Reversing and Exploiting BT CPE Devices presented at 44Con 2013

by Zachary Cutlip,

Summary : In this talk I’ll describe the process by which I reverse engineered the firmware for the BT HomeHub 3.0b and developed a remote exploit that yields root access. The BT HomeHub 3.0b was fairly challenging to reverse engineer and exploit compared to many SOHO routers on the market today. The talk will describe several strategies I pursued in search of an exploitable 0-day. Although some strategies were fruitful and some not, all were instructive.
Live demos and root prompts are the funnest part of any good security talk, and this one will not disappoint. I’ll demonstrate the exploit and pop root on a HomeHub 3.0b in front of the live audience. Then I’ll demonstrate how to upload tools to the device for instrumentation and attack. If all goes well, I’ll up the ante by attempting a parlor trick made possible by the technical nature of this specific exploit.