A Backdoor Lockpick
06-09, 15:30–16:30 (America/New_York), Grand Salon

The recently bankrupt Chinese tech giant Phicomm installed a cryptographically locked backdoor on each and every one of the routers they released over the past several years. In this talk, I will show how I reverse engineered the backdoor protocol and discovered a series of zero day vulnerabilities in that protocol's implementation. I will also demonstrate a tool I developed to exploit these vulnerabilities and gain a backdoor on any Phicomm router released since 2017, including models released on the international market, and which can still be found for sale on Amazon. Since Phicomm is no longer in business, it's safe to assume that there will never be an official patch for these routers, which means that the surest path for securing these devices passes through this very backdoor.
C code for the "backdoor lockpick" tool, which can be used to gain an unauthenticated root shell on any Phicomm router I'm aware of (at least going back to 2017 or so), can be found at https://github.com/oblivia-simplex/backdoor-lockpick.

A Rust port of this tool is currently in progress, and can be found at https://github.com/oblivia-simplex/backdoor-locksmith. If you're building the tool on anything but a Linux host, I recommend you go with the Rust version.

See also:

Olivia Lucca Fraser is a Staff Research Engineer on Tenable's Zero Day team, and holds a Master's in Computer Science from Dalhousie University. Her thesis developed a method of applying genetic programming to the evolution of ROP chain payloads, breeding them to perform subtle tasks like data classification. She has been an active participant in DARPA's AIMEE and ReMath initiatives, and a PI on the latter. She lives in