Broadband routers: SOHOpeless and vendors don't care

A problem shared is a problem worsened

Features are a common enemy of security. Router manufacturers differentiate with price and bells and whistles, and this is where hacker Peter Adkins – who this week published un-patched vulnerabilities in D-Link routers after a communication breakdown – places the lion's share of fault.

"The main factors here I would guess to be a combination of cost, code reuse and sprawling feature sets," Adkins says. "The platforms the devices are build upon may be solid – such as OpenWRT – but then additional services are 'bolted on' to provide value-add, and that security seems to go straight out of the window."

Common firmware environments supplied by chipset manufacturers means many of the vulnerabilities of recent years were shared across router makes. NetGear and TrendNet had trivial authentication bypass vulnerabilities due to what Young says was a ""huge" logic error in the embedded HTTP server. Fast forward to August at the SOHOpelessly Broken contest and Young had popped a D-Link router using a flaw he later found was publicly documented for more than a year.

"It seems to be a recurring theme that after finding and reporting a vulnerability, I learn that someone else had reported the same issue to the vendor yet the flaw still exists, or I find that the vendor fixed an issue on one model and left a dozen others unpatched," Young says. Last year he reported a shocking flaw in the Linksys WRT54g only to learn the firmware bug had been reported seven and a half years earlier and was still unfixed.

It isn't just code reuse. Design flaws abound in home routers in no small part because of the need for usability and function, which trump security in the time-to-market race.

"Much of the problem I think comes from vendors competing in a feature race on a product with potentially razor thin margins", Young says. "Developers know that there is a tight timeline for getting their code ready and therefore take shortcuts and ignore potential security threats."

Cut price, cut security

Other prominent hackers requesting anonymity agree the market is cheapening routers and squeezing out security. "Consumers vote with their wallets and data shows that they have a price threshold over which they are not willing to spend on a SOHO router," one says.

"So the manufacturers say that they don't invest in security because it will increase prices, which the market will reject, however I call BS on that as there is absolutely a market of consumers who will pay more for a secured device."

Shodan's Matherly agrees on the role of the price squeeze, but he adds that engineers need to better understand security to reduce the "gaping" but simple holes in routers. "These aren't attacks carried out by organisations with millions of dollars at their disposal. They're discovered by individuals that happen to have the router in their home and want to make sure it's not compromising the security of their network."

Matherly suggests simple preventative measures: don't re-invent the wheel; use existing hardened firmware designs, preferably open-source like OpenWRT; and add a dose of engineer security training. Consumers, too, should research a vendor's security chops.

"The risks if nothing changes is that the internet will continue to be filled with devices that can be compromised and used to execute malware, steal personal information and in the near future take control of your house … if that central piece of your home is compromised, it provides access and control to every part of your life."

A more secure out-of-the-box product must be developed, according to Adkins, which could be achieved with the simple feat of disabling by default any features that extend a router's attack surface. "Perhaps [vendors could] even recommend the user register with the vendor for security updates as part of a 'quick-start' process – well before the device is connected and stashed away in a closet somewhere," he says.

Beyond automatic updates to avoid the unrealistic expectation that users will manually download-and-patch their routers, Young reckons a security star rating could help guide consumer tastes.

"Something along the lines of a consumer advocacy group tasked with reviewing and grading products based on results of a standardised security assessment similar to how cars are tested for safety," he says. "In this scenario, vendors would drive to make their products more secure so they can advertise a higher security score for the product to influence purchasing decisions. This situation would present an impetus for the vendors to change as it would directly affect their bottom line in the form of sales numbers."

Failing that, more full disclosures or forceful initiatives like Google's Project Zero vulnerability research program could work.

If nothing is done - and so far efforts are thin on the ground - the potential for more Lizard Squad-style stressors that could threaten enterprises will grow, says ProofPoint's Epstein.

"There are millions of Internet-of-things, and there will soon be more than laptop computers and smartphones combined," he says.

"An attacker who could mass-compromise significant numbers would have substantial distributed computing power at their command, for DDoS attacks, phishing, or even compute tasks like decryption. Such mass-compromises would clearly represent significant challenges to legacy enterprise security." ®