So our next speaker is Darren Martin. Hi. Hi. He's going to take a look at one of the things he's been looking at for the past while, TR-064, I believe, which is used a lot in the UK and Ireland, and all over the world, in customer premises equipment. So he's been doing some work on that and he's going to talk about it. I read on his Twitter account that he once got rickrolled by the NCSC in the UK, so I'll leave it to you if you want to discuss that, or I'll leave it to the Q&A to see what that was all about. I'm not sure if anyone is trying to recruit us here, but please do if you want. So let's hand it over to Darren and give him a round of applause. Thank you.

Thanks. All right, so hi everyone. I'm going to talk to you about TR-06FAIL: another CPE misconfiguration management disaster, which is a bit of a mouthful, but hopefully it'll make sense in a minute. So who am I? I'm a software arsonist at Xiphos; I burn down full software stacks for fun. I love playing with embedded software and embedded weird stuff. Before that I was a forensics student, a pharmaceutical student and an internet miscreant.
So it's been a bit of a weird way of getting here. I also absolutely despise XML and everything to do with XML and its weird angle-bracket bullshit, which kind of sucks because every single bit of this research involved dealing with tons of horrible, horrible XML stuff. The hate kind of drove me and helped me break more things. And again, as I was introduced, I once got rickrolled by the NCSC, which is the British government's cyber-something-something group, because apparently they've tried to develop a sense of humour.

So what I'll be talking about is some wonderful protocols: TR-064, which is full of holes, and TR-069, which also has a bunch of related flaws; hacking ISPs' ACS servers so you can take over the world; and a bunch of other miscellaneous bits in between, in no particular order, because I don't know how to order a slide deck in a logical format.

Before we begin, there's some wonderful prior art at CCC and DEF CON. There were a couple of talks by Shahar Tal: one was "I Hunt TR-069 Admins" and the other was his work on the Misfortune Cookie bug. They're well worth looking at, because they contain a lot of the prior art that led to me being able to do this work. There are also links to the specifications for the TR-069 and TR-064 protocols in the slide deck. You might want to download the protocols and go mad trying to make sense of them, because they're a complete mess, but they're good to read through and try to make sense of.

So firstly, a primer. What "TR-" followed by some numbers means is a specification put out by the DSL Forum, which is an industry working body of internet service providers who come together and come up with these really stupid protocols to try to get interoperability and compatibility, so everything works together.
Of course, none of it works, because it's all shit that's signed off by committee. They try really hard, and the two I'm going to be talking about are TR-064 and TR-069. There are a whole bunch of others; they're all disgusting in their own special and unique way, and I'm fairly sure they all involve XML somewhere.

So TR-064 is LAN-side DSL CPE configuration, that is, configuring a CPE from the LAN side of the network. The specification outlines this wonderfully hideous SOAP-based protocol that allows you to set up your router. Back in the day you'd get your broadband router from your service provider and it came with an internet setup disk; you'd connect up your router, put the disk in, and the disk would use TR-064 to talk to your router and configure it. So it would do all the setup stuff over this SOAP service, which is only supposed to listen on the LAN side, but we'll get to what happens there later.

TR-069 is CWMP, the CPE WAN Management Protocol. It's for the other side of the network: it's so that your ISP can manage the router in your house remotely. Not to beat around the bush, it's effectively a back door, so your ISP can snoop on your stuff, see what devices are on your network, reconfigure your stuff and do tech support calls. The spec outlines this disgusting protocol for management of CPE over the WAN. It's also SOAP-based, it's also got a bunch of Jabber stuff in it for no fucking reason, and it's on Amendment 5. There'll probably be an Amendment 6 soon, because they can't make up their minds.
They just keep adding more stuff to it. So we'll start with TR-064, the LAN-side one. It allows managing any setting on your home router: DNS servers, the ACS server configuration, wireless security settings and all of that. The idea with TR-064 is that if you're on the LAN side, the trusted internal network side of a device, you should be able to manage it. So instead of doing what normal people do and using something normal like SNMP, they invented their own shit protocol to do this, and it comes with a bunch of these wonderful security requirements, because they actually thought about the word "security". So it says stuff like: any action that allows configuration changes to the CPE must be password protected; access to any password-protected action must require HTTP digest auth; and sensitive information such as passwords must not be readable at all. These are MUST and MUST NOT things, and you'd think the people implementing it would stick to them. It's not explicitly stated in the spec, but this is only supposed to listen on the internal network, the LAN side of a device. It's not supposed to be exposed to the internet at all. So we know how this story goes.

