The device was hacked by a wifi attack and taken over by overwriting the current telco firmware. After this, the telco application server normally providing the config/credentials of the customer (login, wifi credentials) refused to connect over the DSLAM (ASAM/ISAM). Standard procedure: delivering the customer an empty box and pushing the config by CWMP/TR-069. A suspect nearby was observed with a smartphone, so there may be an Android app out there in the Google Play Store of some unknown country providing a successful WPA2-PSK/TKIP (no AES) attack for breaking into Wifi. Could also have been BackTrack exploitation tools.
Now, how to get the NVRAM and RAM out for IDA Pro investigation? FTK Imager and FTK (AD) are ready to use, but I wonder which is the best forensics tool to image with, as SSL/Telnet access is blocked by the telco firmware.
Here are the hardware details: PSB4212N, manufactured by ADB Broadband S.p.A., SAP-10043143, P/N 151134102, Made in Vietnam.
Any advice will save examination time and will be highly appreciated.
RoGu
I am not familiar with this router, but you may be able to dump the flash with the
Update: The suspect observed in the area was probably using the current Kali 2.0 NetHunter to break the WPA2 with Aircrack-ng. The Chinese smartphone manufacturer OnePlus' model One is a supported device for Kali 2.0, and cheap. The OnePlus One is very common in Asia and looming in Europe.
Btw, the Centro Router is used 100k-fold in Swiss SMEs, provided by Swisscom and fully managed by them.
The question of liability turns against the telco provider when 'managed'. The customer did not configure anything, hands-off.
Thank you for the hint :-)
Update: Broadcom 6368 CPU; nmap shows port 22 ssh open and fine, telnet denied. ADB Broadband is the former Pirelli Broadband; default IP to connect is 192.168.1.1. IDA Pro shows the last compiled FW running as 11.11.2015 IAD_Swisscom. Based on the telco site, the FW should be FW7.08.14 DPA2pv6C038q.24j (info from the telco-approved hardware list), BUT the Swisscom site shows FW 7.10.12 sig, see here
https://
date of post missing :-(
Nice case to learn, as a hack and not 'sharp' evidence required
Sounds like you enjoyed this one :)
Happy New Year !
#kakos - Happy New Year 2 - yes I do, but not finished, still a running case
Just asking, how was the suspect found? Or are you just guessing he might be using NetHunter?
Update: The WPA2-TKIP was broken with NH, after a malicious FW update over SSL with an open (GUEST) WLAN whose SSID was not broadcast, used for crime web access. The telco just overwrote the FW from their Application Server (the telco calls this the 'config channel'). Not sure if telcos usually just overwrite the FW if things hang or break. Does anybody know a more aggressive tool than NH, freely available or on the DarkWeb? As long as a way of manual FW upgrade (with path) is enabled in the router GUI, crime will use it. FWs should generally be signed with digital signatures and delivered only over a secured connection to the telco Application Server (AS). Operations in the supply chain and maintenance issues may favor a manual FW upgrade, but it is always a vulnerability and not a closed process.
End of story - new crime waits in the dark
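As an added example (not code from this thread, nor from ADB Broadband or Swisscom), a Go sketch of the signed-firmware gate the post above calls for: the router verifies a release manifest under a pinned telco public key, checks the image hash against it and refuses downgrades, before any upgrade path (GUI upload or AS push) may flash. The key pair, manifest layout and function names are assumptions; only the version strings are taken from the thread.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest describes one firmware release as the telco would publish it
// (field names are assumptions for this example).
type Manifest struct {
	Version   string   // e.g. "7.08.14"; version strings taken from the thread
	ImageHash [32]byte // SHA-256 of the firmware image
}

// encode serialises the manifest so signer and verifier sign the same bytes.
func (m Manifest) encode() []byte {
	return append([]byte("centro-fw-manifest:"+m.Version+":"), m.ImageHash[:]...)
}

// SignManifest is the telco-side release step.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.encode())
}

// VerifyFirmware is the router-side gate in front of every upgrade path: the
// manifest must verify under the pinned key, the image must match the signed
// hash, and the version must not be older than the one installed.
func VerifyFirmware(pub ed25519.PublicKey, m Manifest, sig, image []byte, installed string) error {
	if !ed25519.Verify(pub, m.encode(), sig) {
		return errors.New("manifest signature invalid: refusing image")
	}
	sum := sha256.Sum256(image)
	if !bytes.Equal(sum[:], m.ImageHash[:]) {
		return errors.New("image hash does not match signed manifest")
	}
	if m.Version < installed { // string order is enough for zero-padded x.yy.zz
		return fmt.Errorf("downgrade %s -> %s rejected", installed, m.Version)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed release key for the demo
	image := []byte("constructed firmware image bytes")
	m := Manifest{Version: "7.10.12", ImageHash: sha256.Sum256(image)}
	sig := SignManifest(priv, m)
	fmt.Println("genuine:", VerifyFirmware(pub, m, sig, image, "7.08.14"))
	fmt.Println("tampered:", VerifyFirmware(pub, m, sig, append(image, 'x'), "7.08.14"))
}
```

In practice the public key would be burned into the bootloader or a protected NVRAM region, so that a GUI upload path cannot replace it along with the image.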
We are getting a brand-new Centro Business and a Nexus 10 tablet to load BackTrack 5 on; we will reproduce the WPA-PSK break-in in the lab and try to log all devices for a lay-over timeline.
Criminals try hard - let's try harder :-)