DeepSec 2015 Talk: Revisiting SOHO Router Attacks – Jose Antonio Rodriguez Garcia and Ivan Sanz de Castro
Have you seen Jon Schiefer’s film Algorithm? If you haven’t, then you should catch up. The protagonist of the story gain access by using the good old small office / home office (SOHO) infrastructure. The attack is pretty realistic, and it shows that SOHO networks can expose all devices connected to it, either briefly or permanently. Combined with the Bring Your Own Device (BYOD) hype, SOHO networks are guaranteed to contain devices used for business purposes. We haven’t even talked about the security of entertainment equipment or the Internet of Stuff (IoT). Like it or not, SOHO areas are part of your perimeter once you allow people to work from home or to bring work home. Be brave and enter the wonderful world of consumer devices used to protect enterprise networks. José Antonio Rodríguez García and Iván Sanz de Castro will give you a tour in their presentation at DeepSec 2015.
Domestic routers have lately been targeted by cybercrime due to the huge amount of well-known vulnerabilities which compromise their security. The purpose of our paper is to appraise SOHO router security by auditing a sample of these devices and to research innovative attack vectors. More than 60 previously undisclosed security vulnerabilities have been discovered throughout 22 popular home routers, meaning that manufacturers and Internet Service Providers still have much work to do on securing these devices. A wide variety of attacks could be carried out by exploiting the different types of vulnerabilities discovered during this research. The talk covers the common security problems which affect domestic routers nowadays, the brand new discovered security flaws (including multiple live demos), and the tools developed to help ease the audit process, among other topics.
We strongly recommend this talk to any vendor designing network equipment for small office and home use. Apart from that everyone else should attend, too. Unless you live in a cave without electricity, that is.
José Antonio Rodríguez García was born in Salamanca, Spain. He received his BSc degree in computer engineering from Universidad de Salamanca and his MSc degree in ICT security from Universidad de Madrid. Mr. Rodríguez is an independent researcher, who developed an expertise in computer hardware and performance benchmarking. He has published several articles and his own hardware monitoring tool, which gained great acceptance in the enthusiast community
Iván Sanz de Castro was born in Madrid, Spain. He received his BSc degree in telecommunications engineering from Universidad de Alcalá and his MSc degree in ICT security from Universidad de Madrid. Mr. Sanz has taken part in several security projects for multinational enterprises during the last years. He is currently working in the Ethical Hacking department at a Spanish security company.