This is what happens when DNS is your only security.
This dashboard is part of a security research presentation demonstrating why CPE firmware updates must be cryptographically signed. The devices below connected to our server after a simple DNS hijack — no exploit, no vulnerability in the router, just DNS.
Using TR-069/CWMP (the CPE management protocol used by most carrier-grade routers),
the routers automatically connect to whatever ACS server their DNS resolves to.
TLS certificate verification is disabled. Firmware validation is a 4-byte model ID check —
no cryptographic signature. Any DNS server can become a firmware update server.
The attack: We registered DNS zones for the carrier's real CWMP management domain names
and pointed them at this server. Routers on networks using our DNS automatically connected here
as if it were their legitimate management server. They sent device identifiers, firmware versions,
and would have accepted unsigned firmware images.
The fix: Firmware images must be signed with a private key held by the manufacturer.
The router must verify the signature before applying ANY update. DNS is infrastructure, not security.
A single compromised DNS resolver, DHCP server, or BGP route should never be sufficient to
push malicious firmware to consumer devices.
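
The fix described above, next to the model-ID-only check, as an added example (not code from this presentation or from any router vendor). The image layout, the `RT01` model ID, the choice of Ed25519 and all function names are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Constructed layout (an assumption, not a vendor format):
// [4-byte model ID][payload][64-byte Ed25519 signature over ID+payload]
const modelIDLen = 4
var model = []byte("RT01") // constructed model ID

// weakAccept mirrors the check the page describes: only the model ID is compared.
func weakAccept(img []byte) bool {
	return len(img) >= modelIDLen && bytes.Equal(img[:modelIDLen], model)
}

// signImage is the manufacturer side; the private key never leaves the vendor.
func signImage(priv ed25519.PrivateKey, payload []byte) []byte {
	body := append(append([]byte{}, model...), payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// verifyFirmware is the device side, run before flashing with a built-in public key.
func verifyFirmware(pub ed25519.PublicKey, img []byte) error {
	split := len(img) - ed25519.SignatureSize
	if split < modelIDLen || !ed25519.Verify(pub, img[:split], img[split:]) {
		return errors.New("missing or invalid signature")
	}
	if !weakAccept(img) {
		return errors.New("signed, but built for another model")
	}
	return nil
}

// demo builds a vendor-signed image and an unsigned one carrying the right model ID.
func demo() (pub ed25519.PublicKey, good, rogue []byte) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	good = signImage(priv, []byte("vendor firmware v2"))
	rogue = append([]byte("RT01 unsigned image"), make([]byte, ed25519.SignatureSize)...)
	return pub, good, rogue
}

func main() {
	pub, good, rogue := demo()
	fmt.Println(weakAccept(rogue), verifyFirmware(pub, good), verifyFirmware(pub, rogue))
}
```

The model ID comparison passes for both images; only the signature check separates the vendor's image from one served by whichever host DNS happened to point at.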