Owning the Network: Adventures in Router Rootkits

Routers are the blippy switchy boxes that make up the infrastructure of networks themselves, yet few administrators actually care to change the default login on these devices. Interestingly, nearly all consumer (SOHO) routers allow a user to reflash the device by uploading a (presumably vendor-provided) firmware image. By abusing this feature, it is possible for an attacker to craft his or her own malicious firmware image and execute arbitrary code on the device, granting full control over the OS, the network it manages, and all traffic passing through it. Additionally, interesting persistence and pivot opportunities are realized, allowing an attacker to maintain access or target internal hosts in a covert way.

Based on personal experience, we'll examine the process of backdooring firmware images for SOHO routers from start to finish. A generalized technique to backdoor firmware images will be outlined, and a new framework to abstract and expedite the process will be publicly released. Working examples will be presented which demonstrate the ability to pop shells, hide connections, sniff traffic, and create a router botnet of doom.

Presented by