Presentation is loading. Please wait.

Presentation is loading. Please wait.

Modems, ISPs & the media How the Comhem vulnerability could have been handled, and what happened instead.

Published byDonavan Needler Modified over 9 years ago

Similar presentations

Presentation on theme: "Modems, ISPs & the media How the Comhem vulnerability could have been handled, and what happened instead."— Presentation transcript:

1 Modems, ISPs & the media How the Comhem vulnerability could have been handled, and what happened instead

2 Who am I? @johanRmoller Penetration Tester @ Omegapoint Podcaster @ Säkerhetspodcasten Annoyer of ISPs

3 This talk is about How I hacked my own modem How Comhem handled my bug report How I worked with the media to force Comhem into handling it better How they still failed And finally – How it should have been done

4 Lets go back a while All the way back to August, 2013

5 I live in a ComHem house Which means I get one of these:

6 Its my gateway to the internet I decided to see if I could hack myself. There where two obvious ways to go about it.

7 Pros & Cons Firmware Analysis Pros Can find stuff not obvious on the web interface Could possibly reprogram the modem Could find cooler vulnerabilities Cons Could brick my modem Lots of work Not my area of expertise Web Interface hacking Pros Easy and quick Could find really stupid vulnerabilities Little to no risk of damaging the modem Cons I wouldn’t be learning anything new Soldering is cool! Won’t find hidden stuff

8 The web interface

9 Fiddling around with burp

10 Finding CSRF Vuln

11 Impact of the CSRF vuln Changing DNS Harvest account details Spread malware Steal Credit Card and bank details Port Forwarding Expose internal network to internet Turning on remote admin Changing all modem settings Stealing stored passwords (wifi passwords stored in cleartext) Downgrade security DOS Brick the modem

12 Hardware hacking

13

14 Analyzing firmware

15 Sending the bug report

16 ComHem Responds

17 A year goes by

18 What is responsible disclosure?

19

20

21

22 Comhem Responds

23 Comhem responds again “The DNS problem only exists in Stockholm” -Comhem

24

25 Comhem locks down DNS Limiting their modems to only using Comhems DNS. This still doesn’t solve the following problems: Port Forwarding Expose internal network to internet Turning on remote admin Changing all modem settings Stealing stored passwords (wifi passwords stored in cleartext) Downgrade security DOS Brick the modem Etc…

26 Minister proposes Law Change and PTS investigates

27 Comhem solves the problem On the 14 th of November a firmware update finally arrives, solving the problem. At this point, the media attention has died down Noone cares that the issue is resolved The damage to Comhem is already done, and can’t be reversed at this point

28 What did we learn How should they have done it? Can we help our clients and companies handle these issues? What is it like to deal with the media Knowing what you want to say and being able to back it up

29 Evil DNS - Swedbank

Download ppt "Modems, ISPs & the media How the Comhem vulnerability could have been handled, and what happened instead."

Similar presentations

Zenith Visa Web Acquiring A quick over view. Web Acquiring Allows merchants to receive payments for goods and services through the Internet Allows customers.

Zenith Visa Web Acquiring A quick over view. Web Acquiring Allows merchants to receive payments for goods and services through the Internet Allows customers.
SECURITY CHECK Protecting Your System and Yourself Source:

SECURITY CHECK Protecting Your System and Yourself Source:
ICT & Crime Data theft, phishing & pharming. Data loss/theft Data is often the most valuable commodity any business has. The cost of creating data again.

ICT & Crime Data theft, phishing & pharming. Data loss/theft Data is often the most valuable commodity any business has. The cost of creating data again.
Computer Threats I can understand computer threats and how to protect myself from these threats.

Computer Threats I can understand computer threats and how to protect myself from these threats.
A few simple steps, hints and tips to figure out if it is indeed fake. - By Emily Breuss.

A few simple steps, hints and tips to figure out if it is indeed fake. - By Emily Breuss.
Unit 9 Network Fundamentals. Describe a network Explain the benefits of a network Identify risks in computing Describe the roles of clients & servers.

Unit 9 Network Fundamentals. Describe a network Explain the benefits of a network Identify risks in computing Describe the roles of clients & servers.
Starting up a Security Class for Students Created by: Beth Byrnes Larry James Zac Reimer For Information Services University of Nebraska-Lincoln.

Starting up a Security Class for Students Created by: Beth Byrnes Larry James Zac Reimer For Information Services University of Nebraska-Lincoln.
Presented by: Luke Speed Computer Security. Why is computer security important! Intruders hack into computers to steal personal information that the user.

Presented by: Luke Speed Computer Security. Why is computer security important! Intruders hack into computers to steal personal information that the user.
Internet Security Passwords.

Internet Security Passwords.
Wi-Fi Structures.

Wi-Fi Structures.
E-Commerce Strategy By Callum Kirkman.

E-Commerce Strategy By Callum Kirkman.
1 Configuring Linksys Wireless Router Prof. Valencia Community College.

1 Configuring Linksys Wireless Router Prof. Valencia Community College.
SiteLock Internet Security: Big Threats for Small Business.

SiteLock Internet Security: Big Threats for Small Business.
INTERNET SAFETY FOR STUDENTS

INTERNET SAFETY FOR STUDENTS
Email evidence. Safety To stay safe on the internet there are many points you need to follow. The first point is to change your password regularly, you.

evidence. Safety To stay safe on the internet there are many points you need to follow. The first point is to change your password regularly, you.
Threats to I.T Internet security By Cameron Mundy.

Threats to I.T Internet security By Cameron Mundy.
Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.

Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.
External Threats to Healthcare Data Joshua Spencer, CPHIMS, C | EH.

External Threats to Healthcare Data Joshua Spencer, CPHIMS, C | EH.
Introduction Our Topic: Mobile Security Why is mobile security important?

Introduction Our Topic: Mobile Security Why is mobile security important?
CHC DI Group. What We Will Cover Securing your devices and computers. Passwords. Emails. Safe browsing for shopping and online banks. Social media.

CHC DI Group. What We Will Cover Securing your devices and computers. Passwords. s. Safe browsing for shopping and online banks. Social media.

Similar presentations

Ads by Google