Fifteen new vulnerabilities reported during router hacking contest

Five popular router models were hacked during the SOHOpelessly Broken competition at DefCon 22

Routers appear to be as insecure as ever, after hackers successfully compromised five popular wireless models during a contest at the DefCon 22 security conference, reporting 15 new vulnerabilities to affected vendors.

The SOHOpelessly Broken contest pitted hackers against 10 router models from different manufacturers: Linksys EA6500, ASUS RT-AC66U, TRENDnet TEW-812DRU, Netgear Centria WNDR4700, Netgear WNR3500U/WNR3500L, TP-Link TL-WR1043ND, D-Link DIR-865L, Belkin N900 DB and the Open Wireless Router firmware developed by the Electronic Frontier Foundation (EFF).

There were three challenges. In one researchers had to demonstrate unpatched -- zero-day -- vulnerabilities in the preselected devices, and received points based on their criticality. The second challenge was a capture-the-flag-style game in which contestants had to hack into routers running known vulnerable firmware to extract sensitive information, and the third was a similar surprise challenge targeting a router from Asus and one from D-Link.

Four contestants participated in the zero-day vulnerability contest and demonstrated exploits for a total of 15 flaws. Eleven of the reported vulnerabilities were submitted by Craig Young, a researcher at security firm Tripwire.

Young is no newcomer to finding vulnerabilities in routers. In February he published research showing that 80 percent of the 25 best-selling SOHO wireless router models on Amazon had vulnerabilities.

Not all of the flaws reported during SOHOpelessly Broken were critical, and in some cases the contestants had to combine several of them to achieve a full compromise, said Stephen Bono, president of Independent Security Evaluators, the security firm that organized the competition together with the EFF.

A full compromise would entail successfully gaining access to execute privileged commands, essentially an attack that gives the hacker full control over the router.

Seven attacks resulted in full compromises and these were performed against the ASUS RT-AC66U, the Netgear Centria WNDR4700 (which suffered two separate hacks), the Belkin N900, the TRENDnet TEW-812DRU and a router made by Actiontec Electronics and provided by Verizon Communications to its subscribers.

The Actiontec router wasn't among those pre-selected for the competition and was brought in by one of the contestants.

"We made an exception and accepted the submission anyway," Bono said.

In another case, one contestant demonstrated a full compromise of his own D-Link DIR-865L router, but it turned out that the device was running a firmware version older than the one indicated by the organizers that wasn't vulnerable to the reported exploit.

One interesting aspect is that only four of the reported vulnerabilities were completely new. The other ones had been discovered and patched in the past in other router models from the same manufacturers, but the vendors did not fix them in the routers selected for this competition.

This type of patching inconsistency happens frequently in the router world, Bono said. Vendors often fix vulnerabilities only in the models for which those flaws were reported by researchers and fail to test if their other products are also vulnerable. In some cases vendors never fix the reported vulnerabilities at all, and sometimes they're not even able to because the flaws are actually in code supplied to them by chipset vendors, he said.

Bono doesn't think the routers that weren't hacked during the contest don't have any vulnerabilities. He believes the results are related to which models the four contestants had access to in advance so they could analyze them, rather than one router being more secure than another.

In general SOHO routers are not designed with security in mind because manufacturers operate on small profit margins and rush to get products to market as fast as possible rather than invest in secure development lifecycles and security audits, Bono said.

Since most routers are vulnerable regardless of who made them, there is little incentive for secure development. However, with large-scale attacks against routers becoming increasingly common and more people understanding the risks associated with router compromises, security can become a differentiator in this market, Bono said.