1
00:00:00,399 --> 00:00:09,720
*32C3 preroll music*

2
00:00:09,720 --> 00:00:13,680
Herald: The next talk is going to be
“Beyond Your Cable Modem”

3
00:00:13,680 --> 00:00:17,590
– how not to do DOCSIS networks.

4
00:00:17,590 --> 00:00:21,760
Sorry, I’m not a hardware guy.
But Alexander Graf is going to

5
00:00:21,760 --> 00:00:25,790
hold the talk and he has
done a lot of virtualization

6
00:00:25,790 --> 00:00:29,299
and stuff other people
think is too complicated.

7
00:00:29,299 --> 00:00:32,550
Now he is going to talk about

8
00:00:32,550 --> 00:00:36,740
the outside of your apartment.
Give him a warm welcome.

9
00:00:36,740 --> 00:00:43,740
*applause*

10
00:00:44,850 --> 00:00:47,250
Alexander: Hi and welcome to my
talk “Beyond Your Cable Modem”.

11
00:00:47,250 --> 00:00:50,390
This is going to look at what’s beyond
the stuff you usually see at home

12
00:00:50,390 --> 00:00:54,420
where you just plug in a network cable
and you happen to have Internet available.

13
00:00:54,420 --> 00:00:56,000
So, who am I?

14
00:00:56,000 --> 00:00:58,600
I’m Alexander Graf – I’m usually
more of a virtualization developer.

15
00:00:58,600 --> 00:01:00,690
I have nothing to do with
hacking in my day work,

16
00:01:00,690 --> 00:01:04,610
I don’t usually go around and
hack embedded devices.

17
00:01:04,610 --> 00:01:06,440
Usually, at least.

18
00:01:06,440 --> 00:01:09,370
But, during the last year, I had
a lot of spare time at night

19
00:01:09,370 --> 00:01:11,670
because the baby was
crying, so I figured:

20
00:01:11,670 --> 00:01:17,010
I could as well spend that time
and do something useful.

21
00:01:17,010 --> 00:01:19,930
So, what happened?
We moved to a new home.

22
00:01:19,930 --> 00:01:22,790
I was living in a home
where I had DSL available,

23
00:01:22,790 --> 00:01:26,540
I had a real phone line, everything
was great, things were just awesome.

24
00:01:26,540 --> 00:01:32,400
But then we moved into
this new home where…

25
00:01:32,400 --> 00:01:35,389
where there was no DSL available. Well,
there was DSL available but there were

26
00:01:35,389 --> 00:01:39,890
different circumstances why I couldn’t use
it. So instead, I figured: You know what?

27
00:01:39,890 --> 00:01:43,940
Try this cool new technology:
Internet over your cable TV.

28
00:01:43,940 --> 00:01:46,100
Ehh, cable. TV cable.

29
00:01:46,100 --> 00:01:48,870
So I got myself a cable
modem from the provider,

30
00:01:48,870 --> 00:01:52,690
got myself registered and
now had Internet over cable TV.

31
00:01:52,690 --> 00:01:56,650
Also, along the same lines, I figured:

32
00:01:56,650 --> 00:01:59,820
Why not go and also do your phone
line over that cable provider

33
00:01:59,820 --> 00:02:04,530
with your old phone number so that people
still can contact you when they want to.

34
00:02:04,530 --> 00:02:08,199
Now, the thing is, when I finally
received the whole package,

35
00:02:08,199 --> 00:02:12,219
I realized: Woh! Wait!
Something’s wrong here!

36
00:02:12,219 --> 00:02:18,950
That’s an analogue phone line!
Are we, like, in 2015 or is it 1994?

37
00:02:18,950 --> 00:02:21,660
So, instead of the usual digital
stuff that I am used to,

38
00:02:21,660 --> 00:02:25,029
I just got myself an analogue phone line.

39
00:02:25,029 --> 00:02:27,880
So I had to put myself
another box in there

40
00:02:27,880 --> 00:02:30,599
that would convert the analogue phone
line back to a digital phone line,

41
00:02:30,599 --> 00:02:33,249
so I could route it in my house to
another line, to another machine

42
00:02:33,249 --> 00:02:36,269
that would then go and
route it to my phone.

43
00:02:36,269 --> 00:02:38,349
You see the problem in there?

44
00:02:38,349 --> 00:02:41,859
Yeah, that whole stuff over there
just doesn’t look right, right?

45
00:02:41,859 --> 00:02:45,089
Why would you go and convert
something that is obviously digital?

46
00:02:45,089 --> 00:02:48,200
I mean, the stuff that goes into
your cable is obviously digital, right?

47
00:02:48,200 --> 00:02:50,149
Kind of obvious…

48
00:02:50,149 --> 00:02:52,639
and convert it back to analogue
and then back to digital

49
00:02:52,639 --> 00:02:55,209
just to be able to do a phone call.

50
00:02:55,209 --> 00:02:59,989
So I called up the technicians, Support,
and said: “Hey guys, you know what?

51
00:02:59,989 --> 00:03:02,519
Isn’t there a way I can,
like, directly access

52
00:03:02,519 --> 00:03:07,719
whatever you have there and go
and use digital throughout?”

53
00:03:07,719 --> 00:03:10,969
And the guy said: “Well, you know what?
Actually, behind the scenes,

54
00:03:10,969 --> 00:03:14,389
we’re all just running SIP.
It’s just a normal SIP server.

55
00:03:14,389 --> 00:03:17,360
Just normal voice-over-IP,
nothing special about it.

56
00:03:17,360 --> 00:03:22,799
So, if you know what you’re doing,
just go ahead and connect to it.”

57
00:03:22,799 --> 00:03:31,689
*laughter and applause*

58
00:03:31,689 --> 00:03:34,580
Challenge accepted.

59
00:03:34,580 --> 00:03:39,529
So, what we learned from
Felix earlier in his car talk:

60
00:03:39,529 --> 00:03:42,220
It was: What do you do when you
don’t want to brick your own system?

61
00:03:42,220 --> 00:03:45,670
Of course, you buy a new one
on ebay. They’re really cheap,

62
00:03:45,670 --> 00:03:49,700
just go and get a cable modem
and then you can go away and

63
00:03:49,700 --> 00:03:53,330
treat it with the kind of love that you
want a device to be treated with.

64
00:03:53,330 --> 00:03:55,980
*laughter*

65
00:03:55,980 --> 00:04:00,039
Turns out, my modem is actually
just running Linux. Hooh! Nice!

66
00:04:00,039 --> 00:04:02,419
That fits me pretty well!

67
00:04:02,419 --> 00:04:05,269
And it’s just a normal ARM system.

68
00:04:05,269 --> 00:04:07,449
Well, the only special
thing is: It’s Big-Endian.

69
00:04:07,449 --> 00:04:11,869
But then again, I’m kind of used to
ARM by now, why not just go away

70
00:04:11,869 --> 00:04:14,659
and like go around and just
look at how this thing works.

71
00:04:14,659 --> 00:04:18,340
And, well, we really just want to
get this voice-over-IP stuff working,

72
00:04:18,340 --> 00:04:22,340
so take a look at how this
voice-over-IP stuff works on the device!

73
00:04:22,340 --> 00:04:24,480
Turns out, there’s actually a normal SIP.

74
00:04:24,480 --> 00:04:28,540
SIP works on port 5060 usually.

75
00:04:28,540 --> 00:04:33,419
Normal SIP client running on
there, but this IP looks weird.

76
00:04:33,419 --> 00:04:35,490
So, my external IP looks different.

77
00:04:35,490 --> 00:04:40,920
And my internal IP is different, so
where does this IP come from?

78
00:04:40,920 --> 00:04:44,130
So I looked at the IP list
of my device and figured:

79
00:04:44,130 --> 00:04:47,729
Well, something’s weird here. I have
a lot of IPs in there and connections

80
00:04:47,729 --> 00:04:52,960
that I really don’t know
anything about. Hm.

81
00:04:52,960 --> 00:04:56,899
So down here, is obviously my phone line.

82
00:04:56,899 --> 00:05:02,849
And up here, is something else
that I have no idea what this is about.

83
00:05:02,849 --> 00:05:06,749
So I figured: Let’s go
and dig a bit deeper.

84
00:05:06,749 --> 00:05:09,810
And see what’s actually happening there.

85
00:05:09,810 --> 00:05:13,810
So how does DOCSIS work?
This is just a small introduction,

86
00:05:13,810 --> 00:05:16,816
like high-level introduction,
on how the routing runs.

87
00:05:16,816 --> 00:05:21,699
So basically, you have the cable modem
that is connected using your TV cable line

88
00:05:21,699 --> 00:05:25,970
to a CMTS, just a translation service,

89
00:05:25,970 --> 00:05:29,840
that then takes all of the DOCSIS-specific
stuff and just basically gives you

90
00:05:29,840 --> 00:05:35,849
an IP routing over into something-
something-something behind it.

91
00:05:35,849 --> 00:05:39,500
However, it doesn’t just give you one
line. It actually gives you three.

92
00:05:39,500 --> 00:05:42,689
It gives you one line for your Internet.
Makes sense, right? You want

93
00:05:42,689 --> 00:05:46,279
to get online. That’s the one you actually
see when you plug into the device.

94
00:05:46,279 --> 00:05:49,299
It also gives you another line for VoIP.

95
00:05:49,299 --> 00:05:51,690
And it gives you one more line
that I would call the “Admin” line.

96
00:05:51,690 --> 00:05:55,710
It’s the provisioning line.

