Ta-Lun is a Sr. Vulnerability Researcher at TXOne Networks, with focus on compromising everything that runs on 1 and 0’s: robot protocols (BHEU 21), proprietary bluetooth protocols (BHEU 19), QNAP NASes and factory HMIs (CODE BLUE), WinCE PE binary repair tool (hardwear.io USA).

Backdooring an entire country’s 4 million modems with 6 bugs in a week

Telecommunication industry is one of the crucial sectors, and we’ll demonstrate how we have found how we found 6-bugs in a week in a particular telecommunication company, while chained together, allows full takeover launched from the Internet, to network infrastructure, to all modems of the country, and an estimated of 4 million devices can be affected. 

The research stems from a study to reversing engineer of Passive Optical Network (PON) modems. Assuming a dedicated nation-actor’s perspective, we have put every attack surfaces including firmware, software and hardware under extensive study, and have found 6+ critical vulnerabilities, misconfigurations within telecom’s network infrastructure, to the modems provided to the end-users in the country. We’ll also demonstrate an attack scenario where modems could be backdoored while undetected, being able to participate in botnets to be further weaponized. We’ll not only present the findings, but also the way we have found it, including attacks from a hardware hacker’s perspective and demonstrating the feasibility of the attacks: how we started from board component analysis to flash dumping, firmware analysis, ISP compromise, and finally, compromise of all modems. 

We’ll also present a couple of viable defense options for vendors to further strengthen their defense in end-user devices, even in a hostile environment. We’ll also be elaborating on how disclosure process went with such kind of vulnerability, as it requires cooperation from multiple parties, in the situation when it’s not just vulnerabilities, but also a national security concern.