Feeds

L33t haxxors compete to p0wn popular home routers

EFF-endorsed SOHOpelessly Broken challenge will air routers' dirty zero day laundry

Intelligent flash storage arrays

Gird your loins router-makers: a throng of hackers are set to pry apart your woefully insecure hardware in a competition to expose bad firmware and hard-coded credentials.

The competition will take place at the DEF CON 22 conference and glories in the name "SOHOpelessly Broken". The event is the brainchild of the Electronic Frontier Foundation (EFF) and the router hackers at Independent Security Evaluators (ISE).

The challenge is named for the appalling history of router security which continued to expose everyone on the internet users to dangerously simple flaws. For example, Cisco this week disclosed a series of dangerous holes in its home networking gear that allowed hackers to remotely hijack its kit.

In January, Eloi Vanderbeken demonstrated how he backdoored across routers from manufacturers including Cisco, Netgear and Diamond.

And last year, ISE found flaws ranging from severe to benign in 13 popular routers from the likes of Linksys, NetGear and Belkin, 11 of which could be hijacked from a wide area network. All routers were updated at the time of the tests.

New routers continue to ship with default credentials and login details that cannot be changed by users.

"Despite abundant research and evidence that SOHO (small office/home office) devices are highly vulnerable to malicious compromise, the vulnerable trends continue, the groups wrote on the competition website.

"From shoddy code to blatant backdoors, the excitement never seems to end — though we'd like it to.

"Our hope is that this contest sheds light on the need for manufacturers to better secure these devices by shining a spotlight on them."

For one of the two-track competition, hackers must concoct zero day vulnerabilities against a list of nine popular routers running specific firmware. The EFF's forthcoming Open Wireless Router tools would also be up for testing.

The bugs must be disclosed to the affected vendors prior to being aired on the contest floor, but a run of rapid patching was unlikely judging by history and the possible short time vendors may have to close bugs.

Points will be awarded based on the amount of router blood spilled through hijacking, bricking and denial of service, and contestants were encouraged to chain zero day with known vulnerabilities for maximum carnage. Those who completely compromise the routers will be awarded top points.

A more passive capture the flag competition will be also being run under which hackers teams would compete to hack unnamed routers, scoring points for the number of cracking objectives achieved.

Punters heading to the competition should read over a prepatory router hacking guide by Google engineer Bernardo Rodrigues (@bernardomr)

Keen readers can delve further into the gory history of router manufacturer's obsession with the shiny over the secure. Those wanting to secure their routers without relying on possibly non-responsive vendors can install third party firmware such as OpenWRT or the EFF's Open Wireless Router. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
BlackEnergy crimeware coursing through US control systems
US CERT says three flavours of control kit are under attack
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.
Getting ahead of the compliance curve
Learn about new services that make it easy to discover and manage certificates across the enterprise and how to get ahead of the compliance curve.