Small-scale, single-purpose embedded devices - 802.11 routers, ISP CPE boxes, A/V players, VoIP adapters, and more - are a fixture in home and SMB networks. Other researchers have found vulnerabilities in many of these: default passwords, DNS rebinding, and cross-site request forgery, among others. Yet today, thousands of these devices remain unprotected, and many flaws are unpatched. Why?
We explore the extent of this problem in the first part of our talk, presenting data from non-intrusive surveys and previous anecdotal evidence that hint at the existence of large deployments of exposed devices. However, legal boundaries prevent researchers (and, in many cases, network operators) from identifying actually exploitable devices. Consequently, many vendors and ISPs have apparently chosen to ignore these problems, while users remain unaware of them. Why?
In the second part of this talk, we present Ostrich, a new remote-access and traffic-interception trojan for several popular embedded devices. Although the target platforms vary in architecture and underlying operating system, Ostrich presents a common interface for tools to interact with. We will discuss the challenges underlying reverse-engineering device firmware and dealing with proprietary network chipsets. In addition to Ostrich itself, we'll release API code, utilities, and examples for integration with open-source tools such as Wireshark and scapy.