This article is more than 1 year old

L33t haxxors compete to p0wn popular home routers

EFF-endorsed SOHOpelessly Broken challenge will air routers' dirty zero day laundry

Gird your loins router-makers: a throng of hackers are set to pry apart your woefully insecure hardware in a competition to expose bad firmware and hard-coded credentials.

The competition will take place at the DEF CON 22 conference and glories in the name "SOHOpelessly Broken". The event is the brainchild of the Electronic Frontier Foundation (EFF) and the router hackers at Independent Security Evaluators (ISE).

The challenge is named for the appalling history of router security which continued to expose everyone on the internet users to dangerously simple flaws. For example, Cisco this week disclosed a series of dangerous holes in its home networking gear that allowed hackers to remotely hijack its kit.

In January, Eloi Vanderbeken demonstrated how he backdoored across routers from manufacturers including Cisco, Netgear and Diamond.

And last year, ISE found flaws ranging from severe to benign in 13 popular routers from the likes of Linksys, NetGear and Belkin, 11 of which could be hijacked from a wide area network. All routers were updated at the time of the tests.

New routers continue to ship with default credentials and login details that cannot be changed by users.

"Despite abundant research and evidence that SOHO (small office/home office) devices are highly vulnerable to malicious compromise, the vulnerable trends continue, the groups wrote on the competition website.

"From shoddy code to blatant backdoors, the excitement never seems to end — though we'd like it to.

"Our hope is that this contest sheds light on the need for manufacturers to better secure these devices by shining a spotlight on them."

For one of the two-track competition, hackers must concoct zero day vulnerabilities against a list of nine popular routers running specific firmware. The EFF's forthcoming Open Wireless Router tools would also be up for testing.

The bugs must be disclosed to the affected vendors prior to being aired on the contest floor, but a run of rapid patching was unlikely judging by history and the possible short time vendors may have to close bugs.

Points will be awarded based on the amount of router blood spilled through hijacking, bricking and denial of service, and contestants were encouraged to chain zero day with known vulnerabilities for maximum carnage. Those who completely compromise the routers will be awarded top points.

A more passive capture the flag competition will be also being run under which hackers teams would compete to hack unnamed routers, scoring points for the number of cracking objectives achieved.

Punters heading to the competition should read over a prepatory router hacking guide by Google engineer Bernardo Rodrigues (@bernardomr)

Keen readers can delve further into the gory history of router manufacturer's obsession with the shiny over the secure. Those wanting to secure their routers without relying on possibly non-responsive vendors can install third party firmware such as OpenWRT or the EFF's Open Wireless Router. ®

More about

TIP US OFF

Send us news


Other stories you might like