Residential gateway (/SOHO router) exploitation is a rising trend in the security landscape - ever so often do we hear of yet another vulnerable device, with the occasional campaign targeted against specific versions of devices through independent scanning or Shodan dorking. We shine a bright light on TR-069/CWMP, the previously under-researched, de-facto CPE device management protocol, and specifically target ACS (Auto Configuration Server) software, whose pwnage can have devastating effects on critical amounts of users. These servers are, by design, in complete control of entire fleets of consumer premises devices, intended for use by ISPs and Telco providers. or nation-state adversaries, of course (sorry NSA, we know it was a cool attack vector with the best research-hours-to-mass-pwnage ratio). We investigate several TR-069 ACS platforms, and demonstrate multiple instances of poorly secured deployments, where we could have gained control over hundreds of thousands of devices. During the talk (pending patch availability), we will release exploits to vulnerabilities we discovered in ACS software, including RCE on a popular package, leading to ACS (and managed fleet) takeover.
Shahar Tal leads a team of Security & Vulnerability Researchers at Check Point Software Technologies. Prior to joining Check Point, Shahar held leadership roles in the Israel Defense Force (IDF), where he was trained and served as an officer in elite technology R&D units. Shahar (that's Major Tal, for you) brings over ten years of experience in his game, eager to speak and share in public domain. Shahar is a proud father, husband and a security geek who still can't believe he's getting paid to travel to awesome infosec cons. When you meet him, ask him to show you his hexdump tattoo.