Ta-Lun Yen

TXOne Networks Inc. / Sr. Vulnerability Researcher

Sr. Vulnerability Researcher at TXOne Networks with an interest in compromising everything that runs on 1s and 0s. Focused on embedded system security, protocol analysis and reverse engineering. Long-time member of the Taiwanese hacker group "UCCU Hacker". Has presented various high-impact topics at many well-known conferences.

SPEECH
4/16 (Wed.) 16:15 - 17:00 4F 4B Threat Research Forum Live Translation Session
Security analysis of Residential Gateways and ISPs: global network domination is (sneakily) possible

Residential Gateways (modems) have become a very common device around the world, usually provided by the ISP along with a broadband subscription. While consumer routers have frequently been compromised by botnets or exploited as infrastructure for nation-state attackers, RGs have seen little discussion so far, despite occupying a position on par with consumer routers.

We reviewed popular broadband network standards (DSL, DOCSIS, xPON) and remote management standards (TR-069/CWMP), and reverse engineered 14 different RGs from 11 ISPs across 8 different countries, including G7 members. We analyzed every RG's hardware components and dissected and inspected all of their firmware, using a set of firmware dissectors and decryptors that we developed to handle the proprietary formats. We discovered that most RGs lack modern software and hardware protection mechanisms such as ASLR, TrustZone and secure boot, and are commonly vulnerable to low-complexity attacks such as weak credentials, buffer overflows and command injections, enabling the installation of undetectable, persistent backdoors on RGs.

Furthermore, we found some ISPs' infrastructure to be exposed directly to the Internet, often consisting of easily exploited, outdated or sanctioned devices, which we will demonstrate. Combining low-to-mid complexity vulnerabilities in both the RG and the ISP's infrastructure, we are able to demonstrate one actual case of a full, permanent compromise of an estimated four million RGs belonging to the largest ISP in a top-20 country. This was reported to the ISP and has since been fixed.

4/17 (Thu.) 15:30 - 16:00 4F 4B Threat Research Forum Live Translation Session
VPN Gremlin: User Impersonation Attack in Multiple SSL VPNs

We present a User Impersonation Attack in multiple SSL VPNs, including Cisco, Palo Alto, Fortinet and SonicWall. Our attack allows the attacker to bypass any intended firewall and routing rules, and therefore to explore freely within an SSL VPN-protected network without restrictions while connected from the Internet. We dubbed this attack “VPN Gremlin”, as if a gremlin had tampered with the intended firewalling and routing rules. We will also present the research behind this vulnerability, which includes our analysis and reverse engineering of the network firewalling and routing mechanisms of popular SSL VPNs.

Our findings stemmed from our research focused on multiple major SSL VPN implementations, as vendors saw rapid expansion during the rise in the need for teleworking; yet it is another example of “security through obscurity”, as breach incidents around SSL VPN gateways are unusual. We are, however, also astonished by the fact that we can demonstrate our attack using the same method on four different vendors.

We intend to shed light on this again by diving into the implementation of routing and firewall rules at different vendors, from firmware extraction to reverse engineering of their networking stacks, and will demonstrate our methodology for fuzzing their VPN tunneling implementations. We will also demonstrate our (to-be open-sourced) tools for testing multiple SSL VPN tunneling protocols.