What I found was: password protected? God, no. Nobody seems to have bothered implementing that. Fritz!Box have actually implemented password protection, but there's probably a default. That stuff about not being able to read passwords in plain text?
Oh no, we can't be bothered sticking in dummy values or any of that nonsense. Of course we're just going to let them be readable in clear text, no crypto there. And of course, because it's a shitty embedded device, it's accessible over the internet, because why not? We might as well make your router configurable by somebody halfway across the world. Also, one of the implementations I was looking at came with a bonus trivial command injection bug, just to make it even worse.

So the obvious outcome, and why this matters: some pretty serious stuff happened when people started looking at this and when this got out. Those of you from Germany might remember when Deutsche Telekom decided to cease functioning for a while. The poor chap who did it was recently in court and was given a suspended sentence. He was an English guy who got caught because somebody decided to worm the command injection bug and infect like a million routers, but the worm was a bit sucky, so it ended up just toasting the internet for loads of people. And it wasn't just Deutsche Telekom. TalkTalk in the UK, I know you're familiar with the ISP TalkTalk: if some other ISP screws up really badly, TalkTalk are like "hold my beer, I got this", and they jump straight in and try to fuck it up even worse. So TalkTalk got completely wrecked. Demon Internet, Post Office internet, Eircom in Ireland (now known as Eir), they all got absolutely destroyed. Customers' internet just ceased functioning. In some cases they apparently had to ship replacement devices, they had to ship out firmware updates, they just scrambled to try to fix it. People's wireless keys were being stolen remotely and it was complete bloody mayhem, and they were all kind of going "oh shit, we should have fixed this when we were made aware of it ages ago", but they didn't, so whatever.

Who was behind this?
Where's our attribution party? Who done it? Do we roll a dice, it lands on Iran and we blame them today, like ClownStrike do? No, it turned out to be script kiddies from the internet. OK, that slide is completely unreadable, but basically, in the NewNTPServer variable that you can send to the device, you just stick in some backticks and whatever shell commands you want to run on the router, and it just runs them as root. So these guys were spaffing these all over the internet, wget-ing down a piece of malware, then continuing to run. And they'd written quite an efficient little worm, for a bunch of script kiddies, and all they wanted to do was packet the crap out of things. And here's the mandatory IDA screenshot of their malware with the spready bit, because you can't talk about anything malware-related without having an IDA screenshot; it's how people know you know what you're doing. See this lovely little binary that spread itself all over the internet and fucked up the internet for loads of people. Also, they could DDoS kiddies on Xbox Live, or whatever it is script kiddies do.

So it wasn't the first time that this piece of software in particular had had issues. Before the TR-06FAIL bug, which completely toasted the internet for loads of people, we had Misfortune Cookie, disclosed at 31C3 by Shahar, which affected the same RomPager web server. It affected the TR-069 component, though, and it was this wonderful bug. It was effectively what I'd consider the simplest form of write-what-where, because, as you'll see in a minute, you could overwrite configuration variables on the device remotely by memory address, as a key-value pair in the cookie. So this is one of the proof of concepts, from a guy called Kenzo, for a specific Eircom router, and basically the "C" followed by numbers string is where you want to write to, and what it's equal to is what you're writing to that location. So it was a really trivial bug
to exploit, and if you screwed it up the router would just reboot and you could try again. That particular payload for that particular router disables the authentication for the web administration panel, and it also disables the firewall, so you can then remotely reconfigure the router as you see fit. You just send one request and boom, the router suddenly opens up, open sesame. Which I thought was quite magic and quite a wonderful fuck-up.

