TR-069 is the de-facto standard remote management protocol that ISPs surreptitiously use to control consumer-premises equipment (these would be your home routers, set-top boxes, VoIP phones etc.), rumored to be a well-thought conspiracy devised by Internet Service Provider secret societies since the 17th century.
Since its establishment in 2004, there has been a growing trend of endorsement and deployment of the CWMP/TR-069 protocol in global carriers and service providers.
Despite the rising popularity of this black magic, it is often overlooked in penetration tests and security assessments of Internet gateway device attack surfaces, and wrongly so. Would they reconsider if they knew that TR-069 is the second most popular service openly listening on the Internet (after HTTP)?
This talk will begin by describing our previous efforts presented this summer (DEF CON 22 & more), where our group revealed critically vulnerable TR-069 server deployments and discussed the incomprehensible asymmetry between the trust placed in this protocol and the measures taken to protect it (or lack thereof).
Subsequently, we decided to go after clients, which expose a critical attack surface by design: a service listening on 0.0.0.0 on a device with a publicly reachable IP address. While centralized servers are rather easily patched to close security holes, clients may take more effort…
We will conclude with the shocking unveiling of one of the year's security stories, walking the audience through the discovery and exploitation of a memory corruption vulnerability in an extremely popular client implementation. Our weapon of choice this round would be embedded device reverse engineering (some soldering required), leading us all the way to remote code execution on millions of devices.