Home and small office wireless routers are feature-rich networking devices, providing consumers and mom-and-pop shops with much more than an Internet gateway. Some, for example, have a print server function, while others store personal files—and very few are secure out of the box.
Hackers and researchers have spent considerable resources pounding away at these devices, uncovering trivially exploitable vulnerabilities that are not only putting consumers and businesses at risk for data and identity theft, but significantly aiding the cause of botnet herders. In the past six months alone, more than a half-dozen serious vulnerabilities have been reported in popular home routers that allow for authentication bypass or have been used in DNS-based amplification attacks.
In April 2013, researchers at Independent Security Evaluators examined 13 popular SOHO Wi-Fi routers, finding that all 13 were open to some sort of local or remote attack, either from the local or wide area network, some of those attacks did not require an active management session be enabled.
All of the vulnerabilities ISE discovered were reported to the respective manufacturers, cofounder Stephen Bono told Threatpost, but few of the security issues were ever resolved.
“Part of the research shocked even ourselves as to how vulnerable things were. We knew we would find bad ones, but we found 100 percent of the routers were wide open for the taking,” Bono said.
Rather than find and release a new spate of vulnerabilities, ISE decided to organize a two-track hacking contest at next week’s DEF CON in Las Vegas. One track is open to researchers who discover a zero-day vulnerability in one of 10 fully patched routers listed below:
- Linksys EA6500 [Ver.1.1.40 (build 160989)]
- ASUS RT-AC66U (HW Ver. A2) [Version 220.127.116.11.374.5517]
- TRENDnet TEW-812DRU (H/W: v1.0R) [Version 18.104.22.168]
- Netgear Centria WNDR4700 [Version V22.214.171.124]
- Netgear WNR3500U/WNR3500L [Version V126.96.36.199_35.0.55]
- TP-Link TL-WR1043ND (Ver. 1.10) [Version V1_140319]
- D-Link DIR-865L (HW Ver. A1) [Version 1.05]
- Belkin N900 DB (Model: F9K1104v1) [Version 1.00.23]
- EFF Open Wireless Router [Details forthcoming]
The rules are listed on the SOHOpelessly Broken website, but in a nutshell, contestants must pre-register for the event and identify and demonstrate their zero-day exploit during DEF CON. Prizes, yet to be determined, will be awarded.
The second track will be a Capture the Flag-style event where router firmware will be dialed back to versions current to a year ago and contestants will complete 10 attack scenarios against known vulnerabilities in the routers and firmware.
All zero-days demonstrated during the event, Bono said, must be disclosed to the respective vendor or manufacturer.
“We decided to open it up to the hacker community at large, have a contest, and shine a big spotlight on the issue, and down the road, maybe manufacturers will take security more seriously,” Bono said.
Like other small device manufacturers and OEMs, features come first for these routers, and security a distant second or third in terms of priorities.
“The amount of features these things have is definitely a big issue,” Bono said. “All sorts of services can be turned on, and these aren’t functionos a router should have. A router should route. I understand they have to compete with competitors and features give them an edge, but by doing so, they’re just opening up more attack surfaces. It’s sort of offensive how bad the security is.”
And patching routers and firmware can be a chore. Most cannot be patched automatically, Bono said.
“In almost 100 percent of cases, the user has to download the firmware, log in to the router and flash it manually,” Bono said. “It’s cumbersome and not easy for users to do. The likelihood they get patched and fixed in the wild are very low. And there again is one of the big design flaws of these things; you build a security devices that cannot be updated. This is the gatekeeper for the Internet.”