Owning the Network: Adventures in Router Rootkits presented at DEF CON 20

by Michael Coppola

Tags: Security

Summary: Routers are the blippy switchy boxes that make up the infrastructure of networks themselves, yet few administrators actually care to change the default login on these devices. Interestingly, nearly all consumer (SOHO) routers allow a user to reflash the device by uploading a (presumably vendor-provided) firmware image. By abusing this feature, it is possible for an attacker to craft his or her own malicious firmware image and execute arbitrary code on the device, granting full control over the OS, the network it manages, and all traffic passing through it. Additionally, interesting persistence and pivot opportunities are realized, allowing an attacker to maintain access or target internal hosts in a covert way.

Based on personal experience, we'll examine the process of backdooring firmware images for SOHO routers from start to finish. A generalized technique to backdoor firmware images will be outlined, and a new framework to abstract and expedite the process will be publicly released. Working examples will be presented which demonstrate the ability to pop shells, hide connections, sniff traffic, and create a router botnet of doom.