Broadband routers: SOHOpeless and vendors don't care

Everything is awesome!

This year's roaring start to router carnage continued in February: ProofPoint reported attackers were sending phishing messages to Brazilian organisations operating TP-Link and UTStarcom home routers in a bid to quietly alter DNS settings for later attacks.

Vice president of advanced security and governance at Proofpoint Kevin Epstein labels that attack as notable because it did not require bugs and was more a "viciously elegant loophole in the interactions between the systems" that attackers exploited with social engineering.

"Each piece of software used in the attack – from web pages to email to browsers to routers – is operating exactly as designed by the vendors," Epstein says.

"Coupled with a lack of any specific functional staff chartered with maintaining their security – your home doesn't usually have a CISO or IT security team – and the challenges of firmware upgrades, and the result is that SOHO systems seem to be much less secure in total than enterprise systems."

Already bad, things will only get worse as more internet-enabled products – sans patches – are released, says Tripwire security researcher and accomplished router hacker Craig Young.

"I have evaluated a lot of embedded devices targeted to consumers and I would say it is far more common to find critical flaws in the devices than it is to find a device without any exploitable flaws," Young says.

"When confronted with the flaws, vendors tend to either play down the risk of attack or simply ignore reports entirely [and] this is a huge problem because these devices are gradually becoming so prevalent that mass infection of vulnerable ‘things’ could have devastating impacts on personal privacy as well as the health of the Internet."

He says many internet-of-things devices are purchased with vulnerabilities thrown in.

Points of failure

The Register received no response from major routers vendors when we asked about the lack of security in their products. In the void, researchers mull how it is that scores of vulnerabilities and bad configurations continue to emerge in new products and be ignored in the old gear.

A cynic could say the barrage points to a patent failure by manufacturers to conduct basic security due diligence in the design of consumer router firmware, and security experts give vendors little excuse for their failings.

Moreover, the industry's failure is so well-known it has spawned a dedicated and burgeoning competition aptly named SOHopelessly Broken (PDF), in which hackers compete to break popular lines of home routers updated to the latest firmware. Dozens of zero day flaws have so far emerged from the contest.

Vendors have told some inquisitive router hackers that the complexity of the supply chain in which the devices are forged is to blame. Big names complain that vulnerabilities are often in the components whose design they don't control.

However, hackers tend to agree that a lack of security auditing of routers in the tight, price-competitive market is responsible for much of the problem. "A lack of external review is probably the cause of firmware being released with exploitable flaws," says Fioravante Souza, senior malware researcher and seasoned router hacker at Sucuri.

"But users also share some responsibility with securing those devices. It's common to see users keeping the factory settings like network name, IP address range and credentials unchanged [and] we see malware abusing those default configurations to change DNS settings".

Souza adds that generic devices that use buggy open source or even pirated firmware are becoming more common, and would be even less likely to be subject to external security reviews.