2025-06-29, Grand Salon
End-of-life doesn't mean end-of-risk. In this fun and eye-opening talk, we'll dive into five never-before-seen zero-day vulnerabilities uncovered in widely deployed legacy routers still active in thousands of networks, especially across South America. Using a mix of hardware hacking and binary reversing, you'll see how four of the zero-days were discovered directly on the board using UART and chip-level tactics, while a fifth was revealed by digging into obscure ARCompact binaries.
From discovering Wi-Fi credentials like a boss, to navigating lateral movement between dual SoCs and overcoming tricky UART communication issues, this session is packed with real-world reversing, clever hardware techniques, and lessons for anyone working with embedded devices.
No patches are available, as these routers have reached end-of-life and the vendor will not issue security updates.
This talk unveils five zero-day vulnerabilities discovered in a legacy, end-of-life router model still widely used in networks, especially across South America. With no patches forthcoming due to its EOL status, the device remains dangerously vulnerable in the wild.
The research begins with firmware extraction, using flash programmers to dump the router's firmware, followed by entropy analysis to identify areas of interest for further reverse engineering. The exploration continues with deep hardware hacking and binary reversing, using tools such as Binary Ninja, Ghidra, Bus Pirate v3, the LA1010 logic analyzer, an FTDI interface, and essential soldering and probing equipment such as multimeters. Attendees will be guided through each step of the exploitation process:
Information Gathering through teardown and interface discovery
Zero-Day 1: Gaining root access on the Broadcom SoC by bypassing UART communication challenges using a custom FTDI-based approach
Zero-Day 2: Discovery of a hidden telnet interface with root privileges
Zero-Day 3: Extraction of sensitive data from a GD25D05BT1G SPI flash chip
Zero-Day 4: Achieving root access on a secondary Quantenna SoC, setting the stage for advanced pivoting
Zero-Day 5: A full remote code execution vulnerability discovered through reversing a binary compiled for the rare ARCompact architecture
The session concludes with a live demo-style walkthrough of a chained attack: lateral movement between SoCs, WPA2 PSK extraction, backdoor persistence, iptables modification, busybox abuse, and internal port scanning, showcasing real-world post-exploitation tactics.
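The entropy analysis step described above, as an added example that is not part of the talk or the speaker's own tooling: it slides a fixed window across a firmware image and labels each span as erased flash, code/text, or compressed/encrypted data so an analyst knows where to point the disassembler or an unpacker. The sample image and the thresholds are constructed assumptions, not values from a real dump.

```python
import math
import random
from collections import Counter

# Thresholds in bits per byte (assumed; tune against a real dump).
ERASED_MAX = 0.5      # 0x00/0xFF fill, unused flash pages
PACKED_MIN = 7.5      # compressed filesystems or encrypted blobs

def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a byte block, 0.0 (constant) to 8.0 (uniform)."""
    if not block:
        return 0.0
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())

def classify(h: float) -> str:
    """Map a window's entropy to a coarse region label."""
    if h < ERASED_MAX:
        return "erased/padding"
    if h > PACKED_MIN:
        return "compressed/encrypted"
    return "code/text"

def scan_image(image: bytes, window: int = 4096):
    """Yield (offset, entropy, label) for each fixed-size window."""
    for off in range(0, len(image), window):
        h = shannon_entropy(image[off:off + window])
        yield off, h, classify(h)

def regions(image: bytes, window: int = 4096):
    """Merge adjacent windows with the same label into (start, end, label)."""
    out = []
    for off, _, label in scan_image(image, window):
        end = min(off + window, len(image))
        if out and out[-1][2] == label:
            out[-1] = (out[-1][0], end, label)
        else:
            out.append((off, end, label))
    return out

# Constructed sample image (not a real dump): erased pages, a plain-text
# config area, then seeded pseudo-random bytes standing in for a packed
# filesystem.
_rng = random.Random(1)
SAMPLE = (b"\xff" * 8192
          + (b"config: interface eth0 up\n" * 400)[:8192]
          + bytes(_rng.getrandbits(8) for _ in range(16384)))

if __name__ == "__main__":
    for start, end, label in regions(SAMPLE):
        print(f"0x{start:06x}-0x{end:06x}  {label}")
```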
This is a fast-paced and engaging session designed for researchers, red teamers, and embedded security enthusiasts eager to see how legacy hardware can still pose modern threats.
Danilo Erazo is an Electronics and Computer Networks Engineer from Ecuador, with extensive experience in developing electronic devices, pentesting, programming education, and infrastructure and security analysis. He is currently focused on independent research in hardware hacking, radio frequency, and car hacking. Danilo also produces and shares reverse engineering content on his YouTube channel @revers3everything. He has been a speaker at major international cybersecurity events, including Hardwear USA 2025, DEFCON 32, Ekoparty 2024, Ekoparty 2023, BSides Colombia 2024, Nerdearla Chile 2024, a lightning talk at the Re//verse conference 2025, Cybercon 2025, and more, where he has presented vulnerabilities discovered through reverse engineering techniques in routers and vehicles.
Danilo holds multiple practical certifications in cybersecurity and computer networks, such as OSWP, CEH, CBP, CCSP, CPAZ, CNSP, CAP, CPNA, CCNA, API Security for Connected Cars and Fleets, and Practical Junior IoT Tester (PJIT), among others. He is a collaborator at the Car Hacking Village at DEFCON and the founder of the Car Hacking Village at Ekoparty. Additionally, he is the founder and creator of Ecuador's most prominent cybersecurity conference, "PWN OR DIE." You can explore more of his research on his blog at: https://revers3everything.com