Friday 16 February 2007

Time for a bit of snooping

One of the most obvious routes to shell access would be to subvert the firmware upgrade process.

Using Ethereal to analyse network traffic turned up lots of interesting information about how the radio functions. Unfortunately it also showed that new firmware is transferred via an encrypted protocol - RTP (Reciva Transfer Protocol?). The curl application has been modified to implement this and to accept URLs of the form "reciva://xxx.xxx.xxx".

Ideally it would have been possible to intercept a firmware upgrade, analyse its contents and produce a version which would enable a telnet or SSH server. The encryption makes this a much tougher task.