2025-10-21, Europe
The operating systems of many proprietary consumer- and enterprise-grade
networking devices do not allow for easy customization. Even when SSH access is
available, it often supports only a limited set of tightly controlled commands,
offering no way to install new binaries — or to understand what the existing
ones actually do.
The Internet is full of guides on “jailbreaking” proprietary routers — an
unfortunate necessity for users who want deeper control over the hardware
they've paid for.
In contrast, open-source router OSes like OpenWrt provide full SSH access. This
seemingly simple feature sends a clear message: “This device is truly yours, and
you're welcome to inspect or improve it — even find security bugs, if you're so
inclined.”
But what happens when a proprietary OS is built on top of an open one like
OpenWrt?
In this talk, we’ll take you on a journey through reverse engineering OS
binaries based on OpenWrt, used by a major vendor [REDACTED]. We were surprised
to discover that they had patched the Lua compiler for the sole purpose of
hindering static analysis.
We'll demonstrate several techniques for “owning” a line of devices from this
vendor — from rediscovering a "patched" backdoor in the restricted SSH service,
to identifying an authenticated OS command injection vulnerability buried deep
in a custom Lua module.
These findings could enable full remote takeover of the devices — so it’s no
wonder the vendor didn’t allow SSH access in the first place...
Stanislav Dashevskyi is a Security Researcher at Forescout. He received his PhD from the International Doctorate School in Information and Communication Technologies (ICT) at the University of Trento (Italy) in 2017. His main research interests are open source software, software security, and vulnerability analysis.