Shahar Tal – I hunt TR-069 admins: pwning ISPs like a boss
Residential gateway (/SOHO router) exploitation is a rising trend in the security landscape.

Every so often we hear of yet another vulnerable device, with the occasional campaign targeted against specific versions of devices through independent scanning or Shodan dorking. We shine a bright light on TR-069/CWMP, the previously under-researched, de facto CPE device management protocol, and specifically focus on ACS (Auto Configuration Server) software, whose pwnage can have devastating effects on critical numbers of users. These servers are, by design, in complete control of entire fleets of customer premises devices, and are intended for use by ISPs and telco providers. Or nation-state adversaries, of course (sorry NSA, we know it was a cool attack vector with the best research-hours-to-mass-pwnage ratio). We investigate several TR-069 ACS platforms and demonstrate multiple instances of poorly secured deployments, where we could have gained control over hundreds of thousands of devices.

