Modem Operandi, or: How I Owned Hundreds of Millions of Broadband Basebands

Presented at DEF CON 32 (2024), Aug. 11, 2024, 11:30 a.m. (45 minutes).

The world runs on broadband, be it fiber, cable, or the faster variants of DSL. The 5G revolution may be here, but cellular modems just connect users to the internet. 8 in 10 US adults subscribe to a broadband internet service at home, connected via modern fiber, cable, and DSL modems, not to mention 4K set-top boxes. These devices often run Linux, but what you might not realize is that recent devices secretly have a second CPU running a proprietary RTOS, akin to the baseband of mobile devices. And as with mobile basebands, the security of the embedded OS can undermine the security of the device as a whole. In this talk, we will discuss the proprietary embedded RTOS used by modern broadband devices. We'll start with an overview of how the RTOS works, when and why it was introduced, and its true lineage and identity. We will then dive into the low-level internals of the RTOS and how it shares resources with the "frontend" Linux OS. Lastly, we will discuss the "private bridge" IPC mechanism that the RTOS uses to communicate with the frontend OS, and the threat model that should have been applied to such multi-OS devices. Along the way, we'll discuss several vulnerabilities we discovered in the layers of the RTOS and the private bridge, and how they can be abused to remotely take over both the RTOS and Linux.

References:

1. Quentin Kaiser [link](https://ecos.wtf/)
2. Joseph C. Lehner [link](https://github.com/jclehner/bcm2-utils)
3. rikka0w0 [link](https://github.com/rikka0w0/Arris-CM8200B-Reverse-Engineering)
4. Eric Sauvageau [link](https://github.com/RMerl/asuswrt-merlin.ng/tree/master/release/src-rt-5.02hnd)
5. Gertrude [link](https://www.mobile-computer-repairs.co.uk/arris-tg2492.html)
6. Danman [link](https://blog.danman.eu/about-adding-a-static-route-to-my-docsis-modem/)
7. Amir Etemadieh, CJ Heres and Khoa Hoang [link](https://www.blackhat.com/docs/us-17/wednesday/us-17-Etemadieh-Hacking-Hardware-With-A-$10-SD-Card-Reader-wp.pdf)
8. WatchMySys [link](https://watchmysys.com/blog/2022/02/)
9. Lyrebirds [link](https://github.com/Lyrebirds)
10. Matt Oh [link](https://github.com/ohjeongwook/dumpflash)
11. OSResearch [link](https://github.com/osresearch/dumpflash/tree/ecc-2k)
12. Jean-Michel Picod [link](https://github.com/Hitsxx/NandTool)
13. Jeroen Domburg [link](http://spritesmods.com/)
14. Bjoern Kerler [link](https://github.com/bkerler/NANDReader_FTDI)
15. threat9 [link](https://github.com/threat9/routersploit)

Presenters:

  • Riley Hassell - Principal Security Researcher, Security Research team at ServiceNow
    Riley Hassell is a recognized industry expert in the fields of application security assessment, software reverse engineering and malware analysis. Mr. Hassell was responsible for the discovery of the first critical remote vulnerabilities in Windows 2000 and Windows XP. He also discovered the vulnerability that triggered the Code Red Internet worm. His initial dissection of the worm was used to develop and put in place protective measures to safeguard the network targeted by Code Red, the White House public network. Mr. Hassell routinely assesses security software and has discovered critical vulnerabilities in leading security products over the years, pushing security vendors to do better. He has spent much of his career as a security engineer and researcher, often working with startup ventures to pioneer product technologies in the patch management, intrusion prevention, vulnerability analysis and malware analysis fields. Currently, Mr. Hassell is a Principal Security Researcher on ServiceNow's Security Research team, performing offensive security research and analysis of threats to ServiceNow's platform and customers.
