As you’re well aware, Patch Tuesday has been going on for more than ten years.
As a result, we’ve grown accustomed to regular bug reports about security holes in widely-used products.
Occasionally, a popular product will receive so many security fixes in one go that we’ll hear people suggesting that we should stop trusting it altogether.
A good example was the June 2014 update to Internet Explorer, which famously patched a claimed “badness record” of 59 vulnerabilities.
You can see why a product with lots of officially-acknowledged holes might feel less secure than one with just a few known holes, especially if that product was previously patched just one month earlier.
Flawed reasoning
But there are some big problems with that line of reasoning.
The most obvious one is that it implies a product is more secure simply because it comes from a vendor who rarely patches it and hardly ever acknowledges holes.
Of course, if a product really is more secure, and has fewer vulnerabilities, then it probably will end up needing fewer patches, but you can’t run that argument in reverse.
All other things being equal, a product is just as likely to have a history of few and intermittent patches because it has received intermittent and inadequate security scrutiny.
In other words, absence of evidence is not evidence of absence.
With that in mind, a company called Independent Security Evaluators (ISE), in concert with privacy advocates the Electronic Frontier Foundation (EFF), is running a security bug-finding competition at this year’s DECFON hacker convention in Las Vegas.
There are even “awesome” prizes promised, though the organisers don’t know what they are yet.
The competition is rather bluntly titled SOHOpelessly Broken, and it’s aimed at turning some serious security scrutiny on home and small business routers.
SoHo routers
You’re probably familiar with this class of product; in fact, you may very well use one to connect to the internet at home.
A typical SoHo router product might cost you $50 and probably includes a Wi-Fi access point, a four-port ethernet switch, an ADSL or cable modem, and an AC-to-DC power brick that’s almost as big as the router itself.
The idea is an appealing one: plug it into the mains, plug it into your phone line, press a button on the front, connect to it from a laptop, and point your browser at an easily remembered web page, such as http://192.168.0.1/login.
Run through some basic setup screens, answer a few simple questions, press [OK] and…
Bingo! A connected household! What could possibly go wrong?
If history is any guide, quite a lot.
Deliberate security holes
We’ve written regularly, and sadly fairly frequently, about security holes in SoHo routers – holes that in many cases do not instil much confidence at all.
Some of these holes were simple bugs; even more alarmingly, others weren’t bugs, but deliberately-programmed security flaws.
For example, we’ve had:
- A remote code execution hole in Cisco devices allowing a cunningly crafted web request to take over your router.
- A Linksys bug allowing an external website to change the router’s password, and to enable login access over the internet.
- “Joel’s Backdoor” in D-Link routers, where a simple change in the User-Agent string in your browser would bypass the login screen.
- Sercomm’s undocumented ScMM backdoor interface that allowed you to bypass not just the login screen but the admin web pages too.
- Sercomm’s patch for the ScMM backdoor, implemented by hiding the backdoor behind a new backdoor.
Quality expectations
Perhaps it’s unfair to expect software code of satisfactory quality in what are primarily considered to be hardware products that cost only a few tens of dollars?
But neither ISE nor the EFF agrees, and one important reason is that insecurities in popular router products are like gold dust to cybercrooks.
It’s easy to dismiss router vulnerabilities as much less of a problem than, say, security holes in your laptop operating system or your mobile phone.
After all, you don’t usually download documents, browse to websites, or enter login passwords on the router itself.
But “securing” your network, and your personally identifiable information, behind a shabbily-programmed $50 router is a bit like “locking up” your $5000 mountain bike with a $1 cable tie.
Here’s one reason: consider that your home network probably relies on your router to handle DNS requests.
In other words, if you decide to visit sophos.com, it’s up to your router whether to tell you the truth (at 2014-07-21T20:30Z, it should direct you to the IP number 31.222.175.174), or to lie deliberately and misdirect you to an imposter site.
In short, if the crooks own your router, they almost certainly own your DNS.
If they own your DNS, then they get to choose when to dump you onto fake websites, to send your email to bogus servers, or to convince your security software there’s a problem getting updates.
