We discovered a wide array of critical vulnerabilities in ISP-provided, RDK-based wireless gateways and set-top boxes from vendors including Cisco, Arris, Technicolor, and Motorola. Our research shows that it was possible to remotely and wirelessly tap all Internet and voice traffic passing through the affected gateways, impacting millions of ISP customers.
Imagine for a moment that you want a root shell on an ISP-provided wireless gateway, but you're tired of the same old web vulns. You want choice. Maybe you want to generate the passphrase for the hidden Wi-Fi network, or log into the web UI remotely using hard-coded credentials.
Don't have an Internet connection? Not to worry! You can just impersonate a legitimate ISP customer and hop on the nearest public hotspot running on another customer's wireless gateway. Once online, you can head on over to GitHub and look at the vulnerability fixes that haven't yet been pushed to customer equipment.
In this talk, we will take you through the research process that lead to these discoveries, including technical specifics of each exploit. After showcasing some of the more entertaining attack chains, we will discuss the remediation actions taken by the affected vendors.