Critical Vulnerabilities in Network Equipment: Past, Present and Future

Back to the list of Speakers and Sessions
Watch the stream
In this talk, we will discuss common vulnerability patterns in network equipment (consumer and enterprise routers, firewalls, VPN, TLS accelerators, switches, WAF, etc). This critical infrastructure is unfortunately a lot more vulnerable than most people believe, although its security stance has improved within the last few years. We will go through the history of these vulnerabilities, why they occur and what should we expect to happen in the future, as exploit protections in these devices improve.

Routers are considered easy to hack, and that's kind of true. But is that much harder to hack a home router than an enterprise firewall? Think twice before answering!

The purpose of this talk is to demonstrate the similarities in inner workings, technology, hardware and vulnerability density between every piece of network equipment, be it for home or enterprise.

We will walk through specific examples of vulnerabilities found in these equipments in the past and present. Vulnerability patterns will be identified, and we will discuss why they keep occuring and what circumstances led to them appearing in the first place.

Finally, we will discuss future trends for vulnerabilities in network equipment. And because it can't all be negative, we will also discuss how the constant hardening of these devices will make exploitation much harder (but far from impossible :) in the future.


Pedro Ribeiro Founder & Director of Research, Agile Information Security

Pedro started working in security by doing ISO27001 audits. After almost dying of boredom, he jumped into penetration testing, reverse engineering and vulnerability research, focusing on embedded systems and enterprise software.

He is the Founder & Director of Research at Agile Information Security, a boutique security consultancy that focuses in providing hardcore technical cyber security solutions to its clients.

In his spare time Pedro hacks hardware and software and has made public dozens of remote code execution vulnerabilities resulting in 140+ CVE, and authored 60+ Metasploit exploits. He regularly participates in Pwn2Own as part of "Flashback Team", winning Pwn2Own Tokyo 2020 outright with his teammate Radek Domanski.