Sniffing my neighbour's FTTH

Some time ago, a year more or less since My Game of Trojans in the ISACA Challenge, I was thinking about if my neighbour could analyse my FTTH traffic, and if I could do the same, finding a weekness in the GPON standard which is usually deployed by most ISP in Spain and that we shouldn't confuse with the EPON standard. In fact, this was actually an excuse to study and learn how this networks work.

Why would I wanted to know if I could sniff FTTH traffic? Because reading and speaking with my workmates we noticed that downloading traffic from the OLT arrives to any ONT in the neighbourhood. Therefore, if my downloading traffic arrives to my neighbour's house, his downloading traffic arrives to my house too. However, uploading traffic doesn't work in the same way because uploading traffic from ONT only arrives to the OLT. This is the way how P2MP (Point to MultiPoint) networks work like MetroEthernet E-Line can work. Is this ilegal? Of course, we shouldn't implement an ISP In The Middle (IITM) attack but it deserves to know what an evil neighbour can do.

GPON Downstream Transmission

GPON Upstream Transmission

First, I was thinking about spoofing. How can we spoof an ONT? For the registering process between an OLT and ONT, we need the Serial Number (SN) or SN+Password of our neighbour's ONT. Maybe the password is hardcode in the ONT but SN will be different for each ONT, although we can walk around of our neighbour's house to get it. In addition, ISP engineers aren't used to asking for SN when a new ONT is installed, but they run an auto-discovery process in the OLT to find new ONT and allow them. Anyway, we are interested in analysing our neighbour's traffic and not to spoof his ONT.

The next step was to know if traffic is encrypted. According to the standard GPON: ITU-T G.984.3, downstream is encrypted with the symmetric algorithm AES-128 and upstream isn't encrypted because it isn't needed. Can we decrypt the downstream traffic? What is the process to encrypt? Both, OLT and ONT, have a MSK (Master Secret Key) which I think could be get from a reverse engineering. However, we already know that an evil neighbour can't get upstream traffic, thus ONT generates a plaintext data key (P) to produce a ciphertext data key (C), which is sent to the OLT, with the next formula:

C = AES-ECB(MSK, P)

Once OLT has the ciphertext data key (C), along with MSK, OLT can figure out the plaintext data key (P) generated by ONT. Therefore, from my point of view, and my knowledge, an evil neighbour couldn't decrypt our FTTH traffic.

P = AES-ECB^-1 (MSK, C)

On the other hand, studying and reading about GPON, I have remembered how Time Division Multiple Access or TDM works, which is used by most FTTH, although ISP offers till 300 Mbps today with Statistical Time Division Multiplexing or STDM. However, the future is to install P2P (Point to Point) networks with Wavelengh Division Multiplexing or WDM like the Next Generation PON2 or NG-PON2 which uses Time and Wavelength Division Multiplexing or TWDM which is more secure because traffic reaches only to the right ONT.

Regards my friends and remember, your FTTH traffic is in your neighbour's house too.

WSN – Wireless Sensor Networks

Last week, I gave a speech about how an attacker or a gossipy man can get our WiFi or Bluetooth waves to know things like where we live or where we have been. In addition, I spoke about how Meridian by Aruba Networks takes advantage of this technologies to make a Wireless Sensor Network and building customized mobile applications with turn-by-turn directions to points of interest in a space. My workmates also spoke about trends over WiFi like Wireless Gigabit, WiFly and the WMM extension for Quality of Services.

Today, Wireless Networks are well known for us but Wireless Sensor Networks are a little different because they can be easily made by hundreds or thousands sensors getting information like air pollution, water quality, temperatures, etc. This sensors are tiny devices with a low power consumption, which can work with batteries, they are deployed in a simple star network or in an advanced multi-hop wireless mesh network and they can use WiFi or Bluetooth technology to interconnect with each other.

Beyond WSN, we are living today with many Bluetooth devices to interchange data which some of them are unusual or unexpected like Bluetooth hats, teeth with Bluetooth technology, toothbrush with Bluetooth, balls with Bluetooth, etc, and others common Bluetooth devices like smartphone, smartTV or smartwatch. Therefore, all of this Bluetooth devices can made a WSN against, for instance, an smartphone where we manage and monitor all of this sensors. However, we should be cautious because everything is in the air and we should take into account the Bluetooth Security.

Teeth with Bluetooth technology

Meridian by Aruba Networks has used WiFi and the fourth version of Bluetooth technology called Bluetooth Smart or BLE (Bluetooth Low Energy) to deploy WSN. Meridian can customize mobile applications to take advantages of this kind of networks for many things like pushing notifications and advertisements to mobile app users, analyzing how many devices are in a space and for how long, give turn-by-turn directions to points of interest like coffee shops, gates, restaurants, rooms, parking, etc, etc. Meridian is a powerful tool to develop your own mobile applications.

What is the future? Everything is going to be interconnected!! We know that Internet of Things (IoT) is here and it's here to stay. Today, there are many devices with WiFi and Bluetooth technologies, we know about IPv6 where many devices can have his own IP, we know about SmartCity as well where traffic lights work according to traffic jam, and virtual reality is another computer technology that it will come sooner than we think and it will be integrated with all of these Sensor Networks. I think, our future is a little frightening.

