CableTap: Wirelessly Tapping Your Home Network

Presented at DEF CON 25 (2017), July 29, 2017, 4 p.m. (45 minutes)

We discovered a wide array of critical vulnerabilities in ISP-provided, RDK-based wireless gateways and set-top boxes from vendors including Cisco, Arris, Technicolor, and Motorola. Our research shows that it was possible to remotely and wirelessly tap all Internet and voice traffic passing through the affected gateways, impacting millions of ISP customers. Imagine for a moment that you want a root shell on an ISP-provided wireless gateway, but you're tired of the same old web vulns. You want choice. Maybe you want to generate the passphrase for the hidden Wi-Fi network, or log into the web UI remotely using hard-coded credentials. Don't have an Internet connection? Not to worry! You can just impersonate a legitimate ISP customer and hop on the nearest public hotspot running on another customer's wireless gateway. Once online, you can head on over to GitHub and look at the vulnerability fixes that haven't yet been pushed to customer equipment. In this talk, we will take you through the research process that lead to these discoveries, including technical specifics of each exploit. After showcasing some of the more entertaining attack chains, we will discuss the remediation actions taken by the affected vendors.


  • Chris Grayson - Founder and Principal Engineer at Web Sight.IO
    Christopher Grayson (OSCE) is the founder and principal engineer at Web Sight.IO. In this role he handles all operations, development, and research efforts. Christopher is an avid computing enthusiast hailing from Atlanta, Georgia. Having made a habit of pulling things apart in childhood, Chris has found his professional home in information security. Prior to founding Web Sight.IO, Chris was a senior penetration tester at the security consultancy Bishop Fox, and a research scientist at the Georgia Institute of Technology. During his tenure at these organizations, Chris became a specialist in network penetration testing and in the application of academic tactics to the information security industry, both of which contributed to his current research focus of architecting and implementing high-security N-tier systems. Chris attended the Georgia Institute of Technology where he received a bachelor's degree in computational media, a master's degree in computer science, and where he organized and led the Grey H@t student hacking organization.
  • Logan Lamb - Security Researcher at Bastille Networks
    Logan joined Bastille Networks in 2014 as a security researcher focusing on applications of SDR to IoT. Prior to joining Bastille Networks, he was a member of CSIR at Oak Ridge National Lab where his focus was on symbolic analysis of binaries and red-teaming critical infrastructure.
  • Marc Newlin - Security Researcher at Bastille Networks
    Marc is a wireless security researcher at Bastille, where he discovered the MouseJack and KeySniffer vulnerabilities affecting wireless mice and keyboards. A glutton for challenging side projects, Marc competed solo in two DARPA challenges, placing third in the DARPA Shredder Challenge, and second in the first tournament of the DARPA Spectrum Challenge.


Similar Presentations: