Exploring the Hidden Attack Surface of OEM Routers

Delve into the hidden vulnerabilities of OEM routers in this 45-minute conference talk from Ekoparty 2022. Explore the challenges faced during the analysis of a top-selling router, leading to the discovery of a zero-click remote unauthenticated RCE vulnerability (CVE-2022-27255). Gain insights into the poor state of firmware security, where vulnerable code introduced down the supply chain often goes unreviewed, potentially causing significant impact. Learn how this research demonstrates that security is not a priority for vendors and opens opportunities for attackers to find high-impact bugs with low investment and minimal prior knowledge. Presented by Octavio Gianatiempo, a Security Researcher at Faraday and Computer Science student at the University of Buenos Aires, this talk combines expertise in reverse engineering, fuzzing, and vulnerability exploitation with a unique background in molecular biology and neuroscience.