Expert scrutiny
And that’s why we’ve got the SOHOpelessly Broken competition, aimed at encouraging open, expert scrutiny of a range of well-known SoHo routers.
Unfortunately, the competition is a little freewheeling for our tastes, because it claims to have a “strict responsible disclosure policy,” yet it seems that all you need to do is disclose your exploit to the vendor “at some point…prior to its demonstration at the contest area.”
With just over two weeks to go to DEFCON, that doesn’t leave a whole lot of time even if you disclose right now, but there doesn’t seem to be any limit on how late you can leave it, or what sort of degree of detail you can use to publicise the exploit during and after the competition.
(To be fair, the competition encourages you to tell the vendor earlier, rather than later, as your exploit will still count as a zero-day for the purpose of the contest, even if the vendor fixes it in time.)
Nevertheless, setting aside our reservations about just how “strict” and “responsible” the organisers’ rules might be, there is no doubt that SoHo router security needs a bit of a shake-up.
Perhaps this year’s DEFCON will deliver just that?
Free Sophos UTM Home Edition
Looking for a full-blown security solution to add to your regular SoHo router?
If you have a spare PC or laptop handy, why not try the Sophos UTM Home Edition?
You get all the features of our commercial product, including: web and email filtering; a network intrusion detection system; full-blown VPN support; regular and frequent updates; and licences to install and manage Sophos Anti-Virus for Windows on up to 12 PCs.
If you are the IT geek in a shared house or have children to keep safe online, this could be just what you need, all for $0.
Image of archetypal hacker silhouette courtesy of Shutterstock.
Thanks for this really good article, Paul, much appreciated. 🙂
I think the idea of a hacking competition for routers is a great idea. However I can’t help thinking in what manner the issues exploited at the competition will be patched. As you mentioned, Sercomm’s patch for the ScMM backdoor, was to use another backdoor. This is in a way understandable since many routers were just designed like that and re-writing/re-architecting an existing router to fix a flaw (or a number of flaws) is not viable.
In addition, if a very popular router is compromised and it is an older model that is not sold anymore, is the vendor obligated to patch it? This is also what worries me. What is considered by the vendor to be an older router may then have an exploitable flaw that will go un-patched. How many years should a router vendor support your router before they consider it time for you to purchase a new one?
My router is from Asus and costs about $300 US but I am concerned any flaw that it has will not be patched since it is now 1 year old (and has since been replaced by 2 newer models which are even more expensive). I have my doubts that my router will get a patch if it needs one. Previous versions of the firmware for my router fixed security issues (10 in all) and I have the most recent firmware installed that include these fixes.
I just hope for everyone’s sake that whatever flaws are found at the competition are patched by the vendors for all affected models (regardless of how old the router is). I realize this is a little unreasonable, however at what point should a router no longer be supported 3, 5 years, more? Unfortunately, routers don’t have support lifecycles like Linux and Windows operating systems.
Thanks for reading.
I recently moved across from a Draytek that I used for my home network. Cheap business-grade unit, worked really well, but it’s really too old now… I got offered a free unit from my ISP. The trusty Draytek would add the NAT info into the firewall automatically; the new unit needs manual firewall entries. No biggy right?
I setup the NAT/Port forwards (with no firewall entries) and then ran a Shields-UP (gcr.com) test. The test included the newly assigned ports. All but one of the ports was closed. This seemed to puzzle me quite a bit so I then continued to add in the required firewall entries and tried again. All of the required ports were now working.
The laughable thing is that without opening the firewall for the NAT ports, the router had already let one of the ports into my network! I double checked this by removing the firewall entries to leave the NAT entries only. This single port was still working.
I went to check for a newer firmware… There was only one version, version 1.0… Though I was further concerned to find that the ISP had a custom firmware on the unit!
I for one will continue with the “can I hack it” technique to be 99.1% sure I’m safe. Why the 0.9% left over? If you are 100% complacent with any system, you’re setting yourself up for a big fall.
… Time to find another router that actually has a functioning firewall!