97
00:05:55,710 --> 00:05:59,549
Now, let’s start with the Admin line.
That sounds the most interesting, right?

98
00:05:59,549 --> 00:06:00,920
*laughter*

99
00:06:00,920 --> 00:06:03,819
What does the Admin line do?

100
00:06:03,819 --> 00:06:09,080
Well, in the end, a modem in the DOCSIS
network is just a normal client

101
00:06:09,080 --> 00:06:11,159
like in your Ethernet network.

102
00:06:11,159 --> 00:06:13,890
So the first thing it does
when it gets online is:

103
00:06:13,890 --> 00:06:16,750
it does a DHCP request.
And on the DHCP request

104
00:06:16,750 --> 00:06:20,229
it goes and gets an IP address
and gets all the information it needs.

105
00:06:20,229 --> 00:06:25,340
And it also, well, it’s kind of sane,
it’s just a normal DHCP request.

106
00:06:25,340 --> 00:06:28,949
It also, however, gets something
similar to PXE booting

107
00:06:28,949 --> 00:06:32,960
where it gets usually… in PXE booting you
would get an executable that you’d run,

108
00:06:32,960 --> 00:06:35,709
here, you get something different.
Here, you also get a file

109
00:06:35,709 --> 00:06:39,159
that you need to download
using TFTP just like with PXE.

110
00:06:39,159 --> 00:06:44,769
However, in this case,
it’s a configuration file…

111
00:06:44,769 --> 00:06:46,900
– There you go –
…configuration file…

112
00:06:46,900 --> 00:06:50,109
…that you just receive using
PXE to your cable modem;

113
00:06:50,109 --> 00:06:52,989
and then, the cable modem is configured.

114
00:06:52,989 --> 00:06:56,680
Now what is inside this Provisioning
File, that’s what I call it? Well,

115
00:06:56,680 --> 00:07:01,360
there’s interesting information like: What
is your firmware update filename called?

116
00:07:01,360 --> 00:07:04,530
If you want to update your firmware
or if the provider wants to have you

117
00:07:04,530 --> 00:07:09,799
update your firmware.
How much bandwidth do I have?

118
00:07:09,799 --> 00:07:14,189
*laughter*

119
00:07:14,189 --> 00:07:17,370
I hear, people have been
playing with that one…

120
00:07:17,370 --> 00:07:20,289
*laughter*

121
00:07:20,289 --> 00:07:23,749
And, well, since it’s just a normal TFTP
request you can just do it yourself, too.

122
00:07:23,749 --> 00:07:28,499
This is my configuration. You just go, get
it, and you have your configuration file.

123
00:07:28,499 --> 00:07:34,219
Now, the interesting thing that I realised
when I first started doing this was:

124
00:07:34,219 --> 00:07:36,999
Sure, this is my configuration file.
But what about configuration files

125
00:07:36,999 --> 00:07:42,080
from other people? Well, you
go and get the MAC address,

126
00:07:42,080 --> 00:07:44,560
if you have the MAC address you
just go and get it and there you go:

127
00:07:44,560 --> 00:07:47,339
You have the other people’s
configuration file.

128
00:07:47,339 --> 00:07:48,460
*laughter*

129
00:07:48,460 --> 00:07:51,440
Easy as that, right? That’s the
way it’s supposed to work.

130
00:07:51,440 --> 00:07:58,440
*applause*

131
00:07:59,690 --> 00:08:03,099
The actual effects of that,
we’re going to come to that later.

132
00:08:03,099 --> 00:08:05,909
Let’s just declare TFTP,
the whole access to that,

133
00:08:05,909 --> 00:08:08,920
as “slightly insecure” for now.

134
00:08:08,920 --> 00:08:11,840
*laughter*

135
00:08:11,840 --> 00:08:16,329
But now, if you’re an ISP, you want to
monitor what your people do, right?

136
00:08:16,329 --> 00:08:18,910
So imagine, you’re the admin there.

137
00:08:18,910 --> 00:08:21,619
Just imagine, you’re one
of the good guys, right?

138
00:08:21,619 --> 00:08:24,650
And you want to see what are those
people on your modem doing.

139
00:08:24,650 --> 00:08:27,060
Are they, like, downloading
too much content?

140
00:08:27,060 --> 00:08:32,410
Because you obviously cannot filter
or find that out from the other side.

141
00:08:32,410 --> 00:08:35,890
So, what do you do? Well, you obviously
send the industry standard for that:

142
00:08:35,890 --> 00:08:42,130
An SNMP request. Using a
password that only you know.

143
00:08:42,130 --> 00:08:47,220
*laughter*

144
00:08:47,220 --> 00:08:50,190
Send it over to the cable modem
and the cable modem then goes in

145
00:08:50,190 --> 00:08:54,010
and replies with the respective
reply saying “Oh, yeah, sure,

146
00:08:54,010 --> 00:08:57,250
I got that piece of information,
there you go, you have it.”

147
00:08:57,250 --> 00:09:00,580
Oh, that was too quick!

148
00:09:00,580 --> 00:09:07,580
But how does your modem
actually verify that password?

149
00:09:07,940 --> 00:09:10,740
Yeah, you guessed right: Using
the Provisioning File, obviously!

150
00:09:10,740 --> 00:09:12,810
*laughter*

151
00:09:12,810 --> 00:09:17,010
Once you download the Provisioning File
from any random modem in there

152
00:09:17,010 --> 00:09:22,640
– including yours – you end up
getting an interesting password.

153
00:09:22,640 --> 00:09:27,800
*laughter*

154
00:09:27,800 --> 00:09:30,480
However, they actually
did at least one thing:

155
00:09:30,480 --> 00:09:35,150
They limited the address range you are
allowed to access those devices on.

156
00:09:35,150 --> 00:09:39,540
*laughter*

157
00:09:39,540 --> 00:09:46,540
Yeah…
*applause*

158
00:09:47,090 --> 00:09:50,210
As a hint for those who did not clap:

159
00:09:50,210 --> 00:09:54,740
This means, everybody
who is in that network.

160
00:09:54,740 --> 00:09:57,250
But how big is this network?

161
00:09:57,250 --> 00:10:01,520
I figured: Why not just give it a try
and ask some people in Hannover

162
00:10:01,520 --> 00:10:03,930
whether I could just get
their MAC addresses

163
00:10:03,930 --> 00:10:06,850
and see how far I could get.

164
00:10:06,850 --> 00:10:10,920
Just send an SNMP request over,
I had the password now, right?

165
00:10:10,920 --> 00:10:15,060
And ask that modem:

166
00:10:15,060 --> 00:10:18,380
“Please tell me everything you know!”

167
00:10:18,380 --> 00:10:22,770
And it replied!
*laughter*

168
00:10:22,770 --> 00:10:25,130
There’s a lot of interesting information,
SNMP, you wouldn’t believe it!

169
00:10:25,130 --> 00:10:28,880
So this is obviously just stuff like
“Oh, yeah, I’m this and that modem!”

170
00:10:28,880 --> 00:10:31,160
But there’s more in there.
There’s, for example…

171
00:10:31,160 --> 00:10:34,280
this is my public IP address!

172
00:10:34,280 --> 00:10:38,170
– in case you’re searching
for someone specific. Or…

173
00:10:38,170 --> 00:10:41,250
these are my internal MAC
addresses and IP addresses.

174
00:10:41,250 --> 00:10:43,790
In case you’re searching for some
specific notebook that someone

175
00:10:43,790 --> 00:10:49,530
stole from you or so.
*laughter*

176
00:10:49,530 --> 00:10:53,390
Or… this is my Provisioning File, in
case you just happened to port scan

177
00:10:53,390 --> 00:10:56,110
all of the machines out there and
ask them using the same password

178
00:10:56,110 --> 00:11:01,040
that they all share on what their
Provisioning Files could be called.

179
00:11:01,040 --> 00:11:02,410
*clears throat*

180
00:11:02,410 --> 00:11:04,596
Of course, I never did that. Right?

181
00:11:04,596 --> 00:11:08,040
*laughter*

182
00:11:08,040 --> 00:11:15,040
So, I would say, the whole SNMP story
isn’t “really” all that secure either.

183
00:11:15,970 --> 00:11:19,610
But at a certain point in time, like when
the modem actually doesn’t work

184
00:11:19,610 --> 00:11:22,310
like the way you would envision
it to be or if you just need to do

185
00:11:22,310 --> 00:11:25,990
more administrative stuff, the admin wants
to have more access than just SNMP, right?

186
00:11:25,990 --> 00:11:31,020
This is kind of isolated to a few
specific pieces of information.

187
00:11:31,020 --> 00:11:36,940
You want some more hardcore access.
Like real go down into a real shell.

188
00:11:36,940 --> 00:11:40,430
How do you do shells in 2015?
Audience: TELNET!

189
00:11:40,430 --> 00:11:44,470
Alexander: Telnet. Exactly!
*laughter*

190
00:11:44,470 --> 00:11:51,470
*applause*

191
00:11:52,650 --> 00:11:58,820
We’ll actually get to the point why
Telnet was a good idea later, but…

192
00:11:58,820 --> 00:12:04,260
that’s 30 slides down or so.

193
00:12:04,260 --> 00:12:07,420
We already managed to get an SNMP
connection working to a different modem,

194
00:12:07,420 --> 00:12:12,660
let’s just try the same with Telnet
and see how far we can get.

195
00:12:12,660 --> 00:12:19,090
We can go in and just Telnet in and it
replies and says “please give me a login”

196
00:12:19,090 --> 00:12:23,930
Hm. Now where do I get this login from?

