Head of Research Equus
My name is Amihai Neiderman, 26 years old. I have worked with computers for the last 20 years or so, doing everything from high-level programming to bare-metal electronics fun.
In the last 8 years I’ve been working in the field of security research, mostly doing vulnerability research and exploitation on Windows, Linux and embedded devices.
Today I work for a company called Equus as the head of research, searching for Android and iOS 0days.
How I hacked my city
The talk is an in-depth walkthrough of how I managed to take over the Tel-Aviv municipal Wi-Fi network “FREE_TLV”. The talk will take the audience through all of the steps I took while researching the network: from the first connection, getting the WAN-side IP address, scanning the network, and finding and exploiting a vulnerability in the network’s load-balancer.
My research began with an external IP address of the network, which I got by connecting to the Wi-Fi network and going to http://whatismyip.com . When scanning the network from the outside using nmap I got a single open port – 443. When connecting to it I found it’s a network device from a company called Peplink. I started researching the device in a black-box manner and couldn’t find anything interesting.
After detecting the type of the device (in a pretty cool way involving research into the HTTP headers sent by the device) I went to the manufacturer’s site and downloaded the right firmware.
The firmware itself was encrypted by the company so I had to reverse the boot process and the kernel patches that were inserted in order to implement the encryption and decryption process.
To save time I tried to unpack a firmware update of a simpler version of the device with a weaker encryption mechanism, and there I found a logic vulnerability which allowed me to download a specific CGI file from the device. I used this vulnerability in order to download this CGI binary from the target’s device. It turned out that this CGI is a native binary which holds most of the web functionality, which makes it a prime candidate for research. I started researching this binary until I found a memory corruption vulnerability which was also easy to exploit.
To check my exploit PoC I eventually reversed the entire boot process and hacked my way through their “encryption” (short XOR key :\ ) and built myself a working model of the device in a VM. I managed to write a successful exploit for Peplink’s load-balancer series.
During my talk I will explain my thought process, the problems I encountered and how I overcame them. The audience will learn how real-life research is done from the eyes of an attacker: from the basics of how to detect the device you want to attack and fingerprint it, to eventually finding a vulnerability and testing it back home before using it in the wild.
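The abstract mentions that the firmware “encryption” was a short XOR key. As an added example (not the speaker’s tooling, not Peplink’s image format, and not the method the talk describes, which was reversing the boot code), the script below shows the generic statistical attack on such obfuscation: guess the key period from the ciphertext’s self-coincidence rate, recover each key byte from the most common ciphertext byte in its column (firmware images are dominated by zero padding), and confirm the result against a magic string. The image layout, the FAKEFW01 magic and the key bytes are constructed for the demo and are assumptions, not real values; the known-plaintext helper shows the shortcut when a header string is already known.

```python
"""Recover a short repeating XOR key from an obfuscated firmware image (demo)."""
from collections import Counter


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; obfuscation and deobfuscation are the same op."""
    klen = len(key)
    return bytes(b ^ key[i % klen] for i, b in enumerate(data))


def coincidence_rate(data: bytes, lag: int) -> float:
    """Fraction of positions i where data[i] == data[i + lag]."""
    n = len(data) - lag
    return sum(1 for i in range(n) if data[i] == data[i + lag]) / n


def guess_key_length(cipher: bytes, max_len: int = 32) -> int:
    """Lags equal to the key period (and its multiples) line up identical key
    bytes, so equal plaintext bytes (mostly padding) collide far more often.
    Take the smallest lag that scores close to the best one."""
    rates = {lag: coincidence_rate(cipher, lag) for lag in range(1, max_len + 1)}
    best = max(rates.values())
    return min(lag for lag, r in rates.items() if r >= 0.9 * best)


def recover_key_by_frequency(cipher: bytes, key_len: int, fill: int = 0x00) -> bytes:
    """Assume the most common plaintext byte is the padding value `fill`; then the
    most common ciphertext byte in column j is fill ^ key[j]."""
    key = bytearray()
    for j in range(key_len):
        most_common, _ = Counter(cipher[j::key_len]).most_common(1)[0]
        key.append(most_common ^ fill)
    return bytes(key)


def recover_key_by_known_plaintext(cipher: bytes, known: bytes, offset: int, key_len: int) -> bytes:
    """If `known` plaintext sits at `offset` and spans a full period, the key
    bytes fall out directly as cipher ^ plaintext."""
    key = bytearray(key_len)
    seen = [False] * key_len
    for i, p in enumerate(known):
        pos = offset + i
        key[pos % key_len] = cipher[pos] ^ p
        seen[pos % key_len] = True
    if not all(seen):
        raise ValueError("known plaintext does not cover a full key period")
    return bytes(key)


def unpack(cipher: bytes, magic: bytes) -> tuple[bytes, bytes]:
    """Full pipeline: period guess, frequency recovery, magic check."""
    key_len = guess_key_length(cipher)
    key = recover_key_by_frequency(cipher, key_len)
    plain = xor_bytes(cipher, key)
    if not plain.startswith(magic):
        raise ValueError(f"key {key.hex()} does not yield expected magic")
    return key, plain


# ---- constructed demo image (assumptions, not a real vendor format) ----
DEMO_MAGIC = b"FAKEFW01"
DEMO_KEY = bytes([0x5A, 0xA5, 0x3C, 0xC3, 0x0F])   # hypothetical 5-byte key


def build_demo_image() -> bytes:
    """Header + a few strings + pseudo-code bytes + zero padding, like a real image."""
    body = DEMO_MAGIC + (0x1234).to_bytes(4, "big") + b"\x00" * 4
    body += b"/bin/sh\x00/etc/passwd\x00firmware demo build\x00"
    body += bytes(range(256)) * 2          # stands in for code/data sections
    body += b"\x00" * 4096                  # flash padding dominates the image
    return body


DEMO_PLAINTEXT = build_demo_image()
DEMO_CIPHER = xor_bytes(DEMO_PLAINTEXT, DEMO_KEY)


if __name__ == "__main__":
    key, plain = unpack(DEMO_CIPHER, DEMO_MAGIC)
    print("recovered key:", key.hex())
    print("known-plaintext key:", recover_key_by_known_plaintext(DEMO_CIPHER, DEMO_MAGIC, 0, len(key)).hex())
    print("image restored:", plain == DEMO_PLAINTEXT)
```

The frequency method needs the padding byte to dominate every column; on an image that is mostly compressed data it fails, and the known-plaintext route (a magic string, an ELF header, a version banner at a known offset) is the one to reach for. Both only work because the “encryption” has no diffusion; anything keyed with a real cipher needs the key pulled out of the boot code, as in the talk.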
DVB-T is a standard for digital television broadcasting. The standard requires a consumer who wants to watch the digital television broadcasts to purchase a special device that can receive and process the RF signals.
In my research I wanted to be able to exploit a DVB-T receiver via an over-the-air attack – sending a specially crafted data packet over an RF signal and taking over the device.
The research was focused on a common receiver in Israel and Europe made by a Chinese company called MSTAR. The receiver itself is an embedded MIPS device which runs an embedded operating system. During the research I managed to extract the firmware from the flash memory chip on the board and analyze the binary dump. I reversed some of the main functions in the OS and built a custom embedded debugger in order to be able to perform live debugging, and eventually found and exploited a vulnerability in the DVB-T protocol handling which allowed me, using a USRP kit, to exploit every DVB-T receiver in an area of a few hundred meters.
By registering you will unlock access to 60+ speakers and two full days with cyber security news & showcases from worldwide leaders.
Sponsors & Partners
They help us make this conference possible.
Orange Romania is the leader of the local telecom market and part of the Orange Group, one of the largest global telecommunications operators, connecting hundreds of millions of customers worldwide. With over 11 million customers and an annual turnover exceeding 1.5 billion euros, Orange Romania connects 1 in 2 Romanians and offers an extensive range of communication solutions to its customers, both individual users and companies, from basic services up to complete voice services, fixed and mobile data, TV services or smart home services, but also mobile financial services. Orange is also a leader in innovation investing yearly over 200 million euros in network infrastructure and R&D initiatives in Romania. In the past 3 years Orange has launched two 5G Labs in Bucharest and Iasi, that aim to support researchers, startups and companies to test their 5G solutions in advance. In addition, Orange is a long-term supporter of the startup ecosystem through the Orange Fab accelerator program designed to support entrepreneurs in the development of innovative products and their distribution locally and internationally.
Orange Services was created in 2013 and is a 100% owned subsidiary of Orange Group. As a technology services company, our DNA is in IT, but our teams also work in other domains including mobile networks and a number of commercial and business functions. Orange Services is one of the largest technology hubs in the Orange Group, working internationally for both Orange corporate functions and country operations. Through a unique combination of cutting edge know-how and expertise, our teams provide a broad range of services: development and supervision of IT services in domains such as Big Data, Cloud, M2M, IoT, TV, Connected Objects; design and development of IT infrastructure and desktop solutions; testing & planning for mobile networks; implementation of supply chain solutions and also improvement of commercial & business performance including BI, CRM, Analytics, Digital learning and Customer Care.