the internet How did you obtain the original data do you use jpec or dump the device firmware and run virtualized? Not sure how much of that I should actually tell everybody Let's say I Replaced you can actually see this on this on the slide, right? Oh my god, this is gonna take forever Okay Where's my mouse cursor? There it is Okay, so I got a picture of the modem here There you go. So What what you can see here down the right and the yellow cables those are the serial port And the ID cable up there. That's where the flash chip was you before I started Filling with a modem now the flash chip is actually in that socket up there Which means I could swap the flash chip between a device I own Beaglebomb black for example as a really nice spy interface that you could just use to write those And then plug it back into the modem so I could replace the firmware and get myself an initial shell As I mentioned earlier, I really do not like to lose internet access So this is not the modem that I was actually using of at home Instead I just used that modem to fetch a firmware image so I could then look at See whether there might be other bugs that you could use No number eight Earlier you've said that Who was it fritz box was more secure and they didn't have the same vulnerabilities You think they simply didn't use hard-coded passwords and stuff So do you think they would be Vulnerable to similar attacks and that someone probably like you wouldn't tell them But maybe they should look into it or do you think it isn't possible and someone should like prove you wrong From all I can tell but this is I mean 
just a gut feeling that I get from looking at the different firmware files the usual way at least the Linux based firmware works on the assistance is that there's Ti creating a BSP then they give it out to Motorola the Motorola gives it out to CBN then CBN gives it out to To Kabul, Deutschland and then each party of those adds a few pieces of stuff That's the usual way it works in those those devices Whereas in the AVM boxes things looked vastly different. There was one firmware image that even contained formation for some Austrian provider so instead of giving Like full control to the cable provider AVM kept control on their own and Actually audited the stuff they were doing That's the major difference One more question from the internet Do you know if they still use unencrypted zip? Oh, yeah Yeah, there's nothing Nothing in the protocols changed at all whatsoever. They really just added a few firewalls So once you're on the physical layer, you can read everything. You're like, yeah Well, and you break through the doc's encryption obviously Now then newly adjusted number two Thank you Mine is not so much a question as I'd like to add some insight and perspective to this I have myself worked for several ISPs and The week I've actually worked for an ISP that had not this particular issue, but a similar issue and The the way that it was fixed and you can look me up. I've worked for several ISPs You don't know which one had this problem, but what? What there was actually the actually the fix was a simple IP check So once you downloaded the tip from the tip to piece over It was just checked if you did it from the IP that was suspected. 
So This issue may actually be reproducible if you can somehow get hold of an IP you weren't supposed to have Like say spoof Mac address or something like that That being said I would like to attach a comment to the the whole zip thing You indicated that it would be possible to silently intercept Conversations which is not necessarily the issue because many sip servers can be configured to allow multiple endpoints. So as the The what you call the bad guy would be able to pick up your calls You would also hear your phone calling yourself, right? And if your phone picks up within 0.0 and one microseconds, then yeah, that's nothing you can do about it It just rings again That's that's the point about it also the other bit that you have on the on the sip server is that That particular server actually only allowed one endpoint to be registered at a time at least from what I could tell was some Huawei box Number three, please Yeah, I intended this talk today because I know that At the beginning when doxies was introduced the modem were asking for the configuration file all over the ethernet ports Which is great and My question is Is there way within the doxies standard so that the ISP can verify their hardware? I mean you you have seen I've seen the The type and the vendor name and the SNMP, but you cannot live obviously spoofed that Of course firmware binaries won't run on the wrong hardware but I'm not quite sure I'm getting what you the question is is the weight control for the ISP Which hardware there is they are using So so I come from a virtualization background and in my world. There's no such such thing. 
Okay exist If you if you can somehow abstract it you can abstract it Okay Eight, please Hi I wanted to add on the part with the max goofing because I had a modem like that like five years ago And I actually I never went inside the modem But I had some applications where I needed a new IP address in a short period of time And I remember that actually the thing if you you told the modem your IP You're a MAC address a different MAC address. You've got different external IP addresses back then I don't know if things have changed because it was five years ago, but Yeah, after what I've heard from you. I'm kind of unsure that things changed No, I'm fairly sure this is actually accurate from what I understand. I never did that myself But I heard from people who did The MAC address check and the certificate check are actually separate So that if you own a valid certificate from some random dude who happens to actually pay for the service Then and you get that certificate and you're not on the same CMTS as that guy then you can actually go and Well, basically say that you are him even if you have a different MAC address Which then again implies that if you change a MAC address, you can just be somebody else Which then again implies that maybe you can actually go and get somebody else for visioning thoughts. Yeah Yeah, well Not up to you. Not gonna try it out Number two, please. Yeah You have this one with one particular provider I happen to know that there's a second provider using the same technology in Germany Where they somehow involved in this loop? I mean it took Cabel Deutschland two months to fix this No, they better hurry up Quite frankly, I do not believe that this is limited to Germany at all whatsoever So, let's see who's faster All right end of questions right or is there looks like we're at the end of questions the internet maybe No internet doesn't have any questions. They're eight empty microphones. 
So Thank you very much for your talk and thank you very much for