So now we've moved on to TR-069. TR-069 is another DSL Forum spec. It's got a bit about security in it: it supports TLS, it supports authentication. The protocol is complete garbage. It was designed by committee, where everyone had their one bit that they wanted to put into it, and none of them quite agreed, so they put all the shit together. It's like the XML fan club decided to design something. I don't know if there are any XML fans here, but you'd love this. Oh, we've got one right there, the one XML fan.

So in TR-069, TLS is optional. You've got some setups that are just clear text; you've got some with wonderful mutual auth, client-side certs and cert pinning, which is all pretty cool. It really varies; it depends on how it's set up. The authentication is also optional. CPE-to-ACS will tend to use basic auth, but it doesn't actually use it for auth: quite often the password is shared across all users, and the username is used as an identifier for the device. If the ACS is talking to the CPE, you've often got TLS with a client-side cert, or it'll just use a shared secret that you can extract by reverse engineering the firmware of a router, and it's probably something shit like "broadband1", in the case of one ISP that's quite large.

Yeah, TR-069 is like XML. So it's got some STUN, it's got some SOAP for some reason, it's got Jabber in there, no idea why there's XMPP.
I think they just said "oh, this is also XML, we'd better add it", you know, keep all the XML heads happy. It's an implementation of "let's build the biggest attack surface we possibly can and then put it on the internet to manage millions and millions and millions of devices". This stuff probably runs in your home: there's an XML parsing gubbins on your wireless router that's doing something with this shit, probably.

So I mean, we can take for granted that the CPE end is internet trash. It's the cheapest manufactured little plastic box of blinking lights that your ISP buys in bulk and ships out to you, and it probably has rubbish security. But surely the internet service providers themselves take their internal security seriously, we hope, and surely they're securing their servers super well, and they're really good at this, and they have professionals. Surely the ISP end of this magical contraption of crap is rock-solid enterprise software with a support licence, probably run by Oracle or something, really good. Surely it can't be that bad. I mean, you've got a committee of XML heads who designed this stuff, but surely it can't be that fucking awful. Well, you're about to find out how bad it is, and it's pretty grim.

So I thought to myself: take the threat model of a 12-year-old, right? You've got a 12-year-old who wants to take over the world. OK, we've got a 12-year-old who wants to do world domination, so they want to hack a load of routers. They want to hack millions of routers. They want to build the biggest Internet of Shit botnet ever so they can packet people, or do whatever it is script kiddies do, and they pwn your router because this is the thing they do these days. So we've got a lazy 12-year-old or 15-year-old or whatever, a teenage script kiddie who wants to take over the world.
That's the threat model we're working with here. But we want a really lazy one who doesn't want to actually go and hack routers one at a time, or do any scanning or any of that, because that's hard and takes effort. So our threat actor here wants to hack all the routers at once, in one go, in one shot, with no effort. So I said, OK, this is probably possible. This protocol has enough horribleness in it, and there's enough crap software using it, that this should be pretty easy.

So, yeah, I decided to start auditing ACS servers. Instead of hacking millions of devices one at a time, even with scripts and bulk scanning and stuff, you just hack the one thing that has access to all of them. It seems like the logical single point of failure. So I've been auditing these things in my free time. I've been looking at all the open source ones and found they're all fucking horrible. They're disgusting messes. So I'm going to talk now about some of the findings, some of the vulnerabilities we found, none of which have been patched yet.

Audited so far: FreeACS, which is disgusting. I actually feel sorry for the developer; I think FreeACS is one person and they're trying really hard to maintain this piece of software, but no, they should just stop. It's beyond repair, it's grown too complex. They should just stop and find something else to do. OpenACS is a complete piece of shit that barely works; it's abandoned. The person who wrote it clearly put a lot of effort in at once and then realised they were going down the path of madness and stopped. LibreACS, the fork of OpenACS, is also abandoned. It's the same shit.
It's the same bugs. I found a PHP CWMP library, a PHP ACS that people are using in production, and it's written in PHP, so it's going to have problems. And there was also perl-cwmp, because apparently XML people love Perl, or Perl people love XML, or whichever, so I decided to look at that as well, and we found some pretty fun stuff.

