
A Look At TR-06FAIL And Other CPE Configuration Disasters by Darren Martyn

BSides Scotland, 46:02, published 2017-04

Transcript (en):

So I'm here to speak to you about a thing called TR-06FAIL, which was the silly branding we gave it because it seemed appropriate at the time, and other CPE configuration management disasters. I'll explain what all that means in a minute. Wow, the clicker works. Who am I? I'm Darren Martyn, researcher at Xiphos. I've been messing with embedded stuff for years; it's kind of what got me into security, just messing about with embedded devices and routers. Formerly a forensics student, pharmaceutical student before that, internet miscreant before that. Apparently bad, dodgy, unprofessional, childish and a bad influence, if you believe certain people's opinions of me. Not well liked by some people in the

industry, for hilarious reasons, mostly on the vendor side when I disclosed bugs about their stuff, but that's their problem. So what we'll be talking about: the TR-064 protocol and related vulnerabilities, the TR-069 protocol and related vulnerabilities, Misfortune Cookie and all that, hacking ACS servers so we can take over the world, and some other miscellaneous crap in no particular order, just stuff that's related. So for weekend reading, when you go home, look up two talks by a guy called Shahar Tal; he worked at Check Point, I think he works somewhere else now. One's called "I Hunt TR-069 Admins", which was presented at DEF CON, and one's the Misfortune Cookie talk that I

happened to see at 31C3. It's also worth reading through TR-069, TR-064 and all the other DSL Forum specs; there are bloody loads of them. And have a poke at this yourself, because if you have a router at home from an ISP you have all the equipment you need to have fun in your own home; you have the stuff to play with. So I guess, to start: what is TR-blah blah blah? They're not RFCs, they're not like 802.3 standards, because they're not IETF standards; they're DSL Forum specifications. And the DSL Forum is a consortium of all the people involved in getting broadband to your house, and they come up with specifications and

standardized stuff so that they can interoperate and, you know, bill you and get you internet and stuff, and they define all the specifications for how to manage your broadband network. If you can follow them, you can implement stuff; you can probably ignore most of them, there are tons. Go to broadband-forum.org, I think it is, and then ".pdf" and "TR-" and you'll find just tons of PDFs all defining different specs. The two we're going to talk about today are TR-064 and TR-069; there are loads of others, and there's loads of good security research to be done, hopefully by some of you, looking at the other protocols, because they're all absolutely

disgusting. So TR-064 is LAN-side DSL CPE configuration. DSL is damn slow lines, or, you know, DSL internet. CPE is customer premises equipment, the CPE box on your network. I hate these acronyms. So the TR-064 specification outlines a SOAP-based protocol for the configuration of CPE devices from the LAN side. So say when you got your router off your ISP, sometimes it came with a CD-ROM with the broadband setup software, and you put that into your computer and you'd run it. This goes back a while, by the way; I remember doing this in late 2006. You click through the CD-ROM and it goes "okay, put in your settings", and it configures the router by magic. It's not

magic, it was TR-064, and that's the link to the specification there. You can download it, you can read it, and go absolutely bloody mad, because it's one of the most boring specifications you'll ever read through. Basically it allows you to configure your router from the LAN side. TR-069 is the other end of it; it's the WAN-side CPE management protocol, also known as CWMP. It outlines a protocol for CPE devices being managed over the WAN, or the internet, by your ISP. It's SOAP-based; it's all this disgusting XML. It's actually more than that; the horribleness it involves, it involves Jabber for some reason. When I was reading through it I was like, there's a bunch of stuff in here about

XMPP being used for something. I mean there's loads of potential crap there, and it's all XML-based; it's disgusting. You could read it; it's on Amendment 5, and there are probably going to be more amendments in future. So firstly, TR-064 allows managing any setting on your endpoint, on your CPE, on your router, from the LAN side. In theory you can manage stuff like wireless keys, you can set the DNS servers, you can set the NTP servers, you can set whatever you want. It's got full read/write, so, you know, DNS, wireless security, and it comes with a few security requirements. So this is how you manage and set up your router; you can change all the settings, you can

fiddle with all the stuff. Yeah, it's got security things. So apparently any action that allows configuration changes to the CPE must be password protected; access to any password-protected action must require HTTP digest auth, blah blah blah, not plaintext passwords. You know, it seems pretty solid. And this interface should only be accessible from the LAN side. So in theory that's all nice and lovely, but in reality: password protection? Nope, don't have time for any of that. Nobody's bothered protecting these things; passwords seem to be entirely optional. Actual credentials? Yeah, you can totally read them; they're not actually obfuscated. If they don't return some blank or null values you get the real

creds back out. Exposed to the internet? Oh yes. This is the core problem here: this thing which was only ever supposed to be LAN-side, and the spec explicitly says pretty much "do not put this on the internet", was put on the internet at scale by everyone. Oh, and the implementation sucks, so you've got bonus trivial command injection vulnerabilities, because why not. You might as well take the entire OWASP top 10: broken access control, cleartext creds, it's like vulnerability bingo. So you get owned boxes. So the obvious outcome of this disaster: well, Deutsche Telekom had some problems; they had some quite serious problems, and they

were kind of there when this whole incident kicked off. I'm sure most of you remember this incident because it's recent. When this all kicked off they were kind of the first one to have a serious outage, but they weren't alone. TalkTalk, they suffered mass-scale outages, routers stopping working, devices being bricked, kind of bricked, they didn't work anymore, credentials stolen. Post Office, Eircom, Demon; I mean, name an ISP and they probably suffered some issues because of this. It all happened all at once, and this was home users suddenly going "oh no, my internet doesn't work, what's going on", because the software vulnerabilities were being exploited at scale. So

what happened, who did it, is there an attribution party going on, can we all point fingers and blame somebody? Well, actually we can. So it was script kiddies. You probably can't read the screenshots of Python code there; that was the Python code used to do some of the infections, found on a script kiddies' forum. What it does is it sends a SetNTPServers request, which tells the router "update your NTP server", and which contains these magical backticks. You put your commands into the backticks and suddenly they get executed on the box, and everyone has a nice day. So what they were doing was downloading and executing a bot to do

DDoS attacks and stuff. It was a Mirai variant called Annie, and they were dropping this en masse, and the idea was to build a giant DDoS botnet and do, you know, pocket things, skiddy things. What caused the bricking, though? I should go back. What caused the bricking is, when you exploit this issue, if you update the NTP server field with a shell command, what happens is the device no longer knows what time it is. And computers, if you know things about computers, you know computers really like to know what time it is, and if they can't figure out what time it is anymore, suddenly they go haywire and

just... stuff breaks and they stop working, and suddenly no more computer for you. The device just starts to malfunction. You could factory reset them and they might start working again, maybe. So this wasn't the first time that the particular piece of software involved had issues. Before TR-06FAIL there was Misfortune Cookie. It affects the same piece of software, which is the RomPager web server on the devices. TR-06FAIL impacted the TR-064 part, and Misfortune Cookie impacted the TR-069 part. Misfortune Cookie allowed all sorts of shenanigans; the most important one was you could access the device without any authentication, because you could do basically a write-what-where, where you

can overwrite variables in memory with other things. You could overwrite the "check for admin password" variable with "hell no, who cares about the admin password", or you could change access controls and stuff. Really trivially exploited vulnerabilities. The too-long-didn't-read bit below is the proof of concept from a very intelligent chap by the name of Kenzo that exploits an Eircom one. What it is: there's a magic cookie in this. You've got key-values, right, in cookies, "C" plus key and value. So the first one is the key; it's a pointer to something, and the second is what we're overwriting it with: the same pointer, you know,

the address to overwrite, and the crap to overwrite it with. And what this particular one does is it says, basically, let people in without a password, don't check, on the common management port, let them reconfigure the device remotely, it'll be fine. You send this request to the router and suddenly the state of the router changes. Blooming heck, the software is a crock of rubbish, just crap software; it's really poorly written. And that was one of the first, you know, when people started going "we should look at TR-069" and "what is it, anyway". So, as I said before, the DSL Forum spec actually

has some security in the TR-069 protocol. This will be important later. It's got security features, allegedly: it's got TLS, it's got all of that. It's a bit of a mess; it was designed by committee, you can see that, and on every revision they keep bolting crap on. What clearly happens is somebody goes "ooh, I really like this technology, let's implement it as part of this protocol which manages crap", so you've got bloated rubbish. The SSL/TLS is optional. I was reading through this and it's like "oh, you can use SSL/TLS"; it's recommended. Some setups of it are really solid, where you've got mutual auth, you

know, you've got certs on the device; they ship, and it's really good in this respect, with a client-side cert on the device, and there's mutual authentication. It's really good. Or you can just use plaintext HTTP. Actual auth from CPE to ACS is kind of optional, so CPE to ACS is basic auth, sort of; it doesn't really... in most cases the password is sometimes important, but the username is normally like a customer ID or something; it's an identifier for the device. ACS to CPE is often, as I said, mutual auth with a TLS client cert, or you can be really crap and use a shared secret, which anyone can leak by just taking

apart their router. Again, the protocol, just like TR-064, is a lot of XML rubbish built on STUN, SOAP, XMPP, those words that some horrible enterprise developers love. It's disgusting, and anything that's out there that's been implemented is probably going to be in there; the attack surface is absolutely enormous. So we know the CPE end of this is rubbish; we know that your embedded device, we knew this already, your little embedded router in your house (I mean, there was another talk earlier today which said the same thing), your router's crap, your router has bugger all security, and it never will,

because the vendors aren't really inclined to make secure routers yet. There's no market for it; they want cheap, they want stuff you can bang out a million of, put them in, they work, the internet light comes on, you get the wifi, it's all fine. So we know the CPE end is crap. So ISPs, they've got a business interest in their end of things being secured, because their end of things has stuff like money involved, like billing, and if you go over your usage cap on your broadband they can bill you more; accounting and stuff. I

know on some providers you've got like 50 gig a month and then they screw you if you go over that. So surely they've got some rock-solid stuff; surely it's good-quality enterprise software; we all know that enterprise is good. Surely it can't be that bad; surely they've got this sorted, they don't want to lose money. So I'm going to go into the second act, which is the bigger part of it, in which we take over the planet by exploiting the ACS end. Now I'll explain this very briefly. So we want world domination. You remember this cartoon, Pinky and the Brain? Good. So we want to take over the

world, right, and we want to do it now. So we could go after the CPE, the endpoint devices; we could take the Mirai approach, hack loads of routers, technically one at a time, or with our botnet scanning, and hack loads and loads and loads of routers. But that takes time and effort and money, and we just want them all now; we want them cheap; we don't want to expend actual effort. I mean, I used to be somebody who was on the threat actor side of things; I used to do bad things to people, I used to

hack into stuff and mess stuff up, so I know that people like me are lazy; we want the easiest way to get stuff done. So we want to hack loads of stuff, but we want to do very little. So I thought, well, you could hack all the CPEs, or you could hack the ACS, and in theory hacking an ACS will be a lot faster, because an ACS can send commands to all the CPEs attached to it. So why not just hack the one box instead of hacking millions of boxes; you hack the one box, then just run your script on all the millions of boxes and you get an instant win. And the cool thing is, if you go home and play

around with some ACS software, you'll discover that ACS software is amazing for botnet command and control, because that's literally what it is. You've got "run shell script on device", you've got "deploy binaries to device", you've got "recover passwords" options, you've got "change DNS settings", you've got all sorts of fun; you've got all these options to mess with millions of devices in one go. The world's your oyster: you can reflash firmware images, so you could create firmware backdoors, upload them and deploy them all in one go, except they're designed for deployment at scale, for provisioning. Hola, you can turn that, instead of

using it as your provisioning server, into "now it's my botnet" or whatever. You don't even have to think about it. I mean, I have sat down and gone "what could I do with this", and it's just infinite; you could go on for days thinking of all the horrible world domination you could do, like you could just change everyone's DNS settings in one go to redirect them all to something nasty, like shock images or whatever. The world's your oyster. Phishing: you could do phishing at scale with this. So I decided to look at an ACS server, or a few ACS servers, and today I'm going to talk about a

particular one which has been around for quite a while, called FreeACS. It's been slow work, because these are horrible, horrible, horrible pieces of enterprise software; they're enterprise grade, enterprise written, which means they're completely disgusting, the code's a mess, and you go mad looking at them. So yeah, this FreeACS, we're about to have a very fun time. So before I start with the explanation of all the bugs I found, here's the disclosure timeline. It's very responsible disclosure: a while ago, found bugs; between then and now, weaponized bugs, then kind of forgot about them; today, public disclosure of bugs. Have I contacted the

people behind FreeACS? No. Why? They don't deserve it. They've written this absolute [__]; it's probably some of the worst software about, and I've been doing this for quite a while. It's disgusting. These people, they've written this to be deployed at ISPs to do critical things, and you'd think they'd put some care and attention into it. When I looked through it, it's like they haven't even tried; there's just no concept of actually trying to do security at all in FreeACS. So I just figured I'd drop the bugs and let them burn;

they can deal with it. Because, quite frankly, you get really sick of disclosure: you disclose the bug, they don't fix it for six months, and you're like "do I drop it, do I sit on it, do I leave them". And I figure if I burn FreeACS, some of the other ACS vendors might perk up and start securing their stuff. So I'm sorry to that one person who probably is responsible for maintaining this project, but you've been used as the worst example in the world. So it's been around a while. I actually think it's maintained by one person; I was having a look at it and it seems that it's either a very small group or one

guy who writes it. It uses Tomcat and MySQL, so it's written in disgusting Java, which made me hate it even more. I refuse to program in Java and I normally refuse to look at software written in Java, because, you know, I like to go outside, I like to not go insane; the only Java I want in my life is coffee, not this weird object-oriented crap, absolute rubbish. So immediately I just kind of felt distaste when I looked at it. So it's "the most complete TR-069 ACS available for free under the MIT license". Most complete means most attack surface; I think we

can all agree on that. If you've stuck on a million and one features, that's a million and one bits of attack surface, and in my auditing I don't think I've even scratched the attack surface all that much; I think there's way more there. There are tons of bugs in it to be found, so if they ever actually patch the bugs that I disclosed in their next release, you can just go find more, and then you can go back to hacking ACS servers, taking over the world, and preferably get yourself a nice cat to stroke while you're doing it and demand a billion dollars. So, this is the first thing I saw when I went to the

FreeACS site and looked up how to install it. So they say do this on an Ubuntu 14.04 LTS server, which is a pretty old version of Ubuntu; I think we're on like 16 or 17, we're on one that's a bigger number than that anyway. I'm not an Ubuntu user. "Go download this old ISO", which isn't available; you have to go to the mirror, go back in time, find the download. And then I was like, right, now how do I install it on this already outdated box, and it goes "do this", and nope. You see some problems here, right? Go to your

home directory, wget this shell script from a non-SSL/TLS site; so download a shell script over plaintext, make it executable, and then run it as root. You know, secure deployment practice and all that. And then "read on in chapter 4 to complete the remaining ten percent of the installation", because we couldn't pop it into a crap shell script because, you know, reasons. And all the remaining is surely running a couple of shell commands; I could send them a patch for their shell script which means that you don't have to do the other ten percent, but they'd still be serving a shell script over HTTP on a server that's probably trivially

compromised anyway. So the lowest hanging fruit I found was the default login creds, admin / xaps. Do people change this? Do people ever change default passwords? I mean, that's a question that answers itself. You can find a bunch of them on Shodan; I just put in the query. You'll need to be logged in to Shodan to do a title search, but just put in title "FreeACS", or you can find a couple of them on Google, there's like five on Google, intitle "FreeACS Web Web", because when you go to the login page, for some absurd reason, it says "FreeACS Web Web Login", because, you know, if the login for the

web, or the web web login, or maybe we should put an extra "web" in there; I should send them a patch that's like "FreeACS Web Web Web Login". You can find them on Censys, you can find them via Bing search, whatever way you want, or you could scan the internet and HTTP title grab; you can come up with your own way of finding these things. They're pretty easily fingerprintable, and for some reason they're connected to the internet. I'll get onto that little side note in a couple of minutes, but yeah, you can find them, and they probably have admin / xaps as the login. And another note about the

login, and I thought this was really interesting: when I was going through the login, when I was testing it, I had Burp Suite open, like "right, we're going to find some bugs", and I type in "admin" and then I type in "xaps" and I hit enter, and I look at where the password shows up in the data being sent from my browser to the server, and it turns out that it seems to hash it; it does a SHA-1 of the password before sending it to the server, and the SHA-1 is just a SHA-1 of the password, which is also what's in the database. So there's some weirdness there; there's something odd,

like it's literally passing a hash to do auth instead of sending the password in plain. No idea why, but it doesn't matter, because you can just capture that and just ship it across. So there's some weird, smelly stuff here and I'm just wondering why are they doing that; it hints at something weird. So after I logged in, I realized that the ACS server was actually made of XSS. It was like an XSS test website instead of an ACS. So pretty much any parameter you can imagine will reflect back some input. It's post-auth, and it's mostly reflected XSS, but some of them are persistent; some of them stick around. And

because I was an idiot when I was testing this, and every time I go back to XSS I seem to make the same mistake, I don't differentiate between which payload is for which parameter when I'm spamming in my XSS requests. One of them just keeps coming back and I'm like "I'm not sure where you're coming from". I know where all the other ones are coming from, but that alert box that just won't go away, it's following me around the ACS software. I click on random bits and there's the alert box, and I'm like "whoa, hang on, where did you come from". It's literally like Damn Vulnerable

Web App, except it's got optional command and control for a whole fleet of CPE devices built in, which is, you know, premium features. So I've got some screenshots of the XSS bugs, because everyone loves the alert boxes. Here is the first one, in a GET; you can see it's like the lowest of the low of finding XSS, just spam something in, see what comes out, and yes, an alert box pops. What do you do? And another one; this one in a POST request to somewhere. Oh, that's the bloody one that kept popping up; I think that's the one, I don't know where that one comes from, but it

just keeps coming back. We've got more; I started numbering them at this point. With each request I'd record the request and I'd go "okay, I'm putting a number in for each one", so that I can uniquely identify my cross-site scripting vulnerabilities. So we've got XSS post-auth, but that's not quite what we're here for. What we want for world domination, and our following demands: we want it to be pre-auth. We don't want to have to crack a login, we don't want to have to rely on default creds; we want a pre-auth exploit, no knowledge of creds required. It needs to be remote; we don't want any of this local nonsense; we need to be able to

fire it at something and it just bloody works, so it needs to be exploitable over the internet. And we need it pre-auth, and that's already pretty much crossed off all that post-auth stuff we found. We also want it to give us privileged access, as in an admin role in the ACS server, because we want to control the ACS server, so we want admin on it. We also want it to be easy, because we want to do this cheaply; we don't want to spend weeks and weeks and weeks developing some absurd memory corruption exploit that works, you know, fifty percent of the time because of heap layout and ASLR and all that. No, we want something that

just works reliably, easily, cheaply, that we can build and weaponize in like five minutes and deploy; we can just ship it. The minimum viable world domination plan, Pinky and stuff. So that's what we want, and that seems like we've set a pretty high bar, because you don't often find all these things in one basket. Sometimes you've got three or four of these, sometimes you get two; you normally don't get all four in one go. This time we did; this time we hit the jackpot with what's coming up next, the actual jackpot. So, pre-auth attack

surface: it's actually huge. It's like the wall and Trump and all that; it's bigger than his hands, so it's huge. The pre-auth attack surface is literally enormous, because it has to interface with TR-069 clients. You've got a whole client-server model there; as well as the admin doing admin stuff on the ACS, you've also got TR-069 clients, CPEs, that have to communicate with it and do stuff at the same time. So I was looking at it, and the first thing that a CPE device sends when it's talking to an ACS is the CWMP notify: "yes, hi, I'm here". I sat looking at it and I

found it was surprisingly difficult to find a good sample of one of these. Eventually I found one, and it's XML, and it's disgusting, and I won't... oh no, oh no no no no, it's just XML. I found a demo CWMP client and this is the nonsense that it sends, and there's just loads of parameters and loads of fields, and just loads and loads and loads of attack surface to play with there; it's enormous. So we've got all of this to play with, and I hate XML. XML, Java; we're in enterprise land here. So at first I tried fuzzing the XML; I tried messing about with it, trying stuff that would cause the

server to hang. I got it to cease responding; I got it to just fall over and die with various loops and stuff in the XML. I got bored; it's XML. So I said okay, I want to do something with the CWMP notify that doesn't involve having to write any XML at all or deal with this XML parser, so immediately I said the XML is out of scope and looked for something else I could attack. So yeah, there's the XML, but I hate XML, I don't want to play with it; I want to do other things with my life. That example there, that example is missing a header; it's missing the basic

auth header. So they use basic auth to identify the devices and do stuff. Yeah, okay, let's see where we go here; there's possibly some fun here. So basically in the TR-069 notify message the password is optional; some implementations require passwords, so that only proper clients can talk to the ACS. But the username is actually used by the ACS to identify the device, and in some fields, in some circumstances, quite often that's like a customer number or something in the username, and the device would take it as a parameter. So the username parameter is put into stuff and it's smashed together, then it gets

parsed and it gets handled. So there could be something there. And also, when I looked at the spec of what basic auth is, what you can put into a username field, it's really loose: you can stick whatever the hell you want in there so long as it doesn't mangle HTTP headers. So we started to play around, and we found something really quick. When I stuck in a quote we found the SQL injection bug, which, disappointingly, I haven't been able to reliably exploit for something useful yet, but that's fine, because that doesn't matter; we'll find other bugs. There's a lengthy SQL query which,

when the device registers, it gets inserted, and then later on, when the admin does something and it queries that table, the input, the single quote you've jammed in, gets stuck into another SQL query, and because it's coming from the database it's seen as trusted. It ends up somewhere else and ends up coming out breaking something else along the way. It's this horrible chain of disgustingness that leads to your entire ACS server going "nope, not doing it, can't do it". And the problem is, if you screw up with your SQL injection attempt, you brick the ACS; it stops working. So you've got one shot. So it's like,

let's not do that, let's find something easier, because I'm lazy and I'm sick of reimaging this VM every time, reverting the snapshot, going "oops, bricked it again", revert snapshot, sit there and wait while the computer chokes along for a bit and eventually goes "okay, we can test it again", and another one, "oops, broke it", back to the start. So we didn't get lucky there, but hey, we found something else. The username is completely unsanitized, as I mentioned; it also shows up in the UI in a bunch of places on the admin side. So you log in to the ACS as admin to do your ACS admin things, to cut off that customer who hasn't paid the bills in six months, to

check usage, deploy a firmware update to fix some nasty bugs, whatever: the username field pops up and gets rendered in HTML. Well, once again, there's another alert box in there. XSS; it's made of XSS. And I thought, yeah, maybe we can do that, just fully deployed. I normally hate cross-site scripting; I think cross-site scripting is normally the most useless thing in the world, until I started doing this. This is the first time I've found cross-site scripting actually useful and fun, because what we do next will shock you. Probably not, but anyway, that's a clickbait title: trivially exploitable XSS happens. So it worked: from the username that we send, we stick our script alert whatever in,

and then when the admin logs in later on, weeks later, whatever, suddenly there's our box. So from an unauthenticated somewhere off in internet land we can get an alert box into the admin session. You can see where this is going now. Some limitations: we've got a character limit, and it gets passed through a bunch of SQL statements as well, so we don't want to break anything, so we're really, really, really careful with it; kind of, not really. We have some restrictions, but they're not that serious. And this is a screenshot of it working: we got the alert box, yay; we log in as admin, it pops up,

and success. And I was like, okay, because there's a character length limit in there, we can't fit like an entire big blob of JS in there. So the fun thing is, can we load a script from somewhere remote? And if you've got a short enough domain name, like say xss.io or something, just get one of the three-letter ones on the two-letter TLDs that are still available, get something short, then yes, you can easily get your script in. We got a remote script executing; it just magically worked. We had it loading remote JS, which made testing stuff way easier, because now what I could do is I could just start changing the JS

on the remote side, re-log in and see what was going on. So we're getting somewhere with this. If we can get remote JS into the admin session once the admin's logged in, we can probably take over the ACS, right, we could probably do something. So I thought about it a little bit and started looking: is there any file upload bug I can trivially exploit? And I was like, effort. Or I'll just add a user. So I had to sit down and write some JavaScript, but because I'm lazy I copied and pasted it from Stack Overflow, because I had this little rule in my

head: we're being the lazy world-domination type, so as much copypasta as we can to write the exploit, as much laziness, as much 14-year-old-from-Hack-Forums as we can get away with. Low-hanging fruit deserves low-complexity exploits. So there's no CSRF tokens or XSS protections or any of that fancy stuff you hear about in the OWASP security guides, because this is enterprise software written in Java and it's crap. So we just send a POST request to the endpoint that lets us add a user. So I sat down, copied and pasted the example of sending a POST request in JavaScript from the first hit on

Google, Stack Overflow, select all, copy, paste, right, edited it a little bit to do what we need to do, and see if it works, because again we wanted low effort in writing this exploit. Oh yeah, it works. So this is the test; this is the most disgusting piece of Python I've ever written, it's actually probably the worst piece of code I've ever written, but it works. You can take over an ACS system with it. So we inject our XSS payload in and we get a response going "cool, your device is cool, everything's fine", you just get this blob of crap back, and then we wait. We spin up our server serving

our malicious JavaScript, and we sit there and wait for the admin login. So the admin logs in to the ACS, the admin then loads the script from our web server, standard stuff, runs the script, and magic happens. And what's really useful, because there's a slight problem of: okay, so you've got your whole thing set up, how do you know which ones you've owned? In the headers there is the Referer header, and the Referer tells you the URL of the ACS you've just added an admin user to. In a later version of the exploit I added a function to parse that out and check if

the credentials we've added work. But yeah, it works: we can now add an admin user remotely by sending one POST request to the ACS and then just listening and waiting, and eventually, boom, we've got admin. And this is what it looks like. I added a nice alert dialog for debugging purposes, so the admin would definitely know they've been hacked, and we use the very unsubtle username and password of hacker/hacker, you know, just to be polite, so when the ACS admin logs in they go "who's this user named hacker?" If you want to be more stealthy you could change it to something like "totally legit", or if you want to have a bit of fun you could change it to

like GCHQ or something; feel free to do what you like. So we've now got an admin user, it's been added and we're in the admin group, boom, worked, magic. Success. By the way, all the exploit code will be released once I'm done; it'll be online, on Twitter and stuff, so I'll tweet it with the BSides hashtag. So, you know, we're taking over the world here. We've got our nice little nasty; we scan the internet, we use Shodan, Censys, Google, we find all the FreeACS servers, we blast out our XSS, one POST

request to each; that'll take, I mean, just a couple of hours, you script it, let it run, boom. Then we wait a couple of days, maybe release an advisory about FreeACS so ACS admins have to go log in to their ACS servers and check for updates, hypothetically; payloads fire, hack the planet, and then we've got everything. So we've got hacked ACS servers; now we just reconfigure all the settings, change the DNS, paypal.com is now ours for all their clients, or we redirect them to Lemon Party or something, take your pick of all the shock images on the internet. We can reflash firmware on all

the devices, so we could do persistent mass rootkitting all in one go. Suddenly you've got a bunch of firmware-flashed infected devices; good luck, have fun, imagine the cleanup costs, or the massive billings for provisioning new devices. We could migrate all of them over to our ACS so the ISP totally loses control of them forever; we can do whatever we want. Now we've taken that ISP; that ISP is now us, we are the ISP. We're like these guys, who by the way have the most badass logos of all the intelligence agencies. You can start reaching into people's home networks, corporate networks, grabbing data, you can

tell the CPE device to start sniffing packets and send you back logs; you've got basically mass surveillance in a box here, or global domination. Yeah, that's pretty much it: have fun, take over the world. And thanks to all of these people: the organizers, yourselves, various people who have helped along the way, and software vendors for keeping me in a job. If you want to get in touch, contact details: I generally ignore email because I keep forgetting to answer it. Jabber, or more reliably Twitter, or this weird new Mastodon thing; I managed to bag myself a three-letter username on one of the instances, but it'll probably

fall over in a few days, based on the user count, yeah. [Applause]

[Audience question] Thanks. Who is it that's causing this crap, unless it's market pressure?

Honestly, I think we need to just burn the entire thing and start from scratch. I've been reading through the specs and stuff for quite a while. I think the first time I heard of TR-069 was when I was like 17 years old, chatting to one of my uncles who is a network engineer, and he was going on about it. He explained to me that's how the ISP was able to log into my router remotely and fix my internet, basically, and he was like, you know, it's basically a huge back door. And I was like, oh, I should look this up, but 17-

year-old me, at least, didn't have the patience to read through the massive bloody PDF of the spec and make sense of it. It was only a while later, when Shahar Tal started doing his work on it, that I got interested again. I went, oh, that's the stuff I was going to mess with ages ago but got really bored of, and now it was made interesting, and I realized it's screwed, there's too much crap in it. We could reimplement the whole thing from scratch way better using modern technology that's not rubbish; you could do it with JSON instead of XML and that removes all the XML

parser issues, which are never going away; you could have proper mutual auth, proper crypto. It's not going to happen, though. And so some of those will have this stuff enabled on them, and the ISP ones are pre-configured with the ISP settings. I know with some, at least the MikroTik one that I have at home, if I wanted to allow the ISP to do provisioning I'd have to input the stuff myself and let them have access to my device, which would end in tears. Lol, no. Mostly it's ISP-supplied stuff, but you'll find that a lot of people do configure it, or it auto-configures in the set-up-

the-connection nonsense. It's pretty much ubiquitous, like everywhere. There is a spec for that, I think it's 111, yes, it's in the hundreds, the spec for those. Yeah, feel free to ask some questions. [Applause]
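The stored XSS through the unsanitized CPE username described in the talk, seen from the ACS operator's side, as an added example that is not the talk's code nor any ACS product's: an allowlist check on the username at the Inform boundary, escaping on output in the admin UI, and a triage pass over stored device records to find payloads planted before a fix. The character set, the record layout and the sample records are assumptions constructed for this example.

```python
import html
import re

# Allowlist for the username a CPE sends in its TR-069 Inform. The exact
# character set is an assumption for this example; the talk only says the
# field was rendered and passed to SQL completely unsanitized.
USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")

# Fragments that only make sense as an injected payload, never as a username.
MARKUP_RE = re.compile(r"<|>|javascript:|\bon\w+\s*=", re.IGNORECASE)


def username_is_valid(username: str) -> bool:
    """Reject the value at the ACS boundary, before SQL or the admin UI see it."""
    return USERNAME_RE.fullmatch(username) is not None


def render_username(username: str) -> str:
    """Escape on output so the admin UI shows the value instead of executing it."""
    return html.escape(username, quote=True)


def scan_inform_usernames(records):
    """Triage stored CPE records: map serial -> 'markup' or 'invalid'.

    `records` is an iterable of (serial, username) pairs, e.g. dumped from the
    ACS device table after a vulnerable version has been in production.
    """
    findings = {}
    for serial, username in records:
        if MARKUP_RE.search(username):
            findings[serial] = "markup"      # looks like a planted XSS payload
        elif not username_is_valid(username):
            findings[serial] = "invalid"     # odd, but not obviously hostile
    return findings


# Constructed sample records, not data from the talk or from any real ACS.
SAMPLE_RECORDS = [
    ("CPE-0001", "cpe-0001@isp.example"),
    ("CPE-0002", "<script src=//xss.example/a.js></script>"),
    ("CPE-0003", 'bob" onmouseover=alert(1) x="'),
    ("CPE-0004", "first last"),
]

if __name__ == "__main__":
    usernames = dict(SAMPLE_RECORDS)
    for serial, reason in scan_inform_usernames(SAMPLE_RECORDS).items():
        print(f"{serial}: {reason}: {render_username(usernames[serial])}")
```

The escaped rendering only blocks the injection point the talk describes; the allowlist check is what keeps a payload out of the SQL statements and every other screen the value reaches.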