Router RTA04N Backdoor

From Área31 Hackerspace
Revision as of 23:51, 9 December 2015 by Coffnix (talk | contribs)
Responsible:
* Raphael Bastos aka coffnix
* Ewerson Guimarães aka Crash
* Gabriel Lanzi aka Glanzi

Who put the backdoor in my router?

Research Information

This is an INDEPENDENT research project conducted by two freaks:

  • Raphael Bastos (Coffnix): the one who actually found the backdoor.
  • Ewerson Guimarães (Crash): continued the research, did more device tests and contacted the vendors.


Abstract

For quite some time we have been seeing espionage cases reaching countries, governments and large companies.

A large number of backdoors were found on network devices, mobile phones and other related devices, having as main cases the ones that were reported by the media, such as: TPLink, Dlink, Linksys, Samsung and other companies which are internationally renowned.

This article will discuss a backdoor found on the modem / router XXX, equipment that has a big question mark on top of it, because there is no vendor identification and no information about who its manufacturer is, and there are at least 7 companies linked to its production, sales and distribution in the market. Moreover, some of them never really existed. Which leads us to the question in the research title: “Who put the backdoor in my modem?”

Detailed Outline

In recent research on an RTA04N device, supplied by GVT (a Brazilian ISP), we found some intriguing facts:

The vendor’s website does exist, but has only one screen with its logo, without any links to other areas such as manuals, support and firmware.


The device

GVT router from Belo Horizonte, Minas Gerais / Brazil.

Strange default SSID and password, based on the MAC address and serial number:

Router 01

[Photos: Router 01 (front), Router 01 (back)]

Router 02

[Photos: Router 02 (front), Router 02 (back)]


Internal

[Photo: internal board]


Legal

Consulting the approved register at ANATEL (Brazilian National Telecommunications Agency):

"Regulate, grant and supervise. That is how the main duties of Anatel can be summarized, developed to fulfill the mission of promoting the development of telecommunications in the country in order to give it a modern and efficient telecommunications infrastructure, capable of providing adequate and diversified services to society at fair prices throughout the national territory."

http://pt.wikipedia.org/wiki/Ag%C3%AAncia_Nacional_de_Telecomunica%C3%A7%C3%B5es

We can see one more company in the process, BAYTEC Technology:


http://sistemas.anatel.gov.br/sgch/HistoricoCertificado/Homologacao.asp?NumRFGCT=217112&idtHistoricoCert=9349313 (25/03/14)


More strange stuff...

BayTech

Address: Rua Aluisio Azevedo - 40 - Rocha - Rio de Janeiro-RJ / Brazil - CEP: 20960-050

Observa Telecom

In the device manager you can see Observa Telecom, but...

The device's MAC address starts with E4:C1:46, an OUI registered to the company Objetivos y Servicios de Valor Añadido, which in the end refers directly to Observa Telecom:

https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob_plain;f=manuf;hb=HEAD
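The OUI-to-vendor lookup the text relies on can be reproduced against the Wireshark manuf file itself. The following is an added example, not code from this research or from the Wireshark project: the manuf excerpt is constructed in that file's format (the E4:C1:46 line reflects what the page states; the two 00:1B:C5 entries are illustrative and show the /36 sub-block syntax), and in practice the file downloaded from the URL above would be read from disk instead.

```python
import re

# Constructed excerpt in the Wireshark "manuf" file format: each entry is
# prefix<TAB>short name<TAB>long name; a prefix may carry /bits for blocks
# smaller than the usual 24-bit OUI. Comment lines start with '#'.
SAMPLE_MANUF = """\
# Wireshark manuf (constructed excerpt for this example)
E4:C1:46\tObjetivosY\tObjetivos y Servicios de Valor Añadido
00:1B:C5\tIEEERegi\tIEEE Registration Authority
00:1B:C5:00:10:00/36\tConverging\tConverging Systems Inc.
"""

def parse_manuf(text):
    """Return a list of (prefix_value, prefix_bits, short, long) entries."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.rstrip().split("\t")
        prefix, short = fields[0], fields[1]
        long_name = fields[2] if len(fields) > 2 else short
        if "/" in prefix:                        # explicit block size, e.g. /36
            mac_part, bits_text = prefix.split("/")
            bits = int(bits_text)
        else:                                    # plain 3-octet OUI = 24 bits
            mac_part = prefix
            bits = 8 * len(mac_part.split(":"))
        # Pad to a full 48-bit value so every prefix is compared the same way.
        value = int(mac_part.replace(":", "").ljust(12, "0"), 16)
        entries.append((value, bits, short, long_name))
    return entries

def mac_to_int(mac):
    """Accept E4:C1:46:..., E4-C1-46-..., or e4c146... and return a 48-bit int."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return int(digits, 16)

def lookup_vendor(mac, entries):
    """Longest-prefix match; returns the long vendor name or None if unknown."""
    addr = mac_to_int(mac)
    best = None
    for value, bits, _short, long_name in entries:
        mask = ((1 << bits) - 1) << (48 - bits)
        if addr & mask == value & mask and (best is None or bits > best[0]):
            best = (bits, long_name)
    return None if best is None else best[1]
```

Because the match is longest-prefix, a /36 sub-block wins over its parent OUI, which is why the IEEE Registration Authority blocks resolve to the actual assignee when one is listed.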

The vendor’s website “exists”, but has only one screen with its logo, without any links to other areas such as manuals, support and firmware.

Of course, they don't reply to emails...

https://www.nic.es

Of course, they don't reply to emails (11)...

http://simbiotika.com/empresa/OBJETIVOS-Y-SERVICIOS-DE-VALOR-A%C3%91ADIDO-SL


GVT (Global Village Telecom)

This device is distributed by GVT, a big Brazilian Internet Service Provider.

According to GVT technical support, this modem/router is not supported by them. Are you serious? Don't believe it? Take a look at:

http://www.gvt.com.br/PortalGVT/Atendimento/Area-Aberta/Documentos/Lista-de-Modens


Hex dump

Opening its firmware in a hex viewer... Wow, wait, it's made by TPLINK??????
