Feeds

L33t haxxors compete to p0wn popular home routers

EFF-endorsed SOHOpelessly Broken challenge will air routers' dirty zero day laundry

Beginner's guide to SSL certificates

Gird your loins router-makers: a throng of hackers are set to pry apart your woefully insecure hardware in a competition to expose bad firmware and hard-coded credentials.

The competition will take place at the DEF CON 22 conference and glories in the name "SOHOpelessly Broken". The event is the brainchild of the Electronic Frontier Foundation (EFF) and the router hackers at Independent Security Evaluators (ISE).

The challenge is named for the appalling history of router security which continued to expose everyone on the internet users to dangerously simple flaws. For example, Cisco this week disclosed a series of dangerous holes in its home networking gear that allowed hackers to remotely hijack its kit.

In January, Eloi Vanderbeken demonstrated how he backdoored across routers from manufacturers including Cisco, Netgear and Diamond.

And last year, ISE found flaws ranging from severe to benign in 13 popular routers from the likes of Linksys, NetGear and Belkin, 11 of which could be hijacked from a wide area network. All routers were updated at the time of the tests.

New routers continue to ship with default credentials and login details that cannot be changed by users.

"Despite abundant research and evidence that SOHO (small office/home office) devices are highly vulnerable to malicious compromise, the vulnerable trends continue, the groups wrote on the competition website.

"From shoddy code to blatant backdoors, the excitement never seems to end — though we'd like it to.

"Our hope is that this contest sheds light on the need for manufacturers to better secure these devices by shining a spotlight on them."

For one of the two-track competition, hackers must concoct zero day vulnerabilities against a list of nine popular routers running specific firmware. The EFF's forthcoming Open Wireless Router tools would also be up for testing.

The bugs must be disclosed to the affected vendors prior to being aired on the contest floor, but a run of rapid patching was unlikely judging by history and the possible short time vendors may have to close bugs.

Points will be awarded based on the amount of router blood spilled through hijacking, bricking and denial of service, and contestants were encouraged to chain zero day with known vulnerabilities for maximum carnage. Those who completely compromise the routers will be awarded top points.

A more passive capture the flag competition will be also being run under which hackers teams would compete to hack unnamed routers, scoring points for the number of cracking objectives achieved.

Punters heading to the competition should read over a prepatory router hacking guide by Google engineer Bernardo Rodrigues (@bernardomr)

Keen readers can delve further into the gory history of router manufacturer's obsession with the shiny over the secure. Those wanting to secure their routers without relying on possibly non-responsive vendors can install third party firmware such as OpenWRT or the EFF's Open Wireless Router. ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.