Seven attacks ended with total compromise of the device

Aug 13, 2014 11:35 GMT

During the SOHOpelessly Broken competition at the DefCon security conference last week, hackers discovered a total of 15 vulnerabilities in ten router models selected for the contest, five of which were compromised completely.

The competition featured three challenges, and in one of them, the hackers had to find and exploit vulnerabilities in the following router models: Linksys EA6500, ASUS RT-AC66U, TRENDnet TEW-812DRU, Netgear Centria WNDR4700, Netgear WNR3500U/WNR3500L, TP-Link TL-WR1043ND, D-Link DIR-865L, Belkin N900 DB and the Open Wireless Router firmware developed by the Electronic Frontier Foundation (EFF).

According to Lucian Constantin from IDG News Service, only four of the 15 vulnerabilities were completely new; the others had already been discovered and patched in other router models from the same vendor, but not in the one assessed at the SOHOpelessly Broken event.

This can happen because the vendor fixes the flaws in the devices for which they were reported and does not extend evaluation to other products sharing the vulnerable code.

Stephen Bono, president of Independent Security Evaluators, the company organizing the competition in collaboration with the EFF, says that in some cases vendors cannot fix the problem at all, because the trouble is with the code supplied by the chipset vendors.

Of the four contestants participating in the competition, Craig Young from security firm Tripwire managed to report no fewer than 11 vulnerabilities.

It appears that exploiting the security holes was not a straightforward task in all cases, as sometimes multiple flaws had to be leveraged in order to compromise the device.

Complete control over an attacked router was gained seven times, against models from ASUS, Netgear (Centria WNDR4700), Belkin and TRENDnet; the EFF product was never among the devices taken over.

Another model, provided by Verizon to its customers (Actiontec), which was not on the original list of approved devices, was also broken during the competition.

Most of the routers are vulnerable, and the fact that some of the models were easier to hack into does not necessarily mean that the rest of them are impenetrable. The success of the contestants depended on the types of devices they were familiar with and had access to prior to the SOHOpelessly Broken event.

Bono told IDG that security could be a decisive factor in user preferences when selecting a router, considering that more and more attacks target this type of device, and the number of users who understand the risks that may arise from its compromise is on the rise.