The Ostrich Project: Attacks Against and Threats From Common SOHO Devices

Presented at ToorCon San Diego 13 (2011), Oct. 8, 2011, 3 p.m. (50 minutes)

Small-scale, single-purpose embedded devices - 802.11 routers, ISP CPE boxes, A/V players, VoIP adapters, and more - are a fixture in home and SMB networks. Other researchers have found vulnerabilities in many of these: default passwords, DNS rebinding, and cross-site request forgery, among others. Yet today, thousands of these devices remain unprotected, and many flaws are unpatched. Why?

We explore the extent of this problem in the first part of our talk, presenting data from nonintrusive surveys and previous anecdotal evidence that hint at the existence of large deployments of exposed devices. However, legal boundaries prevent researchers (and, in many cases, network operators) from identifying actually-exploitable devices. Consequently, many vendors and ISPs have apparently chosen to ignore these problems, while users remain unaware of them. Why?

In the second part of this talk, we present Ostrich, a new remote-access and traffic-interception trojan for several popular embedded devices. Although the target platforms vary in architecture and underlying operating system, Ostrich presents a common interface for tools to interact with. We will discuss the challenges underlying reverse-engineering device firmware and dealing with proprietary network chipsets. In addition to Ostrich itself, we'll release API code, utilities, and examples for integration with open-source tools such as Wireshark and scapy.


Presenters:

  • Jim Rennie / FalconRed as Jim Rennie
    Jim Rennie is an attorney, currently specializing in privacy law in the San Francisco Bay Area. Previously, he was a public defender in Las Vegas for three years. Before becoming an attorney, he spent three years as a software developer specializing in custom content management systems. He has given several talks at DefCon on legal issues.
  • Brandon Creighton / cstone as Brandon Creighton
    Brandon Creighton is an engineer (forward and reverse) working as a researcher at Veracode, helping to push the limits of automated appsec analysis. Aside from work, he is part of the engineering team responsible for the Ninja Networks open-source electronic party badges, distributed for free at DEFCON. He has previously spoken at conferences about security analysis of webapps (various frameworks) and electronic badge design.