197
00:12:23,930 --> 00:12:26,160
*laughter*

198
00:12:26,160 --> 00:12:29,900
Turns out, the administrator needs to
provide that password just the same

199
00:12:29,900 --> 00:12:33,100
to the modem, which needs to verify it.

200
00:12:33,100 --> 00:12:37,550
Based on configuration. Which it gets
from the Provisioning File. That…

201
00:12:37,550 --> 00:12:41,490
I think you see the point.

202
00:12:41,490 --> 00:12:44,680
So in the same Provisioning File that you
can obviously again download for every

203
00:12:44,680 --> 00:12:49,880
single user in the network
you also have the password.

204
00:12:49,880 --> 00:12:52,980
In plaintext.

205
00:12:52,980 --> 00:12:56,250
That’s the part that actually took
me the longest in this whole thing.

206
00:12:56,250 --> 00:12:59,980
I spent weeks trying to
figure out what hash this is.

207
00:12:59,980 --> 00:13:05,210
*raging laughter*

208
00:13:05,210 --> 00:13:11,550
*big applause*

209
00:13:11,550 --> 00:13:15,880
So if we try to log in to the server
using those credentials we got,

210
00:13:15,880 --> 00:13:18,200
we get greeted with a nice
command line interface

211
00:13:18,200 --> 00:13:22,180
for poor Mr. Admin at our provider’s side.

212
00:13:22,180 --> 00:13:26,540
But I don’t really like those,
like, boiled-down interfaces.

213
00:13:26,540 --> 00:13:29,210
I want a real shell.
I want to load kernel modules.

214
00:13:29,210 --> 00:13:31,730
I want to filter all my network traffic.

215
00:13:31,730 --> 00:13:35,730
I want to reroute everything that
modem does to a different machine.

216
00:13:35,730 --> 00:13:41,110
I want to rewrite the VoIP
client to instead do… either way!

217
00:13:41,110 --> 00:13:44,520
So I want to do something real.
Let’s do the help command

218
00:13:44,520 --> 00:13:47,480
and it tells us that there’s a
cool command called “shell”.

219
00:13:47,480 --> 00:13:49,550
*laughter*

220
00:13:49,550 --> 00:13:52,890
Ah yeah, there you go, got a shell!

221
00:13:52,890 --> 00:13:57,070
By now, at that point, I can actually
go and do anything I want to that modem.

222
00:13:57,070 --> 00:14:01,760
I got full root access. By the way,
all the modems run every single

223
00:14:01,760 --> 00:14:05,390
piece of software running on there,
including your web server and your

224
00:14:05,390 --> 00:14:11,280
SIP server and anything as UID 0.
Which is a good idea, right?

225
00:14:11,280 --> 00:14:14,680
So, I now got shell access so
I can do anything I want.

226
00:14:14,680 --> 00:14:18,510
I can re-route all your traffic,
I don’t, obviously, but

227
00:14:18,510 --> 00:14:21,980
this is basically where we
went half a year ago.

228
00:14:21,980 --> 00:14:25,390
Another thing to note is that
– since it’s so annoying to generate

229
00:14:25,390 --> 00:14:29,660
different passwords for different devices…

230
00:14:29,660 --> 00:14:31,780
Yeah, yeah, I know.

231
00:14:31,780 --> 00:14:36,080
You just use one password
for all, right? It’s good enough.

232
00:14:36,080 --> 00:14:42,620
So you don’t even have to read the
other person’s Provisioning File,

233
00:14:42,620 --> 00:14:45,040
you can just use your own password
that is in your own Provisioning File

234
00:14:45,040 --> 00:14:50,330
which you already have on your modem
because you’re provisioned yourself.

235
00:14:50,330 --> 00:14:54,300
The only notable exception that
I found to this whole scheme

236
00:14:54,300 --> 00:14:57,690
– I mean, you could basically go
and log in to any modem out there,

237
00:14:57,690 --> 00:15:02,140
except for Fritz!Boxes.
*applause*

238
00:15:02,140 --> 00:15:07,920
Yeah, congratulations everyone! Kudos!

239
00:15:07,920 --> 00:15:11,570
So, apparently, AVM are the only ones
who did not follow the standard scheme

240
00:15:11,570 --> 00:15:15,480
from my provider and instead said: “No
no no, guys! You don’t do the firmware.

241
00:15:15,480 --> 00:15:20,170
WE do the firmware”, and they just
don’t like to enable Telnet. Apparently

242
00:15:20,170 --> 00:15:25,430
there are people in that company that
actually know what they’re doing.

243
00:15:25,430 --> 00:15:31,010
So, I would say the whole Telnet
access thing isn’t exactly…

244
00:15:31,010 --> 00:15:36,660
I wouldn’t mark it “secure”
either. Naahhh… naaah…

245
00:15:36,660 --> 00:15:39,240
But we didn’t really come here
for the Admin network, right?

246
00:15:39,240 --> 00:15:45,020
I was just… it happened to be around.
I just looked at it and… njeeeeeh.

247
00:15:45,020 --> 00:15:48,420
We wanted to go and do
voice-over-IP! Hah!

248
00:15:48,420 --> 00:15:52,030
Yeah, so what does VoIP look
like? It’s kind of similar.

249
00:15:52,030 --> 00:15:54,130
It also does a DHCP
request in the beginning.

250
00:15:54,130 --> 00:15:59,600
DHCP is usually fine, I mark
it with a green tick here.

251
00:15:59,600 --> 00:16:04,770
I’ll leave it to others to further
dig down into that part.

252
00:16:04,770 --> 00:16:09,690
It does the same TFTP bit so if you just
go and – instead of downloading your

253
00:16:09,690 --> 00:16:16,660
Provisioning File from your own modem,
from the RAN, from the admin network –

254
00:16:16,660 --> 00:16:23,200
you just go and get it from the other MAC
address and there you go, you have it.

255
00:16:23,200 --> 00:16:29,250
Nicely enough, all those cable providers
registered consecutive MAC addresses,

256
00:16:29,250 --> 00:16:35,770
so if you have one,
you also have the others.

257
00:16:35,770 --> 00:16:40,070
Just… You basically just ask a friend:
“Give me your MAC address that’s

258
00:16:40,070 --> 00:16:44,090
written on the box” and you basically
have everything you need.

259
00:16:44,090 --> 00:16:46,760
SNMP is the same thing.
You can access it using SNMP.

260
00:16:46,760 --> 00:16:49,280
The really nice thing about
SNMP here is that the box also

261
00:16:49,280 --> 00:16:53,980
tells you the other accesses it has, so
if you only have one IP address, or…

262
00:16:53,980 --> 00:16:57,950
I also have a nice DNS service internally
that tells you what the IP address is

263
00:16:57,950 --> 00:17:01,210
to a certain MAC address, so you just
ask the DNS for the MAC address of

264
00:17:01,210 --> 00:17:09,409
the VoIP access, then you go and
SNMP, ask it for the IP address

265
00:17:09,409 --> 00:17:14,169
of the admin network, and
there you go. You’re in the box.

266
00:17:14,169 --> 00:17:17,940
However, the really interesting bit
on the voice-over-IP network is SIP.

267
00:17:17,940 --> 00:17:22,330
Since… you want to do VoIP, right?
That’s what the whole thing is about.

268
00:17:22,330 --> 00:17:28,330
So VoIP basically works… the way that your
modem wants to go and do a phone call.

269
00:17:28,330 --> 00:17:30,730
So how do you do a phone call with SIP?

270
00:17:30,730 --> 00:17:38,690
You need to provide data like credentials,
like, tell the other side, the server,

271
00:17:38,690 --> 00:17:40,470
how you authenticate yourself.

272
00:17:40,470 --> 00:17:43,890
Which, obviously, is written
in your Provisioning File.

273
00:17:43,890 --> 00:17:47,640
So, you use those and tell the
server: “I want to do a phone call”

274
00:17:47,640 --> 00:17:49,580
and there you go: You do a phone call.

275
00:17:49,580 --> 00:17:54,000
Now if we look at this Provisioning File,
you can see that it contains your server

276
00:17:54,000 --> 00:17:57,560
and your user name and your phone number

277
00:17:57,560 --> 00:18:03,870
and your… well, basically everything
you’d need to log in to a SIP server.

278
00:18:03,870 --> 00:18:10,310
Now, since I can read, anybody
else’s Provisioning Files, …

279
00:18:10,310 --> 00:18:11,590
*laughter*

280
00:18:11,590 --> 00:18:16,440
So, imagine I’m this user up there. Right?

281
00:18:16,440 --> 00:18:21,400
And I’m just doing a normal call
as this phone number up there.

282
00:18:21,400 --> 00:18:24,330
Well, maybe there’s this
other guy in the network

283
00:18:24,330 --> 00:18:27,700
who just goes in and downloads
your Provisioning File

284
00:18:27,700 --> 00:18:31,070
and, well, he gets all the credentials
he would need, so he gets

285
00:18:31,070 --> 00:18:35,870
the same phone number and
then he can just go and do a call.

286
00:18:35,870 --> 00:18:46,800
Hm. Yeah. Maybe I should have
registered a few 0900 numbers.

287
00:18:46,800 --> 00:18:50,500
Now the really interesting part here is –
it also works the other way!

288
00:18:50,500 --> 00:18:53,900
You register for it and if you’re
the fastest one registering it,

289
00:18:53,900 --> 00:18:58,580
the other modem doesn’t get the
chance to receive calls which means

290
00:18:58,580 --> 00:19:02,360
now you receive the calls and then you can
just tell the other modem that there was

291
00:19:02,360 --> 00:19:06,910
a call, just that, by now, you actually
route all the traffic through your modem

292
00:19:06,910 --> 00:19:13,000
and you can listen to all the voice data
that there is on the line. Yay!

293
00:19:14,450 --> 00:19:18,260
Yeah…
*laughter*

294
00:19:18,260 --> 00:19:22,160
Not sure it’d be a good idea to
talk to your lawyer around…

295
00:19:22,160 --> 00:19:27,030
Using this line for secure stuff
is probably not the best.

296
00:19:27,030 --> 00:19:33,080
I wouldn’t mark SIP as secure
on this thing, either.

297
00:19:33,080 --> 00:19:38,240
But at this point, so on the Telnet
access and on all the other parts,

298
00:19:38,240 --> 00:19:40,870
I was, like, sure,
I can fix it for myself.

299
00:19:40,870 --> 00:19:44,230
I’m an egoist, right?
I can fix it for myself.

300
00:19:44,230 --> 00:19:46,650
I don’t care about the rest of mankind…

301
00:19:46,650 --> 00:19:51,270
I do, but I can claim that!

302
00:19:51,270 --> 00:19:54,490
I can just as well ignore all the
others and say: I fix it for myself.

303
00:19:54,490 --> 00:19:58,420
But for voice-over-IP, I can’t.
Because I’m completely out of the loop.

304
00:19:58,420 --> 00:20:05,090
This other guy, he could just go and
steal my credentials, because he can…

305
00:20:05,090 --> 00:20:07,050
and there’s nothing I can do about it.

306
00:20:07,050 --> 00:20:12,080
So at that point, I was kind of scared
that someone would be able to hack me.

307
00:20:12,080 --> 00:20:17,120
So I started to think about
how to fix this thing.

308
00:20:17,120 --> 00:20:22,540
Now, the first thing that comes to
mind is obviously: You as a user

309
00:20:22,540 --> 00:20:28,910
go and pick up the phone and call
the service line from your provider.

310
00:20:28,910 --> 00:20:31,540
*laughter*

311
00:20:31,540 --> 00:20:34,410
Yeah, I don’t think, that’s a good idea.
*laughter*

312
00:20:34,410 --> 00:20:38,590
Nah, no I didn’t want to go down that
road, nah… So, instead, I figured,

313
00:20:38,590 --> 00:20:41,730
I’m going to call someone else.
I’m going to call a couple friends.

314
00:20:41,730 --> 00:20:44,250
*laughter and applause*

315
00:20:44,250 --> 00:20:50,960
*applause*

316
00:20:50,960 --> 00:20:54,430
Gonna call a couple of friends from
Heise, thanks to my Linux work, I knew

317
00:20:54,430 --> 00:20:59,640
a few of those, and they also tend to
do security, which kind of falls into

318
00:20:59,640 --> 00:21:02,160
this whole thing and used them as a proxy.

319
00:21:02,160 --> 00:21:09,160
So that nobody could actually go and
sue me until things were public.

320
00:21:11,690 --> 00:21:15,100
So, imagine what the provider
would do when he hears

321
00:21:15,100 --> 00:21:19,229
that I hacked into their Telnet account.

322
00:21:19,229 --> 00:21:23,670
Sure, you’d do the obvious thing:
You’d replace Telnet with SSH, right?

323
00:21:23,670 --> 00:21:26,350
It’s what everybody would do. It’s the
first thing. You look at this and think,

324
00:21:26,350 --> 00:21:29,610
like, “Oh my god, this is 2015,
why would you be doing Telnet?”

325
00:21:29,610 --> 00:21:35,720
Well, the answer is pretty simple. Emm…
*laughter*

326
00:21:35,720 --> 00:21:38,989
Take a look again. It’s not as simple
as you think. Take a look at it again,

327
00:21:38,989 --> 00:21:43,060
there’s this Provisioning File. SSH
actually gets different credentials!

328
00:21:43,060 --> 00:21:46,790
So, the SSH credentials
are actually down here.

329
00:21:46,790 --> 00:21:49,530
And the password is different
from the one on the top.

330
00:21:49,530 --> 00:21:51,410
I don’t know what the password is.

331
00:21:51,410 --> 00:21:56,310
But I can tell you that the
password hash is really cool!

332
00:21:56,310 --> 00:21:59,890
So, the password hash is something
that comes from VxWorks, so I’m pretty

333
00:21:59,890 --> 00:22:04,390
sure that there are more devices out there
that might be interesting to look at.

334
00:22:04,390 --> 00:22:06,970
The VxWorks hash actually
works in a really simple way:

335
00:22:06,970 --> 00:22:12,850
It creates a checksum of your input that
lies somewhere between those 2 numbers

336
00:22:12,850 --> 00:22:16,940
and then creates a fancy String out
of them based on some heuristics.

337
00:22:16,940 --> 00:22:21,860
But essentially, the whole password down
there boils down to just a single number

338
00:22:21,860 --> 00:22:26,740
that is basically, in a realistic case,
the upper limit is 40 characters,

339
00:22:26,740 --> 00:22:28,980
so you’re not going to see
a password that long,

340
00:22:28,980 --> 00:22:33,280
realistically you basically check around
100 passwords and any hash out there,

341
00:22:33,280 --> 00:22:37,460
any password that’s available, you
already cracked it. Which means,

342
00:22:37,460 --> 00:22:41,580
there are so many collisions in this
hash, which I wouldn’t even call a hash,

343
00:22:41,580 --> 00:22:44,390
that I don’t know what the original
password is like… I don’t know.

344
00:22:44,390 --> 00:22:47,380
But this one works pretty well!

345
00:22:47,380 --> 00:22:50,730
*laughter and applause*

346
00:22:50,730 --> 00:22:56,940
*applause*

347
00:22:56,940 --> 00:23:00,750
So we go ahead and we log into this
machine and we type in our collision

348
00:23:00,750 --> 00:23:04,080
and… there you go! We got
the same thing as before!

349
00:23:04,080 --> 00:23:07,900
So we told them again: “Guys,
look, it’s not as easy as that.

350
00:23:07,900 --> 00:23:10,860
You should probably take a bit
deeper breath and take a look

351
00:23:10,860 --> 00:23:14,390
at how things actually are broken.”

352
00:23:14,390 --> 00:23:18,030
Which, turns out, they did!
So what happened next?

353
00:23:18,030 --> 00:23:24,010
We had this whole huge mess with
lots of services that are all attackable

354
00:23:24,010 --> 00:23:27,210
and everything’s just wholly broken.

355
00:23:27,210 --> 00:23:31,960
That was two months ago.

356
00:23:31,960 --> 00:23:35,530
There were some circumstances
why we just couldn’t tell them earlier.

357
00:23:35,530 --> 00:23:39,780
And we basically told them: “Guys, you
know, in 2 months’ time we’re going to do

358
00:23:39,780 --> 00:23:43,050
a talk here and everything’s going to
be public so you might want to fix

359
00:23:43,050 --> 00:23:46,840
your network until then.”
*laughter*

360
00:23:46,840 --> 00:23:51,660
So the first thing that they did is: They
added a check to their TFTP server

361
00:23:51,660 --> 00:23:56,630
to verify whether you’re actually eligible
to download this Provisioning File.

362
00:23:56,630 --> 00:24:01,770
*applause*

363
00:24:01,770 --> 00:24:04,720
So now, you can only download your
own Provisioning File. Which is great…

364
00:24:04,720 --> 00:24:09,330
finally! I mean, this is the obvious
thing to do. So that one’s fixed.

365
00:24:09,330 --> 00:24:13,180
Then, they went ahead and said: Well,
there’s no real reason why one modem

366
00:24:13,180 --> 00:24:16,280
should do SNMP traffic with another.
So they just added a firewall, saying,

367
00:24:16,280 --> 00:24:19,570
we’re blocking SNMP traffic
between different machines

368
00:24:19,570 --> 00:24:22,610
– problem solved!

369
00:24:22,610 --> 00:24:26,780
*applause*

370
00:24:26,780 --> 00:24:30,439
The same for SSH – they went ahead and
said: There’s no reason why you should

371
00:24:30,439 --> 00:24:34,120
be doing TCP between
one modem and another.

372
00:24:34,120 --> 00:24:36,360
Problem solved!

373
00:24:36,360 --> 00:24:39,610
*applause*

374
00:24:39,610 --> 00:24:44,610
And because the VoIP access credentials

375
00:24:44,610 --> 00:24:47,910
are actually part of your Provisioning
File which you can now

376
00:24:47,910 --> 00:24:51,140
no longer download from somebody
else, that one is fixed too.

377
00:24:51,140 --> 00:24:56,689
Awesome! *shy applause*
Go ahead, go ahead, clap! It’s awesome!

378
00:24:56,689 --> 00:25:00,210
*applause*

379
00:25:00,210 --> 00:25:04,809
Thank you, ISPs. So after two months,
you actually managed to limit me

380
00:25:04,809 --> 00:25:07,900
into the borders that I was supposed
to be in, in the beginning.

381
00:25:07,900 --> 00:25:11,800
It’s cool!
So what do we have…

382
00:25:11,800 --> 00:25:16,110
Please guard your networks even if you
believe that somebody couldn’t go in

383
00:25:16,110 --> 00:25:17,970
– they probably will.

384
00:25:17,970 --> 00:25:22,930
Because, as soon as a customer
can access your device physically,

385
00:25:22,930 --> 00:25:26,290
which kind of happens to be the
case with a modem that’s sitting

386
00:25:26,290 --> 00:25:31,920
in your apartment,

387
00:25:31,920 --> 00:25:35,020
that guy can access your network.
There’s no way you can prevent it.

388
00:25:35,020 --> 00:25:38,950
So don’t believe that the border
of your network is the home.

389
00:25:38,950 --> 00:25:43,980
The border of your network is
the cable going into that home.

390
00:25:43,980 --> 00:25:46,640
The same way goes the other way
around: If an ISP gives you a device,

391
00:25:46,640 --> 00:25:48,590
don’t trust that thing.

392
00:25:48,590 --> 00:25:51,030
Seriously. They can do anything they like.

393
00:25:51,030 --> 00:25:55,230
And sometimes, somebody else can, too.

394
00:25:55,230 --> 00:26:02,510
In this case, according to my provider, I
was able to access 3 million devices.

395
00:26:02,510 --> 00:26:05,405
*applause*
That’s quite some number.

396
00:26:05,405 --> 00:26:10,590
*applause*

397
00:26:10,590 --> 00:26:16,730
Also, the press is your friend. If you
are afraid of revealing something,

398
00:26:16,730 --> 00:26:18,680
tell someone who can do it for you

399
00:26:18,680 --> 00:26:25,130
and usually, things go out well.
Let’s hope for the best.

400
00:26:25,130 --> 00:26:29,110
And then, this whole thing went
online in the beginning of the week

401
00:26:29,110 --> 00:26:32,640
and there were a couple of questions
on the forums that I read

402
00:26:32,640 --> 00:26:35,880
and I just wanted to take
the time to reply to those.

403
00:26:35,880 --> 00:26:38,200
First thing that always comes
up is: “Is this a conspiracy?”

404
00:26:38,200 --> 00:26:41,270
Like “Oh my god, this
is the NSA backdoor!”

405
00:26:41,270 --> 00:26:44,710
No way. I mean, seriously,
those guys are not that stupid.

406
00:26:44,710 --> 00:26:47,990
They have their own front doors,
they don’t need backdoors.

407
00:26:47,990 --> 00:26:50,080
*laughter*

408
00:26:50,080 --> 00:26:54,549
This really is just a case of “If we don’t
secure things, it’s going to be easier

409
00:26:54,549 --> 00:26:59,630
for us.” Njee, it was
easier for everybody,

410
00:26:59,630 --> 00:27:03,070
including the ones who
shouldn’t have access.

411
00:27:03,070 --> 00:27:07,930
So, no, this is not a conspiracy. This is
not some backdoor from some agency.

412
00:27:07,930 --> 00:27:13,110
This is really just a matter of a
company not doing their homework.

413
00:27:13,110 --> 00:27:15,970
The same thing goes for other providers.

414
00:27:15,970 --> 00:27:20,360
My cable just wasn’t long enough
to connect to some other country

415
00:27:20,360 --> 00:27:24,310
so I don’t know whether other
DOCSIS networks are affected.

416
00:27:24,310 --> 00:27:30,540
From the best of my knowledge:
Yes, they are.

417
00:27:30,540 --> 00:27:33,639
I’m not allowed to tell you to check.

418
00:27:33,639 --> 00:27:37,049
But if you happen to have
that idea on your own…

419
00:27:37,049 --> 00:27:40,480
*laughter and applause*

420
00:27:40,480 --> 00:27:47,480
*applause*

421
00:27:47,480 --> 00:27:50,269
No animals were hurt during
the production of this movie.

422
00:27:50,269 --> 00:27:51,320
*laughter*

423
00:27:51,320 --> 00:27:55,330
All the passwords were changed, so if you
happen to know the real passwords,

424
00:27:55,330 --> 00:27:58,049
you probably had a good laugh
during the presentation.

425
00:27:58,049 --> 00:28:03,660
If you don’t know the real passwords,
njeeee, they are different.

426
00:28:03,660 --> 00:28:07,130
To the best of my knowledge, all of that
knowledge that I just gave you is

427
00:28:07,130 --> 00:28:13,810
completely useless to you,
because all the issues are fixed.

428
00:28:13,810 --> 00:28:16,630
Thank you.

429
00:28:16,630 --> 00:28:32,020
*applause*

430
00:28:32,020 --> 00:28:33,690
Herald [to Alexander]: Q&A?
[Alexander nodding]

431
00:28:33,690 --> 00:28:36,009
Alexander: So now we can
go for questions if you like.

432
00:28:36,009 --> 00:28:39,399
So please… or… you go
ahead and announce it.

433
00:28:39,399 --> 00:28:43,650
Herald: So if you have questions,
run towards a microphone and

434
00:28:43,650 --> 00:28:49,020
stand behind it visibly.
The first one was on number 4.

435
00:28:49,020 --> 00:28:54,430
Q: You were talking about taking
a couple of weeks to get to know

436
00:28:54,430 --> 00:28:57,990
that the password wasn’t
hashed but plaintext.

437
00:28:57,990 --> 00:29:02,500
So how long did this whole
exchange in total go on?

438
00:29:02,500 --> 00:29:07,010
How much facepalming and
how many hours did it take for you?

439
00:29:07,010 --> 00:29:10,070
A: So I didn’t spend full time on it,
I really literally just whenever

440
00:29:10,070 --> 00:29:14,250
the baby was crying I just went up
and figured “I can do something”.

441
00:29:14,250 --> 00:29:21,550
It’s not… I basically got
cable access two years ago.

442
00:29:21,550 --> 00:29:25,210
I first got into the modem
about one year ago, I think.

443
00:29:25,210 --> 00:29:31,610
That’s when I started looking for real.

444
00:29:31,610 --> 00:29:34,670
I basically ended up digging
deeper and deeper, right? It’s not…

445
00:29:34,670 --> 00:29:38,840
VoIP, for example, I only realized the
whole voice-over-IP story in August.

446
00:29:38,840 --> 00:29:42,650
Since I just didn’t look before. I was
like so excited to see all the other bits.

447
00:29:42,650 --> 00:29:44,250
*shy laughter*

448
00:29:44,250 --> 00:29:46,350
Just didn’t look.

449
00:29:46,350 --> 00:29:48,900
Herald: Now number 1, please.

450
00:29:48,900 --> 00:29:54,220
Q: Are you really sure that the TFTP
Provisioning File fetching is secure now?

451
00:29:54,220 --> 00:30:01,429
Because… do they do some MAC
integrity tests for MAC spoofing?

452
00:30:01,429 --> 00:30:04,670
A: Yeaaaaah…

453
00:30:04,670 --> 00:30:09,259
*laughter*

454
00:30:09,259 --> 00:30:13,870
The problem is the law, right? I’m not
allowed to tell you to try it yourself,

455
00:30:13,870 --> 00:30:18,580
I’m not allowed to tell you that I don’t
think that anything on the physical layer

456
00:30:18,580 --> 00:30:23,089
is insecure. I’m not allowed to tell you
that… I mean there’s so many things

457
00:30:23,089 --> 00:30:29,109
I’m not allowed to tell you about
this whole network… I haven’t tried.

458
00:30:29,109 --> 00:30:36,109
I really just went in and said “TFTP
Fetch and see whether I can get it.”

459
00:30:36,109 --> 00:30:41,080
*laughter and applause*

460
00:30:41,080 --> 00:30:45,760
*applause*

461
00:30:45,760 --> 00:30:48,690
Herald: Number 7 up
there on the balcony.

462
00:30:48,690 --> 00:30:52,309
Q: Hello. My question is, in the
beginning in your config files,

463
00:30:52,309 --> 00:30:56,870
I think there was something about traffic
priority or network priority as well.

464
00:30:56,870 --> 00:31:00,760
Did you play around with that one as well?
Is that something about Net Neutrality,

465
00:31:00,760 --> 00:31:03,180
maybe?
A: Ahh, that’s an interesting…

466
00:31:03,180 --> 00:31:05,390
OK, so, it’s not about
Net Neutrality at all.

467
00:31:05,390 --> 00:31:11,240
It’s about QoS of different services,
so they basically say that

468
00:31:11,240 --> 00:31:15,110
VoIP traffic gets higher
priority than the other bits

469
00:31:15,110 --> 00:31:18,200
since you want to have low latency
on voice-over-IP traffic, obviously.

470
00:31:18,200 --> 00:31:20,860
So that has nothing to do with
Net Neutrality in this thing at all.

471
00:31:20,860 --> 00:31:28,210
I did play around with
those settings, just because…

472
00:31:28,210 --> 00:31:31,410
coincidentally, right the day after
the Fahrplan got released,

473
00:31:31,410 --> 00:31:35,230
my account got throttled to 80 kBit/s.

474
00:31:35,230 --> 00:31:38,130
I don’t know why.
Could be related, could be not.

475
00:31:38,130 --> 00:31:43,400
But I figured, “I’m paying for 100 MBit/s”
so I should probably get 100 MBit/s

476
00:31:43,400 --> 00:31:46,330
and started to look at those things.

477
00:31:46,330 --> 00:31:50,280
I did not manage to actually convince
my modem to get me more.

478
00:31:50,280 --> 00:31:52,820
Q: Did you change the
bandwidth in the settings?

479
00:31:52,820 --> 00:31:55,140
Herald: No dialogues, please.

480
00:31:55,140 --> 00:31:59,670
A: Yes, I did change the bandwidth.
It’s not… my guess is,

481
00:31:59,670 --> 00:32:02,359
they’re also QoS’ing on the
other side. But if you want to

482
00:32:02,359 --> 00:32:05,260
verify it, I’m not telling you not to.

