Radek Domanski and Pedro Ribeiro

Pwn2Own’ing Your Router over the Internet

Abstract

The network router defines the boundary between a trusted home or enterprise network and the Internet. Controlling a router is of great interest to lawful operators, botnets and ransomware groups, and allows for stealthy infiltration of a home or enterprise network. This is clear from the recent expansion of botnets built from insecure network routers by exploiting WAN (Wide Area Network) / Internet-facing interface vulnerabilities. However, in the last couple of years most vendors have drastically improved the security of their newer products, especially on the WAN interface side. A locked-down firewall, use of binary protections and secure default configurations raise the bar and force an attacker to be more creative. It’s not a walk in the park anymore!

In this talk, we will present a series of techniques that we used to discover multiple vulnerabilities affecting the WAN / Internet-facing network interfaces of consumer and enterprise grade routers. These techniques and vulnerabilities are unique because of the complexities of exploitation over the Internet; nevertheless, they mostly result in 100% reliable, unauthenticated code execution as root on the target devices, and in some cases install permanent “backdoors” that survive factory resets.

Using these techniques, we have won multiple prizes in several Pwn2Own competitions as the Flashback Team, winning it outright in 2020 and amassing over $150,000 in cash prizes over the course of three years. We will explain and demonstrate three different exploits we used in these competitions, with a step-by-step tale of our adventures while researching, discovering and exploiting each vulnerability.

BIO

Radek Domanski started his professional career 12 years ago securing large networks and systems and afterwards transitioned into offensive security. He worked on high-profile projects within the largest Internet Service Provider in Europe and in the research center of one of the world's largest telecommunications equipment companies. Radek has found a number of critical vulnerabilities in real products and systems that are used by millions of users worldwide. At the moment Radek is working as a security expert in hardware and automotive hacking, exploitation and reverse engineering of embedded systems. Radek regularly competes in the famous Pwn2Own hacking competitions as part of the Flashback Team.

Pedro Ribeiro is a vulnerability researcher and reverse engineer with over 12 years of industry experience. Pedro has found and exploited hundreds of vulnerabilities in software and hardware products. He has over 150 CVE identifiers attributed to his name (most of which resulted in unauthenticated remote code execution) and has authored over 50 Metasploit modules that have been released publicly. Besides his vulnerability research activities, he is the founder and director of a penetration testing and reverse engineering consultancy based in London. Pedro regularly competes in the famous Pwn2Own hacking competitions as part of the Flashback Team.