So the disclosure timeline: for FreeACS, found bugs, weaponised the bugs, made some really reliable exploits, dumped them on the internet. Now, still unfixed. It's August now; they were public knowledge when I dumped them on GitHub in April, for FreeACS specifically, and nobody really cared. I haven't seen any ISPs melt down yet, so whatever. And you're going to see just how really, really trivial these bugs are.

FreeACS is quite old; it's been around for a while. Again, one person or group. It uses Tomcat, which is Java horrendousness, because XML and Java get along, and it uses MySQL. So I was like, oh no, I'm going to have to read Java. I don't like doing that; I don't have time for that. It advertises itself as "the most complete TR-069 ACS available for free under the MIT licence", which is a pretty specific claim, because I don't think there are any other ACS servers under the MIT licence, so we can't contest that claim at all. However, I also read "most complete" as "most attack surface", right? If you implement all this bullshit, you're going to screw up somewhere. And if any of you want some fun, or want to go mad reading somebody else's Java, you should audit this software as well, because I've barely scratched the skin of the attack surface, and it's both huge and massive and attack-surfacey.
So you're going to find something within about 10 minutes. Why did I really pick on FreeACS to hammer on? These are the install instructions: wget this dodgy shell script over HTTP, run it as root, and then complete the remaining bit of the installation. So their shitty shell script, which you download in plain text and just run as root, doesn't even finish the install. It just does half of it, like 90%, and you end up spending ages editing configs because their installer sucks. So we're off to a pretty good start.

So the default logins: there are actually ones with these login creds on the internet. You can find them in Shodan: admin/xaps. Nobody seems to change it because the change-password dialogue is a few menus deep. So you will find them. A Shodan query is "FreeACS"; for Google, intitle:"FreeACS Web". You can try Censys, Bing, you could use some of the wonderful mass scanning tools for these yourself, or whatever.

Post-authentication, this ACS server is like a cross-site scripting testbed with optional device management features. Pretty much every parameter you can put user input into turns into a cross-site scripting bug, so it's a really good way to test your XSS scanner. All that's post-auth, though, so we'd have to log in first, and maybe they have changed the password. But here are some screenshots of alert boxes anyway. So the first one I found, and then another one, and then I had to start numbering my alert boxes.
So I was losing track of which alert box I put in was coming out the other side. See, it's pretty grim. But I think post-auth XSS isn't all that big of a deal. What I want is a bug that's pre-auth: no authentication to the device required, I can just pwn it remotely with no idea what the creds are. I wanted it to be remote, so I didn't want any local bugs. I wanted a remote exploit that was super reliable and would give me at least privileged access, like an admin role in the ACS, so a complete compromise. And I wanted to do it easily, because my threat model is a 12-to-15-year-old script kiddie, so I was looking for something that wouldn't take too much effort.

So the pre-auth attack surface is pretty enormous, and I was thinking about this for a bit: what interacts with the ACS server without auth? Well, I guess it's a CPE device in somebody's house that has to chat to the ACS. So I set about writing a TR-069 client. I started off by creating a valid CWMP notify message. This is an example; it's barely readable, but basically it POSTs a bunch of XML garbage. And I thought to myself, oh shit, I have to write a fuzzer that generates valid XML and does stuff, but there's loads of key-value shit there. So I tried fuzzing the XML. I found there were a couple of DoS bugs that killed the ACS server, because the XML parser in it sucks, so I was able to get it to shut down a bunch of times, stop working, hang and kill my VM. But I got bored of this really fast, so I thought, is there something else that I can get along with that might give me more interesting results than just denial of service bugs?

So, thinking: there's the XML. I don't really want to play that game anymore, bored of XML. What about the CPE-to-ACS auth, the basic auth header? The basic auth spec is pretty loose; you can put whatever the hell you want in there.
So it seemed like a pretty viable fuzz target for testing various things. And, oh yes, it turns out that this particular ACS server used the basic auth username as a device ID, and used it as the unique-ish identifier in the database. So this piece of input gets put through a database and a bunch of queries, and shows up in the UI. There's loads of potential attack surface just in that code path.

