15 new bugs exploited at DEF CON router hacking contest
Security researchers taking part in the SOHOpelessly Broken hacking competition at this year’s edition of DEF CON have demonstrated 15 flaws affecting a number of small office/home office routers.
Organized by Independent Security Evaluators and the EFF, the competition consisted of two tracks (and an impromptu addition to the second one). In the first one, contestants were challenged to demonstrate previously unidentified vulnerabilities in off-the-shelf consumer wireless routers, and to publicly carry out attacks taking advantage of them.
In the second one, a capture-the-flag style contest, the contestants were tasked with taking over 10 off-the-shelf SOHO routers that were hardened, but had known vulnerabilities.
Of the ten, the ASUS RT-AC66U, Belkin N900 DB, Netgear Centria WNDR4700 and TRENDnet TEW-812DRU were fully compromised, along with an Actiontec Electronics router that is usually issued to Verizon Communications’ customers and was brought in by one of the contestants.
The Linksys EA6500, Netgear WNR3500U/WNR3500L, TP-Link TL-WR1043ND, D-Link DIR-865L, and EFF’s Open Wireless Router firmware were either attacked unsuccessfully or not attacked at all.
The zero-day vulnerability track saw four contestants demonstrating 15 vulnerabilities, eleven of which were reported by Tripwire researcher Craig Young, who previously worked on testing popular wireless routers and discovered that 80% of Amazon’s top 25 best-selling SOHO wireless router models sport security vulnerabilities.
Previous research by Independent Security Evaluators also found that a great many routers by different and popular manufacturers have one or more critical security vulnerabilities that allow local and remote attackers to take control of the device and use it to stage attacks.
According to Lucian Constantin, only four of the reported vulnerabilities were actually new – the rest had been discovered earlier and patched by the manufacturers, but only on other router models.
It is precisely this careless attitude by vendors and manufacturers that the contest aimed to shine a spotlight on. The organizers also hope that these results will spur users and technologists to urge manufacturers to step up their game.