As you’re well aware, Patch Tuesday has been going on for more than ten years.
As a result, we’ve grown accustomed to regular bug reports about security holes in widely-used products.
Occasionally, a popular product will receive so many security fixes in one go that we’ll hear people suggesting that we should stop trusting it altogether.
A good example was the June 2014 update to Internet Explorer, which famously patched a claimed “badness record” of 59 vulnerabilities.
You can see why a product with lots of officially-acknowledged holes might feel less secure than one with just a few known holes, especially if that product was previously patched just one month earlier.
But there are some big problems with that line of reasoning.
The most obvious one is that it implies a product is more secure simply because it comes from a vendor who rarely patches it and hardly ever acknowledges holes.
Of course, if a product really is more secure, and has fewer vulnerabilities, then it probably will end up needing fewer patches, but you can’t run that argument in reverse.
All other things being equal, a product is just as likely to have a history of few and intermittent patches because it has received intermittent and inadequate security scrutiny.
In other words, absence of evidence is not evidence of absence.
With that in mind, a company called Independent Security Evaluators (ISE), in concert with privacy advocates the Electronic Frontier Foundation (EFF), is running a security bug-finding competition at this year’s DECFON hacker convention in Las Vegas.
There are even “awesome” prizes promised, though the organisers don’t know what they are yet.
The competition is rather bluntly titled SOHOpelessly Broken, and it’s aimed at turning some serious security scrutiny on home and small business routers.
You’re probably familiar with this class of product; in fact, you may very well use one to connect to the internet at home.
A typical SoHo router product might cost you $50 and probably includes a Wi-Fi access point, a four-port ethernet switch, an ADSL or cable modem, and an AC-to-DC power brick that’s almost as big as the router itself.
The idea is an appealing one: plug it into the mains, plug it into your phone line, press a button on the front, connect to it from a laptop, and point your browser at an easily remembered web page, such as http://192.168.0.1/login.
Run through some basic setup screens, answer a few simple questions, press [OK] and…
Bingo! A connected household! What could possibly go wrong?
If history is any guide, quite a lot.
Deliberate security holes
We’ve written regularly, and sadly fairly frequently, about security holes in SoHo routers – holes that in many cases do not instil much confidence at all.
Some of these holes were simple bugs; even more alarmingly, others weren’t bugs, but deliberately-programmed security flaws.
For example, we’ve had:
- A remote code execution hole in Cisco devices allowing a cunningly crafted web request to take over your router.
- A Linksys bug allowing an external website to change the router’s password, and to enable login access over the internet.
- “Joel’s Backdoor” in D-Link routers, where a simple change in the User-Agent string in your browser would bypass the login screen.
- Sercomm’s undocumented ScMM backdoor interface that allowed you to bypass not just the login screen but the admin web pages too.
- Sercomm’s patch for the ScMM backdoor, implemented by hiding the backdoor behind a new backdoor.
Perhaps it’s unfair to expect software code of satisfactory quality in what are primarily considered to be hardware products that cost only a few tens of dollars?
But neither ISE nor the EFF agrees, and one important reason is that insecurities in popular router products are like gold dust to cybercrooks.
It’s easy to dismiss router vulnerabilities as much less of a problem than, say, security holes in your laptop operating system or your mobile phone.
After all, you don’t usually download documents, browse to websites, or enter login passwords on the router itself.
But “securing” your network, and your personally identifiable information, behind a shabbily-programmed $50 router is a bit like “locking up” your $5000 mountain bike with a $1 cable tie.
Here’s one reason: consider that your home network probably relies on your router to handle DNS requests.
In other words, if you decide to visit sophos.com, it’s up to your router whether to tell you the truth (at 2014-07-21T20:30Z, it should direct you to the IP number 220.127.116.11), or to lie deliberately and misdirect you to an imposter site.
In short, if the crooks own your router, they almost certainly own your DNS.
If they own your DNS, then they get to choose when to dump you onto fake websites, to send your email to bogus servers, or to convince your security software there’s a problem getting updates.
And that’s why we’ve got the SOHOpelessly Broken competition, aimed at encouraging open, expert scrutiny of a range of well-known SoHo routers.
Unfortunately, the competition is a little freewheeling for our tastes, because it claims to have a “strict responsible disclosure policy,” yet it seems that all you need to do is disclose your exploit to the vendor “at some point…prior to its demonstration at the contest area.”
With just over two weeks to go to DEFCON, that doesn’t leave a whole lot of time even if you disclose right now, but there doesn’t seem to be any limit on how late you can leave it, or what sort of degree of detail you can use to publicise the exploit during and after the competition.
(To be fair, the competition encourages you to tell the vendor earlier, rather than later, as your exploit will still count as a zero-day for the purpose of the contest, even if the vendor fixes it in time.)
Nevertheless, setting aside our reservations about just how “strict” and “responsible” the organisers’ rules might be, there is no doubt that SoHo router security needs a bit of a shake-up.
Perhaps this year’s DEFCON will deliver just that?
Free Sophos UTM Home Edition
Looking for a full-blown security solution to add to your regular SoHo router?
If you have a spare PC or laptop handy, why not try the Sophos UTM Home Edition?
You get all the features of our commercial product, including: web and email filtering; a network intrusion detection system; full-blown VPN support; regular and frequent updates; and licences to install and manage Sophos Anti-Virus for Windows on up to 12 PCs.
If you are the IT geek in a shared house or have children to keep safe online, this could be just what you need, all for $0.