So just by a quick show of hands, who here has seen the Too Many Cooks video? We've got, yeah, that's a good enough percentage for now. So we're just going to kick it off.

So, for those of you who have no idea what you just saw, Too Many Cooks is a TV skit that went viral a few months ago, and we liked it. You should watch it if you haven't. So if you've seen it, you can enjoy some references throughout this presentation, and if you haven't, then you can just laugh at the funny pictures.

Okay, so who are we? We're the Malware and Vulnerability Research Group at Check Point. What do we do here? We have this marketing slogan that says "we secure the internet", and we actually try to do that by finding problems, telling the vendors and sharing them with the community, which is exactly what we're trying to do here.

So let's talk about what's in store for today. We're going to very quickly go through what TR-069 is and explain a little of what we talked about last DEF CON, which will lead us to the motivation behind the research that we're presenting today. We'll talk about the TR-069 Census 2014, give you the interesting bits of our research story and some technical details, then we'll continue to show what can only be described as mass pwnage, and then conclude by talking about why this won't go away so quickly.

So, TR-069. TR is actually like an RFC, right? TR stands for Technical Report, and this is Technical Report number 69, and this defines the CPE WAN Management Protocol. CPE is consumer premises equipment; that would be the home routers that you have at home. This was released in 2004 by the Broadband Forum, which is a group of companies working to define broadband standards.
And then there were a few amendments so far, but still, remember that this was released just 10 years ago. And this is what ISPs use to provision your devices; it's what's called zero-touch configuration. It's used to monitor your device for faults or malicious activity and to configure anything they want in your home routers, including getting the MAC addresses and host names for anything on your network, creating additional Wi-Fi networks, and going as far as deploying new firmware.

So this is how TR-069 sessions, or provisioning sessions, look. On the right side we have the CPE, the consumer premises equipment, the TR-069 client; that would be your home router. On the left side we have the TR-069 server, which is called an ACS, or Auto Configuration Server. They talk in basic SOAP RPC, which is XML over HTTP, and it's important to mention that the client always initiates the connection, which is a single TCP connection over which RPCs are called back and forth. So the client begins with an Inform, telling the server why this session was initiated, and the ACS follows with provisioning functions such as GetParameterValues and SetParameterValues. It's pretty simple when you think about it.

So there is a dual authentication mechanism: the CPE should make sure that it's talking to a verified ACS, and the ACS should only accept sessions from authenticated CPEs. And now there's a slight thing called a connection request that the ACS can issue, and we'll talk about that.

So, talking about our findings so far: we presented this at DEF CON 22. Our research uncovered implementation and configuration flaws in many ISPs' ACS deployments. So ACSs are a single point of pwnage in modern ISP infrastructure, and many TR-069 implementations just aren't serious enough. We found vulnerabilities in several products, and that leads to ISP fleet takeover. Exactly.

So you remember that connection request thing? This is straight from the TR-069 specification: the ACS can at any
time request that the CPE initiate a connection to the ACS using the connection request notification mechanism. Support for this mechanism is required in a CPE. Right, so straight from the specification. In fact, every TR-069 client in the world is also a connection request server. On which port, you ask? As it turns out, IANA assigned 7547 for all TR-069 uses, including the connection request port, and this is a widely used default.

Let's look at some very interesting research released last year from the ZMap guys, which is Zakir Durumeric and his friends from the University of Michigan, and he's talking in a couple of hours. They actually scanned 2 million random addresses on every port up to almost 10,000, and they found that CWMP, or the TR-069 default port, is in fact the second most popular open port in the world, with 1.12% of the internet listening on that port. So again, this is for a protocol that was invented 10 years ago. So think about that. And how many devices are 1.12% of the public internet? This is around 45 million devices, estimated, that should listen on 7547. From a vulnerability research perspective, no matter how hard we looked, no one is talking about this service, and there has to be something there.

So let's review the top two open ports in the world. Previous research has given us this image. So on port 80 there are 70 million devices, about 50% of which are web servers, regular web servers, with Apache leading the bunch; you've got your nginx, your IIS, and then a small percentage for the rest, including LiteSpeed and the Google dedicated servers. And the other 50% are simply those Internet of Things devices, right? Most of them are routers.
You've got your webcams, you've got your voice over IP phones, and of course let's not forget about all the IPv4-enabled toasters out there. By the way, people are starting to understand that leaving these things open to the WAN is dangerous. Luckily, we're seeing more and more devices updated to have port 80 access on the LAN only. Now remember that not only is there diversity in the server software, it's also being used for different purposes: serving websites, all sorts of cloud services, and then management interfaces for each device. It's a messy landscape.

But looking at port 7547, we have an estimated 45 million devices, and these are all Internet of Things devices listening on their connection request port. There's nothing else there. It's just devices waiting for connection requests. So this landscape is much clearer, and remember, we're looking for security issues here, and we're looking to find significant numbers affected.

So as a first step we needed to stop guessing and estimating, so we conducted the TR-069 Census 2014. We scanned 7547 on the entire IPv4 address space, and we did this last month, a few times actually, with the gracious help of some good friends over at Rapid7 and the University of Michigan who contributed to this research. So thanks, guys. And the results are: 1.18% of the public internet responds on port 7547. So we actually communicated with 46,093,733 devices that answered our benign requests for GET /.
So these are all over the world, and it's not just one country that accidentally left this port open; that's 189 countries, which makes sense when you remember that it's a protocol requirement to leave this port open for the ACS. And just a small note: the 0.06% increase from last year is actually 2.2 million devices added in a year, which is showing us a nice trend, and the numbers are still on the rise.

So we're set on finding an issue with TR-069 client-side implementations, and the natural thing to do at this point is look at what implementations we're seeing out there. So we categorize the responses and sum up the numbers, and we get this. We have five main connection request servers out there, but it's very clear that this thing called RomPager is leading the pack, and I think that means we've got ourselves a target.

So what is RomPager? It's an embedded HTTP server by Allegro Software, a Massachusetts-based company. It's optimized for minimal environments: a small binary, small memory requirements. It was first introduced in 1996, and there have been many versions since; the current version is 5.4. But now that we've decided that we're going after RomPager, we need to see what versions are out there, and this will help us focus our efforts. So we ran the script again, and we actually see just four different RomPager versions out there. You'd expect some sort of normal distribution of these versions in the wild, and instead we get this: 98.04% of the identified devices are version 4.07, which is a pretty old version too. So this is where I grew suspicious. I mean, what can explain this incredible popularity of a single version?
It could be a batch of devices at a single ISP or something; we just don't know yet, and this really piqued our interest, so we had to find out. So we went ahead and bought a new TP-Link router, and we unboxed it, plugged it in, connected it to our network, and it's running RomPager 4.07. So, okay, maybe this is an old version of the device, and that's why it has such an old version of RomPager. So we downloaded the latest firmware from the TP-Link website, we flashed it, we rebooted, and it's still RomPager 4.07. So, I mean, what?

At this point we start understanding the popularity of the 4.07 version. We have no idea why it's there yet, but if it's somehow embedded into brand-new devices off the shelf with the most recent firmware, then that can certainly explain why we're seeing so many of them. But let's try something here. Does anyone in the audience happen to have an unopened, brand-new router? Anyone? Oh, what a coincidence. What a coincidence. Thank you, thank you very much. Oh, wow. Thank you, kind stranger. You're very nice. You don't work for me at all.
So I'm going to do something with that later. Okay, so we dive into this RomPager 4.07, and this was released in 2002. It seems to run on a whole bunch of devices, and we return to our scan data and start counting. So we have 2.2 million devices serving RomPager 4.07 on port 80 and 11.3 million devices on port 7547, and suddenly we're like: wait, there are 12 million devices out there with this very specific version of a web server that was released in 2002, listening on the WAN. I mean, yes, this is the perfect vulnerability research candidate. And zooming out for a moment, this is, to the best of our knowledge, the most popular specific version of any network application service currently available online on the public internet. This specific version is deployed on 200 different devices from 50 different brands. We are going to do whatever it takes to pwn RomPager 4.07. Let me hand it over to Lior.

Okay, so hi, my name is Lior, and I will walk you through the process of how I analyzed the RomPager firmware and some interesting results I found on the way. So at the beginning I only had the firmware file itself, which was downloaded from the vendor website; in our case it was TP-Link. At first glance the firmware file looks like a big blob of compressed data, and as any rookie firmware analyst knows, the first thing you need to do is run Binwalk. Binwalk is this great tool developed by devttys0 which recognizes and unpacks most of the common firmware files. So luckily for us, Binwalk easily recognized and extracted four files. So we have the bootloader,
we have the vendor logo in GIF images, and the main binary. So after I got the first firmware, I decided to download some more firmware which contained RomPager 4.07. So I downloaded some more and some more and some more, and I saw that each and every one of them had the same ZynOS header and also the same architecture, which was MIPS. So while RomPager 4.07 looks so similar across all of them, at this point I had no idea whatsoever why. So one might ask himself, what is this ZynOS we are seeing in all the firmware? ZynOS is an embedded OS created by ZyXEL, which is a major Taiwanese DSL vendor. ZynOS is an RTOS, a real-time OS, which means it's a very basic operating system without any file system or permissions mechanism, just one big binary file responsible for everything. When you Google ZynOS, you also see that ZynOS is notoriously known for the rom-0 vulnerability discovered last year, which allows an attacker to get the router credentials by downloading the entire configuration file from the router without any authorization. All it takes is for the web panel to be open on port 80, and attackers simply gain the password and the username. 1.2 million devices were affected by this vulnerability.
This is a lot. So before we start analyzing the firmware itself, let's see what our attack surface looks like. So on port 80 we are getting an Unauthorized response which asks us for the credentials, and since we don't know them, we are getting this instead. On port 7547 we are getting Object Not Found for any path except for the correct connection request path. For now, we assume that we do not know the correct path.

So before I actually started to dive into the code, I did some basic fuzzing over the HTTP headers. Suddenly I managed to crash the router by overflowing the digest username header, which led me to the first vulnerability. So to understand why this is happening, let's explore some of the RomPager code. What you see here is a function responsible for initializing the HTTP handler structure. Each entry consists of the HTTP header name, as you can see here, and the relevant handler function to parse this header. So let's take a look at the function that parses the digest username. So can you see what caused the vulnerability? Yes, an unprotected strcpy. But what actually caused the router to crash? Because we have no symbols and no dynamic analysis capability whatsoever, it's very difficult to know.

So because I had no dynamic analysis capabilities, I opened up the router and started looking for JTAG. For those of you who don't know, JTAG is an interface designed to do hardware verification and debugging for embedded devices. So I opened up the router, but I couldn't find any JTAG connectors, but I did find something that looked like a serial port, a UART port. So I did some soldering and connected to the router itself and used a Bus Pirate, which is a USB-to-serial adapter, to connect it to my computer. And when I booted up the router I could see some very nice debugging info. So it was very cool. But what happens when I try to crash the router?
So this is what I got: a very nice looking crash dump. You can see here the MIPS registers and the stack dump, and also on the top you can see this one, this is the EPC, which is the MIPS instruction pointer. As you can see here, it was overwritten with my input. This means that we are actually in control of the instruction pointer. Yeah. So some further analysis of the crash dump allowed me to fully understand the vulnerability. The strcpy overwrites a function pointer which conveniently lies 0x584 bytes after the username. So exploiting this is pretty simple: just send a large username, overwrite the function pointer with a pointer to your shellcode, and you can run remote code; you have remote code execution. So it sounds way too easy. Any problems?

So, yeah, we have a slight problem. Although all the vulnerable firmware are ZynOS-based, each one looks a bit different in terms of memory layout, and it even changes between different firmware versions of the same model. This means we cannot know the correct position of our shellcode in memory, and therefore we don't know with which value we need to overwrite the function pointer. Of course, if you knew the exact memory layout of your victim, you could easily run code on these routers without any problem. It's also important to know that an attacker has only one chance to attack a router, because if it causes a crash, then the router gets a new IP because of the dynamic IP allocation. So a potential solution for this whole problem would be to find some info-leak vulnerability that would disclose the memory layout, but it seemed like way too much work for now.
So let's just keep looking for something else. Because I had no debugging, I had to use some very primitive debugging capabilities that were built into the bootloader, through the serial port, which allowed me to patch the firmware before it was being loaded. So it was very handy, but a very tedious process. After way too many hard resets, I found that there is a hidden telnet command in ZynOS which lets you patch the router memory online. So this led to the creation of Zordon, which is a ZynOS remote debugger over telnet. With Zordon you can set breakpoints, view and edit memory, and also read and write register values online. This made the dynamic analysis way more convenient.

So using my brand-new debugger I was able to understand much better the nuts and bolts of RomPager, which eventually led me to the second vulnerability. You see, RomPager has no dynamic memory allocation capabilities, so each request is handled in a pre-allocated structure, with up to three requests handled at the same time. So if you send three consecutive requests, you can overwrite the HTTP header structure which we saw earlier. This is also caused by an unprotected strcpy. So again, we can take control over the EPC. So can it be exploited? Well, theoretically you can blindly do a memory read of memory addresses by changing the pointer of some HTTP header name, but in the end I decided to leave this vulnerability, because it only works on port 80 and we already have rom-0 for that.

So moving on to vulnerability number three. RomPager supports cookies. Because RomPager, as you remember, does not have any dynamic memory allocation, it's holding an internal cookies array for each request, with up to 10 cookies in the array and up to 40 bytes for each cookie. The cookie names are constant, so it's C0, C1, C2, up to C9. And this is an example of a client sending one of these cookies.
You can see here the C0 cookie. So let's take a look at the cookie handler to see how RomPager actually stores the cookies. You can see here at the top, RomPager checks the cookie name for a capital C at the beginning. If so, then it will convert the rest of the cookie name into an integer and use this integer as an index for the cookie array. Okay, so, yeah, it will load it, it will multiply s3, which is the index, by 40, and then use it as the destination for the strncpy. So here you can see it more easily. Basically, this gives me an arbitrary memory write at a relative position in the RomPager internal structure, which means we can pretty much control everything RomPager does. A very nice bonus is that we can overflow the 32-bit integer to get to negative offsets in the structure.

So let's take a look at some non-harmful cookie. Instead of C0, C1, we're sending this, with the index pointing exactly at the request path field. We can see that we can now set this path to anything we like, and in this case we'll get this. So we were able to overwrite the request path with our own input. But this actually has far worse consequences. I'll need to mention that this technique will work on any model of any brand that we had legal access to. You see, with a few magic cookies added to your request, you can bypass authentication and browse the configuration interface as admin from any port.

So to prove this insane claim, let's go straight to the demo. Sorry, no, wait a sec. I'll fix it. Yes, we are ready. We are psyched. Next. Yes. Okay, so we actually have a video recorded, and then we're going to try the live demo. We prayed to the demo gods earlier, so hopefully things will work there as well. But first, let's look at the demo that will really, I think, explain the issue here. So we enter the router; it shows us the username/password login. We can also try to see what's available on 7547.
Of course we get Object Not Found. Then we use our Chrome plugin. Thank you. Let's actually try this live and really hope that it works. Let's see now. All right, so we get the Authentication Required. Oh, you're not seeing it yet, wait a sec. There you go. Well, it's a bit small, but still, so we're getting the Authentication Required, we're going to go to the Misfortune Cookie auto-pwner and try that again. See if it works. Hopefully it works. It doesn't. Oh, wait a sec, wait a sec. We're going to try that again. No, it's like an internal thing. Don't worry about it. Oh, it doesn't matter what port we are on. Will this work? Yeah. So again, this is what we got at the store. This is brand-new. This is a device that was manufactured in 2014. This is very interesting.

Okay, so back to our presentation. We set up this nice website, and it explains kind of the core issue here, and then we tried to see which countries were affected by this. Again, this vulnerability affects devices in 189 countries all over the world, and in some countries this is incredibly popular, affecting up to 50% of the IP addresses in use in that country. I'm not joking. That's one out of every two IP addresses in that country vulnerable to this. And that's a few countries, and certainly some big names in the country list, at least, that you didn't expect to see there. Yeah. Smurf is happy about that as well.

I know what you're thinking: I have to turn this off on my device right now. I should not have 7547 listening on my public IP address. And as soon as you get home, you'll enter your configuration interface and you'll find the CWMP settings, and you'll deactivate it, and you hit save, and it doesn't do anything, because port 7547 is still open. That's right. There is no legitimate way for you to turn this off, even as admin. I don't know whether to laugh or to cry.
I don't know. So what can you do? You can cancel your internet subscription, of course. I mean, the technical users, hopefully that's you guys, you can flash alternative firmware. So you have both DD-WRT and OpenWrt, which just don't have RomPager, so you can take your chances on whatever they have there, but it's not the old version of RomPager. And don't buy these models until they're fixed. The suspected vulnerable model list is on the website, and we occasionally update that.

All right, so let's understand the supply chain here. Allegro Soft provided RomPager at one point to a certain chipset vendor, and this chipset vendor implemented the TR-069 functionality and bundled this into their SDK as a bonus feature. Now this SDK was provided to manufacturers, who compiled their firmwares for each product series and model, and just to make it a bit more complicated, the ISPs customized the firmware to include brand logos and default configurations, and deployed these versions to consumer devices. So you can start to understand this incredibly complex behind-the-scenes chain, and think about what this means for security updates, because the update propagation chain here is incredibly slow, if not non-existent. Allegro Soft has to provide a fixed version to the chipset vendor, which then has to incorporate this into the SDK, which has to be given to manufacturers, who have to recompile firmwares for every product line and every product model, which they have to give to ISPs, who have to recompile the firmwares in the updated version using their customizations, and now this thing has to be deployed on every device. This is a nightmare. And in this case we can truly say that too many cooks do spoil the broth. Thank you.

You know, this is the good case we're describing here, where your device is controlled by your ISP,
because if you just bought your home router off the shelf, most people never upgrade the router firmware. Anyway, this vulnerability will be here for months and years to come.

So, vendor communication. We contacted Allegro Soft and all the major affected vendors. We provided a full description of the vulnerability and a non-harmful PoC to trigger it. Despite some broken English, the message did get through, at least most of the time. We have some patched firmware already out, at least from Huawei, who were actually the best responders so far, with very clear communication. And Allegro Soft released a statement saying that, no, we can't force any vendor to upgrade to the latest version, and we actually provided a patched version in 2005. So think about this: if code from 2005 still did not make it through the chain, and we actually know it did not make it even one step into the chain, something is wrong here.

So just a few very frequently asked questions that we've been getting in the week that this has been out. Is RomPager bad? No. They were actually very responsive; they were security aware. They caught this bug in an internal code review; they just didn't know what it meant. When we explained it to them, I heard the jaws drop over the phone line. And we just happened to research an old version of their software. I think any code written in 2002 might have been secured the same. And we don't think this is an intentionally placed backdoor.
It doesn't look like one. We will not be sharing the exploit. No, I'm sorry about that. A lot of CERT bodies have approached me, and they're asking about the IPs that are affected in their country, and I'm saying, you have to scan it yourself. And listen, the numbers here are lying, because some ISPs actually don't use the default TR-069 port; they use something else. At least we know that in Israel we use something else, and when you scan on these ports, you get very different numbers. So that's an important point to mention.

Short recap: we found a pretty serious vulnerability in the most popular service exposed in IPv4, at least as far as we know; do challenge us if you think otherwise. And hey, industry: fix this. Thank you very much.

Well, thank you so much. Actually, I had the honor to moderate a similar lecture this morning at 11:30 by an Irishman who showed us that with the switches of the main energy providers, you can just download the image and upload it when you've patched it into the ROM. This is a bit more complicated, but it's basically the same thing, actually, and it scares the shit out of me. You should be scared. Okay, we'll be taking questions. I can know, oops, as you guys want to know, so we'll do one, two, one, two. Is that okay with you? Okay, here you go, number one.

Okay, so I'd like to know a bit more about the list, because at home I have... Can you people please, when you leave, leave quietly? Some people still want to listen. I'm sorry. Yeah, so I have that D-Link DSL-320B, which is in your list, and I started to poke into it because it's quite crap, and it runs Linux, but it looks like before it runs Linux, it runs something else which has a drop there, and I'd like to know if it matches the newest, if it's some kind of pre-Linux OS. How does it work? Okay?
So first, we don't know that device, because we don't have access to every single device that we saw on the list. Right, we didn't try to exploit everything on the internet, only the devices that we could have legal access to. We would love to talk about this later, and if you can share some details with us, then maybe we can look into this. We don't have anything to add about this. I'm sorry. Yeah.

Is it maybe compatible, that the device starts in ZynOS, which then starts Linux? Do you know?

No, sorry, I don't know. Okay. We have the same device, thank God. Okay. Thank you. There's somebody waiting at mic two. Go ahead.

When you originally published this issue as Misfortune Cookie, you recommended to home users to install ZoneAlarm as a protective measure. Could you explain how installing a personal firewall would protect me from router pwnage?

First of all, I can definitely explain how this helps if your router gets pwned, but it's definitely not what I want to talk about, and we can talk about this later. Okay. Thank you.

Yes, more. Okay, next question, mic one.

You mentioned the affected IP address list for countries. Please, can we have some quiet please? You mentioned getting the list of the affected addresses for a country. Just one request: please talk to the Shadowserver Foundation, because they have the daily methods of scanning for exactly these kinds of issues and send all the lists of affected IP addresses to all national CERTs all over the world.

So I didn't get that, the party? Shadowserver Foundation. We can talk later. Okay, so talking later, sure.

Yes, more. Okay, we'll stick to the mic. No, there is nobody. Is there somebody over there? Oh, come up front. Oh, do I look that scary? Do they look that scary? It's us. It's us. I mean, to you folks. Okay, go ahead. You, yeah. Did you... Thank you, and speak into the mic, please.
Yes. Did you check cable modems? Because at least in Germany we are forced to use the modems we get from our providers, and especially models like the Technicolor ones are very well known for horror exploits, like you can force them to reboot with a broken HTTP GET, which is kind of scary.

Yeah, so we didn't try to categorize according to cable or DSL or whatever it is. If it's on the suspected vulnerable model list, then we saw it as vulnerable, as containing RomPager 4.07. That's a very simple check to me.

Okay, because I'm just asking because I have no possibility to switch as long as I stick to this ISP.

So I understand that it's definitely a problem that we're seeing in other places worldwide, and this is part of why we're doing this publication. We think that this puts a very positive pressure on many, many vendors out there to fix this as fast as possible. We are seeing that this process is being expedited. So definitely, in cases like this, if this is vulnerable, please go and talk to your providers and tell them this is a very, very serious security issue and you have to deal with this now. Okay. Thank you. Thank you.

Okay, hang on a minute. We have a question from the internet, because we've been streaming. So can we have a question from the internet, please? Yes, there's a question: have you tried to pwn a G-SOP? If not, are you going to?

So no, we did not try it. It's definitely a research direction. Anyone can take it up. We recommend that you do so.

We'll have one more question from the internet and then go back to mic one. Wouldn't it be possible to use the exploit to exploit the router and then update them? To exploit the router and then update them using the exploit?

Oh, exploit the router and then upload new firmware. Definitely. Okay, mic one.
I think that was it. Yeah. Yep. Hi there. Yeah, very good talk. Thanks a lot.

Thank you.

So obviously the vendors are going to take a very long time to fix this. But is there any really legitimate use of this port 7547? Yes, from outside? Surely within the ISP's network, but over the network, is there any real use for this? Is this something that ISPs could, you know, filter at their border, for example?

They use it all the time to do all sorts of monitoring and configuration. So if you block 7547, if you magically block it somehow, right, because a lot of the times you don't even have this option, but if you do block it, then they won't be able to help you with anything. They won't be able to see if anything's wrong with your device.

But is this something that ISPs can fix and stop the entire IPv4 space from...?

Yeah, I mean we released a protection whitepaper that's intended for providers, you know, with some good advice on how to solve this. For example, just a small taste of it: you could use an internal IP range to have 7547 listen on, and then you don't really have to put it on the public WAN. We're seeing some providers definitely do that, and that's a very good direction.

Okay, great. Thanks.

Okay. Thank you. You queue up. Mic number two, you go. Yeah, can we please have some peace? If you want to chat, okay, go outside.

If I can just respond to the previous question: I'm working for an ISP, and what you can actually do is just set an access list on those modems, so only the legitimate ACS can reach those modems. That's the simplest thing you can do as an ISP.

Yeah, I think we also mentioned that in the paper, and thank you for that.

Second question is: are you aware of the research that was presented at Hack In The Box Amsterdam 2013 in April? Because I think they... "I hacked your modem"?

Yes.
Yeah, because I think they actually hit the same buffer overflow there.

Same buffer overflow? No, it was a different version of RomPager in a ZyXEL. I think it's a very... we are kind of the same base. They're very different vulnerabilities.

Okay. You checked? Okay, just wanted to know. Okay. Thank you. Thank you.

Move over to mic one. Talk into the mic, because I have to record you for the stream.

Have you looked into the impact of what would happen if someone changed all the DNS settings to a fake DNS, or changed everyone's SSID name and things like that, or generally played havoc with people's routers?

Yeah, well, definitely. That's kind of what we're seeing in the past few years, attackers doing in large, you know, high-profile router attacks. They changed the DNS settings and it's pretty much game over from there. So definitely, that's also an opening for that. You know, we really hope that attackers don't get a hold of this, but it's definitely, I think, it will happen eventually.

Okay, thank you.

Again, I have several questions. So first question: which ISPs in Israel? So if I'm on holiday, maybe it's interesting. So which ISPs in Israel?

I'm sorry, again?

The ISP for this thing.

Oh, the ISPs in Israel. We could talk about that later. I don't want to give out, you know, details.

Okay, and then the second thing is: I have for example an evil ISP who gives me a FRITZ!Box, and the problem is that I cannot switch. I cannot get my access data and I cannot own this thing, because I would then need to have a high-speed modem to go to the left side where it is connected to the, I think, fiber optic thing that generates this coax cable DSL stuff, where we are maybe 20 meters away, and so I need to do a sniffing device that goes there. It's a real problem.
We can understand that. It's definitely one of the things that make this issue so serious.

Okay, so how do I build a sniffing device? So it's maybe a device that I can exploit and say, okay, I take a DSL modem and build a special sniffing... so maybe a double modem device.

But then it's kind of, you know, it's not gonna be for the mass market.

No, but I want to hack my FRITZ!Box, and then I know it, and then it's better for me. Then I can use something else.

I guess there are a few people here at 31c3 that could help you build that thing.

Okay, and then with cable modems, if you do it with a cable modem, it would be much more fun, because a cable is flat. So even if I have not subscribed to a cable device, I can just go into my flat, have a cable outlet, go to a flea market, buy a cable modem, I scan the internet for some cable modem in the city and dump the memory, put the access data of this person into my cable modem, and I can have it for free. How do they catch me? It's flat, it's just passive.

Networks like that thing. I mean, yeah, we're seeing a lot of these home router threats, and it's definitely one that we're also looking into, and the cable modems right now. So hopefully for the next one. Okay, right? Okay, but we'll keep trying.

Okay. Yes, mic number one.

Yeah, is it correct that via TR-069 the providers can also change this default port, so that they can send you a new configuration?

Yes.

And so they could, on the very first provisioning of the box, when I just take it out and connect it to my DSL, I get immediately from the ACS a new port, which is not the default port anymore?

Very possible, and actually being done.

Okay, so then I would be vulnerable of course on the other port, right? So, I mean...

But we also recommended that some ISPs do that, because at least you're gonna get away from the opportunistic hackers that just scan the entire internet. Okay.
I don't know who would do such a thing, but... Maybe regarding your statistics, Germany was quite light colored. Is it because you've scanned only that port, or did you scan...?

We only scanned 7547. It's important to mention all of our numbers are based on 7547. If you go into the depth of each country, of each ISP, you can potentially find a lot more vulnerable devices.

Okay. Thank you very much.

Okay, and if anyone does this, please do share it with us, because, you know, we might make this public and help your provider fix this.

Okay, now you all know that if you want to go back and look at this talk, you'll find it on the internet in our stream archive. Mic number two, please.

Okay, I didn't quite get how the protocol actually works. The listening service on the clients, why is it actually required? Because you said every communication is initiated by the client, and why...?

Yeah, well, first of all, you understand that this vulnerability has almost nothing to do with TR-069. It doesn't have anything to do with the protocol. It's just a web server that's listening on this port because of TR-069. And so, just mentioning again what I said at the beginning: this is a connection request port, which the ACS can send connection requests to, which the client immediately follows by, you know, making a new connection and a real provisioning session.

Okay, that's okay.

Yeah, and this is, you know, XML over HTTP, so this is an HTTP server.

Okay, before they shut down the internet, there is this question, yes, from the internet: what is with the newer versions? Are they really fixed?

The new versions have been fixed. Some vendors have provided us with, you know, beta versions of fixed firmware, and they actually fixed it, right. I mean, at least as we see it, they're checking it correctly and they fixed the buffer overflows. And, you know, just patched it, actually, on RomPager 4.07. They just patched these vulnerabilities.
So there might be more things there. And also, just an interesting point here that would make it a bit difficult to understand if a device is now still vulnerable: the Server header is still going to be 4.07, and then you'd have to find a different way of figuring out if this is vulnerable.

Yes, okay. Some more? Yes, we answer all questions. There are more questions.

How about IPv6 devices using dual-stack lite?

I'm sorry, I didn't get the question.

How about IPv6 devices using dual-stack lite?

Dual stack. Oh, we did not look into that at all. Sorry.

Okay, was that all? Was it? Anybody else, a question? You guys want to ask a question? No? Okay. Well, then let's have one big final hand.
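Two points from the Q&A above fit together: the census numbers come only from banners seen on TCP/7547 (the TR-069 connection request port), and a vendor who patches RomPager 4.07 in place still ships a device whose Server header says 4.07. The Python below is an added example, not code from the talk or from Check Point. It parses a handful of constructed HTTP responses (made-up addresses and country tags, not scan data), pulls out the Server header, and tallies per country. A RomPager 4.07 banner is classed as "suspect", never "vulnerable", because the banner alone cannot distinguish a patched 4.07 from an unpatched one; confirming exploitability needs a different check, which this example deliberately does not attempt.

```python
"""Classify HTTP banners collected from TCP/7547 by announced RomPager version.

Added example, not code from the talk. SAMPLE_RESPONSES below are constructed
samples (RFC 5737 documentation addresses, invented country tags), not real
scan data. Only the "RomPager/4.07" string is taken from the talk.
"""
import re
from collections import Counter

# Constructed sample: (country, ip, raw HTTP response) as a scanner might
# record after sending GET / to port 7547.
SAMPLE_RESPONSES = [
    ("DE", "192.0.2.10",
     b"HTTP/1.1 401 Unauthorized\r\nServer: RomPager/4.07 UPnP/1.0\r\n"
     b"WWW-Authenticate: Basic realm=\"cpe\"\r\nContent-Length: 0\r\n\r\n"),
    ("DE", "192.0.2.11",
     b"HTTP/1.1 200 OK\r\nServer: RomPager/4.51 UPnP/1.0\r\n\r\n"),
    ("IL", "198.51.100.5",
     b"HTTP/1.0 404 Not Found\r\nserver: Rompager/4.07\r\n\r\n"),
    ("IL", "198.51.100.6",
     b"HTTP/1.1 200 OK\r\nServer: lighttpd/1.4.28\r\n\r\n"),
    ("NL", "203.0.113.9", b"garbage\x00\xff"),
]

# Builds that the talk names as carrying the flaw; a patched build of the same
# version string cannot be told apart by banner alone.
SUSPECT_VERSIONS = {"4.07"}
ROMPAGER_RE = re.compile(rb"^server:\s*rompager/(\d+\.\d+)", re.I)


def server_banner(raw):
    """Return the Server header value of a raw HTTP response, or None if the
    bytes are not an HTTP response or carry no Server header."""
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    if not lines or not lines[0].startswith(b"HTTP/"):
        return None
    for line in lines[1:]:
        if line.lower().startswith(b"server:"):
            return line.split(b":", 1)[1].strip().decode("ascii", "replace")
    return None


def rompager_version(raw):
    """RomPager version announced in the response headers, or None."""
    head = raw.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n"):
        m = ROMPAGER_RE.match(line)
        if m:
            return m.group(1).decode()
    return None


def classify(raw):
    """'suspect' if the banner names a RomPager build on the suspect list,
    'rompager-other' for any other RomPager build, 'other' for a different
    server, 'no-http' if the bytes are not an HTTP response.

    'suspect' means the vulnerability cannot be ruled out from the banner,
    not that the device is confirmed vulnerable: an in-place fix of 4.07
    keeps announcing 4.07."""
    if server_banner(raw) is None:
        return "no-http"
    version = rompager_version(raw)
    if version is None:
        return "other"
    return "suspect" if version in SUSPECT_VERSIONS else "rompager-other"


def census(responses):
    """Per-country counts of each class: {country: Counter}."""
    out = {}
    for country, _ip, raw in responses:
        out.setdefault(country, Counter())[classify(raw)] += 1
    return out


if __name__ == "__main__":
    for country, counts in sorted(census(SAMPLE_RESPONSES).items()):
        print(country, dict(counts))
```

Header matching is case-insensitive because embedded servers are not consistent about it, and non-HTTP bytes are counted separately rather than silently dropped so the denominator of any percentage is visible. Anything beyond the suspect tally, such as a real vulnerability check, is out of scope for a banner census.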