Gateways to Chaos - How We Proved Modems Are a Ticking Time Bomb That Hackers Can Access Everywhere

Presented at DEF CON 33 (2025), Aug. 8, 2025, 3 p.m. (45 minutes).

Imagine your home modem as a loaded gun aimed at global security. Our research exposes critical vulnerabilities in ISP-supplied modems—ADSL, fiber, cable, 5G—that inherently threaten power grids, water systems, and ATMs. Over 35 severe flaws have been identified, rooted in outdated IoT SDKs, affecting millions globally. These issues allow attackers to manipulate essential services without direct hijacking. Despite the severity of these vulnerabilities, manufacturers and ISPs consistently refuse to address them, leaving these devices as perpetual threats. We provide essential tools for detection and defense against such negligence. In this session, you'll learn how to identify these inherent weaknesses that compromise infrastructures through device flaws. Gain practical skills in vulnerability hunting and crafting defenses, while navigating the landscape of responsible disclosure amidst industry inertia. Join us to confront a crisis long ignored. When hackers exploit these systemic failures, it's not just personal data at risk—it's the stability of our world's crucial infrastructure. References: - Peter Geissler & Steven Ketelaar - 2013 HITB AMS - [link](https://archive.conference.hitb.org/hitbsecconf2013ams/materials/D2T1%20-%20Peter%20Geissler%20and%20Steven%20Ketelaar%20-%20How%20I%20Met%20Your%20Modem.pdf) - Sam Curry 2024 – DEFCON - [link](https://www.youtube.com/watch?v=MmpkfM8I33Q)

Presenters:

• Chiao-Lin "Steven Meow" Yu - Threat Researcher at Trend Micro Red Team
  Chiao-Lin Yu (Steven Meow) currently serves as a Red Team Cyber Threat Researcher at Trend Micro. He holds numerous professional certifications including OSCE³ , OSEP, OSWE, OSED, OSCP, CRTP, CARTP, CESP-ADCS, LTP, CPENT, GCP ACE. Steven has previously presented at events such as Security BSides Tokyo 2023, HITCON Bounty House, and CYBERSEC 2024, 2025. He has disclosed 20+ CVE vulnerabilities in major companies like VMware, D-Link, and Zyxel. His expertise spans red team exercises, web security and IoT security.