483
00:32:05,260 --> 00:32:07,600
*laughter*

484
00:32:07,600 --> 00:32:09,309
Herald: Number 2, please.

485
00:32:09,309 --> 00:32:12,370
Q: Yes. So at first, thank
you for the nice insights.

486
00:32:12,370 --> 00:32:15,140
I’m a cable user, so I’m interested here.

487
00:32:15,140 --> 00:32:19,219
And I want to, again, make a
statement on the Provisioning File.

488
00:32:19,219 --> 00:32:23,940
You should have told them that the
Provisioning File fetching in this way

489
00:32:23,940 --> 00:32:26,210
isn’t a good idea anyway.

490
00:32:26,210 --> 00:32:30,460
And I personally would believe
if they cannot transfer it

491
00:32:30,460 --> 00:32:36,490
via a completely different channel,
it will not get really secure.

492
00:32:36,490 --> 00:32:39,869
A: They can not do it differently
because it’s part of a standard.

493
00:32:39,869 --> 00:32:42,849
There’s a DOCSIS standard which
all the modems have to adhere to

494
00:32:42,849 --> 00:32:46,259
and that’s part of the standard.
They cannot do it differently.

495
00:32:46,259 --> 00:32:48,350
If you want to have it done
differently, you have to tell

496
00:32:48,350 --> 00:32:53,310
the DOCSIS standardization
committee which is in India.

497
00:32:53,310 --> 00:32:56,910
Q: Yes, so I’ll talk to them. Thanks!

498
00:32:56,910 --> 00:33:00,159
Herald: Now, we’ll have a
question from the Internet.

499
00:33:00,159 --> 00:33:03,650
Q: Could two modems be
programmed to talk among

500
00:33:03,650 --> 00:33:07,169
themselves directly,
bypassing the ISP firewall?

501
00:33:07,169 --> 00:33:09,109
A: Say it again.

502
00:33:09,109 --> 00:33:15,270
*Signal Angel repeats question more slowly*

503
00:33:15,270 --> 00:33:17,110
A: You mean with the new scheme
or with the old scheme?

504
00:33:17,110 --> 00:33:21,150
With the old scheme, it was…
you could just go and route through it.

505
00:33:21,150 --> 00:33:29,200
With the new scheme… you…
not with the official modems.

506
00:33:29,200 --> 00:33:33,450
*laughter and applause*

507
00:33:33,450 --> 00:33:39,060
*applause*

508
00:33:39,060 --> 00:33:42,860
Herald: And number 8 on the balcony.

509
00:33:42,860 --> 00:33:47,199
Q: Did you find any traces
of TR-069 in this thing?

510
00:33:47,199 --> 00:33:52,450
A: I did on the AVM boxes
that were secure, yeah.

511
00:33:52,450 --> 00:33:55,939
So that was the only bit that actually
ended up making a lot of sense.

512
00:33:55,939 --> 00:33:59,470
TR-069 is a pretty nice standard.
You basically have authenticated

513
00:33:59,470 --> 00:34:03,090
– I think it was even HTTPS – traffic that
basically goes and pokes the server

514
00:34:03,090 --> 00:34:07,899
to get you a firmware update. It’s a
perfectly nice way of provisioning

515
00:34:07,899 --> 00:34:10,728
such a system. It’s definitely a
lot different from the usual way

516
00:34:10,728 --> 00:34:15,409
so on those DOCSIS modems, the usual
way to tell it to get a new “firmware” is

517
00:34:15,409 --> 00:34:19,469
either to tell it to reboot and get a new
file from the provisioning server or

518
00:34:19,469 --> 00:34:24,679
to just poke directly through SNMP to tell
it: “Go to this TFTP server over there

519
00:34:24,679 --> 00:34:27,879
with this file name and
flash it onto your Flash.”

520
00:34:27,879 --> 00:34:29,179
*laughter*

521
00:34:29,179 --> 00:34:35,039
No, I have not tried to spoof the
privileged IP address range.

522
00:34:35,039 --> 00:34:38,610
*laughter*

523
00:34:38,610 --> 00:34:41,099
Herald: Now it’s number 4 again.

524
00:34:41,099 --> 00:34:45,328
Q: The question I have is:

525
00:34:45,328 --> 00:34:49,259
When you tried to first
contact them via Heise,

526
00:34:49,259 --> 00:34:54,339
was there any way they
might have tried to

527
00:34:54,339 --> 00:34:58,470
convince you to not
do the talk and if so,

528
00:34:58,470 --> 00:35:02,460
would there be an itch on your head?

529
00:35:02,460 --> 00:35:07,229
A: They did not try in any
way whatsoever. Zero.

530
00:35:07,229 --> 00:35:10,319
Q: Do you think that was due to
the credibility or do you think

531
00:35:10,319 --> 00:35:13,580
they thought “Oh, we screwed up”?

532
00:35:13,580 --> 00:35:20,190
A: I don’t know. I don’t think they
thought any other way would work at that

533
00:35:20,190 --> 00:35:24,009
point in time. Since the press was already
involved, they are not gonna pull back

534
00:35:24,009 --> 00:35:28,099
their story, there’s nothing
else they can do.

535
00:35:28,099 --> 00:35:29,470
Q: Thank you again.

536
00:35:29,470 --> 00:35:34,339
Herald: Before I hand the microphone,
do you want to do the entire 24

537
00:35:34,339 --> 00:35:38,009
remaining minutes Q&A or
do you want to put a limit?

538
00:35:38,009 --> 00:35:41,660
Graf: No, I think 24 minutes Q&A is fine.
We can always cap it later on, right?

539
00:35:41,660 --> 00:35:44,399
Just go and ask. Ask as much as you like.

540
00:35:44,399 --> 00:35:50,749
*applause*

541
00:35:50,749 --> 00:35:53,570
Herald: The Internet, again.

542
00:35:53,570 --> 00:35:57,499
Q: How much of this would have been
possible if the modem had been

543
00:35:57,499 --> 00:36:01,729
in bridge mode?
A: My modem was in bridge mode.

544
00:36:01,729 --> 00:36:04,529
*laughter*

545
00:36:04,529 --> 00:36:07,060
Herald: And number 6.

546
00:36:07,060 --> 00:36:12,049
Q: Do you have an idea how
long this has been that way?

547
00:36:12,049 --> 00:36:16,180
And do you have any
specific reasons to believe

548
00:36:16,180 --> 00:36:20,759
what group of people

549
00:36:20,759 --> 00:36:25,499
might have abused these problems?

550
00:36:25,499 --> 00:36:29,289
A: I don’t know. I did not see anybody
else on the network but it’s really hard

551
00:36:29,289 --> 00:36:33,819
to see someone in a
sea of 3 million devices.

552
00:36:33,819 --> 00:36:38,329
I am not aware of anybody exploiting this,

553
00:36:38,329 --> 00:36:41,940
so I can only state what Vodafone said.

554
00:36:41,940 --> 00:36:45,880
And they said that nobody else
did exploit those problems.

555
00:36:45,880 --> 00:36:49,660
According… as far as time… and
I believe that one actually… it’s…

556
00:36:49,660 --> 00:36:51,709
I don’t think that anybody
did. Which is surprising

557
00:36:51,709 --> 00:36:55,169
since this whole stuff was kind of obvious

558
00:36:55,169 --> 00:36:59,209
but apparently nobody thought of
digging into their modem before.

559
00:36:59,209 --> 00:37:03,149
The one thing about the timing is:

560
00:37:03,149 --> 00:37:05,489
Apparently, they already,
Kabel Deutschland,

561
00:37:05,489 --> 00:37:08,649
basically already does
Internet for 10 years by now

562
00:37:08,649 --> 00:37:13,690
and there’s very little reason to believe
it’s been different in the beginning.

563
00:37:13,690 --> 00:37:18,740
So it was probably vulnerable
for about ten years.

564
00:37:18,740 --> 00:37:22,330
That said, in the beginning, they
were not even using DOCSIS 3.0,

565
00:37:22,330 --> 00:37:25,619
which did not really do real encryption,
so at the end of the day you could

566
00:37:25,619 --> 00:37:29,640
just do whatever, any ways on the network.

567
00:37:29,640 --> 00:37:35,440
Back in the day. By now,
it’s only halfway complicated.

568
00:37:35,440 --> 00:37:37,999
Herald: Now number 1.

569
00:37:37,999 --> 00:37:40,779
Q: Yes, thank you for the talk, too.

570
00:37:40,779 --> 00:37:47,040
So it’s completely possible that they may
have not found out that somebody else

571
00:37:47,040 --> 00:37:52,189
accessed this before and maybe already
flashed a lot of devices with another

572
00:37:52,189 --> 00:37:55,760
firmware which is still
listening to his commands?

573
00:37:55,760 --> 00:37:59,270
With the new setup. Because
he changed the firmware.

574
00:37:59,270 --> 00:38:03,769
A: They did not… okay, they did update
the firmware at that one point in time

575
00:38:03,769 --> 00:38:06,210
when I showed that they switched to SSH.

576
00:38:06,210 --> 00:38:08,949
They did not change the
firmware ever since. So

577
00:38:08,949 --> 00:38:13,679
all the services that I was talking about,
they are still running on your modem.

578
00:38:13,679 --> 00:38:17,789
Q: Okay, but they can’t be sure that there
is another firmware by somebody else

579
00:38:17,789 --> 00:38:23,190
on routers running. If somebody else
maybe thought of making a bot net,

580
00:38:23,190 --> 00:38:26,239
before all of this came up,
in the last 5 years or 10 years,

581
00:38:26,239 --> 00:38:28,459
and already controls some devices

582
00:38:28,459 --> 00:38:32,170
and they can’t be sure that their firmware
is not running on those devices.

583
00:38:32,170 --> 00:38:35,739
There can be still devices somewhere
controlled by somebody else.

584
00:38:35,739 --> 00:38:38,439
A: Sure. You have to, obviously, fake
all the information they receive

585
00:38:38,439 --> 00:38:40,999
from the modem pretty well,
otherwise they get you onto the

586
00:38:40,999 --> 00:38:46,450
security block that I am on.
But if you do that correctly,

587
00:38:46,450 --> 00:38:49,089
you can probably just replace
all the pieces of firmware,

588
00:38:49,089 --> 00:38:53,459
just ignore all the updates and try to
behave the same way as they’d expect

589
00:38:53,459 --> 00:38:55,570
and then hope that nobody finds out.

590
00:38:55,570 --> 00:38:58,360
It’s entirely possible –
I don’t think it’s very likely

591
00:38:58,360 --> 00:38:59,869
but it is definitely entirely possible.

592
00:38:59,869 --> 00:39:03,269
Q: Let’s hope there are no more
networks like this out there.

593
00:39:03,269 --> 00:39:07,099
Herald: Usually, there
are no 2nd questions,

594
00:39:07,099 --> 00:39:11,139
so… we still got comfortable time

595
00:39:11,139 --> 00:39:15,089
but try to limit yourself to one question.

596
00:39:15,089 --> 00:39:17,179
Now it’s number 2.

597
00:39:17,179 --> 00:39:21,029
Q: Have you tried to change your
MAC address on the DOCSIS level

598
00:39:21,029 --> 00:39:22,710
or also for the DHCP request

599
00:39:22,710 --> 00:39:25,999
or how do they do authentication
of the modem over the network?

600
00:39:25,999 --> 00:39:30,279
A: So, the authentication
works using certificates.

601
00:39:30,279 --> 00:39:34,389
I’m actually not sure, I haven’t
read the standard on that side

602
00:39:34,389 --> 00:39:38,039
whether the MAC address is part
of the certificate. I don’t know.

603
00:39:38,039 --> 00:39:42,539
If it’s not, you can easily just
change it. I haven’t tried.

604
00:39:42,539 --> 00:39:49,289
But then again, the modems
are – what? – 8 Euros?

605
00:39:49,289 --> 00:39:51,219
Herald: Number 7.

606
00:39:51,219 --> 00:39:55,529
Q: What other recommendations
do you have

607
00:39:55,529 --> 00:40:00,309
– if someone were to have a
suspicion about a vulnerability –

608
00:40:00,309 --> 00:40:05,729
for the research part and
for the disclosure part?

609
00:40:05,729 --> 00:40:09,669
A: What do you have to do… I can’t give
you any legal or any advice on that one.

610
00:40:09,669 --> 00:40:13,089
I can tell you that getting
somebody involved

611
00:40:13,089 --> 00:40:16,129
that has done this before
is a really smart idea.

612
00:40:16,129 --> 00:40:18,909
Because they’ve gone
through a lot of pain points.

613
00:40:18,909 --> 00:40:22,430
The press is even better because
they have a really, really big lever

614
00:40:22,430 --> 00:40:25,780
nobody wants to be in the press
for 2 months or whatever

615
00:40:25,780 --> 00:40:31,169
just on negative news that there was
somebody who was legitimately trying

616
00:40:31,169 --> 00:40:35,360
to tell them to improve their
network and they sued them.

617
00:40:35,360 --> 00:40:39,729
So there’s a really good chance that
going via the press is going to keep

618
00:40:39,729 --> 00:40:43,959
problems away from you,
but there’s no guarantee.

619
00:40:43,959 --> 00:40:50,049
I cannot give you real – I mean legal
or any coherent – advice on that one.

620
00:40:50,049 --> 00:40:53,589
I would… I mean, if I would find such
a thing again, I would definitely go

621
00:40:53,589 --> 00:40:57,139
the same route. I would just call
up Heise and tell them and…

622
00:40:57,139 --> 00:41:00,259
That went pretty smoothly.

623
00:41:00,259 --> 00:41:03,609
And if… I mean, the really cool thing
is, they actually listen to the press.

624
00:41:03,609 --> 00:41:05,630
If I had gone to the service,
they would have just said

625
00:41:05,630 --> 00:41:10,800
“Sorry, wrong number,
I can’t help you.”

626
00:41:10,800 --> 00:41:13,519
Herald: Now the Internet.

627
00:41:13,519 --> 00:41:17,199
Q: How did you obtain the
original data? Did you use JTAG

628
00:41:17,199 --> 00:41:22,470
or dump the device’s firmware
and run it virtualized?

629
00:41:22,470 --> 00:41:27,779
A: Ahhhhh. Not sure how much of
that I should actually tell everybody.

630
00:41:27,779 --> 00:41:30,909
Let’s say, I replaced…

631
00:41:30,909 --> 00:41:34,150
You can actually see
this on the slide, wait.

632
00:41:34,150 --> 00:41:39,049
*makes “Tchtchtchtchtch” sound*

633
00:41:39,049 --> 00:41:42,250
Oh my god, this is going to take forever.

634
00:41:42,250 --> 00:41:46,980
Okay, dududum, where’s my
mouse cursor? There it is.

635
00:41:46,980 --> 00:41:50,960
Okay… So, I got a
picture of the modem…

636
00:41:50,960 --> 00:41:55,820
…here. There you go. So…

637
00:41:55,820 --> 00:41:59,799
…what you can see here, down there,
the white and the yellow cables,

638
00:41:59,799 --> 00:42:02,250
those are the serial port.

639
00:42:02,250 --> 00:42:06,130
And the IDE cable up there
that’s where the flash chip was

640
00:42:06,130 --> 00:42:09,499
before I started fiddling with the modem.
*laughter*

641
00:42:09,499 --> 00:42:12,039
Now, the flash chip is actually
in that socket up there.

642
00:42:12,039 --> 00:42:15,569
Which means I could swap the
flash chip between a device I own

643
00:42:15,569 --> 00:42:18,050
– BeagleBone Black, for example,
that’s a really nice spy interface

644
00:42:18,050 --> 00:42:20,479
that you could just use to write those

645
00:42:20,479 --> 00:42:22,170
– and then plug it back into the modem.

646
00:42:22,170 --> 00:42:28,049
So I could replace the firmware
and get myself an initial shell.

647
00:42:28,049 --> 00:42:32,989
As I mentioned earlier, I really
do not like to lose Internet access.

648
00:42:32,989 --> 00:42:37,790
So this is not the modem that
I was actually using at home.

649
00:42:37,790 --> 00:42:40,769
Instead, I just used that modem
to fetch a firmware image

650
00:42:40,769 --> 00:42:44,719
so I could then look and see
whether there might be other bugs

651
00:42:44,719 --> 00:42:48,829
that you could use.

652
00:42:48,829 --> 00:42:51,520
Herald: Now number 8.

653
00:42:51,520 --> 00:42:54,789
Q: Earlier, you’ve said that
– who was it… –

654
00:42:54,789 --> 00:42:59,469
Fritz!Box was more secure and they
didn’t have the same vulnerabilities.

655
00:42:59,469 --> 00:43:03,079
Do you think they simply didn’t use
hardcoded passwords and stuff?

656
00:43:03,079 --> 00:43:07,099
So do you think they’ll be vulnerable
to similar attacks and that someone

657
00:43:07,099 --> 00:43:10,670
probably, like you wouldn’t tell them,
but maybe they should look into it

658
00:43:10,670 --> 00:43:14,499
or do you think that it isn’t possible
and someone should, like, prove you wrong?

659
00:43:14,499 --> 00:43:17,999
A: From all I can tell, but this is…
I mean, just a gut feeling that I get

660
00:43:17,999 --> 00:43:20,469
from looking at different firmware files,

661
00:43:20,469 --> 00:43:22,789
the usual way, at least
the Linux based firmware

662
00:43:22,789 --> 00:43:28,629
works on those systems is
that there’s TI creating a BSP

663
00:43:28,629 --> 00:43:31,920
then they give it out to Motorola.
Then Motorola gives it out to CBN.

664
00:43:31,920 --> 00:43:35,729
Then CBN gives it out
to Kabel Deutschland.

665
00:43:35,729 --> 00:43:40,829
And then, each party of those
adds a few pieces of stuff.

666
00:43:40,829 --> 00:43:44,519
That’s the usual way it
works in those devices.

667
00:43:44,519 --> 00:43:47,559
Whereas in the AVM boxes,
things looked vastly different.

668
00:43:47,559 --> 00:43:49,559
There was one firmware image
that even contained information

669
00:43:49,559 --> 00:43:51,970
for some Austrian provider.

670
00:43:51,970 --> 00:43:58,040
So instead of giving full
control to the cable provider,

671
00:43:58,040 --> 00:44:04,860
AVM kept control on their own and actually
audited the stuff they were doing.

672
00:44:04,860 --> 00:44:07,639
That’s the major difference.

673
00:44:07,639 --> 00:44:13,420
*applause*

674
00:44:13,420 --> 00:44:16,620
Herald: One more question
from the Internet.

675
00:44:16,620 --> 00:44:20,499
Q: Do you know if they
still use unencrypted SIP?