So I had a look. The too-long-didn't-read: the basic auth username gets put into a SQL query, it doesn't get sanitised, and then the SQL query gets run. So you end up with a super easy to exploit-ish second-order SQL injection bug. However, there is a character length limit, so I couldn't get any useful SQL in there, because I suck at manually crafting SQL queries, and I just thought, oh, the hell with this, I'll find another bug. However, if you just send a single quote as your basic auth username, the ACS server will cease functioning forever. It'll just stop, because every time it tries to do anything it will trigger the SQL injection again, screw itself over and crash. So you can perma-DoS it with one single quote.

So I thought to myself, hmm, this is a good path. The username is unsanitised, the username pops up in the UI a lot, there's clearly no sanitising going on, and we already know it's full of XSS. I thought, what if we could get an XSS injected in there that pops out in the admin session, so we can jack the admin session? And, yeah, it worked. So we found this remote persistent XSS in the basic auth header: unauthenticated, we send a CWMP notify, and the cross-site scripting pops out on the admin side and exploits the admin. So we just jacked their session.
There are a few payload limitations, but it's really easy to do. So that was my first test case of "yay, it works". And then I thought I'd get it to load a remote script to get around the character length limit, and it worked. Then I thought, right, I now have to write a bit of JavaScript that'll take over the ACS server entirely for me. So I was looking, and I was like, oh, I'll just make it add a new user. Adding a new admin user is just a POST request, and there are no CSRF protections or XSS protections or any of that nice web app sec stuff that we've had for years going on there. So I thought, I'll go to Stack Overflow, copy and paste some JavaScript to send a POST request, stick that in my payload, and will it work? Can we build it? And, um, yeah.

So I hacked together this disgusting proof of concept that sends a notify message, gets an Inform response back, spins up a web server with the JavaScript payload on it, and then it gets injected into the admin session, and boom, you get a new user added, and it notifies you at the end. So you send this, and then when the admin logs in they'll get cross-site scripted, which happens silently in the background. The alert box is for debugging and to show that something happened. Yeah, it adds a user, and the user shows up with admin = true. So you've just taken over the entire thing. It's a remote unauthenticated admin takeover bug which is trivial to exploit, no effort.

So what do you do next? Well, you can scan the internet: Shodan, Censys, Google, whatever. You just spam out your payloads at all of these ACS servers, and within a day or so you'll have hacked them all. It's super easy.
I'm surprised it hasn't happened yet. And then you have admin access to millions of routers with just a handful of POST requests. So it's game over for all those ISPs and their customers. Hack the planet.

Then I thought I'd look at OpenACS and LibreACS, which were the next audit targets. It took me ages to get them to work, because they're shit and the documentation sucks. So I set them up as per the documentation; then I realised they barely work. There's not much to go on with broken software, so I stopped for a bit and started reading through the setup docs again. And I found that the configuration for the JBoss server leaves it vulnerable to known exploits in JBoss, known code execution flaws. So I was like, oh, you don't even need a bug in the software when the way the software uses JBoss exposes it to this issue. So there are like three different ways to own them: you can hit the JMX console, the web console or the JMX invoker servlet. And also the install instructions leave the MySQL root password blank, because that's a super clever idea, because who needs auth anyway? So these things are just there and you can just pwn them. So that's OpenACS and LibreACS: misconfigured servers. Go have fun with those.

So, yeah, here's a screenshot of owning one of them on my test network. I found a couple of these in the wild at a few smaller ISPs, and I was like, oh, whoa now. So I dropped them a couple of emails and didn't get any replies. Since then, one of the vulnerable ones that I found was decommissioned, but they just never got back to me. I kind of stopped looking after that, because I was fairly sure that if I actually owned a bunch of ISPs I'd get in a world of hurt. Apparently it's against the law or something.
So I decided not to do it. I think some of the super vulnerable ones have been decommed, but there are still a few out there in use in the wild that people can have a play with. If you ever want to have the full experience of managing an ISP, just go own one and realise why the tech support sucks so bad, because they're working with shitty software.

