I work for the BYU Cybersecurity Research Lab (CSRL) on a student team doing security research on IoT devices. We focus on finding vulnerabilities in these products, which we then document, file for CVEs, and submit to the company in the hopes of a patch being released.

Vilo

From January through May 2024, I worked with my team to hack into a SOHO router from a company by the name of Vilo. They are a relatively new startup and make only two routers, which appear to be very similar in terms of design and functionality. We spent the semester researching this product, dumping firmware, and finding vulnerabilities. Ultimately, we ended up finding 9 CVEs, most of which are of critical severity. After contacting the company about our results, they deployed a patch in August 2024.

Our entire research report can be viewed in our Github repository. We gave a talk about it at DEFCON 32, titled “Finding 0days in Vilo Home Routers” (recording) as well as at SAINTCON 2024, with a few updates (recording).

Our experience with this project proves that even as university students (and mostly undergraduates at the time) with limited time, resources, and relevant experience outside of CTF competitions, our skills were enough to find multiple high-impact vulnerabilities in just a few months. The state of security in IoT devices is atrocious and our research only highlights that.