In this white paper we cover not only the results of a hardware penetration test that started as a customer project and turned into a research project, but also the steps that led to them. The subject of this test was the Cisco Aironet 602 OfficeExtend Access Point (short: Cisco OEAP602), which is intended to extend the corporate network to, for example, a teleworker's home over a DTLS tunnel. Initially our customer asked us to look at the device and find out whether there is any way to dump the certificates and keys stored on it. It turned out that there are several ways to do this, as you can read on the following pages.
What we found is a so-called "Manufacturer Installed Certificate" ("MIC" for short) and the corresponding private key. Both could be dumped from the AP's flash memory via UART access and via JTAG access. There is also a third method, dumping the NAND flash with third-party tools, but it costs more time because of electrical interference when reading the chip in-circuit.
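Whichever of the three routes produces the dump, the next step is finding the certificate and key inside a raw flash image. The following is an added example, not code from this white paper or from Cisco: it carves PEM blocks and raw DER SEQUENCEs out of a byte buffer, checks that each candidate is structurally well-formed DER, and reports candidates that parse but fail that check separately, which is what you want when an in-circuit NAND read may contain bit errors. The image built by `build_sample_image()` is constructed for demonstration (filler, a PEM certificate and key, an erased 0xFF region, a raw DER key and a copy of the certificate with one flipped bit); its payloads are dummy bytes, and nothing about the real OEAP602 flash layout or the MIC's on-flash encoding is taken from the paper.

```python
"""Carve PEM blocks and raw DER objects out of a raw flash dump.

Added example, not code from the white paper. The image built by
build_sample_image() is constructed for demonstration; the real OEAP602
flash layout and the MIC's on-flash encoding are assumptions here.
"""
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def der_header(buf, off):
    """Parse a DER tag + definite length at off -> (tag, header_len, body_len) or None."""
    if off + 2 > len(buf):
        return None
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        return tag, 2, first
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4 or off + 2 + nbytes > len(buf):
        return None
    body_len = int.from_bytes(buf[off + 2:off + 2 + nbytes], "big")
    if body_len < 0x80 or (nbytes > 1 and buf[off + 2] == 0):
        return None  # non-minimal length encoding: not DER
    return tag, 2 + nbytes, body_len


def der_well_formed(buf, off, depth=0):
    """True if the TLV at off fits in buf and, if constructed, its children
    tile its body exactly (recursing into nested constructed types)."""
    h = der_header(buf, off)
    if h is None:
        return False
    tag, hl, bl = h
    pos, end = off + hl, off + hl + bl
    if end > len(buf):
        return False
    if not tag & 0x20:          # primitive: nothing more to check structurally
        return True
    if pos == end:
        return False            # an empty SEQUENCE is never a cert or key
    while pos < end:
        ch = der_header(buf, pos)
        if ch is None or pos + ch[1] + ch[2] > end:
            return False
        if ch[0] & 0x20 and depth < 8 and not der_well_formed(buf, pos, depth + 1):
            return False
        pos += ch[1] + ch[2]
    return True


def classify(der):
    """Heuristic only: X.509 is SEQUENCE{SEQUENCE tbs, ...}; PKCS#1 and PKCS#8
    private keys are SEQUENCE{INTEGER version, ...}."""
    h = der_header(der, 0)
    if not h or h[0] != 0x30:
        return "unknown"
    inner = der_header(der, h[1])
    if not inner:
        return "unknown"
    return {0x30: "certificate?", 0x02: "private-key?"}.get(inner[0], "unknown")


def carve_pem(buf):
    """PEM blocks survive as ASCII even in an otherwise opaque dump."""
    out = []
    for m in PEM_RE.finditer(buf):
        try:
            der = base64.b64decode(re.sub(rb"\s+", b"", m.group(2)), validate=True)
        except ValueError:
            continue
        out.append((m.start(), m.group(1).decode(), classify(der), der_well_formed(der, 0)))
    return out


def carve_der(buf, min_len=64):
    """Scan for 0x30 0x82 (SEQUENCE with a 256..65535 byte body). Candidates that
    parse but whose children do not tile the body are reported separately: in an
    in-circuit NAND dump these are often bit-error victims worth a re-read."""
    accepted, rejected = [], []
    pos = 0
    while (pos := buf.find(b"\x30\x82", pos)) >= 0:
        h = der_header(buf, pos)
        if h and h[2] >= min_len and pos + h[1] + h[2] <= len(buf):
            total = h[1] + h[2]
            if der_well_formed(buf, pos):
                accepted.append((pos, classify(buf[pos:pos + total]), buf[pos:pos + total]))
                pos += total
                continue
            rejected.append((pos, total))
        pos += 1
    return accepted, rejected


def der_tlv(tag, body):
    """Encode one DER TLV (used only to build the constructed sample image)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def pem_wrap(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n".encode()


def build_sample_image():
    """Constructed dump (assumed layout, not the OEAP602's): filler, a PEM cert and
    key, an erased 0xFF region, a raw DER key, then a copy of the cert with one
    flipped bit in a length field, simulating an in-circuit read error."""
    cert = der_tlv(0x30, der_tlv(0x30, der_tlv(0x04, b"\xaa" * 300))
                   + der_tlv(0x03, b"\x00" + b"\xbb" * 128))
    key = der_tlv(0x30, der_tlv(0x02, b"\x00")
                  + der_tlv(0x02, b"\x01" + b"\xcc" * 255) + der_tlv(0x02, b"\x01\x00\x01"))
    damaged = bytearray(cert)
    damaged[10] ^= 0x10          # inner OCTET STRING length now overruns its parent
    names = ["filler", "pem_cert", "pem_key", "erased", "raw_key", "pad", "damaged", "tail"]
    parts = [bytes(range(256)) * 2, pem_wrap("CERTIFICATE", cert), pem_wrap("RSA PRIVATE KEY", key),
             b"\xff" * 512, key, b"\x00" * 64, bytes(damaged), b"\xff" * 128]
    offsets, pos = {}, 0
    for name, part in zip(names, parts):
        offsets[name] = pos
        pos += len(part)
    return b"".join(parts), offsets


if __name__ == "__main__":
    image, _ = build_sample_image()
    for off, label, kind, ok in carve_pem(image):
        print(f"PEM  @0x{off:06x} {label:16} {kind:13} well-formed={ok}")
    accepted, rejected = carve_der(image)
    for off, kind, der in accepted:
        print(f"DER  @0x{off:06x} {kind:13} {len(der)} bytes")
    for off, total in rejected:
        print(f"BAD  @0x{off:06x} {total} bytes: structure broken, re-read this region")
```

The structural check only catches bit errors that land in tag or length bytes; an error inside a key's integer or a certificate's signature still yields well-formed DER, so a carved key should additionally be checked against its certificate's public key (and the certificate's signature verified) with a real crypto library before trusting the dump.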
There may also be additional vulnerabilities (e.g. use of old and vulnerable software versions) that were out of scope; we focused only on the hardware hacking part. The vulnerabilities we found went through a responsible disclosure process with Cisco, who made the case public on 22 September 2016.