The SOHOpelessly competition marked the first of, hopefully, many consumer router hacking competitions that continue to apply pressure on vendors to get their security act together.

Throughout the competition, with only a handful of hours and a few available routers for reference, I was able to find zero-day vulnerabilities in the majority of the track 0 ‘up-to-date’ targets. Even more discouraging was the security posture and responsiveness from vendors, like NETGEAR, with the latest firmware containing vulnerabilities that have been repeatedly reported and even fixed for some models.

In addition, the latest firmware for targeted Belkin models also contained flaws reported in various models by nCircle back in 2012, as well as by ISE researchers in 2013. Although, to their credit, the Belkin and Linksys security teams are taking steps to improve their security posture.

D-Link, on the other hand, impressed me in their PSIRT response. Despite the model being ‘phased out,’ D-Link still put in the appropriate time to identify affected models and even sent me an updated firmware before the contest.

My colleague Ian Turner and I also dominated the track 1 competition as team VERT by accumulating 15,000 points (6 flags) in under 4 hours of banging on ISE’s collection of routers.

EFF, ISE and Itus deserve big props for helping push the envelope on home router security. Look out for more vulnerability information on The State of Security as we coordinate with vendors and determine how to best minimize consumer risk.

 

RELATED ARTICLES:

RESOURCES:

picCheck out Tripwire SecureScan™, a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology – and it detects the Heartbleed vulnerability.

picThe Executive’s Guide to the Top 20 Critical Security Controls

Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].

Header image courtesy of ShutterStock.

Categories

Tags , , , , ,


Leave a Reply

Craig Young

Craig Young has contributed 26 posts to The State of Security.

View all posts by Craig Young >