Routers are the blippy switchy boxes that make up the infrastructure of networks themselves, yet few administrators bother to change the default login on these devices. Interestingly, nearly all consumer (SOHO) routers let a user reflash the device by uploading a firmware image that is presumably, but not verifiably, vendor-provided. By abusing this feature, an attacker can craft a malicious firmware image and execute arbitrary code on the device, gaining full control over its OS, the network it manages, and all traffic passing through it. Interesting persistence and pivot opportunities follow, allowing the attacker to maintain access or to covertly target internal hosts.
Based on personal experience, we'll examine the process of backdooring firmware images for SOHO routers from start to finish. A generalized technique for backdooring firmware images will be outlined, and a new framework that abstracts and expedites the process will be publicly released. Working examples will be presented that demonstrate the ability to pop shells, hide connections, sniff traffic, and create a router botnet of doom.
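The security-relevant point in the abstract is that a SOHO upgrade handler usually checks only that an uploaded image is well formed (magic, length, checksum), not that it came from the vendor, so anyone who can recompute the checksum can push their own image. The following is an added illustration written for this page, not code from the talk or from the framework it announces. It uses a hypothetical 12-byte container format (magic, payload length, CRC32) that stands in for a real vendor header, shows that a backdoored image passes the integrity-only check, and contrasts it with an authenticity check keyed on a secret the attacker does not hold (HMAC here as a stdlib stand-in; a real device would verify an asymmetric signature so it only stores the public key).

```python
import hashlib
import hmac
import struct
import zlib

# Hypothetical container format used only for this example; it is not any
# real vendor's header layout.
MAGIC = b"FW01"
HEADER = struct.Struct("<4sII")  # magic, payload length, CRC32 of payload
TAG_LEN = hashlib.sha256().digest_size


def pack_image(payload: bytes) -> bytes:
    """Build an image the way a vendor build script might: header + payload."""
    return HEADER.pack(MAGIC, len(payload), zlib.crc32(payload) & 0xFFFFFFFF) + payload


def parse_image(image: bytes):
    """Split an image into (stored crc, payload); raise ValueError if malformed."""
    if len(image) < HEADER.size:
        raise ValueError("image shorter than header")
    magic, length, crc = HEADER.unpack_from(image, 0)
    if magic != MAGIC:
        raise ValueError("bad magic")
    payload = image[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    return crc, payload


def device_accepts_crc_only(image: bytes) -> bool:
    """Integrity-only check: the kind of validation a typical SOHO upgrade
    handler performs before writing the image to flash."""
    try:
        crc, payload = parse_image(image)
    except ValueError:
        return False
    return crc == (zlib.crc32(payload) & 0xFFFFFFFF)


def backdoor_image(image: bytes, implant: bytes) -> bytes:
    """Attacker side: append an implant to the payload (e.g. a root filesystem)
    and recompute the only check the device performs."""
    _, payload = parse_image(image)
    return pack_image(payload + implant)


def sign_image(image: bytes, key: bytes) -> bytes:
    """Vendor side of an authenticity check: append a keyed MAC over the whole
    image. Stand-in for a real asymmetric signature (assumption for this example)."""
    return image + hmac.new(key, image, hashlib.sha256).digest()


def device_accepts_signed(signed: bytes, key: bytes) -> bool:
    """Authenticity check: reject anything not produced with the vendor key,
    then fall through to the ordinary format/integrity check."""
    if len(signed) < TAG_LEN:
        return False
    image, tag = signed[:-TAG_LEN], signed[-TAG_LEN:]
    expected = hmac.new(key, image, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False
    return device_accepts_crc_only(image)


def demo() -> dict:
    """Constructed sample run: stock image vs. backdoored image against both checks."""
    stock = pack_image(b"\x7fELF... stock rootfs (constructed sample)")
    implant = b"\n# implant: /etc/init.d/S99backdoor (constructed sample)"
    key = b"vendor-signing-key"  # assumption: held by the vendor only

    evil = backdoor_image(stock, implant)
    signed_stock = sign_image(stock, key)
    # Attacker tampers with a signed image: re-CRCs the payload but can only
    # reuse the old tag, since the key is not on the device.
    tampered = backdoor_image(signed_stock[:-TAG_LEN], implant) + signed_stock[-TAG_LEN:]

    return {
        "crc_accepts_stock": device_accepts_crc_only(stock),
        "crc_accepts_backdoored": device_accepts_crc_only(evil),
        "sig_accepts_stock": device_accepts_signed(signed_stock, key),
        "sig_accepts_backdoored": device_accepts_signed(tampered, key),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The CRC-only path accepts the backdoored image just as readily as the stock one; only the keyed check distinguishes them. Note that a symmetric key stored on the device can be recovered by anyone who dumps the flash, which is why production designs verify a signature with a public key and ideally anchor that key in hardware.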
Michael Coppola is currently an undergraduate student at Northeastern University and works as a security consultant at Virtual Security Research in Boston, MA. In past years, he won the U.S. Cyber Challenge NetWars and MIT Lincoln Lab/CSAIL CTF competitions, and is noted for finding security bugs in various Google services. His interests include memory corruption, poking at the Linux kernel, and burning things with a soldering iron. More information may be found at www.poppopret.org and on Twitter: @mncoppola