So I needed a break from Java. I was done with Java for a while, so I thought to myself, I'll chill out and look at something else. I eventually came across this ACS written in PHP. It's a library, so you can DIY an ACS with it. It's a good effort: you can build your own ACS server using it, and it uses Laravel and PHP and all that lovely web shit. So I started to just have a quick grep through to see if there was anything glaringly obvious, and I came up with this. This pretty much explains my findings: let's unserialize all the user input, because that's a super clever thing to do. And here we go, we've got not one but two unserialize calls on cookie data. So you can just jam whatever the hell you want in there, and it turns out that Laravel does a bunch of autoloading, so you have infinite POP gadgets to choose from. It makes writing an unserialize exploit too easy for these. It's super simple. You're able to just send cookies with the data value as a serialized blob, and then suddenly, boom, instant code execution. So it's like, take it away. No, no, please, nobody be running this in production. Unfortunately, some people actually are, at pretty big ISPs.
So this is out there, this exists, people actually do this, which surprised me. I was like, people actually still unserialize random shit people send them? I thought people would have learned by now, but whatever. It is exploitable because you've got Laravel, Composer and all their PHP nonsense, which gives you a massive choice of POP chains. Otherwise you get yourself a nice memory corruption in PHP's unserialize and just pwn it the same way those guys pwned Pornhub that time for the bug bounty, which was really neat. Basically, if you're using the PHP CWMP library, you're going to get wrecked. There's no question about it, you're just going to get toasted.

And the final one I've looked at is called perl-cwmp. It's written in Perl. So I started fuzzing it manually with the notify messages and came across this interesting bug within about 10 minutes, just crafting ones and sending them. It was a directory traversal allowing arbitrary file creation with partially controlled contents and a partially controlled file name, and it would also create a directory with a controlled name. So I can put stuff with content on disk, but I don't fully control the content or the names. So it's interesting. There are some ways in which this can be exploited, but it's unreliable. You can combine it with other bugs in other applications and the thing to get root, but it's a bit of a chore. You just change the serial number parameter to something like "../../tmp/test" and it will create a folder /tmp/test and a file /tmp/test.yaml. So it's super easy to do and you can just spaff files all over the box and do whatever. We can also control values that get shoved into the file: the manufacturer, product class and OUI all get put into the YAML file, and we can sneak executable code in there. We can sneak in PHP and put it in the web root. Maybe it might execute.
Maybe it might not. It's a fairly trivial exploit under the right circumstances. And we have another exploit, because fuck Perl, apparently. I got one of my friends who is a Perl master to come have a look. Senior Ens, who's around somewhere: he speaks Perl, he speaks the weird regex language of brackets. And it turns out the manual says to run perl-cwmp in debug mode, which actually opens an enormous remote code execution hole, because Perl does really weird stuff. So you send one request to it with some bits, and it just gives you command execution. It's super reliable and it's repeatable. So I was like, oh wow. So my friend then, because Perl, and because he likes to do Perl golf, fit the exploit in a tweet. So if you put that tweet into a .pl file and provide it with an IP, a port and a command to run, on any server running perl-cwmp it will run that command on the server and give you the output. So apparently we can tweet the proof of concept these days. You could probably shave more bytes off and make a smaller one if you enjoy Perl golf. Yeah, I thought it was a pretty neat bug. So basically you stick... oh god, I can't even read Perl. Basically backticks and Perl variable magic voodoo. If any of you speak Perl, you'll be able to make sense of it. It just sends it and magic happens. As far as I'm concerned, witchcraft, because Perl. So yeah, that was the fun. I owe him a couple of beers for this, because I put out a bounty on finding and exploiting a different bug in it, and he just comes up with this tweetable exploit. So, wherever he is, see it.

So the final bit is what we can actually do if we hack an ACS server, which we clearly can. We can reconfigure settings on every user of an ISP.
We can go around and reconfigure all their routers. We could change everyone's DNS servers to our DNS servers and conduct mass pharming attacks. We could redirect paypal.com to our paypal.com, whatever, and do mass phishing. Or we can push out malicious firmware upgrades really easily to all the clients. Can you imagine the cleanup cost of 10 million routers with firmware rootkits that have been disconnected from the legit ACS? The ISP would have to ship new units out, there'd be engineer visits, it would cost millions to clean up. I think we can also screw with billing, we can provision new devices, etc. We can do an awful lot. Or we can just jack everyone's wireless keys and have free internet forever. Whatever you can imagine is possible.

