EPISODE · Aug 9, 2025 · 47 MIN
From WAN to NAS: A Pwn2Own Journey Through the SOHO Attack Surface (WHY2025)
from Chaos Computer Club - recent audio-only feed · host Daan Keuper, Thijs Alkemade
The SOHO Smashup is a famous category in the IoT focused edition of Pwn2Own. Contestants are challenged to exploit a router from the WAN side and then use that device to exploit a second device on the internal LAN. Last year, we took them up on this challenge and successfully demonstrated a 0day exploit chain against a QNAP router and pivoting to a TrueNAS system. In this presentation, we'll describe how we performed our research and the vulnerabilities we found. The Dutch NCSC issued a warning last year that they see an increase of threat actors that shift their attention from endpoints to edge devices, including routers. This demonstrates the relevance of the SOHO Smashup category in Pwn2Own. Vulnerabilities in routers that could be exploited from the WAN side pose a real security risk for companies; as these devices are often badly monitored and not kept up to date. Threat actors who are able to compromise a router are in a key position to further advance into the internal network of a company. In this talk we'll describe the vulnerabilities and exploits. Specifically, we'll describe our research method on the QNAP router. We tried to increase our attack surface step by step, until we found a reliable exploitation path. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/LHC7QV/
What this episode covers
The SOHO Smashup is a famous category in the IoT focused edition of Pwn2Own. Contestants are challenged to exploit a router from the WAN side and then use that device to exploit a second device on the internal LAN. Last year, we took them up on this challenge and successfully demonstrated a 0day exploit chain against a QNAP router and pivoting to a TrueNAS system. In this presentation, we'll describe how we performed our research and the vulnerabilities we found. The Dutch NCSC issued a warning last year that they see an increase of threat actors that shift their attention from endpoints to edge devices, including routers. This demonstrates the relevance of the SOHO Smashup category in Pwn2Own. Vulnerabilities in routers that could be exploited from the WAN side pose a real security risk for companies; as these devices are often badly monitored and not kept up to date. Threat actors who are able to compromise a router are in a key position to further advance into the internal network of a company. In this talk we'll describe the vulnerabilities and exploits. Specifically, we'll describe our research method on the QNAP router. We tried to increase our attack surface step by step, until we found a reliable exploitation path. Licensed to the public under https://creativecommons.org/licenses/by/4.0/ about this event: https://program.why2025.org/why2025/talk/LHC7QV/
NOW PLAYING
From WAN to NAS: A Pwn2Own Journey Through the SOHO Attack Surface (WHY2025)
No transcript for this episode yet
Similar Episodes
Mar 26, 2026 ·1m
Feb 8, 2026 ·4m
Jan 30, 2026 ·6m
Jan 2, 2026 ·47m