
DEFCON Router Hacking Contest Reveals Major Vulnerabilities - Garbage
https://www.eff.org/deeplinks/2014/08/def-con-router-hacking-contest-success-fun-learning-and-profit-many
======
dmix
The problem that Dan Geer pointed out at his NSA talk [1] isn't that they have
some surface-level vulns, it's that they are mostly all running Linux from 5
years ago and rarely get security updates. Home routers are insecure by
default. The problem is that even if your home router gets hacked and bricked,
you go to BestBuy or Newegg to buy a new router and they are _all_ running the
same old broken OS by default - not including the questionable services and
awful vendor-created software included (i.e. Asus cloud management software with
5x CVEs).

So he posed the question: What if all home routers get hacked and wiped in a
mass attack against a country? People can't go out and buy new ones since they
are just as at risk and will probably just get hacked again. This puts a large
amount of any country's technical infrastructure at risk.

The router manufacturers really need to step up here. And even technical users
could benefit from more options on the market for secure routers, instead of
just DIY OpenBSD boxes.

I'm curious if the gov will ever pressure these companies for better security,
although they seem to prefer insecure-by-default.

[1]
[http://geer.tinho.net/geer.nsa.26iii14.txt](http://geer.tinho.net/geer.nsa.26iii14.txt)

~~~
gear54rus
> home routers get hacked and wiped in a mass attack against a country

Who would want to do that, I wonder. I mean, it's not a one-click process, on
that scale, diversity will be an important factor (FW and HW versions,
manufacturers, OpenWRT and stuff).

It seems to me that this would require a lot of effort and the result will be
questionable. What will be achieved by this?

I think if someone cares about security, they've already flashed DD-WRT by now
and those who don't... well, router (in)security will not stop their systems
from being overtaken.

~~~
dmix
> I think if someone cares about security, they've already flashed DD-WRT by
> now and those who don't... well, router (in)security will not stop their
> systems from being overtaken.

Nonsense.

a) People shouldn't have to flash their firmware to have an adequate level of
security. If we're creating software we should at least hold some
responsibility to provide basic security. Engineers in other fields take
safety extremely seriously, why should software only provide it to a small
percentage of people with technical knowledge?

b) Using up-to-date operating systems with update processes and security-
conscious decision-making when packaging 3rd-party software is not a huge cost
to these companies.

c) The goal of any security is to significantly increase the costs and
complexities of attacks. No solution will completely eliminate possibilities
for attack but that doesn't negate the need for security.

~~~
gear54rus
> _Nonsense.

a) People shouldn't have to flash their firmware to have an adequate level of
security. If we're creating software we should hold some at least
responsibility to provide basic security. Engineers in other fields take
safety extremely seriously, why should software only provide it to a small
percentage of people with technical knowledge?_

I think you are comparing fundamentally different threat levels.

Say you're designing a car. A cool, safe car in which passengers survive head-
on collision with a wall at 100km/h with 100% chance. That's a nice car, but
it can't save you if someone shoots you in the head with a 9mm through the
windshield, unfortunately. You want that kind of protection? You go and buy
special car with bulletproof glass and additional security measures.

Your router may save you against someone typing 192.168.0.1 in a browser and
getting full rights without a password. But it won't (and probably can't) save
you from someone with enough tech knowledge and determination by default.

> _b) Using up-to-date operating systems with update processes and security-
> conscious decision-making when packaging 3rd-party software is not a huge
> cost to these companies._

Well, they won't want to spend it. People will buy them anyway like they do
now.

~~~
Karunamon
I think the difference here is that your hypothetical gunman taking potshots
at passing cars/routers (i.e. random hackers) is a lot more of a clear and
present danger in the post-Snowden world than real gunmen in the real world.

In other words, that armor glass should come standard, and there's no excuse
for it not to.

Microsoft learned this lesson - you either design for security up front or you
design for security after the fact, _the hard way_ , breaking things as you go
and annoying users.

~~~
gear54rus
I guess I see your point.

------
netdog
I think the widespread insecurity of home routers will not improve anytime
soon.

Background: I work at a company which makes a "home router". It's not one you
will find at a big box store, but internally it's not much different.

Most of these routers are built from a MIPS SoC manufactured by Broadcom,
Atheros, or Marvell. Since their business is selling chips, not routers, these
SoC companies need to make it easy for your LanWan Company startup to choose
to use their chipset.

So these SoC companies will give you a reference hardware design. They will
also give you a completely functional software package with Linux kernel,
drivers for all the peripherals (Wi-Fi, ethernet, etc.), all the necessary
user space utilities, a complete GCC cross-compiler toolchain binary which
runs on Ubuntu, and a bad web app. You can literally unzip this package, run
'make', and end up with a functional filesystem image ready to flash onto the
reference board.

So LanWan startup can start manufacturing routers with only one or two
software devs who know some C and a part-time hardware engineer. Manufacturing
is contracted out to China.

The vendor-supplied C code is not written by expert programmers. It's obvious
when you (try to) read the source. It's also a huge and messy pile of code.

Where I work we use the vendor-supplied kernel but we wrote all the user space
ourselves. All this stuff is written in C. The software devs here have more
than a few years of experience writing C, but are very uneducated about how to
write secure code. They don't think about it. And management does not think
about it. The only thing that matters to management is that the box passes the
tests.

I've been around long enough to have figured out that things are like this in
most places. Whether small companies or big companies doesn't matter.

~~~
AnthonyMouse
I believe this is the premise behind EFF's open router project. Provide a
higher quality base router distribution that can be used by anyone, including
SoC and router manufacturers.

~~~
netdog
Every SoC has a different kernel, heavily patched, with drivers specific to
the SoC. The SoC vendor has an army of paid programmers developing this
software for every SoC they make.

These SoC vendors have to start working on a new kernel long before the chip
is released, as they need working software by the time the chip goes to market
(to offer the router makers). Broadcom's business depends on this. They will
not simply hope some loose-knit group of volunteers will timely produce
software which will help them sell their new chips.

And it's not realistic for the open router project to do this much work. It
would require cooperation from the SoC vendors, providing free and early
access to their kernel driver source and complete documentation for their
chips. I don't see this happening.

At best the open router project could release software for hardware which is
already a year or two old.

Sorry to be such a pessimist, but the incentives to make this work are just
not there for the businesses involved.

~~~
yuhong
Fortunately, most of the important security bugs tend to be in userspace.

------
danielweber
Many years ago I went hunting for CSRF attacks in SOHO routers and found it in
all of them. Most of them completely ignored me when I reported it, one
accused me of accessing an internal dev-only version (when it was simply in
the office of a friend of my boss). Checkpoint followed through like
professionals.

(To be fair, I was working at a place selling all-in-one firewalls to SMB, so
many of those boxes were our competitors.)

------
me_again
I own and am currently using an Actiontec Q1000 with a CenturyLink DSL
connection.

I'm trying to work out just how exposed I am, and whether there's anything
practical I can do about it.

Presumably I can:

1) buy a different device not currently known to be vulnerable
2) reflash with an alternate firmware
3) disable as many admin options as possible to reduce surface area
4) pray

Are there other alternatives for the luckless home router owner?

~~~
michaellosee
They gave the exploit a "1337 compromise" award, so it is almost as bad as it
gets.

While you still have the Q1000, be sure that you have the remote interface
disabled and use the NoScript browser plugin. Those two items will mitigate a
lot of the risk.

I replaced my Actiontec Q1000 with a used Zyxel Q1000Z I got for $30. I
haven't had time to assess the Q1000Z yet, but it does not have any known
0-day vulnerabilities.

~~~
sitkack
Actually the parent should firewall off both sides of the router and turn off
internal management, Samy has been p0wning routers from inside the network
since 1989.

~~~
michaellosee
That is true. Those first two recommendations are good bang for your buck (for
the newbies), I guess I forgot I have a technical audience here :-)

Now that I'm thinking about it transparent bridge mode might do the trick as
well.

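The CSRF weakness danielweber describes, and the reason sitkack says disabling the remote interface is not enough (the attack comes from a browser already inside the LAN), as an added example that is not code from the thread or from any router vendor. It models a router admin endpoint in the vulnerable shape (session cookie alone authorises a change, via GET or POST) beside a hardened one (POST only, Origin/Referer check, per-session token). All names are hypothetical; the attacker origin and DNS values are constructed sample input.

```python
# Added example, not from the thread or any vendor firmware: a minimal model
# of a SOHO router "set DNS" admin endpoint, vulnerable form beside hardened
# form. Handler/class names are hypothetical; origins and addresses are
# constructed sample data.
from dataclasses import dataclass, field
from urllib.parse import urlsplit
import hmac
import secrets

ADMIN_ORIGIN = "http://192.168.0.1"      # where the admin UI is served from
ATTACKER_ORIGIN = "http://evil.example"  # constructed: a page the victim visits


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)   # query string or form body
    cookies: dict = field(default_factory=dict)


@dataclass
class Router:
    dns: str = "192.168.0.1"
    valid_sid: str = field(default_factory=lambda: secrets.token_hex(16))
    csrf_tokens: set = field(default_factory=set)

    def logged_in(self, req):
        return hmac.compare_digest(req.cookies.get("sid", ""), self.valid_sid)

    def issue_csrf_token(self):
        """Called when the settings page is rendered; a cross-site page
        cannot read it, so it cannot forge a request that carries it."""
        tok = secrets.token_hex(16)
        self.csrf_tokens.add(tok)
        return tok

    def vulnerable_set_dns(self, req):
        """Typical handler: the auto-attached cookie alone authorises a
        state change, on GET or POST, so any page loaded on the LAN can
        trigger it (an <img src="...set_dns?dns=..."> needs no JavaScript)."""
        if not self.logged_in(req):
            return 403
        self.dns = req.params["dns"]
        return 200

    def hardened_set_dns(self, req):
        """Same endpoint with three checks: POST only, Origin/Referer must
        match the admin origin, and a valid per-session token must be sent."""
        if req.method != "POST" or not self.logged_in(req):
            return 403
        src = req.headers.get("Origin") or req.headers.get("Referer")
        if src is None or not same_origin(src, ADMIN_ORIGIN):
            return 403
        tok = req.params.get("csrf", "")
        if not any(hmac.compare_digest(tok, t) for t in self.csrf_tokens):
            return 403
        self.dns = req.params["dns"]
        return 200


def same_origin(url, origin):
    a, b = urlsplit(url), urlsplit(origin)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


def forged_request(router, method):
    """What the victim's browser sends when a page on ATTACKER_ORIGIN embeds
    an <img> (GET) or auto-submits a form (POST): the session cookie rides
    along, but the browser-set Origin/Referer gives the attacker away."""
    hdr = ({"Origin": ATTACKER_ORIGIN} if method == "POST"
           else {"Referer": ATTACKER_ORIGIN + "/"})
    return Request(method, hdr, {"dns": "203.0.113.53"}, {"sid": router.valid_sid})


def legitimate_request(router):
    """The admin UI itself: same origin, with the token it was given."""
    tok = router.issue_csrf_token()
    return Request("POST", {"Origin": ADMIN_ORIGIN},
                   {"dns": "9.9.9.9", "csrf": tok}, {"sid": router.valid_sid})


def run_scenario(hardened):
    """Returns (forged GET status, forged POST status, dns after the attack,
    legitimate POST status, dns after the legitimate change)."""
    r = Router()
    handler = r.hardened_set_dns if hardened else r.vulnerable_set_dns
    get_status = handler(forged_request(r, "GET"))
    post_status = handler(forged_request(r, "POST"))
    dns_after_attack = r.dns
    ok_status = handler(legitimate_request(r))
    return (get_status, post_status, dns_after_attack, ok_status, r.dns)


if __name__ == "__main__":
    print("vulnerable:", run_scenario(False))  # attack succeeds, DNS hijacked
    print("hardened:  ", run_scenario(True))   # attack rejected, admin still works
```

Two caveats a practitioner would want: the Origin/Referer check is a second line of defence only, since some browsers of that era sent neither header and privacy extensions strip Referer, so the token is the check that must not be skipped; and none of this helps if the admin password is default or absent, because the attacker's page can then simply log in first.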
------
tedunangst
> Unfortunately, fixes have been slow to roll out. Because each of the bugs
> have been disclosed to the manufacturer directly, there may not be pressure
> to push an emergency patch, but manufacturers have a chance to address the
> issues.

Responsible disclosure for the win. It's a good thing nobody else is looking
for vulnerabilities in these routers.

~~~
michaellosee
I demonstrated the Actiontec Q1000 exploit on Track 0. As a security
professional I am very interested in responsible disclosure, and had already
reported the vulnerability to Century Link 6+ months before Defcon (slight
correction to the article, the ISP is not Verizon). I first read about the
SOHOplessly broken contest on HN the week before Defcon and figured I'd apply
since I already had a 0-day in my back pocket.

As the article says the manufacturer has acknowledged the vulnerability, but I
have not heard from them for quite a while. I've begun to wonder how much time
has to pass without a fix before it would be irresponsible of me not to fully
disclose the vulnerability. Lately I've been thinking that full disclosure may
be the only responsible way to disclose a vulnerability. But I am still
conflicted.

~~~
tedunangst
I understand 3 months, or 6 at the outside, to be a fair deadline. Bugs not
fixed after six months are never fixed.

------
r00fus
Wonder why an Apple product wasn't on that target list. I'm sure it
compromises a good sized population and likely valuable targets for
compromise.

~~~
lunixbochs
There's a much higher barrier to entry for security research on AirPort
routers.

The only configuration method is over a custom binary protocol, so you can't
just fuzz HTTP headers and input fields. The firmware downloads are encrypted,
so there's no easy way to pull binaries from the device.

The only public way to do any analysis on the software requires soldering to
the board.

The early models run VxWorks, the N models run NetBSD 4.3 on ARM (Express) and
MIPS (Extreme), and the AC models (Extreme and Time Capsule, the weird tall
ones) run a fork of NetBSD 6.0 on ARM. The AC versions actually contain a
single-core binned ARM Cortex-A9 from the iPhone 4S like you would find in the
Apple TV.

That said, at least one group has root, firmware dumps, and is doing active
research. Come hang out #theairportwiki on freenode if you're interested.

------
tehskylark
That feeling when the eff labels you as a newb.. :/

~~~
rangak
I am one of the authors of the blog post.

I think you are referring to the description of Track 1 and 2. Seems like you
were one of the contestants. Sorry, we didn't mean to label anyone a newbie.
It is just that Track 1 and 2 had goals of bringing in newbies. Of course many
of the contestants were even experienced hackers. Indeed one of the winners of
Track 1 was also the Track 0 winner.

I apologize if the phrasing in the blog post seemed like a put down of
contestants' expertise in any of the Tracks.

------
lawnchair_larry
There is nothing "responsible disclosure" about not reporting these to the
people affected. Another example of why that term is terrible.

