Feeds

L33t haxxors compete to p0wn popular home routers

EFF-endorsed SOHOpelessly Broken challenge will air routers' dirty zero day laundry

Security for virtualized datacentres

Gird your loins router-makers: a throng of hackers are set to pry apart your woefully insecure hardware in a competition to expose bad firmware and hard-coded credentials.

The competition will take place at the DEF CON 22 conference and glories in the name "SOHOpelessly Broken". The event is the brainchild of the Electronic Frontier Foundation (EFF) and the router hackers at Independent Security Evaluators (ISE).

The challenge is named for the appalling history of router security which continued to expose everyone on the internet users to dangerously simple flaws. For example, Cisco this week disclosed a series of dangerous holes in its home networking gear that allowed hackers to remotely hijack its kit.

In January, Eloi Vanderbeken demonstrated how he backdoored across routers from manufacturers including Cisco, Netgear and Diamond.

And last year, ISE found flaws ranging from severe to benign in 13 popular routers from the likes of Linksys, NetGear and Belkin, 11 of which could be hijacked from a wide area network. All routers were updated at the time of the tests.

New routers continue to ship with default credentials and login details that cannot be changed by users.

"Despite abundant research and evidence that SOHO (small office/home office) devices are highly vulnerable to malicious compromise, the vulnerable trends continue, the groups wrote on the competition website.

"From shoddy code to blatant backdoors, the excitement never seems to end — though we'd like it to.

"Our hope is that this contest sheds light on the need for manufacturers to better secure these devices by shining a spotlight on them."

For one of the two-track competition, hackers must concoct zero day vulnerabilities against a list of nine popular routers running specific firmware. The EFF's forthcoming Open Wireless Router tools would also be up for testing.

The bugs must be disclosed to the affected vendors prior to being aired on the contest floor, but a run of rapid patching was unlikely judging by history and the possible short time vendors may have to close bugs.

Points will be awarded based on the amount of router blood spilled through hijacking, bricking and denial of service, and contestants were encouraged to chain zero day with known vulnerabilities for maximum carnage. Those who completely compromise the routers will be awarded top points.

A more passive capture the flag competition will be also being run under which hackers teams would compete to hack unnamed routers, scoring points for the number of cracking objectives achieved.

Punters heading to the competition should read over a prepatory router hacking guide by Google engineer Bernardo Rodrigues (@bernardomr)

Keen readers can delve further into the gory history of router manufacturer's obsession with the shiny over the secure. Those wanting to secure their routers without relying on possibly non-responsive vendors can install third party firmware such as OpenWRT or the EFF's Open Wireless Router. ®

Beginner's guide to SSL certificates

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.