DEFCON Router Hacking Contest Reveals 15 Major Vulnerabilities
"I could take down the internet with that, and so could you."
Dan Geer, Chief Information Security Officer of CIA’s venture capital arm, didn't mince words when he mentioned the security flaws in home routers during his keynote address at last month's Black Hat conference in Las Vegas. But he also noted a small silver lining around the dark cloud of router security: people are starting to take the problem much more seriously. As he noted, the "SOHOpelessly Broken" DEFCON hacking contest, co-presented by Independent Security Evaluators and EFF, is drawing attention to security vulnerabilities in routers with the goal of helping to get them fixed.
The contest was a success and the results are alarming: participants documented 15 new 0-day vulnerabilities, including 7 full router takeovers. These attacks took place on Track 0 of the contest.
According to the rules of the contest, an entry wasn't considered valid unless the contestant also showed proof of disclosure to the manufacturer. Here's a full list of routers in which 0-days were reported in Track 0, along with our current understanding of the fix in progress:
- ASUS AC66U; reported, but no response from the manufacturer.
- Netgear WNDR4700; reported, but no response from the manufacturer.
- D-LINK 865L; reported, and manufacturer confirms it is working on a fix, currently in beta.
- Belkin N900; reported, and manufacturer acknowledged but was unclear on providing a fix.
- TRENDnet TEW-812DRU; reported, and manufacturer claims all reported 0-days are fixed.
- Actiontec Q1000; reported, and manufacturer acknowledged the report.
For details please see the full contest results.
It's clear from the fact that the list spans many different manufacturers that the problem is not unique to any one company. It affects nearly all router makers, and a huge percentage of Internet users. And if these brand names are not familiar, that doesn't mean you're safe: the Actiontec Q1000, for example, is provided by Verizon Communications to its customers.
Unfortunately, fixes have been slow to roll out. Because each of the bugs has been disclosed to the manufacturer directly, there may not be pressure to push an emergency patch, but manufacturers have a chance to address the issues. As Craig Young, the winner of Track 0, notes, that process results in better security without the panic of high-profile exploits:
SOHOpelessly Broken clearly got the attention of vendors without attacks in the wild or irresponsibly disclosed vulnerabilities. Several vendors have already released fixes and others have proactively reached out to the Tripwire VERT researchers for security guidance.
There were two other tracks in the contest that aimed to get newbies interested in hacking routers. These were Track 1 and a "surprise" Track 2, both of which involved demonstrating attacks on routers known to be vulnerable. The first round of the surprise Track 2 attracted 7 teams, and the winner was able to demonstrate a full takeover after an hour and a half; the second round featured 9 teams and a winner was crowned after three hours. For details please see the full contest results.
At the end of the day, we were able to help expose many major bugs, and to reward their discoverers with $2,700 in cash prizes, 8 DEFCON badges for next year, 11 trophies, as well as swag including backpacks, stickers, shirts, and other gear. We hope the experience, awards, and bragging rights will draw more hackers to expose the problems with SOHO routers and motivate manufacturers to fix them.
We're a long way from a good baseline level of router security, but—alongside projects like EFF's Open Wireless Router Firmware—these efforts can help us get there.