Head of Research Equus
My name is Amihai Neiderman, 26 years old. I worked with computers for the last 20 years or so, doing everything from high-level programming to bare metals electronic fun.
in the last 8 years I’ve been working in the field of security research,mostly doing vulnerability research and exploitation in windows,linux and embedded devices.
Today I work for a company called Equus as the head of research. searching for Android is IOS 0days.
How I hacked my city
The talk is an in-depth walkthrough on how I managed to take over the Tel-Aviv municipal Wi-Fi network “FREE_TLV”. The talk will take the audience through all of the steps I took while researching the network, from the first connection, getting the WAN side IP address, scanning the network and finding and exploiting a vulnerability in the network’s load-balancer.
My research began with an external IP address of the network, which I got from connecting to the Wi-Fi network and going to http://whatismyip.com . when scanning the network from the outside using nmap I got a single port open – 443. When connecting to it I found it’s a network device from a company called peplink. I started researching the device in a blackbox manner and couldn’t find anything interesting.
After detecting the type of the device (in a pretty cool way involving the research of the http headers that were being sent by the device) I went to the manufacturer site and downloaded the right firmware.
The firmware itself was encrypted by the company so I had to reverse the boot process and the kernel patches that were inserted in order to implement the encryption and decryption process.
To save time I tried to unpack a firmware update of a simpler version of the device with a weaker encryption mechanism and then I found a logic vulnerability which allowed me to download a specific cgi file from the device. I used this vulnerability in order to download this cgi binary from the target’s device. It happened to be that this cgi is a native binary which holds most of the web functionality which makes it a prime candidate for research. I started researching this binary until I have found a memory corruption vulnerability which was also easy to exploit.
To check my exploit POC I eventually reversed the entire boot process and hacked my way through their “encryption” (shorty XOR key :\ ) and built myself a working model on a VM of the device. I managed to write a successful exploit for Peplink’s load-balancer series.
During my talk I will explain my thought process and the problems I encountered and how I overcame them. The audience will learn how a real life research from the eyes of an attacker is done from the basics of how to detect the device you’re want to attack, finger printing it and eventually finding a vulnerability and testing it back home before using it in the wild.
DVB-T is a standard for digital television broadcasting. The standard requires a consumer who wants to watch the digital television broadcasts to purchase a special device that can receive and process the RF signals.
In my research I wanted to be able to exploit a DVBT receiver via an over the air attack – sending a specially crafted data packet over an RF signal and taking over the device.
The research was focused on a common receiver in Israel and Europe made by a Chinese company called MSTAR. The receiver itself is an embedded MIPS device which runs an embedded operating system. During the research I managed to extract the firmware from the flash memory chip on the board and analyze the binary dump. I reversed some of the main function in the OS and built a custom embedded debugger in order to be able to perform live debugging and eventually found and exploited a vulnerability in the DVBT protocol which allowed me using a USRP kit to exploit every DVBT receiver in an area of a few hundred meters.
Are you the next cyber security superstar?
Ready for this year's presentations?
By registering you will unlock access to 60+ speakers and two full days with cyber security news & showcases from worldwide leaders.
Sponsors & Partners
They help us make this conference possible.
Orange „brings you closer to what matters to you”.
This is our brand promise: to bring our clients closer to what’s essential to them and to keep them always connected and in touch with the latest technologies, by offering them the best and safest communication experience.