Regards my friends and remember, you will be in the future.

Cold War

If we want to understand the present, we have to study history. This is what we can do reading books like the Century Trilogy by Ken Follett which is an easy and nice way to learn about our past. Last week I finished to read the third and last book called “Edge of Eternity” about the Cold War, after reading the first one about the First World War and the second one about the Second World War. I would like to sum up some interesting facts of the Cold War era in this post.

This book begin after the Second World War with the construction of the Berlin Wall when Germany was divided in 1961, which cut off Germany in West Berlin and East Berlin because Eastern Bloc wanted to protect the population from fascist people who conspired to avoid a socialist state in East Germany. However, the truth for the construction of this wall was to prevent the emigration from the Eastern Bloc to the West Bloc due to the fact that most people didn't want to live in a comunist state.

Another important fact for these years was the Civil Rights Movement in the EEUU from 1955 to 1968 that it is also referenced in this book. African people and black communities claimed civil rights like the right to vote and non-discrimination policies which was led by Martin Luther King who was killed by a robber and thief white man in Tennessee when King was supporting a strike. However, according to some conspiracies, King was killed with the government support. In addition, John F. Kennedy was also killed in 1963 while he was in a political tour in Texas.

Returning to Europe, comunism and the URSS was harassing the East Europe. For instance, the reformist Alexander Dubcek launched an action programme of liberalizations to Czechoslovakia called the Prague Spring with the aim of building non-totalitarian policies, ligalize political parties and trade unions, freedom of the press, freedom of the speech and movement, right to strikes and demonstrations, etc. However, the Soviet Union along with Bulgaria, Hungary, Poland and the East Germany, which were in the Warsaw Pact, invaded Czechoslovakia in 1968 to avoid the reform movement led by Dubcek. In the end, Czechoslovakia was dominated by Soviet Union till 1991 when the URSS was dismantled.

At the end of this book, we are going to read how the Soviet Union, with Mijaíl Gorbachov in the power, was broken up when Gorbachov gave freedom and democracy to the population and he wanted to reduce corruption as well. In addtion, the Reagan Doctrine which supported the yihad against the Soviet Union and the low prices of petrol in Saudi Arabia exhausted the URSS which didn't have enough money to maintain all Soviet Republics. Therefore, the communism was abolished and with this historical fact the Berlin Wall was demolished too in 1990.

Regards my friends and remember, study your history because it's a shame that this kind of facts seem too old when it was just some years ago.

Endesa ransomware hunted by SIEM

Last week was disturbing and cautious with the new ransomware which cheats users with a fake bill of the Spanish electricity company Endesa. As always and at the beginning, antimalware and malicious webfilter tools didn't detect and block this ransomware because it was unknown until then. It's “easy” to create a new malware and a new phishing campaign, and take advantage of DGA techniques to deploy ransomware jumping security controls. However, if we have a SIEM with a threat intelligent engine (Event Correlation, IDS, HIDS, etc), we can detect that something is wrong due to the mix and correlation of multiple events from different systems and tools.

In fact, this time I want to show how we detected this ransomware with the Ariolo Probe even before we knew it was a massive phishing campaign. Next we can see the three alarms we received when the SIEM warned us that something was wrong.

SIEM Alarms

 

Malicious website – Phishing activity

The first alarm said that an user was downloading from a Czech webserver a Java Script file inside of a ZIP file which is observed as lure in malspam campaigns. This was true as we checked into the firewall logs. The user had clicked to download the fake bill and the firewall allowed it because the endesa-clientes.com domain was unrated by webfiltering services, while today it's already as malicious website.

Phishing activity

Logs Firewall

Java Script inside a ZIP file

 

Client Side Exploit – Known Vulnerability – Malicious Document

The second alarm said that an user was downloading from a Italian webserver a malicious document, which was an EXE or DLL Windows file. As we can see, the Java Script inside ZIP file had redirected to another website to download an executable file called 1.exe, which maybe take advantage of a Windows vulnerability realeased in February.

Malicious Document

EXE Windows file

Anonymous channel – TOR SSL

The third alarm said that the user had connected to the EEUU with a covert SSL channel which used the anonymous Tor Network. Two domains (www.ekqcloky6as531jvixio.com and www.335efhjio6xjyzsx.net) were used against Tor Network and there is to highlight that tcp/80 has always been used to jump firewall filtering.

Once here … we couldn't track any connection, we don't know what happened after this communication. Did they steal something? Who knows. Think about it.

TOR SSL

tor2www proxy detected

 

This is an example of how we can detect ransomware or whatever goes wrong regardless of whether antivirus or webfiltering are updated because the infection pattern usually is the same.

What can we do to block this kind of infection? Warning every user, awareness sessions are the best, blocking every downloaded ZIP and EXE file with a firewall, users are users and they shouldn't have administrator privileges to install applications, updating every system is mandatory, trusting in professional people is a requirement, etc, etc.

Regards my friends and remember, be careful, pay attention to your alarms and contact with professionals if you want to protect your information.