The operating systems of many proprietary consumer- and enterprise-grade
networking devices do not allow for easy customization. Even when SSH access is
available, it often supports only a limited set of tightly controlled commands,
offering no way to install new binaries — or to understand what the existing
ones actually do.

The Internet is full of guides on “jailbreaking” proprietary routers — an
unfortunate necessity for users who want deeper control over the hardware
they've paid for.

In contrast, open-source router OSes like OpenWrt provide full SSH access. This
seemingly simple feature sends a clear message: “This device is truly yours, and
you're welcome to inspect or improve it — even find security bugs, if you're so
inclined.”

But what happens when a proprietary OS is built on top of an open one like
OpenWrt?

In this talk, we’ll take you on a journey through reverse engineering OS
binaries based on OpenWrt, used by a major vendor [REDACTED]. We were surprised
to discover that they had patched the Lua compiler for the sole purpose of
hindering static analysis.

We'll demonstrate several techniques for “owning” a line of devices from this
vendor — from rediscovering a "patched" backdoor in the restricted SSH service,
to identifying an authenticated OS command injection vulnerability buried deep
in a custom Lua module.

These findings could enable full remote takeover of the devices — so it’s no
wonder the vendor didn’t allow SSH access in the first place...