"I could take down the internet with that, and so could you."
Dan Geer, Chief Information Security Officer of CIA’s venture capital arm, didn't mince words when he mentioned the security flaws in home routers during his keynote address at last month's Black Hat conference in Las Vegas. But he also noted a small silver lining around the dark cloud of router security: people are starting to take the problem much more seriously. As he noted, the "SOHOpelessly Broken" DEFCON hacking contest, co-presented by Independent Security Evaluators and EFF, is drawing attention to security vulnerabilities in routers with the goal of helping to get them fixed.
The contest was a success and the results are alarming: participants documented 15 new 0-day vulnerabilities, including 7 full router takeovers. These attacks took place on Track 0 of the contest.
According to the rules of the contest, an entry wasn't considered valid unless the contestant also showed proof of disclosure to the manufacturer. Here's a full list of routers in which 0-days were reported in Track 0, along with our current understanding of the fix in progress:
- ASUS AC66U; reported, but no response from the manufacturer.
- Netgear WNDR4700; reported, but no response from the manufacturer.
- D-LINK 865L; reported, and manufacturer confirms it is working on a fix, currently in beta.
- Belkin N900; reported, and manufacturer acknowledged but was unclear on providing a fix.
- TRENDnet TEW-812DRU; reported, and manufacturer claims all reported 0-days are fixed.
- Actiontec Q1000; reported, and manufacturer acknowledged the report.
For details please see the full contest results.
It's clear from the fact that the list spans many different manufacturers that the problem is not unique to any one company. It affects nearly all router makers, and a huge percentage of Internet users. And if these brand names are not familiar, that doesn't mean you're safe: the Actiontec Q1000, for example, is provided by Verizon Communications to its customers.
Unfortunately, fixes have been slow to roll out. Because each of the bugs have been disclosed to the manufacturer directly, there may not be pressure to push an emergency patch, but manufacturers have a chance to address the issues. As Craig Young, the winner of Track 0 notes, that process results in better security without the panic of high-profile exploits:
SOHOpelessly Broken clearly got the attention of vendors without attacks in the wild or irresponsibly disclosed vulnerabilities. Several vendors have already released fixes and others have proactively reached out to the Tripwire VERT researchers for security guidance.
There were two other tracks in the contest, that aimed to get newbies interested in hacking routers. These were Track 1 and and a "surprise" Track 2, both of which involved demonstrating attacks on routers known to be vulnerable. The first round of the surprise Track 2 attracted 7 teams, and the winner was able to demonstrate a full takeover after an hour and a half; the second round featured 9 teams and a winner was crowned after three hours. For details please see the full contest results.
At the end of the day, we were able to help expose many major bugs, and to reward their discoverers $2,700 in cash prizes, 8 DEFCON badges for next year, 11 trophies, as well as swag including backpacks, stickers, shirts, and other gear. We hope the experience, awards, and bragging rights will draw more hackers to expose the problems with SOHO routers and motivate manufacturers to fix them.
We're a long way from a good baseline level of router security, but—alongside projects like EFF's Open Wireless Router Firmware—these efforts can help us get there.