
Connected Chaos: Uncovering Router Vulnerabilities Via Cloud API Connections

BSides London · 2024 · 30:02 · 159 views · Published 2024-02
About this talk
Security researcher Vangelis Stykas presents findings from three years of coordinated vulnerability disclosure across cloud-managed router and network device platforms. Through insecure API implementations, he demonstrates how attackers can bypass tenant isolation, gain lateral movement access across devices, and achieve remote code execution on enterprise infrastructure. The talk covers six major vendors—Mimosa, Ubiquiti, SonicWall, Ruijie, Wi-Tek, and others—and argues for responsible disclosure practices including dedicated security contacts and timely remediation.
Transcript [en]

Hello, can you hear me? Excellent. First of all, really happy to see you all. We are at a tie right now; I don't know if I'm going to disclose the zero-day or not. So are you here for the zero-days or just for the fun part? Just make it fun? Okay, let's go. So my talk is, as Mr Baza said, "Connected Chaos: Uncovering Router Vulnerabilities via Cloud API Connections", which means that we are going to look at some routers that were not correctly configured. That research was in two parts: three of them were disclosed and fixed three years ago, two of them are still vulnerable, and we want to see if we are going to hack them.

That's me, Stykas. I'm the CTO at Atropos, which is a web application security penetration firm located in the States. I'm also a security researcher; my research interests are, obviously, if you're here you know it, APIs, IoT and general stuff. I'm also, in the past year, the person who goes after malware and their C2. You can find me at evstykas on Twitter, on X, or whatever it is, and my personal website is stykas.com, although I don't really update it.

So how it all started: it all started when someone had that great idea that he wanted to put his router on the cloud. A router is by definition on the cloud, but managing it from the cloud is easy, but not a great idea in my point of view. We're going to see routers, Wi-Fi access points, switches and generic connectivity devices. I have this really nice picture which explains what the router is: it's the device that all your devices connect to so that they can get internet. Honestly, if you don't know what the router is, router, however you pronounce it, you probably need to do some reading. What are the router's responsibilities? Provide access to all devices, I just said. Some of them have VPN capabilities, so you can have point-to-point connections. Some of them also have a firewall, so that they can protect you or deny my access to your network. And usually they have access to most if not all of the internal network devices and subnets and VLANs and everything else.

I had to Google to understand why people use cloud-managed routers. So the bare advantages are: out-of-band management; built-in security, which prevents unauthorized access to applications; ease of scalability and extensibility; in-depth defense with integrated security; and comprehensive insights and reporting. So this is how I see it. The out-of-band management means out-of-band hacking. The built-in security, it's like, come on, it's really not. The ease of scalability and extensibility means that if you hack the cloud, you hack everything. The in-depth defense is so in-depth that you just need to know how to count to hack them; we're going to see later. Most of the people here know that I'm just a plus-one guy, so my hacking is just counting and changing numbers. And the comprehensive insights and reporting make it way easier to identify and move laterally on the network.

My toolset, that's a slide that I use pretty much in all my talks: Burp Suite; JADX the decompiler, if there is an Android developer app; a browser; enough patience to read through all your Burp logs; and the friend who owns all the devices, so that you are not breaking the CMA.

The methodology that we are going to use is: we're going to find the cloud URL, we're going to create an account on all the clouds, review the traffic, break out of our account, and then report that vulnerability for a year or two and wait for it to be fixed. It's not going to be fixed. The goals: move laterally; by laterally I mean access devices that you shouldn't access, other devices; access services from the cloud; and if possible get remote command execution on the devices. How did I do? All the devices, all the cloud routers that are in here, all have obviously some kind of issue, so on all of them I could move laterally and access other devices. On all but one I could access other services too, and on all but one I also had remote command execution on devices.

First one is Mimosa. I don't know who is familiar with those devices. They were acquired by Airspan Networks. They specialize in long-range, high-speed antennas. They're doing some military stuff for Israel and the US, at least that's what they have announced, and they are easily configurable from the cloud. The vulnerability that we're going to show was released and fixed in 2020. What you are going to see is, when you were registering a user, you could just say on which organization you will be registering this user to. You wouldn't have to be a member of that organization, and you could make him an administrator. So you could be an admin on the organization with the ID 5 and you could make him an administrator on the organization with the ID 8, which is not actually secure, it seems. What I was able to do: access and control devices; I could access and move laterally on all the internal networks; and I had remote command execution on all the antennas. That's how it should be: I reported something on the 7th of August 2020, it was fixed on the 10th of August 2020, I verified the fix. It was just one business day. They were really, really, really good. I'm also introducing this nice meter, the give-a-[ __ ]-ometer: they give all the [ __ ]s of the world, they fixed everything, they did what they should.

Grandstream. They are really known for their PBXs. They're Boston-based, founded in 2002. Their ownership is kind of strange; I really couldn't find who owns them. They're known for their PBXs and their Asterisk servers. Spoiler alert: there's going to be a talk later this year for their Asterisk cloud. It's not the same talk, but a different one. So they don't really know how to cloud, it seems. They entered the Wi-Fi market a decade ago and they're also easily configurable from the cloud. The vulnerability that I had is, as you can see, you could add a user to any network ID. That network ID didn't have to be yours. You could add them with any role ID, and you could have access to change the Wi-Fi password, turn all devices off, get access point info, get the SSH password, get the system log, get all the info about the devices that were connected to that Wi-Fi. They were pretty good too. As you can see, by the 7th of August 2020 I reported the bug and in 10 days I was notified that a patch was issued, and I confirmed that the issue was fixed, was resolved. So all in all, as you might see, they are also really good. But I was teaching my kid, my younger son, how IDORs work, don't judge me, that's me. So I teach him, I try to explain how IDORs worked and how they fixed it. Last March, last January, the exact same thing happened, three years later. I reported it; they fixed it in a month and a half. There's a special place on Earth for people who reintroduce the bug that you have reported and then take more time to fix it. So my give-a-[ __ ]-ometer is: they at least fixed the issue, so that's good enough in my point of view.

Okay, SonicWall. Is anyone familiar with SonicWall? They are a security, a cyber security company based in the US. They were owned by Dell; now they're owned by, I don't know, some kind of VC. They were sold for 2.4 billion and the current valuation is 4 billion. They do all things networks. They have been a software-as-a-service provider for the past 10 years, and they had that vulnerability. As you can see, I could add a user to any party group ID. Can you see the yellow thing in there, "party group ID"? It seems like an IDOR, doesn't it? Right, let's keep that in mind; let's see what they said later. What I could access was routers, firewalls, VPN, security reports, all the SaaS web application, cloud app security. I was admin in their cloud infrastructure. It took them long enough, I guess, considering that I was root in their cloud. So I had to chase three times, and on the 25th I had to go directly to their CISO on LinkedIn to fix it in 48 hours. That's what the CISO said; they also said that once he knew, in 48 hours it was fixed. So "any exploitation of the vulnerability would first require a hacker to obtain an account, blah blah blah blah, a specific tenant ID, which are fully protected and not publicly available." It was a [ __ ] integer number. I just had to count, to go up and down one. But yeah, fully protected, as you see it. "And then associate a new user with a tenant ID." Like, okay; like, not okay; not really. Bad: fresh out of [ __ ]s. And that was all my research that was done three years ago.

Um, let's do another thing: should I disclose those zero-days or no? Yeah? If you want, raise your hands. [ __ ] Okay, let's go.

So keep out from here on, I'm going to give you some really good hints. I'm not going to give you the exact request, because that's illegal, but if you want to go and look at it, I don't know, go. Ruijie: it's one of the biggest, come on, China-based and known Wi-Fi providers. Their valuation is 4.5 billion. They do all kinds of network devices, so they have routers, Wi-Fi, pretty much everything that has a cable or goes through TCP, they create it, and they're easily managed and controlled from the cloud. Which, yeah, I really love that statement that 15% of sales income is invested in R&D and over 30% of that R&D funds is high-tech pre-research, whatever the heck that means.

So the IDORs were not IDOR, it was not really IDOR-able, because they had to be on the same tenant, and they used the one-network-per-tenant configuration. But not all of the requests were bound to a tenant. One of them, the remote access in the create tunnel, and some others, were not tenant-specific, so they were vulnerable. What does that mean? I don't know if you're familiar with AWS; if you are not, I'm really happy for you, stay like that. So there are two or three things that don't have a region in AWS. That's the same thing with Ruijie: one of them was the create access to that device, and that device had also a really strange integer. So if you can count, you can probably go in there and create a tunnel to a device ID that has either a lower or a higher integer ID than the one that you are creating right now. And what you could have: you could access other devices, you could access internal networks, remote command execution, VPN access, configuration backup, and at the end of the day total access, because you have access to the router. I cannot really underestimate what having access to the router means; it means that you could add the VPN there and connect to it directly.

So if my report was a kid, it should have started walking by now. My first report was on the 2nd of December 2022. I re-reported on the 24th of December 2022, because that's how I like passing my Christmas, reporting bugs. I then sent 43 more emails. I had two different journalists reach out to Ruijie, because, I don't know, I wanted it fixed before I talk about it. I connected to 28 different employees on LinkedIn and talked with them. I sent Twitter DMs, I sent Twitter mentions, I also had BSides London mention them. They, like, nothing, nothing at all. But at some point I saw, I think it was in August, there was "new design, new experience", so I was really hopeful that they fixed everything. But the new design was just that they changed from a JavaScript library to another JavaScript library; the back end was 100% the same, the vulnerability is still there. Sorry, like, they really don't give a [ __ ] about anything. We can release that talk and they're not going to fix anything. And again, it's a company with a 4 billion valuation.

Last one, Wi-Tek. It's a Wireless-Tek-owned subsidiary, Shenzhen-based, it was founded in 2008, it has an unknown valuation. They create CCTV, wireless ISP, WLAN and fiber-to-whatever, SMB networking. They created a cloud back in 2018 and I don't have to do a proper disclosure of them: they have no kind of authorization. Every ID, every parameter, no parameter is checked at all at any point. You can just change IDs and see other people's devices. So I could access devices, I could access internal networks, I could get remote command execution, I could leak data, I could get all that, I could do pretty much everything. I was root in their account. And their disclosure procedure, that's a little bit better, it's just nine months. I reported on their help desk on the 2nd of March. The case closed, I hope automatically, on the 2nd of April. I then re-reported again on the 2nd of June 2023. My case was closed and I also got an email that said "your email is banned", because they didn't want to do anything with me. On the 23rd of June, after my birthday, that's how I pass my holidays and my birthdays, I just report bugs, I'm just a weirdo, I emailed the bug, I didn't get anything. I sent nine more emails, I Twitter DMed, I Twitter mentioned, I sent a LinkedIn invite, they didn't accept me, one of them also blocked me. So I think that's, again, they don't give a flying [ __ ].

And we're coming to the strange position where I have to say my point of view and how I approach these kinds of things. Am I the baddie? Like, I'm giving everyone that I found my really simple vulnerabilities. I'm a simpleton. I don't like doing super strange stuff; I cannot do it, it's not that I don't like it, I'm not competent at doing reverse engineering or simple stuff, I'm just counting and finding things. All of them are as easily fixed as they're found. But at some point there is a red line that I have to pass and say I'm going to publish that, because it's insecure, and if we are talking about a company that is in the billions of valuation, they should do better.

How the companies should handle these kinds of issues: have a security contact. I cannot stress that enough. I found something, I want to just go and find a security contact, I don't want to search about it. And also another thing: if you have a bug bounty, don't accept only requests from the bug bounty. I don't want the money, I want to report it and then publish it. I don't want to go into a bug bounty that might or might not give me money but will also have an NDA with it. Respond promptly: send a response in a day, in a week. You have to say, yeah, we have gotten your vulnerability disclosure, we are going to work on it, and we're going to say if this is an issue. Provide a timeline when you try to fix things. This timeline doesn't have to be 90 days; I, and I think most of the researchers, are open to a normal timeline. You cannot say that you are going to fix an IDOR in three years, but if you say this is deep inside my code, or this cloud is being decommissioned so we need to have some kind of engineer back from his other stuff, you are going to get some more months. Communicate with the researchers again: explain to them what the issue is, how you're going to approach it, and if you can, provide CVEs. I know I don't have CVEs, because cloud means no CVEs; I'm okay with that. But if someone has reported something on your device, please provide the CVE, because that will help the researcher and make him a better person. Security advisories and changelogs: when you fix this, disclose it, issue an advisory, say what was fixed, and if someone was affected, say that this person was affected. And that's not great for me, but if you can provide a bug bounty or something to the researcher that spent his time to research this thing and give it to you, do it.

The researchers: stay legal. I cannot stress that enough. Please don't go and plus-one stuff that you don't own, because you will end up breaking the CMA, you will end up in jail. This is ridiculous; don't do it. Respect the privacy of everyone: don't go around accessing other people's devices. BSides London said a really good thing: don't go around spamming BLE, don't go around taking advantage of things that you shouldn't. Make all the effort of the world to contact the company. That's, as you have seen, way more difficult than it should be, but you should try and retry and retry and hope that at some point they're going to respond. Properly report: don't just say "oh, there is a vulnerability in your cloud"; you have to send the full thing that says this parameter should be checked, this has an SQL injection, or this parameter has to have proper authorization checks. Don't be a beggar, and by that I mean don't ask for a reward. If you want to earn money, there are proper bug bounty platforms that you should use, and not just go and randomly hack clouds to ask for money. And, I don't know, if you are a company, be a Mimosa, not a Ruijie. You have to act better. Thank you for my talk.

I don't know, can we do questions or no? No? Yeah? Cool, we have a lot of time. So if anyone knows... Okay, give it to him.

"What do you mean, no CVE, if you are in cloud?" Well, there's no CVE in the cloud. "You still can arrange the CVE." No, there's no difference? No. Go ask a CVE board; they're going to say this is something which is cloud-based, so we are going to have an advisory that says this, but this is not a product that you own, so there's no CVE. I don't know the reason; I'm with you on that. I have done like 90 of them and no CVE, so tough luck, I guess.

"How many systems did you test in total to identify these five targets that were vulnerable? Like, what's your hit rate?" Way more than my wife would allow me, because I have to buy most of them. But I would say, depending on the industry and the origin of them, 10 to 15% are vulnerable. Depending, like, the medical stuff is usually more vulnerable. I know this sounds bad, but it is what it is. Anyone else?

"You famously say that you plus one or minus one. Do you ever just go rogue and just plus two?" I once used one, yeah, that's me, I'm simple. Anyone else? We have to walk, sorry. Do you want me to walk there?

"Have you tested anything else other than these cloud-connected routers, such as IP cameras or, you know, baby monitors, that type of stuff that are all cloud-connected too?" I have tested pretty much any IoT that you can think of. You can Google my name plus IoT camera, you're going to see something; IoT wallets, not wallets; cameras, chargers, photovoltaic. Like, if you can think of it, I probably have looked at it. Most of them are failed attempts, but yeah. Anyone else? Oh, next.

"There's some obvious organizations that sprung to mind when I saw what you were talking about, and I was thinking about, obviously, ISP routers being something that gets cloud-managed, like using TR-069, or like this Mori stuff that's cloud-managed. Would there be any recommendations on how to make them most secure?" I didn't understand the question, sorry. So what is my recommendation for the people who use those routers as their own routers? I don't know, disable their cloud. I don't know if it can be disabled. I don't see the point in a cloud-managed router, I don't see the point at all, but I'm not an IT person. I think it's way easier for them to manage it remotely, but these kinds of things happen; all vulnerabilities happen. What I usually say is go with a company that will fix the vulnerability as soon as possible and work on it. So don't go with Ruijie. At some point they're going to fix it, I hope; right now that it's out, somebody will go rogue and hack the world and they're going to fix it, but it's been there for a year. Vote with your money and go with a company that is really good, that is good enough, that is giving a [ __ ] about your security too. Okay, I think we're all...

"Oh, I didn't hear it. What's the worst industry to interact with?" Photovoltaic, I think. Like, routers usually respond; photovoltaic, like one out of nine reports that I sent had a response. So right now there are eight photovoltaic PV clouds that you can turn off, you can have RCE, you can do whatever, and they don't really care. So I guess, for the volt, in my point of view, there might be worse that I haven't looked at. Thank you guys. [Applause]
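The tenant-isolation bug the talk describes for Mimosa (a "register user" call that accepted any organization ID and role without checking the caller's membership) modelled in Python, as an added example that is not any vendor's code: the vulnerable handler beside the fixed one, plus a detection that flags user-add events whose actor was not an admin of the target organization. All user names, organization IDs and audit events are constructed.

```python
"""Tenant-isolation check for a cloud-management API (added example, not any
vendor's code). It models the pattern the talk describes for Mimosa: the
"register user" call took an organization ID and a role from the request,
and nothing checked that the caller belonged to that organization.
All names, IDs and audit events below are constructed."""

# Constructed state: (user, org_id) -> role. Org IDs are small integers, as
# in the talk, so a caller can reach neighbouring tenants just by counting.
MEMBERSHIPS = {
    ("alice", 5): "admin",
    ("mallory", 5): "admin",  # attacker: a legitimate admin of org 5 only
    ("bob", 8): "admin",
}
ROLES = ("admin", "viewer")


class Forbidden(Exception):
    """Raised when an authorization check fails."""


def add_user_vulnerable(caller, target_user, org_id, role, memberships):
    """Vulnerable: only checks that the caller is some authenticated user,
    then trusts org_id and role straight from the request body."""
    if not any(u == caller for u, _ in memberships):
        raise Forbidden("not authenticated")
    memberships[(target_user, org_id)] = role
    return True


def add_user_fixed(caller, target_user, org_id, role, memberships):
    """Fixed: the caller must already be an admin of the *same* org_id the
    request names, and the role must be one the API defines."""
    if memberships.get((caller, org_id)) != "admin":
        raise Forbidden(f"{caller} is not an admin of org {org_id}")
    if role not in ROLES:
        raise ValueError(f"unknown role {role!r}")
    memberships[(target_user, org_id)] = role
    return True


def run_scenario(handler):
    """Replay the talk's scenario: an admin of org 5 tries to make herself
    an admin of org 8 by changing one integer. Returns the outcome."""
    state = dict(MEMBERSHIPS)
    try:
        handler("mallory", "mallory", 8, "admin", state)
    except Forbidden:
        return "blocked"
    return "cross-tenant admin" if state.get(("mallory", 8)) == "admin" else "no change"


# Constructed audit events a backend might log for user-add calls.
AUDIT_EVENTS = [
    {"actor": "alice", "org_id": 5, "target": "carol", "role": "viewer"},
    {"actor": "mallory", "org_id": 8, "target": "mallory", "role": "admin"},
    {"actor": "bob", "org_id": 8, "target": "dave", "role": "viewer"},
]


def find_cross_tenant_grants(events, memberships):
    """Detection: user-add events whose actor held no admin role in the target
    org. Any hit is a tenant-isolation bypass or an authorization bug."""
    return [e for e in events
            if memberships.get((e["actor"], e["org_id"])) != "admin"]
```

Running `run_scenario` with each handler shows the same one-integer change succeeding against the vulnerable handler and being refused by the fixed one; the detection function is the same membership check applied retroactively to logs.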