The Routers of All Evil

While the rest of us are enjoying the sunshine – at least when we’re not stuck behind our desks – a select group of techies, no doubt complete with pony tails and full-fat coke, are preparing to lock themselves away in dark rooms. (Honestly, the sun was shining when I wrote this!)


It’s all part of a competition that will take place at DEF CON 22 – one of the world’s largest annual hacker conventions, held every year in Las Vegas, Nevada.

The challenge, ingeniously named ‘SOHOpelessly Broken’ – SOHO standing for small office / home office – invites participants to expose flaws in entry-level and home networking routers that leave users vulnerable to attack.

It’s all legitimate, with the hope that the contest will shed light on the need for manufacturers to better secure these devices. In fact, all hacks must be disclosed to the affected vendors before being entered into the competition.

James Lyne, Global Head of Security Research at Sophos, who has spoken at numerous TSG events, recently told the Guardian that router manufacturers need to learn to take security seriously, explaining that many home and small business routers still have basic web application security flaws which allow remote control or information exposure.

Whilst these security concerns won’t impact those TSG customers who have the right processes and equipment in place – such as a UTM device – there may be some who should give serious consideration to upgrading their routers and security devices.

Equally, given the number of people who now work from home, even if that’s only to check emails, it may be something that affects more people than realise it.

It’s also not just big businesses like Domino’s, Sony, Evernote and Feedly that are affected by attacks, as I discovered recently when I was called in by a friend to help ‘disinfect’ a brand new laptop – more of that one in a future blog!

Anyway, back to the competition, which has been devised by the Electronic Frontier Foundation (EFF) and the Independent Security Evaluators (ISE). Hackers must concoct ‘zero day’ (i.e. previously unknown) vulnerabilities against a list of nine popular routers running specific firmware.

Points will be awarded based on the amount of router blood spilled through hijacking, bricking and denial of service, and contestants are encouraged to chain zero-day vulnerabilities with known ones for maximum carnage. Those who completely compromise the routers will be awarded top points.

In effect, the competition is a bit like a quality control process – albeit that it’s too late for those already affected – and that got me wondering if our R & D team’s recent bug hunt had a similar vibe. Maybe we should set up a points system for the next one.

Although, I’m not sure we could change the venue from Loughborough to Las Vegas! Sorry Mat.

DEF CON 22 doesn’t start until August 7th, but we’ll keep you posted on how the competition goes. Maybe we’ll organise a sweepstake in the office to guess the winner?

In the meantime, suffice to say that entry-level equipment – even from well-known brands – isn’t the right way to protect the perimeter of your network.