There's also an idea a friend of mine and I came up with. The ACS server stores firmware images for the routers it manages, because it pushes updates. So you download all the images, you patch all the firmwares, you write patches for as many as possible, and you write a simple bit of code that would tell the router to phone home to the real ISP's ACS but actually only take commands from your one, so it hides from the ISP that their entire estate has just been taken from underneath them. You could then persistently crap these out onto all the routers, clear the logs from the ACS server, question mark, question mark, question mark, profit. You're now an ISP. You manage millions of devices. You're probably going to go mad; unfortunately, as a side effect, you've just gotten a second job. That's one technique you could do. You can use your imagination.
There's so many potential ways to do horrible things using this stuff um So final bit the defences isp is used to protect these servers sometimes they Restrict the access to the acs server to only the ip ranges of their customers Which is completely useless because all you have to do is hack one of their customers And it's not as if that's impossible, right? Or they put them on a management subnet that only the cpe can talk to That's also trivial to get around you just hack one of the cpe devices and then you can talk to that management subnet That's what quite a few in the uk have started doing Or you use client-side certs and mutual art stuff again We just hone one cpe or get one reverse engineer it and then we've got the credentials However, if you combine all these layers of defense together You can make it somewhat of a pain in the ass to talk to the acs server illegitimately So I think we need to do a lot more work to help You know there is more work needed from the isp side and actually defending their like Main machine that does all the fancies, you know that does all the management because that shits the crown jewels They have no protections on them at the moment that are worth anything so What's next in the agenda for this because i'm no, you know I'm what's next on the research agenda for this is auditing more acs servers And I as I search more I find more people have done small bits of work here and there on this So it's like genie acs, which is which is pretty amazing because it involves like MongoDB and readus and node and rubion rails and all this other hipster stuff that You know, it's all this modern web stuff. 
So it's see it's also extremely well maintained So I want to have a look at that this free acs ng which looks pretty tight But it's written in c so there might be some interesting memory corruption to be found there There's some dry tech and sysco ones that are closed source There's some dutch people who found a load of bugs in the dry tech stuff that I just stumbled across the other day They'd like a bunch of remote routes for it So I need to have another look at the dry tax and the sysco sysco of an acs server They've end of life recently. So i'm hoping to get one those to reverse I also need to look at more um device implementations because the acs client on the routers has like a web port that it listens on and There's other servers besides just rom pager like the isp orange and france recently enough I think was recent they open sourced their acs client So that's available on their github. So I want to have a look at that And I also want to look at tier 111 which is tier 69 for your internet of trash So um, this is how your isp some isps also do televisions and stuff They want to be able to manage your smart tv So tier 111 is for like stuff on the internal network that your isp manages for you Like your set top box or something is what their intended use for this is and smart tvs With a lot of isps also being television providers, you know, isn't they provide tv channels and stuff I think this can become more prevalent in the future because they've already got the protocol They've got the tools. They just need to deploy it and roll it out. We're seeing a few instances of it So that's kind of my next bit of work to look at Um, and yeah, finally, I guess thanks Um, thanks to you all for listening. Um Yeah, is this on yeah it is. Thanks Aaron for the talk. Um Maybe some of you still have questions. Please go up to the microphones. There's one on the back and one on the front Hi, um You mentioned that you disclose this like full disclosure. 
You just put it on the internet Did you consider during coordinated vulnerability disclosure? No, um, I've had bad experiences with responsible disclosure. Um coordinated disclosure tends to lead to vendors being a pain in the ass and I've just gotten tired of dealing with vendors and you know holding their hand through the disclosure process So I now just dump it on the internet unless they have a bug bounty You know, it's unless you're going to give me some money for wasting my time dealing with the vendor Then i'm just going to dump it on the internet or keep it private But you know