DEF CON SOHOpelessly Broken Router Hacking Contest

Young said the routers largely lacked any form of authentication happening on the server; instead the routers were doing password authentication on the browser. Compromising password hashes wasn’t much of a barrier for the contestants, and for hackers in the wild as well.

Source: DEF CON SOHOpelessly Broken Router Hacking Contest | Threatpost | The first stop for security news

Young said he would download the firmware from the respective vendor, extract it using tools such as Firmware Mod Kit to explore its design and eventually learn which files house administrative passwords and how the web server logic works with the router. Some models such as Netgear, TrendNet and others will return the password when submitted with the proper request.

This is why admin access to a SOHO router should only be reachable from the LAN side, never from the WAN side. Admin changes should happen rarely. One of the most damaging things a malicious actor can do is point DNS requests at a server they control, which lets them divert all LAN traffic wherever they want. Devices typically receive their DNS server address together with their IP address when they obtain a lease from the router via DHCP.

Kicking the SOHO router seems to be a hot topic today. From: The Moose is loose: Linux-based worm turns routers into social network bots | Ars Technica

The malware, dubbed “Linux/Moose” by Olivier Bilodeau and Thomas Dupuy of the security firm ESET Canada Research, exploits routers open to connections from the Internet via Telnet by performing brute-force login attempts using default or common administrative credentials. Once connected, the worm installs itself on the targeted device.
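The worm described above gets in by hammering a Telnet login with default credentials, which leaves a very recognisable trail in the device's log. The following detector is an added example, not code from ESET or from the Ars Technica article: it parses a constructed sample of login-failure lines (the busybox-style `login[...]` message format is assumed; adjust `LINE_RE` to the real syslog format of the device) and flags any source that produces `threshold` failures inside a sliding `window`.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of router syslog lines. The "login[pid]: invalid password ..."
# wording is an assumption for illustration, not a format taken from a real device.
SAMPLE_LOG = """\
May 26 10:00:01 router login[1201]: invalid password for 'admin' on 'pts/0' from '198.51.100.7'
May 26 10:00:04 router login[1202]: invalid password for 'root' on 'pts/0' from '198.51.100.7'
May 26 10:00:07 router login[1203]: invalid password for 'admin' on 'pts/0' from '198.51.100.7'
May 26 10:00:11 router login[1204]: invalid password for 'support' on 'pts/0' from '198.51.100.7'
May 26 10:00:15 router login[1205]: invalid password for 'root' on 'pts/0' from '198.51.100.7'
May 26 10:00:20 router login[1206]: invalid password for 'admin' on 'pts/0' from '198.51.100.7'
May 26 10:05:30 router login[1250]: invalid password for 'admin' on 'pts/1' from '192.168.1.20'
May 26 10:05:40 router kernel: eth0: link is up
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ login\[\d+\]: invalid password "
    r"for '(?P<user>[^']*)' on '\S+' from '(?P<src>[\d.]+)'"
)


def parse_failures(text, year=2015):
    """Extract (timestamp, source address, username) for each failed login line.
    Syslog lines carry no year, so one is supplied by the caller."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["user"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Return {source: summary} for every source with >= threshold failures
    inside any `window`-long span. Password guessing shows up as many failures
    across several usernames from one address in a short time."""
    by_src = defaultdict(list)
    for ts, src, user in sorted(events):
        by_src[src].append((ts, user))
    alerts = {}
    for src, items in by_src.items():
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                alerts[src] = {
                    "attempts": len(items),
                    "users": sorted({u for _, u in items}),
                }
                break
    return alerts


if __name__ == "__main__":
    for src, info in detect_bruteforce(parse_failures(SAMPLE_LOG)).items():
        print(f"brute force from {src}: {info['attempts']} failures, users {info['users']}")
```

On a real device the same logic would run over the log stream the router exports (or over `/var/log/messages` on an OpenWrt-class box); the single failure from the LAN host is left alone, which is the point of requiring a burst rather than alerting on every bad password.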

Fault Tolerant Router

Fault Tolerant Router is a daemon, running in the background on a Linux router or firewall, monitoring the state of multiple internet uplinks/providers and changing the routing accordingly. LAN/DMZ internet traffic (outgoing connections) is load balanced between the uplinks using Linux multipath routing. The daemon monitors the state of the uplinks by routinely pinging well-known IP addresses (Google public DNS servers, etc.) through each outgoing interface: once an uplink goes down, it is excluded from the multipath routing; when it comes back up, it is included again. All of the routing changes are notified to the administrator by email.

via  Fault Tolerant Router
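The core of such a daemon is small: probe each uplink, compute the set that answered, and rewrite the multipath default route when that set changes. Here is an added example of that loop, written for this post and not the Fault Tolerant Router project's own code. The uplink table and its gateways are constructed; the probe is injectable so the decision logic can be exercised without a network, and `ping_via` is the real iputils `ping -I` probe for use on a Linux router.

```python
import subprocess

# Constructed uplink table: hypothetical interfaces, gateways and weights.
UPLINKS = [
    {"iface": "eth1", "gateway": "203.0.113.1", "weight": 2},
    {"iface": "eth2", "gateway": "198.51.100.1", "weight": 1},
]
# Well-known public resolvers used as ping targets, as the daemon described above does.
PROBE_TARGETS = ["8.8.8.8", "8.8.4.4"]


def ping_via(iface, target, timeout_s=2):
    """Real probe: one ICMP echo forced out of `iface` (iputils `ping -I`)."""
    result = subprocess.run(
        ["ping", "-c", "1", "-W", str(timeout_s), "-I", iface, target],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return result.returncode == 0


def uplink_is_up(iface, probe, targets=PROBE_TARGETS):
    """An uplink counts as up when at least one target answers through it."""
    return any(probe(iface, t) for t in targets)


def multipath_route_command(alive):
    """`ip route replace default` with one nexthop per live uplink; with nothing
    alive the default route is removed so LAN traffic fails closed."""
    if not alive:
        return ["ip", "route", "del", "default"]
    cmd = ["ip", "route", "replace", "default"]
    for u in alive:
        cmd += ["nexthop", "via", u["gateway"], "dev", u["iface"], "weight", str(u["weight"])]
    return cmd


def reconcile(uplinks, probe, previous_up):
    """One monitoring cycle. Returns (route command, set of live ifaces, transitions),
    where transitions are the up/down changes an operator would want notified."""
    alive = [u for u in uplinks if uplink_is_up(u["iface"], probe)]
    now_up = {u["iface"] for u in alive}
    transitions = ([f"{i} DOWN" for i in sorted(previous_up - now_up)]
                   + [f"{i} UP" for i in sorted(now_up - previous_up)])
    return multipath_route_command(alive), now_up, transitions


if __name__ == "__main__":
    import time
    state = set()
    while True:  # daemon loop: probe, apply the route only on change, notify
        cmd, state_now, changes = reconcile(UPLINKS, ping_via, state)
        if changes:
            subprocess.run(cmd, check=False)
            print("\n".join(changes))  # an email notification hook would go here
        state = state_now
        time.sleep(10)
```

Two details worth keeping when adapting this: the route is only rewritten when the live set actually changes, so a flapping probe does not churn the kernel's route cache every cycle, and losing every uplink deletes the default route rather than leaving a stale nexthop in place.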

Verizon made an enemy tonight

Watch the video to feel the full pain. What you’ll see is that on Fios it streams at 375 kbps at the fastest. The experience sucks. It takes an eternity to buffer.

Then I connect to a VPN (in this case VyprVPN) and I quickly get up to full speed at 3000 kbps (the max on Netflix), about 10x the speed I was getting connecting directly via Verizon.

via Verizon made an enemy tonight.

From: Verizon’s Accidental Mea Culpa


Verizon has confirmed that everything between that router in their network and their subscribers is uncongested – in fact has plenty of capacity sitting there waiting to be used. Above, I confirmed exactly the same thing for the Level 3 network. So in fact, we could fix this congestion in about five minutes simply by connecting up more 10Gbps ports on those routers. Simple. Something we’ve been asking Verizon to do for many, many months, and something other providers regularly do in similar circumstances. But Verizon has refused. So Verizon, not Level 3 or Netflix, causes the congestion. Why is that? Maybe they can’t afford a new port card because they’ve run out – even though these cards are very cheap, just a few thousand dollars for each 10 Gbps card which could support 5,000 streams or more. If that’s the case, we’ll buy one for them. Maybe they can’t afford the small piece of cable between our two ports. If that’s the case, we’ll provide it. Heck, we’ll even install it.

Glenn Greenwald: how the NSA tampers with US-made internet routers

But while American companies were being warned away from supposedly untrustworthy Chinese routers, foreign organisations would have been well advised to beware of American-made ones. A June 2010 report from the head of the NSA‘s Access and Target Development department is shockingly explicit. The NSA routinely receives – or intercepts – routers, servers, and other computer network devices being exported from the US before they are delivered to the international customers.

via Glenn Greenwald: how the NSA tampers with US-made internet routers | World news | The Guardian.

The oRouter Is A Tor-Powered Linux Box That Secures Your Internet Connection

As an end user, the process of using the oRouter is designed to be exceedingly simple. It’s zero configuration, meaning that you plug it in and then connect to the Wi-Fi network it provides. Unlike the Tor download, it requires no additional software in order to work. Once connected, as you browse the web and use online services, you’re actually using Tor (via Wi-Fi), thereby securing your communications from eavesdropping. In addition, for an extra layer of security, the oRouter’s MAC address (hardware address) changes every 10 minutes.

via The oRouter Is A Tor-Powered Linux Box That Secures Your Internet Connection | TechCrunch.

$99 ARM-based Utilite gives the Raspberry Pi some competition

The Utilite can have the processor configured up to 1.2GHz, up to 4GB of DDR3 RAM, up to a 512GB mSATA SSD, up to a 128GB Micro-SD SDXC, and two display ports — HDMI 1.4 and DVI-D — up to 1920×1200 resolution at 60Hz. The specs of the GPU aren’t listed, but rather what is listed is what it supports: OpenGL ES 1.1 and 2.0, OpenVG 1.1 and OpenCL EP, multi-stream 1080p H.264, VC1, RV10, and DivX HW decoding. What seems static on the Utilite, at least, is Bluetooth 3.0, two Gigabit Ethernet ports, 802.11b/g/n WiFi, stereo line-out and in, four USB 2.0 ports, a micro-USB OTG connector, and two RS232 serial ports.

via $99 ARM-based Utilite gives the Raspberry Pi some competition | ExtremeTech.

Home Routers Pose Biggest Consumer Cyberthreat

Of the small-office, home-office routers evaluated, every one could be compromised with relative ease by hijacking DNS connections, exploiting HTTPS flaws, weaknesses in Universal Plug and Play services, cross-site-scripting attacks, file-traversal and source-code vulnerabilities, weaknesses in WiFi Protected Setup (WPS), buffer overflows or simply bypassing authentication requirements.

via Home Routers Pose Biggest Consumer Cyberthreat.

During late 2013 and early 2014, gangs of Polish hackers have robbed thousands of consumers by attacking home routers and changing DNS settings so they point at the attackers’ DNS servers rather than legitimate servers.

DNS is a big problem.  Usually devices behind a SOHO router will receive their DNS info from the router via DHCP.  The router has been configured by the owner using DNS settings from their ISP or they could use one of Google’s servers like  A user of their home network should expect a higher level of security unlike the open wifi people use on the road.
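Because the resolver address arrives silently with the DHCP lease, a hijacked router rewrites every LAN host's DNS without any of them noticing. The cheapest check is on the hosts themselves: compare the resolvers the DHCP client wrote into `/etc/resolv.conf` against the short list the owner actually chose (the router's LAN address, the ISP's servers, or Google's). The script below is an added example, not from either article quoted above; the allowlist and the sample `resolv.conf` contents are constructed.

```python
import ipaddress
from pathlib import Path

# Constructed allowlist: the router's own LAN address plus the public resolvers
# the owner configured. Anything else handed out by DHCP is suspicious.
EXPECTED_RESOLVERS = [
    ipaddress.ip_network("192.168.1.1/32"),
    ipaddress.ip_network("8.8.8.8/32"),
    ipaddress.ip_network("8.8.4.4/32"),
]

# Constructed sample of what a DHCP client might have written to /etc/resolv.conf
# after the router's DNS setting was changed to an address the owner never chose.
SAMPLE_RESOLV_CONF = """\
# Generated by the DHCP client (constructed sample)
search home.lan
nameserver 192.168.1.1
nameserver 198.51.100.23
"""


def parse_resolv_conf(text):
    """Return the resolver addresses listed on `nameserver` lines, ignoring
    comments, `search`/`options` lines and anything that is not a valid address."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # malformed entry; the resolver library would skip it too
    return servers


def unexpected_resolvers(servers, allowlist=EXPECTED_RESOLVERS):
    """Addresses that fall outside every allowlisted network."""
    return [str(s) for s in servers if not any(s in net for net in allowlist)]


def check_host(path="/etc/resolv.conf"):
    """Run the check against the live file on a Linux/BSD host."""
    return unexpected_resolvers(parse_resolv_conf(Path(path).read_text()))


if __name__ == "__main__":
    bad = check_host()
    print("unexpected resolvers:", bad if bad else "none")
```

Run from cron or a login script it gives a LAN host an independent view of what the router is handing out, which matters precisely because the router is the thing that may have been compromised.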

The simplest remedy is to never allow router management access from the Internet. This is usually turned off by default. Routers should be set and forget, so using the maintenance interface should be a rare occurrence. The TP-LINK attack outlined here requires the user to click a malicious link while in a management session, according to this:

Attack Requirements

  • The victim must have an active management session with the WR1043N.
  • The victim must be fooled into performing an action (e.g., by clicking an attacker-provided link), browse to a malicious or compromised site, or be the victim of a man-in-the-middle attack.

Here again the user gets tricked into becoming compromised, so this wouldn’t be a problem if the user simply entered the management interface of the router, made the changes, and left. There’s no point lingering in a management session.
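The attack requirements above describe a cross-site request forgery: the router trusts any settings change that arrives inside a live session, so a page in another tab can make the browser submit one. Logging out closes the window, but the firmware can also close it for good. The following is an added example, not TP-LINK's code: a vulnerable check that trusts the session alone beside a hardened one that also demands a per-session token and a same-origin request. The management origin, session dictionary and request shapes are constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed: the origin at which the router's management UI is served on the LAN.
ROUTER_ORIGIN = "http://192.168.1.1"


def issue_csrf_token(session):
    """Mint one unguessable token per login session; the UI embeds it in every settings form."""
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def request_origin(headers):
    """Browsers attach Origin (or at least Referer) to form posts; a request that a
    malicious page made the browser send carries that page's origin, not the router's."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return None
    p = urlsplit(src)
    return f"{p.scheme}://{p.netloc}"


def vulnerable_is_allowed(session, headers, form):
    """The pattern the advisory describes: any request inside a live session is trusted."""
    return bool(session.get("logged_in"))


def hardened_is_allowed(session, headers, form):
    """Require a logged-in session AND the session's token AND a same-origin request.
    The token defeats the forged form (the other site cannot read it); the origin
    check is a second, independent line against the same class of request."""
    if not session.get("logged_in"):
        return False
    expected = session.get("csrf", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False
    return request_origin(headers) == ROUTER_ORIGIN


def demo():
    """Constructed requests: one from the router's own UI, one the browser was made to
    send while visiting another site during the same management session."""
    session = {"logged_in": True}
    token = issue_csrf_token(session)
    legit_headers = {"Origin": ROUTER_ORIGIN, "Cookie": "sid=abc"}
    legit_form = {"dns1": "192.168.1.1", "csrf_token": token}
    forged_headers = {"Origin": "http://malicious.example", "Cookie": "sid=abc"}
    forged_form = {"dns1": "198.51.100.53"}
    return {
        "vulnerable_accepts_forged": vulnerable_is_allowed(session, forged_headers, forged_form),
        "hardened_accepts_legit": hardened_is_allowed(session, legit_headers, legit_form),
        "hardened_accepts_forged": hardened_is_allowed(session, forged_headers, forged_form),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The constant-time comparison and the fallback to `Referer` when `Origin` is absent are the two details that usually get dropped in embedded web UIs; a missing `Origin` header is treated as a failure rather than a pass, which is the safe default for a settings change.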

A dedicated physical firewall sitting between the Internet and the LAN, with all routers treated as dumb access points, adds another layer of security. All SOHO routers are relatively cheap embedded devices, and it is impractical to expect them to defend against every possible exploit. By virtue of being on the Internet, everyone gets constantly scanned by bots. That only becomes a problem when a bot sees a vulnerability and phones home listing your device as a possible target.

Your next network operating system is Linux

Thus, the scale and agility of modern data centers put data center networking at odds with the existing network models. Some problems, such as the number of virtual networks, required the development of new technologies such as VXLAN, while others have required a redesign of the network architecture deployed in the data center. But the problem of managing the network is not rooted in any failure of networking, rather in the design of the network OS.

via Your next network operating system is Linux | Networking – InfoWorld.

Essentially, we can write the equivalent of a device driver to synchronize the kernel state of these data structures with the hardware. Silicon switching ports can be made to appear like NICs to the OS. Thanks to Linux’s Netlink model, a device driver can sit by the side and listen to everything that’s going on with the kernel state — interface up/down, routing entries added/deleted either by user or routing protocols, netfilter entries added or deleted — and synchronize that state with the hardware. Furthermore, the driver can sync the state of counters from the hardware with the kernel state allowing native Linux tools such as ethtool, iptables, or /proc/net/dev to display the correct information, completely unaware that these values are coming from the hardware. Cumulus Networks has developed the first such solution, but others with a similar model may not be far away.
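What the article calls "sitting by the side and listening" is a Netlink subscriber: a socket bound to the route multicast group receives the same `RTM_NEWROUTE`/`RTM_DELROUTE` messages the kernel emits when a route is added or deleted, by hand or by a routing daemon. The following is an added example written for this post, not Cumulus Networks' driver: a decoder for those messages, a constructed sample message laid out exactly as the kernel would emit it, and a live listener for use on Linux. The field layouts and constants come from `<linux/netlink.h>` and `<linux/rtnetlink.h>`.

```python
import socket
import struct
from ipaddress import ip_address

# Constants from <linux/netlink.h> and <linux/rtnetlink.h>.
RTM_NEWROUTE, RTM_DELROUTE = 24, 25
RTA_DST, RTA_OIF, RTA_GATEWAY, RTA_PRIORITY = 1, 4, 5, 6
RTMGRP_IPV4_ROUTE = 0x40
RT_TABLE_MAIN, RTPROT_BOOT, RT_SCOPE_UNIVERSE, RTN_UNICAST = 254, 3, 0, 1
NLMSG_HDR = struct.Struct("=IHHII")   # nlmsghdr: len, type, flags, seq, pid
RTMSG = struct.Struct("=BBBBBBBBI")   # rtmsg: family, dst_len, src_len, tos, table, protocol, scope, type, flags
RTATTR = struct.Struct("=HH")         # rtattr: len, type (payload follows, padded to 4 bytes)


def _align4(n):
    return (n + 3) & ~3


def parse_route_message(data):
    """Decode one RTM_NEWROUTE / RTM_DELROUTE message; returns None for other types."""
    msg_len, msg_type, _flags, _seq, _pid = NLMSG_HDR.unpack_from(data, 0)
    if msg_type not in (RTM_NEWROUTE, RTM_DELROUTE):
        return None
    off = NLMSG_HDR.size
    family, dst_len, _src, _tos, table, _proto, _scope, _rtype, _rflags = RTMSG.unpack_from(data, off)
    off += RTMSG.size
    route = {
        "event": "add" if msg_type == RTM_NEWROUTE else "del",
        "dst": "::/0" if family == socket.AF_INET6 else "0.0.0.0/0",  # no RTA_DST means default route
        "table": table,
    }
    while off + RTATTR.size <= msg_len:
        alen, atype = RTATTR.unpack_from(data, off)
        if alen < RTATTR.size:
            break  # malformed attribute: stop rather than loop forever
        payload = data[off + RTATTR.size:off + alen]
        if atype == RTA_DST:
            route["dst"] = f"{ip_address(payload)}/{dst_len}"
        elif atype == RTA_GATEWAY:
            route["gateway"] = str(ip_address(payload))
        elif atype == RTA_OIF:
            route["oif"] = struct.unpack("=i", payload)[0]
        elif atype == RTA_PRIORITY:
            route["metric"] = struct.unpack("=I", payload)[0]
        off += _align4(alen)
    return route


def build_route_message(msg_type, dst, prefix_len, gateway, oif):
    """Assemble an IPv4 route message laid out the way the kernel emits it. Used only
    to construct the sample below; a real listener never needs to build messages."""
    def attr(atype, payload):
        body = RTATTR.pack(RTATTR.size + len(payload), atype) + payload
        return body + b"\0" * (_align4(len(body)) - len(body))
    attrs = (attr(RTA_DST, ip_address(dst).packed)
             + attr(RTA_GATEWAY, ip_address(gateway).packed)
             + attr(RTA_OIF, struct.pack("=i", oif)))
    body = RTMSG.pack(socket.AF_INET, prefix_len, 0, 0, RT_TABLE_MAIN,
                      RTPROT_BOOT, RT_SCOPE_UNIVERSE, RTN_UNICAST, 0) + attrs
    return NLMSG_HDR.pack(NLMSG_HDR.size + len(body), msg_type, 0, 1, 0) + body


def watch_routes(handler):
    """Live use on Linux: join the IPv4 route multicast group and hand every decoded
    add/del event to `handler`. A hardware-sync driver consumes the same feed."""
    s = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, socket.NETLINK_ROUTE)
    s.bind((0, RTMGRP_IPV4_ROUTE))
    while True:
        data = s.recv(65536)
        off = 0
        while off + NLMSG_HDR.size <= len(data):  # one recv may carry several messages
            msg_len = NLMSG_HDR.unpack_from(data, off)[0]
            if msg_len < NLMSG_HDR.size:
                break
            route = parse_route_message(data[off:off + msg_len])
            if route:
                handler(route)
            off += _align4(msg_len)


# Constructed sample: the message the kernel would send for a route to 10.0.0.0/24
# via 192.168.1.1 out of the interface with ifindex 2.
SAMPLE_MESSAGE = build_route_message(RTM_NEWROUTE, "10.0.0.0", 24, "192.168.1.1", 2)

if __name__ == "__main__":
    print(parse_route_message(SAMPLE_MESSAGE))
    watch_routes(print)  # then follow live changes; Ctrl-C to stop
```

Run on a Linux box and add or delete a route in another terminal with `ip route`, and the listener prints the change without having polled anything, which is the property that lets a driver keep switch silicon in step with the kernel's routing table.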


CeroWrt is a project built on the OpenWrt firmware to resolve the endemic problems of bufferbloat in home networking today, and to push forward the state of the art of edge networks and routers. Projects include proper IPv6 support, tighter integration with DNSSEC, and most importantly, reducing bufferbloat in both the wired and wireless components of the stack.

via Cerowrt – Overview – Bufferbloat.

From their wiki page on bufferbloat:

Bufferbloat is a huge drag on Internet performance created, ironically, by previous attempts to make it work better. The one-sentence summary is “Bloated buffers lead to network-crippling latency spikes.”

The bad news is that bufferbloat is everywhere, in more devices and programs than you can shake a stick at. The good news is, bufferbloat is relatively easy to fix. The even better news is that fixing it may solve a lot of the service problems now addressed by bandwidth caps and metering, making the Internet faster and less expensive for both consumers and providers.
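The one-sentence summary above can be made concrete with a toy queue. The simulation below is an added example, not code from the CeroWrt or Bufferbloat projects: it pushes the same overload (more packets offered per tick than the link can drain) through a deep tail-drop FIFO and through a shallow one, and reports the worst queueing delay and the drop count for each. Ticks and packet counts are abstract units chosen for the illustration.

```python
from collections import deque


def simulate_fifo(arrivals, service_rate, capacity, horizon):
    """Tail-drop FIFO queue driven in discrete ticks.

    arrivals[t]   packets offered in tick t (0 after the list ends)
    service_rate  packets the link drains per tick
    capacity      buffer depth in packets
    Returns (max queueing delay in ticks, packets dropped)."""
    queue = deque()
    drops = 0
    max_delay = 0
    for t in range(horizon):
        offered = arrivals[t] if t < len(arrivals) else 0
        for _ in range(offered):
            if len(queue) >= capacity:
                drops += 1          # buffer full: overload shows up as loss
            else:
                queue.append(t)     # remember the enqueue tick to measure delay
        for _ in range(service_rate):
            if queue:
                max_delay = max(max_delay, t - queue.popleft())
    return max_delay, drops


def compare_buffers(burst_ticks=50, offered=20, service_rate=10):
    """Same overload through a bloated buffer and a shallow one. The bloated buffer
    never drops, so the sender never learns to slow down and every packet waits
    behind the whole backlog; the shallow buffer drops early and stays responsive."""
    arrivals = [offered] * burst_ticks
    horizon = 4 * burst_ticks  # long enough for the deep queue to drain completely
    return {
        "bloated": simulate_fifo(arrivals, service_rate, capacity=1000, horizon=horizon),
        "shallow": simulate_fifo(arrivals, service_rate, capacity=20, horizon=horizon),
    }


if __name__ == "__main__":
    for name, (delay, dropped) in compare_buffers().items():
        print(f"{name:8s} max delay {delay:3d} ticks, dropped {dropped}")
```

With the defaults the bloated queue reaches a worst-case delay of 50 ticks with zero loss, while the shallow one holds delay at one tick at the cost of 490 drops. Those drops are the congestion signal TCP relies on; hiding them behind a deep buffer is exactly the "previous attempt to make it work better" that the wiki blames.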