Security analysis of Residential Gateways and ISPs: global network domination is (sneakily) possible
Residential Gateways (RGs, the modems an ISP usually supplies with a broadband subscription) have become very common devices around the world. While consumer routers have frequently been compromised by botnets or exploited as infrastructure for nation-state attackers, RGs have so far received little discussion, despite occupying a position on par with consumer routers.
We reviewed popular broadband network standards (DSL, DOCSIS, xPON) and remote management standards (TR-069/CWMP), and reverse engineered 14 different RGs from 11 ISPs across 8 countries, including G7 members. We analyzed each RG's hardware components and dissected and inspected every firmware image, using a set of firmware dissectors and decryptors that we developed to handle the proprietary formats. We discovered that most RGs lack modern software and hardware protection mechanisms such as ASLR, TrustZone and secure boot, and are commonly vulnerable to low-complexity attacks such as weak credentials, buffer overflows and command injections, enabling the installation of undetectable, persistent backdoors on RGs.
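One practical check for the hardening gap described above, added here as an example and not code from the talk or from TXOne: a small Python parser that reads only the ELF header and program headers of binaries found in an extracted firmware tree and reports whether each was built as PIE (so ASLR can apply), with a non-executable stack, and with RELRO. It handles 32- and 64-bit ELF in either byte order, since RG firmware is often big-endian MIPS; the two sample images are constructed inline, and `scan_firmware_root` and `_sample_elf32_be` are assumed names.

```python
import os
import struct
PT_GNU_STACK = 0x6474E551   # program header recording the stack's permissions
PT_GNU_RELRO = 0x6474E552   # program header marking the read-only-after-relocation region

def elf_hardening(data):
    """Derive PIE / NX / RELRO from the ELF header and program headers only (no symbols needed)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    end = {1: "<", 2: ">"}[data[5]]                 # EI_DATA: 1 = little endian, 2 = big endian
    hdr_fmt, ph_fmt, flag_idx = {1: ("HHIIIIIHHH", "IIIIIIII", 6),   # ELF32 (MIPS/ARM gateways)
                                 2: ("HHIQQQIHHH", "IIQQQQQQ", 1)}[data[4]]  # ELF64
    hdr = struct.unpack_from(end + hdr_fmt, data, 16)
    e_type, phoff, phentsz, phnum = hdr[0], hdr[4], hdr[8], hdr[9]
    nx = relro = False                              # no PT_GNU_STACK => executable stack (legacy default)
    for i in range(phnum):
        ph = struct.unpack_from(end + ph_fmt, data, phoff + i * phentsz)
        if ph[0] == PT_GNU_STACK:
            nx = not (ph[flag_idx] & 0x1)           # PF_X clear => non-executable stack
        elif ph[0] == PT_GNU_RELRO:
            relro = True
    return {"pie": e_type == 3, "nx": nx, "relro": relro}   # ET_DYN (3) => position independent

def scan_firmware_root(root):
    """Walk an extracted firmware tree; list (path, missing protections) for every ELF found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    report = elf_hardening(fh.read())
            except (OSError, ValueError, KeyError, struct.error):
                continue                            # not an ELF, unreadable or truncated: skip
            missing = [k for k, ok in report.items() if not ok]
            if missing:
                findings.append((path, missing))
    return findings

def _sample_elf32_be(e_type, phdrs):
    """Constructed test image: minimal big-endian MIPS ELF32 holding only program headers."""
    ident = b"\x7fELF" + bytes([1, 2, 1]) + bytes(9)        # class=ELF32, data=BE, version=1
    hdr = struct.pack(">HHIIIIIHHHHHH", e_type, 8, 1, 0, 52, 0, 0, 52, 32, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack(">IIIIIIII", t, 0, 0, 0, 0, 0, f, 4) for t, f in phdrs)
    return ident + hdr + body

# Constructed samples: an old-style ET_EXEC with only an R+X PT_LOAD, and a PIE with RW stack and RELRO.
WEAK_SAMPLE = _sample_elf32_be(2, [(1, 5)])
HARDENED_SAMPLE = _sample_elf32_be(3, [(1, 5), (PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)])
```

Point `scan_firmware_root` at a directory produced by a firmware extractor; stack-canary and FORTIFY checks need the symbol table and are deliberately left out here.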
Furthermore, we found some ISPs' infrastructure exposed directly to the Internet, often on devices that are easily exploited, outdated or sanctioned, which we will demonstrate. By combining low-to-mid complexity vulnerabilities in the RG and in the ISP's infrastructure, we are able to demonstrate one actual case of full, permanent compromise of an estimated four million RGs at the largest ISP in a top-20 country. This was reported to the ISP and has since been fixed.
The protocols, network stack and device drivers behind xPON are hard to test and inspect because of their proprietary nature and the difficulty of obtaining upstream xPON equipment. We developed a fuzzer to test the GPON device driver in a popular SoC vendor's SDK. We also discovered a vulnerability in a very popular SoC vendor's SDK that allows the device's WAN firewall rules to be bypassed.
In our presentation, we will explore the fragile situation of both RGs and ISPs, including the shortcomings of the security paradigm in their hardware and software stack design. Additionally, we will share our observations of attacks against RGs, along with our observations on supply chain security around RGs and ISPs.
By:
Ta-Lun Yen | Senior Vulnerability Researcher, TXOne Networks, Research
Full Abstract and Presentation Materials:
https://www.blackhat.com/eu-24/briefings/schedule/#security-analysis-of-residential-gateways-and-isps-global-network-domination-is-sneakily-possible-42311