Francesco La Spina
Francesco La Spina holds an MSc in Computer Science from the University of Trento, Italy. He began his career as a software engineer, focusing on IT/IoT security gateway development, where he honed his expertise in crafting robust security solutions for digital infrastructures. Having served as a security engineer for an ISP and financial institutions, he also gained invaluable experience in fortifying networks against potential threats. Currently, Francesco is engaged in cutting-edge security research within the realms of IT and IoT at Forescout Technologies - Vedere Labs.
Session
The operating systems of many proprietary consumer- and enterprise-grade
networking devices do not allow for easy customization. Even when SSH access is
available, it often supports only a limited set of tightly controlled commands,
offering no way to install new binaries — or to understand what the existing
ones actually do.
The Internet is full of guides on “jailbreaking” proprietary routers — an
unfortunate necessity for users who want deeper control over the hardware
they've paid for.
In contrast, open-source router OSes like OpenWrt provide full SSH access. This
seemingly simple feature sends a clear message: “This device is truly yours, and
you're welcome to inspect or improve it — even find security bugs, if you're so
inclined.”
But what happens when a proprietary OS is built on top of an open one like
OpenWrt?
In this talk, we’ll take you on a journey through reverse engineering OS
binaries based on OpenWrt, used by a major vendor [REDACTED]. We were surprised
to discover that they had patched the Lua compiler for the sole purpose of
hindering static analysis.
We'll demonstrate several techniques for “owning” a line of devices from this
vendor — from rediscovering a "patched" backdoor in the restricted SSH service,
to identifying an authenticated OS command injection vulnerability buried deep
in a custom Lua module.
These findings could enable full remote takeover of the devices — so it’s no
wonder the vendor didn’t allow SSH access in the first place...