It should come as no surprise that a recent hacking competition unearthed no fewer than 15 zero-day vulnerabilities in residential and small business routers.
The Electronic Frontier Foundation and Independent Security Evaluation set up the SOHOpelessly Broken competition to demonstrate what a poor job internet router providers do of keeping their firmware up to date from a security perspective.
We're talking about big name router brands like Asus, Netgear, D-Link, Belkin and Linksys, whose kit can be prised open with little effort by any moderately skilled hacker.
An unkind observer might say it’s more surprising that EFF and ISE would bother demonstrating such flaws because it’s quite clear that many makers of broadband and wi-fi routers have precisely zero interest in security - and customers don’t seem to care either.
But I would commend the two organisations for trying to raise awareness about a serious security problem that will only get worse as more insecure devices are networked around the world.
I spoke to the winner of the SOHOpelessly Broken competition, Tripwire Security researcher Craig Young, who agreed that the situation is…well, hopeless really.
“Some router vendors do better than others but overall vendors seem to have little interest in fixing vulnerabilities unless there is publicity surrounding the disclosure,” Young said.
“Even in that case, vendors will commonly patch one model used by the researcher and ignore the fact that the flaw is replicated across many other models."
Young won the competition after finding five full router takeover flaws on four devices.
It wasn’t particularly hard either.
“Yes, it is correct that it did not take much time or effort to identify the vulnerabilities I demonstrated in the contest,” he said.
Young’s flaw-finding workflow consists of getting the firmware for a specific vendor and extracting the file system with Craig Heffner’s binwalk tool.
“The general idea is that the router’s web server is programmed to send certain files or file types without asking for a password. Programming errors make it possible to trick the router into thinking sensitive requests should be processed without checking if the request is authorised," Young said.
"This type of authentication bypass can expose other flaws such as command injection. Since the web server runs as a privileged user, basically any server-side vulnerability can lead to full system compromise."
Since, against security best practice, the web servers used for router configuration can run as privileged users, and more often than not return the device password when presented with the right query, Young focuses his efforts there.
“This technique has led me to identify authentication bypass flaws in dozens of router models from multiple vendors,” Young said.
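The programming error Young describes, as an added illustration that is not code from the article, from Young or from any vendor firmware: a toy model of a router web server's "does this request need a password?" decision, first as it is often written, then hardened. Every route name, suffix list and request string below is constructed for the example.

```python
"""Toy model of a router web server's authentication decision.

Constructed example: the public-file rules, sensitive handler prefixes and
request strings are made up. The point is the bug class Young describes,
where some files are served without a password and a request that actually
reaches a sensitive handler is mistaken for one of those files.
"""
import posixpath
from urllib.parse import unquote

# Resources the firmware intends to serve without a login (constructed).
PUBLIC_SUFFIXES = (".css", ".js", ".png", ".gif")
PUBLIC_PATHS = frozenset({"/login.htm", "/favicon.ico"})
# Handlers that read or change configuration and must never be public (constructed).
SENSITIVE_PREFIXES = ("/cgi-bin/", "/config/")


def flawed_is_public(request_target: str) -> bool:
    """The decision as it is often implemented: string tests on the raw request line.

    Defects: the query string is still attached, percent-encoding is not decoded
    and '.' / '..' segments are not collapsed, so the suffix test can answer
    'static file' for a request the server will dispatch to a sensitive handler.
    """
    if request_target in PUBLIC_PATHS:
        return True
    return request_target.endswith(PUBLIC_SUFFIXES)


def normalize_path(request_target: str) -> str:
    """Reduce an origin-form request target to the canonical path used for dispatch."""
    raw_path = request_target.split("?", 1)[0].split("#", 1)[0]  # drop query/fragment
    decoded = unquote(raw_path)                                  # %2D -> '-', %2E -> '.'
    # Force a single leading slash, then collapse './', '../' and repeated slashes.
    return posixpath.normpath("/" + decoded.lstrip("/"))


def hardened_is_public(request_target: str) -> bool:
    """Default-deny decision made on the canonical path, sensitive handlers excluded first."""
    path = normalize_path(request_target)
    if path.startswith(SENSITIVE_PREFIXES):
        return False                      # configuration handlers always need a login
    if path in PUBLIC_PATHS:
        return True
    return path.endswith(PUBLIC_SUFFIXES)  # anything else not listed is denied


def requires_auth(request_target: str, decide=hardened_is_public) -> bool:
    """True when the server must check credentials before handling the request."""
    return not decide(request_target)
```

The hardened version makes the same decision the flawed one intended, but on the path the server will actually dispatch, which is what the flawed version never looks at.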
Router vulnerability disclosures are an everyday thing now, Young said, with the bad guys happily exploiting the easy targets.
Last month hackers loaded content designed to attack visitors' routers onto the website of a Brazilian newspaper.
“From what I understand of this attack, however, the hackers used a rather unsophisticated technique to take over home routers," Young said.
"Rather than locating and exploiting a weakness within the routers, they relied on bad practices such as default passwords and IP addresses."
Also, who can forget “The Researcher” and his Carna botnet that subverted hundreds of thousands of devices that were then used to scan the entire IPv4 address space?
Even if end users pay attention to security vulnerabilities, they are let down by router vendors that do not address the full range of vulnerabilities found - if they issue patches at all.
Young has published a list of six common sense tips to make routers a little more difficult to hack.
Other than that, there’s a lack of protective measures for users of SoHo routers. Young said more sophisticated users are best served by configuring their devices so that only minimal services are exposed over network interfaces.
Some progress is being made. Young said the ITUS iGuardian hardware-based intrusion detection system, which is currently in Kickstarter funding mode, could block external threats.
The iGuardian isn’t the be-all and end-all solution though, as it is very difficult to defend against attacks from wireless clients or even malicious apps, Young noted.
There’s a gaping hole in the market here, so why isn't it being filled?