This talk was recorded at NDC Security in Oslo, Norway. #ndcsecurity  #ndcconferences  #security  #developer   #softwaredeveloper    

Attend the next NDC conference near you: 
https://ndcconferences.com
https://ndc-security.com/

Subscribe to our YouTube channel and learn every day:   @NDC 

Follow our Social Media!

https://www.facebook.com/ndcconferences
https://twitter.com/NDC_Conferences
https://www.instagram.com/ndc_conferences

#hacker #iot 

The SOHO Smashup is a famous category in the IoT focused edition of Pwn2Own. Contestants are challenged to exploit a router from the WAN side and then use that device to exploit a second device on the internal LAN.

Last year, we took them up on this challenge and successfully demonstrated a 0day exploit chain against a QNAP router and pivoting to a TrueNAS system. In this presentation, we'll describe how we performed our research and the vulnerabilities we found.

The Dutch NCSC issued a warning last year that they see an increase of threat actors that shift their attention from endpoints to edge devices, including routers. This demonstrates the relevance of the SOHO Smashup category in Pwn2Own. Vulnerabilities in routers that could be exploited from the WAN side pose a real security risk for companies; as these devices are often badly monitored and not kept up to date. Threat actors who are able to compromise a router are in a key position to further advance into the internal network of a company.

In this talk we'll describe the vulnerabilities and exploits. Specifically, we'll describe our research method on the QNAP router. We tried to increase our attack surface step by step, until we found a reliable exploitation path.

NDC Conferences

A detailed walkthrough of a Pwn2Own IoT competition entry targeting a SOHO attack chain: compromising a QNAP router from the WAN side and pivoting to a TrueNAS Mini X on the LAN. The talk covers the full research process including target selection, firmware decryption, attack surface enumeration (outgoing connections, listening services, IPv6 exposure), and the vulnerabilities ultimately exploited. On the NAS side, a Python-based jail manager (iocage) used an unsafe tarfile.extractall call over HTTP, enabling a DNS-spoofing/MITM attack to overwrite the user database. On the router, a DNS lookup for localhost's AAAA record led to discovery of an internal gRPC service; by impersonating the cloud agent, an address6 field in a site.json config was passed unsanitized to a shell, yielding root code execution. The talk emphasizes failed approaches, heap shaping challenges, and the realities of competing seventh out of seven teams — yet all vulnerabilities were confirmed as previously unknown zero-days.

From WAN to NAS: A Pwn2Own Journey Through the SOHO Attack Surface - Daan Keuper - NDC Security 2026