I Found a Thing and You Can (Should) Too: ISP's Unauthenticated SOAP Service = Find (Almost) All The Things!

Presented at ShmooCon X (2014), Jan. 18, 2014, 11 a.m. (60 minutes)

This presentation is meant to encourage individuals to put the applications and software that they may use on their own home or small business networks under the research microscope. This will be a discussion of a recent independent research project that eventually led to an information disclosure vulnerability by a major U.S. ISP. This is also an example of when a coordinated disclosure goes right.

What began with simple curiosity into the inner workings of an application lead to the ability to list wireless network names and wireless encryption keys (among other things) armed only with a WAN IP address.


  • Nicholas Popovich
    Nick Popovich's passion is learning and exploring the offensive side of IT security. He works as a penetration tester, trying to raise the overall security posture of organizations through infrastructure security testing. Nick's mission is to help individuals and organizations involved with the defensive side of InfoSec understand the mechanics and methods of the attackers they defend against and to assist in realistically testing those defenses. He's a lifelong learner and loves finding new ways to get under the hood of systems and networks. He is a father of two and a husband to one.

Similar Presentations: