Home router security to be tested in upcoming hacking contest

Researchers will compete to exploit previously unknown vulnerabilities in popular home routers

Researchers are gearing up to hack an array of different home routers during a contest next month at the Defcon 22 security conference.

The contest is called SOHOpelessly Broken -- a nod to the small office/home office space targeted by the products -- and follows a growing number of large scale attacks this year against routers and other home embedded systems.

The competition is organized by security consultancy firm Independent Security Evaluators and advocacy group the Electronic Frontier Foundation (EFF), and will have two separate challenges.

The first challenge, known as Track 0, will require researchers to demonstrate exploits for previously unknown, or zero-day, vulnerabilities in a number of popular off-the-shelf consumer wireless routers.

The preselected target devices are: Linksys EA6500, ASUS RT-AC66U, TRENDnet TEW-812DRU, Netgear Centria WNDR4700, Netgear WNR3500U/WNR3500L, TP-Link TL-WR1043ND, D-Link DIR-865L and Belkin N900 DB. The EFF's upcoming Open Wireless Router firmware will also be up for hacking.

Different types of attacks will earn the researchers a different number of points. For example, exploits that result in full router control will be awarded 5,000 points, while those that only cause a denial-of-service condition or low-value information leakage will get 1,000 points. There are also penalties for attacks that require human interaction, authenticated sessions or administrative credentials.

Researchers will prepare their exploits ahead of time and are required to report the vulnerabilities they find to the affected manufacturers ahead of the actual contest. This won't influence their chance of success during the competition because the attacked routers will run specific versions of firmware that have already been announced and won't be updated.

The second challenge, or Track 1, is a capture-the-flag contest where individuals or teams will compete to finish ten objective-based attack scenarios against known vulnerable routers.

The prizes have yet to be announced, but the contest, which is similar to the Pwn2Own hacking competition that targets browsers and mobile devices, is likely to at least bring router vulnerabilities and risks into the spotlight.

It's no secret that the security of routers, and embedded devices in general, has lagged behind that of computer OSes and software. For years researchers have found critical vulnerabilities in a large number of routers, ranging from basic programming errors and hardcoded credentials to more complex flaws in protocol implementations or the administration interface.

Historically the real-world attacks against such devices have been targeted in nature and limited in number, but that's starting to change.

There have been several large scale attacks against routers and embedded devices since the beginning of the year and their number seems to be growing, as attackers begin to understand the potential of compromising such devices.

In March researchers found hundreds of thousands of home routers that had been compromised and had their DNS settings hijacked by attackers. In Poland a similar attack was used to intercept and modify the online banking traffic of home users.

Also this year researchers found thousands of ASUS routers that were exposing the hard drives attached to them to the Internet, a worm infecting Linksys routers and attacks that installed cryptocurrency mining malware on network-attached storage systems.

Join the CSO newsletter!

Error: Please check your email address.

Tags intrusiononline safetyNetworkingsecurityroutersExploits / vulnerabilitiesIndependent Security EvaluatorsElectronic Frontier Foundationnetworking hardware

More about ASUSASUSASUSBelkin AustraliaD-Link AustraliaEFFElectronic Frontier FoundationLinksysNetgear AustraliaTP-LinkTRENDnet

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts