Router RTA04N Backdoor

From Área31 Hackerspace
Revision as of 23:45, 9 December 2015 by Coffnix
Responsible:
* Raphael Bastos aka coffnix
* Ewerson Guimarães aka Crash
* Gabriel Lanzi aka Glanzi

Who put the backdoor in my router?

Research Information

This is INDEPENDENT research conducted by two freaks:

  • Raphael Bastos (Coffnix): the one who actually found the backdoor.
  • Ewerson Guimarães (Crash): continued the research, did more device tests and contacted the vendors.


Abstract

For quite some time we have been seeing espionage cases reaching countries, governments and large companies.

A large number of backdoors have been found in network devices, mobile phones and other related devices; the main cases are the ones reported by the media, involving TP-Link, D-Link, Linksys, Samsung and other internationally renowned companies.

This article will discuss a backdoor found on the modem / router XXX, a piece of equipment with a big question mark hanging over it: there is no vendor identification, no information about who its manufacturer is, and at least 7 companies are linked to its production, sales and distribution in the market. Moreover, some of them never really existed. This leads us to the question in the research title: “Who put the backdoor in my modem?”

Detailed Outline

In recent research on an RTA04N device, supplied by GVT (a Brazilian ISP), we found some intriguing facts:

The vendor’s website does exist, but it has only one screen with the company logo and no links to other areas such as manuals, support or firmware.


The device

GVT router from Belo Horizonte, Minas Gerais, Brazil.

Strange default SSID and password, based on the MAC address and serial number:

Router 01

[Photos: Router 01, front and back]

Router 02

[Photos: Router 02, front and back]


Internal

[Photo: internal view of the device]


Legal

The device is approved by ANATEL (the Brazilian National Telecommunications Agency):

http://sistemas.anatel.gov.br/sgch/HistoricoCertificado/Homologacao.asp?NumRFGCT=217112&idtHistoricoCert=9349313


More strange stuff...

BayTech

Address: Rua Aluisio Azevedo - 40 - Rocha - Rio de Janeiro-RJ / Brazil - CEP: 20960-050

Observa Telecom

In the device manager you can see Observa Telecom, but....

The device's MAC address starts with E4:C1:46, which refers to the company Objectivo y Servicios de Valor Anadido, which in the end refers directly to Observa Telecom (see the Wireshark manuf file):

https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob_plain;f=manuf;hb=HEAD

The vendor’s website “exists”, but it has only one screen with the company logo and no links to other areas such as manuals, support or firmware.

Of course, they don't reply to emails...

https://www.nic.es


Of course, they don't reply to emails (11 of them)...

GVT (Global Village Telecom)

This device is distributed by GVT (an internet service provider).

According to GVT technical support and GVT's website, this modem/router is not supported by them.


Don't believe it? Take a look at:

http://www.gvt.com.br/PortalGVT/Atendimento/Area-Aberta/Documentos/Lista-de-Modens


Hex dump

Opening its firmware in a hex viewer... Wow, wait, it's made by TP-LINK??????
