Router RTA04N Backdoor: difference between revisions

Older revision: page created with "Responsible: * Raphael Bastos aka coffnix * Ewerson Guimarães aka Crash * Usuário:Gabriel_Muril..." (creation summary, truncated). Newer revision: no edit summary. The text of the newer revision follows.
Responsible:
* Raphael Bastos aka coffnix
* Ewerson Guimarães aka Crash
* Gabriel Lanzi aka Glanzi

Who put the backdoor in my router?

[[Image:Router_RTA04N.jpg|thumb|550px]]

= Research Information =
This is an INDEPENDENT research project conducted by two freaks:
* Raphael Bastos (Coffnix): effectively found the backdoor.
* Ewerson Guimarães (Crash): continued the research, ran more device tests and contacted the vendors.
= Abstract =
For quite some time we have been seeing espionage cases reaching countries, governments and large companies.

A large number of backdoors have been found in network devices, mobile phones and other related devices; the main cases are the ones reported by the media, involving TP-Link, D-Link, Linksys, Samsung and other internationally renowned companies.

This article will discuss a backdoor found in the modem/router XXX, a piece of equipment with a big question mark hanging over it: there is no vendor identification, no information about who its manufacturer is, and at least 7 companies are linked to its production, sales and distribution in the market. Moreover, some of them never really existed.

Which leads us to the question in the research title: "Who put the backdoor in my modem?"

= Detailed Outline =
In recent research on an RTA04N device supplied by GVT (a Brazilian ISP), we found some intriguing facts:
* The vendor's website does exist, but has only one screen with its logo, without any links to other areas such as manuals, support and firmware.
* The device's MAC address starts with E4:C1:46, an OUI registered to the company Objectivo y Servicios de Valor Anadido, which in the end refers directly to ObservaTelecom (see the Wireshark manufacturer database):
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob_plain;f=manuf;hb=HEAD

[[Image:Mac.png|400px]]
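The OUI lookup above (first three octets of the MAC, resolved through the Wireshark manuf database) is the standard first step in attributing an unbranded device. The following Python is an added example, not code from the article or its authors: it parses the tab-separated manuf layout (prefix, optional /bits, short name, long name) and does a longest-prefix match. The sample database is constructed for this example; only the E4:C1:46 row mirrors the article, and the other rows, the 00:11:22 OUI and the /28 block, are made up. For real lookups, feed it the manuf file from the URL above.

```python
"""Resolve a MAC address to its registered vendor using the Wireshark 'manuf'
file layout.  Added example; the sample entries below are constructed."""
import re
from typing import List, Optional, Tuple

# Constructed excerpt in the tab-separated manuf layout:
#   prefix[/bits] <TAB> short name <TAB> long name
# Only the E4:C1:46 row reflects the article; the rest is made up.
SAMPLE_MANUF = """\
# Wireshark manufacturer database (constructed excerpt for this example)
E4:C1:46\tObjectiv\tObjectivo y Servicios de Valor Anadido
00:11:22\tExampleV\tExample Vendor Inc (constructed)
00:11:22:30:00:00/28\tExampleS\tExample Sub-licensee (constructed /28 block)
"""

Entry = Tuple[int, int, str, str]  # (prefix as int, prefix bits, short, long)


def mac_to_int(mac: str) -> int:
    """Parse 'E4:C1:46', 'e4-c1-46-0a-bb-cc' or 'e4c1460abbcc' into a 48-bit
    integer, right-padding shorter prefixes with zero bits."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if not hexdigits or len(hexdigits) > 12 or len(hexdigits) % 2:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(hexdigits.ljust(12, "0"), 16)


def parse_manuf(text: str) -> List[Entry]:
    """Turn manuf-format text into a list of prefix entries.
    Lines starting with '#' (or trailing '# ...') are comments."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()
        if not line:
            continue
        fields = line.split("\t")
        prefix = fields[0]
        short = fields[1] if len(fields) > 1 else ""
        long_name = fields[2] if len(fields) > 2 else short
        if "/" in prefix:                      # e.g. 00:11:22:30:00:00/28
            prefix, bits_str = prefix.split("/", 1)
            bits = int(bits_str)
        else:                                  # bare OUI: first three octets
            bits = 24
        entries.append((mac_to_int(prefix), bits, short, long_name))
    return entries


def lookup_vendor(mac: str, entries: List[Entry]) -> Optional[str]:
    """Return the long vendor name of the longest matching prefix, or None
    (e.g. for locally administered or unregistered addresses)."""
    addr = mac_to_int(mac)
    best: Optional[Tuple[int, str]] = None
    for prefix, bits, _short, long_name in entries:
        mask = ((1 << bits) - 1) << (48 - bits)
        if addr & mask == prefix & mask and (best is None or bits > best[0]):
            best = (bits, long_name)
    return best[1] if best else None


if __name__ == "__main__":
    db = parse_manuf(SAMPLE_MANUF)
    for sample in ("E4:C1:46:12:34:56", "00:11:22:3A:00:01",
                   "00:11:22:00:00:01", "02:00:00:00:00:01"):
        print(sample, "->", lookup_vendor(sample, db))
```

The longest-prefix rule matters because IEEE also hands out /28 and /36 blocks inside an OUI that may be registered to a different company; a plain three-octet lookup would attribute those to the block owner rather than the sub-licensee.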
= The device =
Router from GVT, Belo Horizonte, Minas Gerais / Brazil.

Strange default SSID and password, based on the MAC address and the serial number:

Router 01 (click to enlarge)

Router 02 (click to enlarge)

Internal (click to enlarge):
[[Image:Router_internal_front.jpg|600px]]
[[Image:Router_internal_verso.jpg|600px]]

= Legal =
The device is approved by ANATEL (the Brazilian National Telecommunication Agency):
[[Image:Router_anatel.png|600px]]
http://sistemas.anatel.gov.br/sgch/HistoricoCertificado/Homologacao.asp?NumRFGCT=217112&idtHistoricoCert=9349313
= More strange stuff... =
== BayTech ==
'''Address:''' Rua Aluisio Azevedo - 40 - Rocha - Rio de Janeiro-RJ / Brazil - CEP: 20960-050
[[Image:BayTech.png|800px]]

== Observa Telecom ==
In the device manager you can see Observa Telecom, but...
[[Image:Observa.png|600px]]
The vendor's website "exists", but has only one screen with its logo, without any links to other areas such as manuals, support and firmware.
[[Image:Observa2.png|400px]]
Of course, they don't reply to emails (11 sent)...

== GVT (Global Village Telecom) ==
[[Image:GVT.png|100px]]
This device is distributed by GVT (an internet service provider).
According to GVT technical support and its website, this modem/router is not supported by them.
Don't believe it? Take a look at:
http://www.gvt.com.br/PortalGVT/Atendimento/Area-Aberta/Documentos/Lista-de-Modens

== Hex dump ==
Opening its firmware in a hex viewer... Wow, wait, it's made by TP-LINK??????
[[Image:Hex.png|600px]]
[[Categoria:Hacking Projects]]
[[Categoria:HackingDocs ]]
[[Categoria:HardwareOpensource]]
Revision as of 23:42, 9 December 2015