Equus - Head of Research
My name is Amihai Neiderman, 26 years old. I worked with computers for the last 20 years or so, doing everything from high-level programming to bare metals electronic fun.
in the last 8 years I’ve been working in the field of security research,mostly doing vulnerability research and exploitation in windows,linux and embedded devices.
Today I work for a company called Equus as the head of research. searching for Android is IOS 0days.
How I hacked my city
The talk is an in-depth walkthrough on how I managed to take over the Tel-Aviv municipal Wi-Fi network “FREE_TLV”. The talk will take the audience through all of the steps I took while researching the network, from the first connection, getting the WAN side IP address, scanning the network and finding and exploiting a vulnerability in the network’s load-balancer.
My research began with an external IP address of the network, which I got from connecting to the Wi-Fi network and going to http://whatismyip.com . when scanning the network from the outside using nmap I got a single port open – 443. When connecting to it I found it’s a network device from a company called peplink. I started researching the device in a blackbox manner and couldn’t find anything interesting.
After detecting the type of the device (in a pretty cool way involving the research of the http headers that were being sent by the device) I went to the manufacturer site and downloaded the right firmware.
The firmware itself was encrypted by the company so I had to reverse the boot process and the kernel patches that were inserted in order to implement the encryption and decryption process.
To save time I tried to unpack a firmware update of a simpler version of the device with a weaker encryption mechanism and then I found a logic vulnerability which allowed me to download a specific cgi file from the device. I used this vulnerability in order to download this cgi binary from the target’s device. It happened to be that this cgi is a native binary which holds most of the web functionality which makes it a prime candidate for research. I started researching this binary until I have found a memory corruption vulnerability which was also easy to exploit.
To check my exploit POC I eventually reversed the entire boot process and hacked my way through their “encryption” (shorty XOR key :\ ) and built myself a working model on a VM of the device. I managed to write a successful exploit for Peplink’s load-balancer series.
During my talk I will explain my thought process and the problems I encountered and how I overcame them. The audience will learn how a real life research from the eyes of an attacker is done from the basics of how to detect the device you’re want to attack, finger printing it and eventually finding a vulnerability and testing it back home before using it in the wild.
DVB-T is a standard for digital television broadcasting. The standard requires a consumer who wants to watch the digital television broadcasts to purchase a special device that can receive and process the RF signals.
In my research I wanted to be able to exploit a DVBT receiver via an over the air attack – sending a specially crafted data packet over an RF signal and taking over the device.
The research was focused on a common receiver in Israel and Europe made by a Chinese company called MSTAR. The receiver itself is an embedded MIPS device which runs an embedded operating system. During the research I managed to extract the firmware from the flash memory chip on the board and analyze the binary dump. I reversed some of the main function in the OS and built a custom embedded debugger in order to be able to perform live debugging and eventually found and exploited a vulnerability in the DVBT protocol which allowed me using a USRP kit to exploit every DVBT receiver in an area of a few hundred meters.