Feeds

L33t haxxors compete to p0wn popular home routers

EFF-endorsed SOHOpelessly Broken challenge will air routers' dirty zero day laundry

Internet Security Threat Report 2014

Gird your loins router-makers: a throng of hackers are set to pry apart your woefully insecure hardware in a competition to expose bad firmware and hard-coded credentials.

The competition will take place at the DEF CON 22 conference and glories in the name "SOHOpelessly Broken". The event is the brainchild of the Electronic Frontier Foundation (EFF) and the router hackers at Independent Security Evaluators (ISE).

The challenge is named for the appalling history of router security which continued to expose everyone on the internet users to dangerously simple flaws. For example, Cisco this week disclosed a series of dangerous holes in its home networking gear that allowed hackers to remotely hijack its kit.

In January, Eloi Vanderbeken demonstrated how he backdoored across routers from manufacturers including Cisco, Netgear and Diamond.

And last year, ISE found flaws ranging from severe to benign in 13 popular routers from the likes of Linksys, NetGear and Belkin, 11 of which could be hijacked from a wide area network. All routers were updated at the time of the tests.

New routers continue to ship with default credentials and login details that cannot be changed by users.

"Despite abundant research and evidence that SOHO (small office/home office) devices are highly vulnerable to malicious compromise, the vulnerable trends continue, the groups wrote on the competition website.

"From shoddy code to blatant backdoors, the excitement never seems to end — though we'd like it to.

"Our hope is that this contest sheds light on the need for manufacturers to better secure these devices by shining a spotlight on them."

For one of the two-track competition, hackers must concoct zero day vulnerabilities against a list of nine popular routers running specific firmware. The EFF's forthcoming Open Wireless Router tools would also be up for testing.

The bugs must be disclosed to the affected vendors prior to being aired on the contest floor, but a run of rapid patching was unlikely judging by history and the possible short time vendors may have to close bugs.

Points will be awarded based on the amount of router blood spilled through hijacking, bricking and denial of service, and contestants were encouraged to chain zero day with known vulnerabilities for maximum carnage. Those who completely compromise the routers will be awarded top points.

A more passive capture the flag competition will be also being run under which hackers teams would compete to hack unnamed routers, scoring points for the number of cracking objectives achieved.

Punters heading to the competition should read over a prepatory router hacking guide by Google engineer Bernardo Rodrigues (@bernardomr)

Keen readers can delve further into the gory history of router manufacturer's obsession with the shiny over the secure. Those wanting to secure their routers without relying on possibly non-responsive vendors can install third party firmware such as OpenWRT or the EFF's Open Wireless Router. ®

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Home Office: Fancy flogging us some SECRET SPY GEAR?
If you do, tell NOBODY what it's for or how it works
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Syrian Electronic Army in news site 'hack' POP-UP MAYHEM
Gigya redirect exploit blamed for pop-rageous ploy
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story

Whitepapers

10 ways wire data helps conquer IT complexity
IT teams can automatically detect problems across the IT environment, spot data theft, select unique pieces of transaction payloads to send to a data source, and more.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.