Hey Guys, im not sure if this is a new point. But i´m thinking about a possible security hole by design which exists at maybe many (german) cable providers. German cable providers like Unitymedia/Kabel Deutschland provides u a Fritzbox or any other Cable-Router for internet access. As you know, this routers have a mac-address on every Interface like on wifi, ethernet and so on. By default, the Wifi-SSID is public available. The SSID gives you he MAC to the wifi-iface, right? If so, then you can calculate the MAC of the other Interfaces by adding or substracting the last oktekt by one or maybe two. So, my theory: If you are able to fetch the SSID by wardriving, you should also get the MAC of the other interfaces, especialy of the cable-interface. Means: you should be able to calc the MAC of any interface of the device. If so: With a hardware debug interface you should be able to modify the firmware of a router like the well known Fritzbox. This should enable you the possibilty to modifiy the MAC of the interfaces. When im Right, then it must be easy by simply do some wardriving and collection some SSID´s from this provider. With this fetched and public available data i should be able to clone a Fritzbox. As i know, routers like the Fritbox get provisioned by the TR069 protocol. This means, the router Identifies it selfs via MAC against a TR069 provisioning-server to get its configuration on the first Contact. So with this in mind, i should be able to clone the router, identify against at an TR069 Server, grab the config from the TR069 provisioning-server and setup a clone oft he official customer router. Am i right or do miss something in this idea??? Mit freundlichen Grüßen, Sebastian Michel
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment