Botconf Author Listing

Kurt Baumgartner

Bio: Kurt Baumgartner is currently an independent security researcher. Previously, he worked for a well-known international vendor for over a decade, hunting, discovering, and sometimes attributing new APT malware and activity. He currently pursues the unfortunate crossover of APT activity and botnet technologies. He develops YARA rules, fingerprints systems, and researches detection technologies. You may have been scanned by his agents recently.
TLP:AMBER
Botnets ORBitting TP-Link devices
Vitaly Kamluk 🗣 | Kurt Baumgartner 🗣

Abstract

ORB networks have been highlighted recently in several APT-related campaigns, such as Volt Typhoon, Flax Typhoon, and a few others, providing a layer of anonymity to the APT operators and complicating attribution based on netflow. The problem is quickly emerging worldwide and spans multiple platforms, from personal computers to servers and IoT devices.

According to recent media reports (https://www.bleepingcomputer.com/news/security/us-considers-banning-tp-link-routers-over-cybersecurity-risks/), the U.S. government is considering banning TP-Link routers starting in 2025 if ongoing investigations find that their use in cyberattacks poses a national security risk.

We have conducted a teardown of several TP-Link devices and analyzed their attack surface, architecture, internal API, privacy issues, and general inspectability from the perspective of security researchers. We would like to share our latest findings on how a TP-Link device might get compromised and turned into an ORB. Our research covers IoT forensics for analyzing potentially compromised devices, as well as building your own ORB honeypot.