676
00:44:20,499 --> 00:44:24,119
A: Oh yeah. *chuckles*
*slight laughter*

677
00:44:24,119 --> 00:44:27,320
A: Oh yeah.
*loud laughter*

678
00:44:27,320 --> 00:44:29,519
A: Nothing in the protocols
changed at all, whatsoever.

679
00:44:29,519 --> 00:44:32,329
They really just added a few firewalls.

680
00:44:32,329 --> 00:44:37,759
So once you are on the physical layer,
you can read everything you like, yes.

681
00:44:37,759 --> 00:44:42,189
Well, and you break through
the DOCSIS encryption, obviously.

682
00:44:42,189 --> 00:44:45,019
Herald: Now the newly adjusted number 2.

683
00:44:45,019 --> 00:44:47,889
Q: Thank you. Mine is
not so much a question

684
00:44:47,889 --> 00:44:51,149
as I’d like to add some insight
and perspective to this.

685
00:44:51,149 --> 00:44:54,549
I, myself, worked for several ISPs

686
00:44:54,549 --> 00:44:57,500
and the… we… actually
I worked for an ISP

687
00:44:57,500 --> 00:45:01,350
that had not this particular
issue, but a similar issue.

688
00:45:01,350 --> 00:45:04,159
The way that it was fixed and

689
00:45:04,159 --> 00:45:07,030
– you can look me up, I’ve worked
for several ISPs, you won’t know

690
00:45:07,030 --> 00:45:08,679
which one had this problem –

691
00:45:08,679 --> 00:45:13,709
but what was actually the fix
was a simple IP check.

692
00:45:13,709 --> 00:45:17,820
So once you downloaded
from the TFTP server,

693
00:45:17,820 --> 00:45:21,519
it was just checked if you did it
from the IP that was suspected.

694
00:45:21,519 --> 00:45:26,910
So this issue may actually be
reproducible if you can somehow

695
00:45:26,910 --> 00:45:30,429
get hold of an IP [address]
you weren’t supposed to have.

696
00:45:30,429 --> 00:45:34,580
Like, say, spoof MAC address
or something like that.

697
00:45:34,580 --> 00:45:39,860
That being said, I’d like to attach
a comment to the whole SIP thing, too.

698
00:45:39,860 --> 00:45:45,439
You indicated that it’d be possible
to silently intercept the conversations

699
00:45:45,439 --> 00:45:50,039
which is not necessarily the issue
because many SIP servers

700
00:45:50,039 --> 00:45:52,860
can be configured
to allow multiple endpoints

701
00:45:52,860 --> 00:45:55,879
so as the
– what’d you call it? –

702
00:45:55,879 --> 00:45:58,419
the bad guy would be able
to pick up your calls,

703
00:45:58,419 --> 00:46:01,209
you would also hear your
phone calling yourself.

704
00:46:01,209 --> 00:46:04,500
A: Right, and if your phone picks
up within 0.01 microseconds,

705
00:46:04,500 --> 00:46:06,970
then, yeah, there’s nothing
you can do about it.

706
00:46:06,970 --> 00:46:10,070
It just rings again.
That’s the point about it.

707
00:46:10,070 --> 00:46:13,609
Also, the other bit that
you have on the SIP server

708
00:46:13,609 --> 00:46:17,309
is that that particular server actually
only allowed one endpoint

709
00:46:17,309 --> 00:46:20,690
to be registered at a time.
At least from what I could tell.

710
00:46:20,690 --> 00:46:25,170
It was some Huawei
box. I don’t know.

711
00:46:25,170 --> 00:46:28,630
Herald: Number 3, please.

712
00:46:28,630 --> 00:46:30,669
Q: Yeah, I attended this talk today

713
00:46:30,669 --> 00:46:36,720
because I know that at the beginning,
when DOCSIS was introduced,

714
00:46:36,720 --> 00:46:39,960
the modems were asking
for the configuration file

715
00:46:39,960 --> 00:46:44,899
also over the Ethernet
port which is great.

716
00:46:44,899 --> 00:46:48,339
And my question is:

717
00:46:48,339 --> 00:46:54,479
Is there a way within the DOCSIS standard
so that the ISP can verify their hardware?

718
00:46:54,479 --> 00:47:00,209
I mean, you… I have seen
the type and the vendor name

719
00:47:00,209 --> 00:47:06,349
and the SNMP but you can
obviously spoof that.

720
00:47:06,349 --> 00:47:11,490
Of course, firmware
binaries won’t run on the

721
00:47:11,490 --> 00:47:15,360
wrong hardware, but…

722
00:47:15,360 --> 00:47:17,349
A: I’m not quite sure
I’m getting what you’re…

723
00:47:17,349 --> 00:47:21,889
Q: The question is: Is there
a way to control for the ISP

724
00:47:21,889 --> 00:47:25,639
which hardware there is they’re using?

725
00:47:25,639 --> 00:47:27,929
A: So I come from a
virtualization background.

726
00:47:27,929 --> 00:47:31,629
And in my world, there is
no such thing. It doesn’t exist.

727
00:47:31,629 --> 00:47:33,159
*slight laughter*

728
00:47:33,159 --> 00:47:38,940
Sorry. If you can somehow
abstract it, you can abstract it.

729
00:47:38,940 --> 00:47:42,839
Q: OK.
Herald: 8, please.

730
00:47:42,839 --> 00:47:48,189
Q: Hi. I wanted to add on the
part with the MAC spoofing.

731
00:47:48,189 --> 00:47:52,129
Because I had a modem
like that, like 5 years ago,

732
00:47:52,129 --> 00:47:55,709
and actually I never went
inside the modem,

733
00:47:55,709 --> 00:47:59,959
but I had some applications where
I needed a new IP address

734
00:47:59,959 --> 00:48:02,639
in a short period of time…

735
00:48:02,639 --> 00:48:06,779
*loud laughter*

736
00:48:06,779 --> 00:48:10,339
And I remember that actually… the thing…

737
00:48:10,339 --> 00:48:16,830
if you told the modem your MAC
address, a different MAC address,

738
00:48:16,830 --> 00:48:20,979
you got different external
IP addresses back then.

739
00:48:20,979 --> 00:48:24,359
I don’t know if things have changed
because it was 5 years ago

740
00:48:24,359 --> 00:48:28,180
but… yeah… after what
I’ve heard from you,

741
00:48:28,180 --> 00:48:30,619
I’m kind of unsure that things changed.

742
00:48:30,619 --> 00:48:33,579
A: No, I’m fairly sure this is actually
accurate. From what I understand,

743
00:48:33,579 --> 00:48:37,670
I never did that myself but I
heard from people who did,

744
00:48:37,670 --> 00:48:42,789
the MAC address check and the
certificate check are actually separate.

745
00:48:42,789 --> 00:48:47,910
So that if you own a valid certificate
from some random dude who happens to

746
00:48:47,910 --> 00:48:52,529
actually pay for the service,
and you get that certificate,

747
00:48:52,529 --> 00:48:55,609
and you’re not on the
same CMTS as that guy,

748
00:48:55,609 --> 00:48:59,219
then you can actually go and, well,

749
00:48:59,219 --> 00:49:03,269
basically say that you’re him even if
you have a different MAC address.

750
00:49:03,269 --> 00:49:06,260
Which then, again, implies that if you
change the MAC address, you can just

751
00:49:06,260 --> 00:49:09,060
be somebody else. Which
then again implies that…

752
00:49:09,060 --> 00:49:13,609
maybe you can actually go and get
somebody else’s Provisioning Files, yeah.

753
00:49:13,609 --> 00:49:15,449
*slight laughter*

754
00:49:15,449 --> 00:49:18,409
Q: Well, yeah… not up to you.

755
00:49:18,409 --> 00:49:20,459
A: Not going to try it out.

756
00:49:20,459 --> 00:49:22,319
Herald: Number 2, please.

757
00:49:22,319 --> 00:49:28,009
Q: Yeah, you had this one
with one particular provider

758
00:49:28,009 --> 00:49:30,389
and I happen to know that
there’s a second provider

759
00:49:30,389 --> 00:49:36,019
using the same technology in Germany:
were they somehow involved in this loop?

760
00:49:36,019 --> 00:49:40,260
I mean, it took Kabel Deutschland
two months to fix this and…

761
00:49:40,260 --> 00:49:42,109
A: No, but they better hurry up!

762
00:49:42,109 --> 00:49:45,870
*laughter and applause*

763
00:49:45,870 --> 00:49:48,130
Q: Thanks!
*applause*

764
00:49:48,130 --> 00:49:53,689
A: And, quite frankly, I do not believe

765
00:49:53,689 --> 00:49:58,489
that this is limited to Germany
at all, whatsoever.

766
00:49:58,489 --> 00:50:06,949
So… Yeah. Let’s see who’s faster.

767
00:50:06,949 --> 00:50:08,950
Alright, end of questions, right?
Or is there any…?

768
00:50:08,950 --> 00:50:11,359
Herald: It looks like we’re
at the end of questions.

769
00:50:11,359 --> 00:50:13,279
The Internet maybe…?

770
00:50:13,279 --> 00:50:15,520
No, the Internet doesn’t
have any questions.

771
00:50:15,520 --> 00:50:17,730
There are 8 empty microphones.

772
00:50:17,730 --> 00:50:24,800
So thank you very much for your talk
and thank you very much for the Q&A.

773
00:50:24,800 --> 00:50:30,954
*applause*

774
00:50:30,954 --> 00:50:34,904
*postroll music*

775
00:50:34,904 --> 00:50:41,841
Subtitles created by c3subtitles.de
in 2016. Join and help us!